Solved

Need help with setting up user sudo permissions

Posted on 2010-11-16
6
659 Views
Last Modified: 2013-12-16
I have two Centos boxes, a dev and a qa, that need to have the same access for a group of users. Both boxes are on a NIS and both boxes have the same sudoers file to allow users to run sudosh as a different "application user". One box is working for one userid but is not on the other box. They get this error:
 [devboxwps029]/ap/d/bwpsj
>sudo -u didxml sudosh
[sudo] password for josha29:
Sorry, user  josha29 is not allowed to execute '/usr/bin/sudosh' as didxml on devboxwps029.
[devboxwps029]/ap/d/bwpsj

Open in new window


Here is the sudoers file:
## Sudoers allows particular users to run various commands as
## the root user, without needing the root password.
##
## Examples are provided at the bottom of the file for collections
## of related commands, which can then be delegated out to particular
## users or groups.
##
## This file must be edited with the 'visudo' command.

#
Defaults    requiretty

Defaults    env_reset
Defaults    env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR \
                        LS_COLORS MAIL PS1 PS2 QTDIR USERNAME \
                        LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION \
                        LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC \
                        LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS \
                        _XKB_CHARSET XAUTHORITY"

# User_Alias      ROOT=tjy3f09,sundeep017,eital06, josha29
User_Alias      JR=tjy3f09
User_Alias      DEV=xxx444,xxx412, feind77, wangxl07, tyle29, ijackAX,nancy003, edison407,  josha29

Runas_Alias     AP_ACCOUNTS=didvr, didxml, didtool, didbg

Cmnd_Alias      SUDOSH=/usr/local/bin/sudosh

JR      ALL=SUDOSH,(didvc)SUDOSH,(didxml)SUDOSH,(didbg)SUDOSH,(didtool)SUDOSH
DEV     ALL=(didvc)SUDOSH,(didxml)SUDOSH,(didbg)SUDOSH,(AP_ACCOUNTS)SUDOSH,(didtool)SUDOSH

Open in new window


The other QA box has as sudoers file that looks the same except the application names have a q in front on them instead of a d: qidxml instead of didxml On this box they have no problems running as qidxml.

Any ideas on what could be keeping this person from executing as as didxml?
0
Comment
Question by:Thaidog
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
6 Comments
 
LVL 2

Expert Comment

by:ckiral
ID: 34149919
You allowed only /usr/local/bin/sudosh, but apparently is in /usr/bin on that server...

 Cmnd_Alias      SUDOSH=/usr/local/bin/sudosh

Open in new window

0
 
LVL 78

Expert Comment

by:arnold
ID: 34149988
Check the nsswitch.conf in particular the group entry and make sure that both have file nis.

also check each system /etc/group file to make sure that they are identical.

you need to also make sure that there are local user for the nis user that is having issues since the local will take precedence over nis.
i.e. you have user1 in both nis and local to one of the boxes using the same password.
when user1 logs into this system passwd: file nis will mean the local user1 is how sudo will treat a sudo request.  since local user1 is not a member of the NIS defined group, sudo access will be denied.
0
 
LVL 2

Accepted Solution

by:
ckiral earned 500 total points
ID: 34150092
Changing 27h  line on servers sudoers file accordingly will solve the problem
Cmnd_Alias      SUDOSH=/usr/local/bin/sudosh, /usr/bin/sudosh

Open in new window

0
Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 

Author Comment

by:Thaidog
ID: 34169882
ckiral's answers appear to have worked... I will find out from the users soon and award points asap if so.
0
 

Author Comment

by:Thaidog
ID: 34174534
Well the user can use the command but the commad on the box that does not have the modified sudosh path is working differently than the one that has the /usr/bin/path.

When a the user uses sudo -u dhdxml sudosh on the old box the command drops them in to the didxml folder:

/ap/d/idxml

But is does not do that on the system we changed the path on... it just puts them in /ap/d/bwpsj which is the users home folder. /ap/d/didxml is the didxml home folder.

0
 
LVL 2

Expert Comment

by:ckiral
ID: 34179444
I think we should se contents of sudosh file to make a comment.
0

Featured Post

Ransomware: The New Cyber Threat & How to Stop It

This infographic explains ransomware, type of malware that blocks access to your files or your systems and holds them hostage until a ransom is paid. It also examines the different types of ransomware and explains what you can do to thwart this sinister online threat.  

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The purpose of this article is to fix the unknown display problem in Linux Mint operating system. After installing the OS if you see Display monitor is not recognized then we can install "MESA" utilities to fix this problem or we can install additio…
In the first part of this tutorial we will cover the prerequisites for installing SQL Server vNext on Linux.
Learn how to get help with Linux/Unix bash shell commands. Use help to read help documents for built in bash shell commands.: Use man to interface with the online reference manuals for shell commands.: Use man to search man pages for unknown command…
Connecting to an Amazon Linux EC2 Instance from Windows Using PuTTY.

734 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question