Solved

Need help with setting up user sudo permissions

Posted on 2010-11-16
651 Views
Last Modified: 2013-12-16
I have two CentOS boxes, a dev and a QA, that need to have the same access for a group of users. Both boxes are on NIS and both have the same sudoers file to allow users to run sudosh as a different "application user". It is working for one userid on one box but not on the other. They get this error:
 [devboxwps029]/ap/d/bwpsj
>sudo -u didxml sudosh
[sudo] password for josha29:
Sorry, user  josha29 is not allowed to execute '/usr/bin/sudosh' as didxml on devboxwps029.
[devboxwps029]/ap/d/bwpsj

Here is the sudoers file:
## Sudoers allows particular users to run various commands as
## the root user, without needing the root password.
##
## Examples are provided at the bottom of the file for collections
## of related commands, which can then be delegated out to particular
## users or groups.
##
## This file must be edited with the 'visudo' command.

#
Defaults    requiretty

Defaults    env_reset
Defaults    env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR \
                        LS_COLORS MAIL PS1 PS2 QTDIR USERNAME \
                        LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION \
                        LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC \
                        LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS \
                        _XKB_CHARSET XAUTHORITY"

# User_Alias      ROOT=tjy3f09,sundeep017,eital06, josha29
User_Alias      JR=tjy3f09
User_Alias      DEV=xxx444,xxx412, feind77, wangxl07, tyle29, ijackAX,nancy003, edison407,  josha29

Runas_Alias     AP_ACCOUNTS=didvr, didxml, didtool, didbg

Cmnd_Alias      SUDOSH=/usr/local/bin/sudosh

JR      ALL=SUDOSH,(didvc)SUDOSH,(didxml)SUDOSH,(didbg)SUDOSH,(didtool)SUDOSH
DEV     ALL=(didvc)SUDOSH,(didxml)SUDOSH,(didbg)SUDOSH,(AP_ACCOUNTS)SUDOSH,(didtool)SUDOSH

The QA box has a sudoers file that looks the same except the application names have a q in front of them instead of a d: qidxml instead of didxml. On that box they have no problems running as qidxml.

Any ideas on what could be keeping this person from executing as didxml?
Question by:Thaidog

6 Comments
 
LVL 2

Expert Comment

by:ckiral
ID: 34149919
You allowed only /usr/local/bin/sudosh, but apparently it is in /usr/bin on that server...

 Cmnd_Alias      SUDOSH=/usr/local/bin/sudosh

 
LVL 77

Expert Comment

by:arnold
ID: 34149988
Check the nsswitch.conf, in particular the group entry, and make sure that both have file nis.

Also check each system's /etc/group file to make sure that they are identical.

You also need to check whether there is a local user for the NIS user that is having issues, since the local one will take precedence over NIS.
I.e. you have user1 in both NIS and local on one of the boxes, using the same password.
When user1 logs into this system, passwd: file nis will mean the local user1 is how sudo will treat a sudo request. Since the local user1 is not a member of the NIS-defined group, sudo access will be denied.
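The two checks arnold describes, written out as an added example (this is not code from the thread): parse an nsswitch.conf excerpt to see which sources each database consults, and detect a NIS user that is shadowed by a same-named local account. The nsswitch and passwd excerpts are constructed for the example (the group line deliberately omits nis), and the function names are assumptions of mine; only live_check touches the real files on a box.

```shell
#!/bin/sh
# Added example (not from the thread): check the two things arnold points at.
# 1. Does nsswitch.conf consult NIS for the passwd and group databases?
# 2. Is the NIS user shadowed by a same-named local account, which sudo will
#    see first when the database lists "files" before "nis"?

# Constructed excerpts; the group line deliberately lacks nis.
NSSWITCH='passwd:     files nis
shadow:     files nis
group:      files'
LOCAL_PASSWD='root:x:0:0:root:/root:/bin/bash
josha29:x:1001:1001::/ap/d/bwpsj:/bin/bash'

# nss_sources NSSWITCH_TEXT DB: print the lookup sources for database DB on one line
nss_sources() {
    printf '%s\n' "$1" | sed -n "s/^$2:[[:space:]]*//p" | tr -s ' \t' ' '
}

# nss_has_source NSSWITCH_TEXT DB SRC: 0 if DB lists source SRC, 1 otherwise
nss_has_source() {
    for _s in $(nss_sources "$1" "$2"); do
        [ "$_s" = "$3" ] && return 0
    done
    return 1
}

# local_entry PASSWD_TEXT NAME: 0 (and print the line) if NAME has a local entry
local_entry() {
    printf '%s\n' "$1" | grep -- "^$2:"
}

# shadowed_by_local PASSWD_TEXT NSSWITCH_TEXT NAME: 0 when NAME exists locally and
# the passwd database is resolved from files first, so sudo sees the local account
shadowed_by_local() {
    local_entry "$1" "$3" >/dev/null || return 1
    [ "$(nss_sources "$2" passwd | cut -d' ' -f1)" = "files" ]
}

# live_check NAME: on a real box, compare what NSS resolves with the local file
# and confirm the group database consults nis at all.
live_check() {
    echo "nss:   $(getent passwd "$1")"
    echo "local: $(grep -- "^$1:" /etc/passwd)"
    nss_has_source "$(cat /etc/nsswitch.conf)" group nis \
      || echo "group database does not consult nis; NIS groups are invisible to sudo"
}
```

Run live_check for the affected login on both boxes and diff the output: a differing uid, gid or home between "nss:" and "local:" on one box is exactly the shadowing case described above.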
 
LVL 2

Accepted Solution

by:
ckiral earned 500 total points
ID: 34150092
Changing the 27th line of the server's sudoers file accordingly will solve the problem:
Cmnd_Alias      SUDOSH=/usr/local/bin/sudosh, /usr/bin/sudosh

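The path mismatch that ckiral's first comment and the accepted fix turn on, made mechanical as an added example (not code from the thread or from the sudoers on either box): sudo matches the fully qualified path of the command against the Cmnd_Alias, so /usr/bin/sudosh cannot satisfy an alias that names only /usr/local/bin/sudosh. The two sudoers excerpts are constructed to mirror the question's alias and the accepted two-path version, and the function names are assumptions of mine.

```shell
#!/bin/sh
# Added example (not from the thread): check whether the absolute path of a
# command is listed in a sudoers Cmnd_Alias. sudo matches on the full path,
# so /usr/bin/sudosh does not satisfy an alias naming only /usr/local/bin/sudosh.
# Handles single-line Cmnd_Alias definitions only (no backslash continuations).

# Constructed sudoers excerpts: the question's alias, then the accepted fix.
SUDOERS_BEFORE='Cmnd_Alias      SUDOSH=/usr/local/bin/sudosh
DEV     ALL=(didvc)SUDOSH,(didxml)SUDOSH,(AP_ACCOUNTS)SUDOSH'
SUDOERS_AFTER='Cmnd_Alias      SUDOSH=/usr/local/bin/sudosh, /usr/bin/sudosh
DEV     ALL=(didvc)SUDOSH,(didxml)SUDOSH,(AP_ACCOUNTS)SUDOSH'

# alias_paths SUDOERS_TEXT ALIAS: print each path in Cmnd_Alias ALIAS, one per line
alias_paths() {
    printf '%s\n' "$1" \
      | sed -n "s/^Cmnd_Alias[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" \
      | tr ',' '\n' \
      | sed 's/^[[:space:]]*//; s/[[:space:]]*$//'
}

# path_allowed SUDOERS_TEXT ALIAS PATH: 0 if PATH is an exact entry of ALIAS, 1 otherwise
path_allowed() {
    alias_paths "$1" "$2" | grep -qxF -- "$3"
}

# live_check ALIAS CMD: on a real box, resolve CMD the way the shell would and
# test it against /etc/sudoers (reading sudoers needs root). Not exercised here.
live_check() {
    _bin=$(command -v "$2" 2>/dev/null) || { echo "$2: not installed"; return 2; }
    if path_allowed "$(cat /etc/sudoers)" "$1" "$_bin"; then
        echo "$_bin is listed in $1"
    else
        echo "$_bin is NOT listed in $1; sudo will refuse it"
    fi
}
```

Running live_check SUDOSH sudosh on each box shows immediately which install location the alias covers; adding the second path, as the accepted answer does, is the smallest change, while moving the binary so both boxes match would keep the alias to one path.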

 

Author Comment

by:Thaidog
ID: 34169882
ckiral's answers appear to have worked... I will find out from the users soon and award points ASAP if so.
 

Author Comment

by:Thaidog
ID: 34174534
Well, the user can use the command, but the command on the box that does not have the modified sudosh path is working differently than the one that has the /usr/bin path.

When the user uses sudo -u didxml sudosh on the old box, the command drops them into the didxml folder:

/ap/d/didxml

But it does not do that on the system we changed the path on... it just puts them in /ap/d/bwpsj, which is the user's home folder. /ap/d/didxml is the didxml home folder.

 
LVL 2

Expert Comment

by:ckiral
ID: 34179444
I think we should see the contents of the sudosh file to make a comment.