Solved

Need help with setting up user sudo permissions

Posted on 2010-11-16
649 Views
Last Modified: 2013-12-16
I have two CentOS boxes, a dev and a QA, that need to have the same access for a group of users. Both boxes are on NIS and both boxes have the same sudoers file to allow users to run sudosh as a different "application user". One box works for one userid but the other box does not. They get this error:
 [devboxwps029]/ap/d/bwpsj
>sudo -u didxml sudosh
[sudo] password for josha29:
Sorry, user  josha29 is not allowed to execute '/usr/bin/sudosh' as didxml on devboxwps029.
[devboxwps029]/ap/d/bwpsj


Here is the sudoers file:
## Sudoers allows particular users to run various commands as
## the root user, without needing the root password.
##
## Examples are provided at the bottom of the file for collections
## of related commands, which can then be delegated out to particular
## users or groups.
##
## This file must be edited with the 'visudo' command.

#
Defaults    requiretty

Defaults    env_reset
Defaults    env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR \
                        LS_COLORS MAIL PS1 PS2 QTDIR USERNAME \
                        LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION \
                        LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC \
                        LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS \
                        _XKB_CHARSET XAUTHORITY"

# User_Alias      ROOT=tjy3f09,sundeep017,eital06, josha29
User_Alias      JR=tjy3f09
User_Alias      DEV=xxx444,xxx412, feind77, wangxl07, tyle29, ijackAX,nancy003, edison407,  josha29

Runas_Alias     AP_ACCOUNTS=didvr, didxml, didtool, didbg

Cmnd_Alias      SUDOSH=/usr/local/bin/sudosh

JR      ALL=SUDOSH,(didvc)SUDOSH,(didxml)SUDOSH,(didbg)SUDOSH,(didtool)SUDOSH
DEV     ALL=(didvc)SUDOSH,(didxml)SUDOSH,(didbg)SUDOSH,(AP_ACCOUNTS)SUDOSH,(didtool)SUDOSH


The other QA box has a sudoers file that looks the same except the application names have a q in front of them instead of a d: qidxml instead of didxml. On this box they have no problems running as qidxml.

Any ideas on what could be keeping this person from executing as didxml?
Question by:Thaidog
6 Comments
 

Expert Comment

by:ckiral
ID: 34149919
You allowed only /usr/local/bin/sudosh, but apparently it is in /usr/bin on that server...

 Cmnd_Alias      SUDOSH=/usr/local/bin/sudosh



Expert Comment

by:arnold
ID: 34149988
Check the nsswitch.conf, in particular the group entry, and make sure that both have "files nis".

Also check each system's /etc/group file to make sure that they are identical.

You also need to check for a local user matching the NIS user that is having issues, since the local one will take precedence over NIS.
i.e. you have user1 in both NIS and local on one of the boxes using the same password.
When user1 logs into this system, "passwd: files nis" will mean the local user1 is how sudo will treat a sudo request. Since the local user1 is not a member of the NIS-defined group, sudo access will be denied.
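A way to run the checks arnold lists, as an added example that is not part of the thread: it reads the passwd lookup order out of nsswitch.conf, lists accounts that exist both in the local passwd file and in the NIS passwd map (with "passwd: files nis" the local copy is the one every lookup, sudo included, sees), and compares a group's member list between the local group file and the NIS group map. The sample files it writes are constructed for the example: the uids, the local home directory and the group name devs are made up, only the NIS home /ap/d/bwpsj comes from the post. On a real box you would point it at /etc/nsswitch.conf, /etc/passwd and /etc/group, and at the output of ypcat passwd and ypcat group, which is the assumed way to dump the NIS maps. Function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the thread). Which source actually supplies an
# account on a box whose nsswitch.conf says "passwd: files nis"?
# Offline it works on file copies; on a live box the NIS maps are assumed
# to be dumped with "ypcat passwd" and "ypcat group".

# Lookup order of one nsswitch.conf database, e.g. "files nis" for passwd.
# Action tokens in [brackets] such as [NOTFOUND=return] are dropped.
nss_order() {
    nsswitch="$1"; db="$2"
    sed -n -E "s/^[[:space:]]*${db}:[[:space:]]*//p" "$nsswitch" \
      | sed 's/#.*//' | head -n 1 \
      | tr -s '[:space:]' '\n' | grep -v -e '^\[' -e '^$' \
      | tr '\n' ' ' | sed 's/ $//'
}

# Account names present in both the local passwd file ($1) and the NIS
# passwd map ($2). With "files" listed first, the local entry (uid, home,
# shell) is the one that wins.
shadowed_users() {
    awk -F: 'FILENAME == ARGV[1] { local[$1] = 1; next }
             ($1 in local) && !seen[$1]++ { print $1 }' "$1" "$2"
}

# Members listed in the fourth field of GROUP ($2) in a group file/map ($1).
group_members() {
    awk -F: -v g="$2" '$1 == g {
        n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
    }' "$1"
}

# Exit 0 if USER ($3) is listed as a member of GROUP ($2) in file/map $1.
in_group() {
    group_members "$1" "$2" | grep -qx "$3"
}

# Constructed sample data standing in for the dev box in the thread. The
# NIS entry for josha29 carries the home directory the post shows; the
# local copy, the uids and the group "devs" are made up for the example.
write_samples() {
    d="$1"
    printf 'passwd: files nis\ngroup:  files nis\n' > "$d/nsswitch.conf"
    printf 'root:x:0:0:root:/root:/bin/bash\njosha29:x:1001:1001::/home/josha29:/bin/bash\n' > "$d/passwd"
    printf 'josha29:x:5001:100::/ap/d/bwpsj:/bin/bash\ntjy3f09:x:5002:100::/ap/d/tjy3f09:/bin/bash\n' > "$d/passwd.nis"
    printf 'root:x:0:\nwheel:x:10:root\n' > "$d/group"
    printf 'devs:x:5100:josha29,tjy3f09\n' > "$d/group.nis"
}

demo() {
    d=$(mktemp -d); write_samples "$d"
    echo "passwd lookup order: $(nss_order "$d/nsswitch.conf" passwd)"
    for u in $(shadowed_users "$d/passwd" "$d/passwd.nis"); do
        echo "$u: defined locally and in NIS, local entry wins"
        if in_group "$d/group.nis" devs "$u" && ! in_group "$d/group" devs "$u"; then
            echo "$u: member of devs in the NIS map only"
        fi
    done
    rm -rf "$d"
}
demo
```

On the live boxes the quick confirmation of the same thing is `getent passwd josha29` against `grep '^josha29:' /etc/passwd`, and `id josha29` on each box to compare uid and group lists; a difference between dev and QA there explains a sudo mismatch even when the two sudoers files are identical.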
 

Accepted Solution

by:ckiral (earned 500 total points)
ID: 34150092
Changing the 27th line in the server's sudoers file accordingly will solve the problem:
Cmnd_Alias      SUDOSH=/usr/local/bin/sudosh, /usr/bin/sudosh


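The check behind ckiral's fix, as an added example that is not the thread's own code: the path in sudo's "is not allowed to execute '/usr/bin/sudosh'" message is the one sudo resolved from the caller's PATH (or from Defaults secure_path when that is set), and sudoers compares full paths, so a Cmnd_Alias naming /usr/local/bin/sudosh does not cover /usr/bin/sudosh. The script below pulls the members of a named Cmnd_Alias out of a sudoers file, joining backslash-continued lines, and reports whether a given path is covered. The two sudoers fragments it writes are constructed for the example; the function names are its own.

```shell
#!/bin/sh
# Added example (not from the thread). sudoers matches the full path of the
# command, so a Cmnd_Alias naming /usr/local/bin/sudosh does not cover the
# /usr/bin/sudosh that sudo resolved from PATH and printed in its refusal.
# These helpers pull one Cmnd_Alias out of a sudoers file and test a path
# against it. Function and alias names are the example's own.

# Members of ALIAS ($2) in sudoers file $1, one per line, first word only
# (sudoers allows "path args"). Backslash-continued lines are joined first
# and comment lines dropped, so "#include" directives are ignored as well.
cmnd_alias_members() {
    sudoers="$1"; alias="$2"
    sed -e :a -e '/\\$/N; s/\\\n//; ta' "$sudoers" \
      | grep -v '^[[:space:]]*#' \
      | sed -n -E "s/^[[:space:]]*Cmnd_Alias[[:space:]]+${alias}[[:space:]]*=[[:space:]]*//p" \
      | tr ',' '\n' \
      | awk 'NF { print $1 }'
}

# Exit 0 if CMD ($3) is allowed by ALIAS ($2): an exact path, the keyword
# ALL, or a directory entry (trailing "/") that is CMD's directory; else 1.
cmnd_alias_covers() {
    sudoers="$1"; alias="$2"; cmd="$3"
    for m in $(cmnd_alias_members "$sudoers" "$alias"); do
        [ "$m" = "$cmd" ] && return 0
        [ "$m" = ALL ] && return 0
        case "$m" in
            */) [ "${cmd%/*}/" = "$m" ] && return 0 ;;
        esac
    done
    return 1
}

# For a live box: resolve NAME ($3) from PATH and report whether that path
# is in ALIAS; prints what to add when it is not. Run as root so the real
# /etc/sudoers is readable. If Defaults secure_path is set, sudo searches
# that instead of the caller's PATH, so set PATH to it before calling.
check_command() {
    sudoers="$1"; alias="$2"; name="$3"
    path=$(command -v "$name" 2>/dev/null) || { echo "$name: not in PATH"; return 2; }
    if cmnd_alias_covers "$sudoers" "$alias" "$path"; then
        echo "$name -> $path: covered by $alias"
    else
        echo "$name -> $path: NOT in $alias; add it to the Cmnd_Alias $alias line"
        return 1
    fi
}

# Constructed sudoers fragments: the posted alias, and the accepted fix
# written with a continuation line to exercise the join.
write_sample_sudoers() {
    cat > "$1/sudoers.before" <<'EOF'
Cmnd_Alias      SUDOSH=/usr/local/bin/sudosh
DEV     ALL=(didxml)SUDOSH
EOF
    cat > "$1/sudoers.after" <<'EOF'
# accepted fix, split across two lines
Cmnd_Alias      SUDOSH=/usr/local/bin/sudosh, \
                /usr/bin/sudosh
DEV     ALL=(didxml)SUDOSH
EOF
}

demo() {
    d=$(mktemp -d); write_sample_sudoers "$d"
    for f in before after; do
        for p in /usr/local/bin/sudosh /usr/bin/sudosh; do
            if cmnd_alias_covers "$d/sudoers.$f" SUDOSH "$p"; then
                echo "$f: $p allowed"
            else
                echo "$f: $p NOT allowed"
            fi
        done
    done
    rm -rf "$d"
}
demo
```

On the box itself, run `check_command /etc/sudoers SUDOSH sudosh` as root, then confirm with `visudo -c -f /etc/sudoers` (syntax check) and `sudo -l -U josha29` (what sudo itself believes the user may run). Listing both paths in the alias means a user may run whichever binary sits at either path, so both copies of sudosh must be root-owned and not writable by anyone else, and a box that has only one of them gains nothing from the second entry.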

Author Comment

by:Thaidog
ID: 34169882
ckiral's answers appear to have worked... I will find out from the users soon and award points asap if so.

Author Comment

by:Thaidog
ID: 34174534
Well, the user can use the command, but the command on the box that does not have the modified sudosh path is working differently than the one that has the /usr/bin path.

When the user uses sudo -u didxml sudosh on the old box the command drops them into the didxml folder:

/ap/d/didxml

But it does not do that on the system we changed the path on... it just puts them in /ap/d/bwpsj, which is the user's home folder. /ap/d/didxml is the didxml home folder.


Expert Comment

by:ckiral
ID: 34179444
I think we should see the contents of the sudosh file to make a comment.
