• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 686
Need help with setting up user sudo permissions

I have two CentOS boxes, a dev and a QA, that need to have the same access for a group of users. Both boxes are on NIS and both boxes have the same sudoers file to allow users to run sudosh as a different "application user". It works for one user ID on one box but not on the other. They get this error:
[devboxwps029]/ap/d/bwpsj
>sudo -u didxml sudosh
[sudo] password for josha29:
Sorry, user  josha29 is not allowed to execute '/usr/bin/sudosh' as didxml on devboxwps029.
[devboxwps029]/ap/d/bwpsj


Here is the sudoers file:
## Sudoers allows particular users to run various commands as
## the root user, without needing the root password.
##
## Examples are provided at the bottom of the file for collections
## of related commands, which can then be delegated out to particular
## users or groups.
##
## This file must be edited with the 'visudo' command.

#
Defaults    requiretty

Defaults    env_reset
Defaults    env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR \
                        LS_COLORS MAIL PS1 PS2 QTDIR USERNAME \
                        LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION \
                        LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC \
                        LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS \
                        _XKB_CHARSET XAUTHORITY"

# User_Alias      ROOT=tjy3f09,sundeep017,eital06, josha29
User_Alias      JR=tjy3f09
User_Alias      DEV=xxx444,xxx412, feind77, wangxl07, tyle29, ijackAX,nancy003, edison407,  josha29

Runas_Alias     AP_ACCOUNTS=didvr, didxml, didtool, didbg

Cmnd_Alias      SUDOSH=/usr/local/bin/sudosh

JR      ALL=SUDOSH,(didvc)SUDOSH,(didxml)SUDOSH,(didbg)SUDOSH,(didtool)SUDOSH
DEV     ALL=(didvc)SUDOSH,(didxml)SUDOSH,(didbg)SUDOSH,(AP_ACCOUNTS)SUDOSH,(didtool)SUDOSH



The other QA box has a sudoers file that looks the same except the application names have a q in front of them instead of a d: qidxml instead of didxml. On this box they have no problems running as qidxml.

Any ideas on what could be keeping this person from executing as didxml?
Asked:
Thaidog
1 Solution
 
ckiralCommented:
You allowed only /usr/local/bin/sudosh, but apparently it is in /usr/bin on that server...

Cmnd_Alias      SUDOSH=/usr/local/bin/sudosh
 
arnoldCommented:
Check the nsswitch.conf, in particular the group entry, and make sure that both have "files nis".

Also check each system's /etc/group file to make sure that they are identical.

You also need to check whether there is a local user for the NIS user that is having issues, since the local one will take precedence over NIS.
i.e. you have user1 in both NIS and local on one of the boxes using the same password.
When user1 logs into this system, "passwd: files nis" will mean the local user1 is how sudo will treat a sudo request. Since the local user1 is not a member of the NIS-defined group, sudo access will be denied.
 
ckiralCommented:
Changing the 27th line in the server's sudoers file accordingly will solve the problem:
Cmnd_Alias      SUDOSH=/usr/local/bin/sudosh, /usr/bin/sudosh
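To make the path mismatch concrete, here is an added Python example (not from the thread and not sudo's own code) that resolves the question's User_Alias, Runas_Alias and Cmnd_Alias tables the way sudo does and checks whether josha29 may run /usr/bin/sudosh as didxml before and after the Cmnd_Alias change; the sudoers text is constructed from the question, and the resolver is a simplified toy that ignores host matching, %groups, tags and wildcards.

```python
import re

# Constructed sudoers fragment with the aliases and user specs from the question.
SUDOERS_BEFORE = """
User_Alias      JR=tjy3f09
User_Alias      DEV=xxx444,xxx412, feind77, wangxl07, tyle29, ijackAX,nancy003, edison407,  josha29
Runas_Alias     AP_ACCOUNTS=didvr, didxml, didtool, didbg
Cmnd_Alias      SUDOSH=/usr/local/bin/sudosh
JR      ALL=SUDOSH,(didvc)SUDOSH,(didxml)SUDOSH,(didbg)SUDOSH,(didtool)SUDOSH
DEV     ALL=(didvc)SUDOSH,(didxml)SUDOSH,(didbg)SUDOSH,(AP_ACCOUNTS)SUDOSH,(didtool)SUDOSH
"""
# The fix from the accepted answer: list both possible sudosh paths in the alias.
SUDOERS_AFTER = SUDOERS_BEFORE.replace(
    "SUDOSH=/usr/local/bin/sudosh", "SUDOSH=/usr/local/bin/sudosh, /usr/bin/sudosh")

def _split(members):
    return [m.strip() for m in members.split(",") if m.strip()]

def parse(text):
    """Toy parser: alias tables plus (user_spec, runas, command) rules. Only the
    constructs on this page are handled (no %groups, hosts, NOPASSWD tags, wildcards)."""
    aliases = {"User_Alias": {}, "Runas_Alias": {}, "Cmnd_Alias": {}}
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "Defaults")) or "=" not in line:
            continue
        head, rest = line.split(None, 1)
        if head in aliases:
            name, _, members = rest.partition("=")
            aliases[head][name.strip()] = _split(members)
            continue
        spec = rest.split("=", 1)[1]          # "(runas)cmd,(runas)cmd,..."
        for item in re.finditer(r"(?:\(([^)]*)\))?([^,]+)", spec):
            runas = item.group(1) or "root"   # no (runas) prefix means root
            rules.append((head, runas.strip(), item.group(2).strip()))
    return aliases, rules

def expand(name, table):
    """Resolve an alias name (possibly nested) to its leaf members."""
    if name not in table:
        return [name]
    return [leaf for member in table[name] for leaf in expand(member, table)]

def allowed(text, user, runas, command):
    """True if some rule lets `user` run `command` as `runas` (host ALL assumed)."""
    aliases, rules = parse(text)
    for who, ra, cmd in rules:
        if (user in expand(who, aliases["User_Alias"])
                and runas in expand(ra, aliases["Runas_Alias"])
                and (cmd == "ALL" or command in expand(cmd, aliases["Cmnd_Alias"]))):
            return True
    return False
```

Because sudo matches the command by its full path, the dev box (where sudosh lives in /usr/bin) denies the request until that path is listed in the alias.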

 
ThaidogAuthor Commented:
ckiral's answers appear to have worked... I will find out from the users soon and award points asap if so.
 
ThaidogAuthor Commented:
Well, the user can use the command, but the command on the box that does not have the modified sudosh path is working differently than the one that has the /usr/bin path.

When the user uses sudo -u didxml sudosh on the old box, the command drops them into the didxml folder:

/ap/d/idxml

But it does not do that on the system we changed the path on... it just puts them in /ap/d/bwpsj, which is the user's home folder. /ap/d/didxml is the didxml home folder.
 
ckiralCommented:
I think we should see the contents of the sudosh file to make a comment.