Sudo user cannot run sudo commands

I am having an issue with sudo on RHEL.

I have a domain account that has been given sudo rights. However, I cannot sudo commands (e.g. sudo netstat -ltnup | grep -E ':80') unless it's a sudo su - command.

The resulting error is as follows:

Sorry, user [abc] is not allowed to execute '/bin/netstat -ltnup as root on [hostname.domain] 

Can anyone offer a solution please?
Effin_Ell asked:
Dr. Klahn (Principal Software Engineer) commented:
This is a pretty good and quite concise description of the problem:

https://unix.stackexchange.com/questions/139955/problem-executing-command-as-a-different-user-with-sudo-u

"This is because sudo is different from su. When you su abc, you become the user abc as far as the system is concerned. You can then do anything that abc can do.

On the other hand, sudo is used to allow other users to execute some commands by proxy. In other words, your sudo configuration allows you to do some commands on behalf of abc. If the command you're trying to execute is not one of them, you get the error you reported."


Have the sysadmin edit /etc/sudoers so that the affected user has the desired command added to his sudo "profile".

See the description of /etc/sudoers at the link below:

https://www.garron.me/en/linux/visudo-command-sudoers-file-sudo-default-editor.html
noci (Software Engineer) commented:
Apparently the su - command is allowed to be executed by sudo.
This needs to be (re)configured in the /etc/sudoers file (or some file in /etc/sudoers.d).
Did you try:

sudo su - -c "netstat -ltnup" | grep -E :80

(where the netstat command will be executed by su.)
serialband commented:
If you can sudo su while other commands are blocked, then whoever set that up for you doesn't understand what sudo is for.  I doubt that's the case and suspect that sudo su would be blocked if sudo netstat is blocked.

Why do you need to run it as root?  Was the execute bit turned off for regular users?
arnold commented:
sudo su and sudo su - have been replaced by sudo -i and sudo -s

In short, understanding which command you are authorizing abc user to run.
Potentially the concise link provided earlier should point you in the right direction.
The sudoers file (/etc/sudoers) is editable by use of visudo.
Upon rights elevation with sudo -i or sudo -s, if you get a denial, run what you seem to have been authorized, sudo su -, and look at the sudoers settings.
Seems rather strange config that a user is limited on which commands they can run under sudo while being permitted to run su - under the sudo command.
serialband commented:
/etc/sudoers controls sudo -i or -s differently from sudo su.  Someone that doesn't know how that works might disallow one, but still accidentally allow the other.
arnold commented:
It sounds as though whoever configured sudoers for abc user explicitly specified which command the user is authorized to run:
su, su -
As an example, only those two commands are authorized, no other command as the first argument is permitted.

To fix this, elevate using sudo su - -c visudo and add netstat, and other commands you need to run, or alternatively, replace the current with all to allow all commands after sudo.
This is the strangest setup, seemingly the party configuring sudoers was unfamiliar with settings or what their intent was.

When one is limiting a user as to which commands they can run with elevated rights, -i,-s, su or any editor are never granted. Editors are blocked because each has an option to open a shell which in elevated editing mode means the shell is with root rights.
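
A small checker for the configuration this thread describes, added here as an example (it is not code from any poster): it parses a constructed sudoers fragment in which abc is granted only su, shows why /bin/netstat is denied, and flags rules that hand out a root shell. The fragment, the user ops and the SHELL_CAPABLE list are assumptions, and matching is simplified (no aliases, wildcards or line continuations).

```python
import re

# Programs that can hand the caller an interactive root shell. Constructed,
# non-exhaustive list for this example (editors included, per the comment above).
SHELL_CAPABLE = {"su", "sh", "bash", "zsh", "vi", "vim", "nano", "emacs", "less", "visudo"}

SPEC = re.compile(r"^(?P<user>[^\s=]+)\s+[^\s=]+\s*=\s*(?:\([^)]*\)\s*)?(?P<cmds>.+)$")
SKIP = ("Defaults", "User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias")

# Constructed sudoers fragment reproducing the symptom in the question.
SAMPLE = """\
# abc may only run su; ops has a per-command list that includes an editor
Defaults env_reset
abc ALL=(root) /bin/su -, /bin/su
ops ALL=(root) NOPASSWD: /bin/netstat, /usr/bin/vim /etc/hosts
"""

def parse_specs(text):
    """Return {user: [(path, args_or_None), ...]} for simple one-line user specs."""
    rules = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith(SKIP):
            continue
        m = SPEC.match(line)
        if not m:
            continue
        for cmd in m.group("cmds").split(","):
            cmd = re.sub(r"^(?:[A-Z_]+:\s*)+", "", cmd.strip())  # drop tags like NOPASSWD:
            path, _, args = cmd.partition(" ")
            rules.setdefault(m.group("user"), []).append((path, args.strip() or None))
    return rules

def is_allowed(rules, user, cmdline):
    """Simplified sudoers matching: a rule without arguments permits any
    arguments; a rule with arguments permits only that exact argument string."""
    path, _, args = cmdline.partition(" ")
    return any(rp == "ALL" or (rp == path and (ra is None or ra == args.strip()))
               for rp, ra in rules.get(user, []))

def shell_escapes(rules, user):
    """Rules that undo a per-command restriction: ALL, su, shells, editors."""
    return sorted({p for p, _ in rules.get(user, [])
                   if p == "ALL" or p.rsplit("/", 1)[-1] in SHELL_CAPABLE})

RULES = parse_specs(SAMPLE)
```

On a real host, `sudo -l -U abc` run by an administrator lists the effective rules to check against.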
