Grant Unix ID the right to restart services without granting sudo/root privilege (or restrict sudo)

We have a request from applications team to grant their non-privileged Solaris and AIX ids to be
able to execute their Shell scripts (which contains lines to run binaries) :
  sudo /gl/_ctron_/start1292
  sudo /gl/_ctron_/start1291

Q1:
Is there any way not to grant them sudo & root and yet still allow them to stop/start the services?
Or if we grant sudo, restrict them to run only those specific scripts & their sudo can't do anything else?

Q2:
Any way we can use SGID or SUID sticky bits to grant them without giving them root/sudo privileges?
sunhuxAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

dfkeCommented:
Hi,

A1:

you can use sudo to let the user run just 1 specific command without a password:

Username ALL=(ALL) NOPASSWD: /gl/_ctron_/start1292

Open in new window

or if you want to let them also use arguments along with it:

Username ALL=(ALL) NOPASSWD: /gl/_ctron_/start1292 ARG1 ARG2

Open in new window


A2:

You can read up on SUID, SGID and Sticky bit here.

Cheers
1

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
sunhuxAuthor Commented:
Thanks very much;  is the above applicable for both Solaris 10 and AIX 7.x ?


Btw, Linux setuid is equivalent to SUID in Solaris?
0
sunhuxAuthor Commented:
One concern just raised by colleague: as we don't know what's in the Shell scripts, then
the apps team members could amend the script to put in any other commands, then
they would be able to do other unauthorized commands: so despite restricting to the
shell scripts stated, they can potentially do more
0
Defend Against the Q2 Top Security Threats

Were you aware that overall malware worldwide was down a surprising 42% from Q1'18? Every quarter, the WatchGuard Threat Lab releases an Internet Security Report that analyzes the top threat trends impacting companies worldwide. Learn more by viewing our on-demand webinar today!

arnoldCommented:
You have to inspect the script, and the team will not be able to exit the script inde you setuid di de root will be the owner of the script in order for setuid to work and run the script as root.

Sudo is the way to go though your question outright rules it out making the issue more complex then it needs to be.

The other option, is yo have your own script that monitors a specific location where individuals have rights to create a fire that will function as a flag.
ServiceA
Your script running every minute, once it sees on of these files, removes the file, restarts the service, note make sure yo explicitly define which services you allow people to restart.

The script will run out of cron or similar scheduler...
1
arnoldCommented:
sudo can grant individuals access to singular and specific commands.
0
nociSoftware EngineerCommented:
IMPORTANT: The users of the shell scripts should NOT be able to modify them....

best practice (IMHO)
- they deliver a set of scripts
- those are taken to another location and audited....
- if approved they are set to useage location (where they only have execute rights)
- setup  sudo to only allow the execute only ones to be used.

An option can be to use sudo only on the specific commands needed INSIDE the script.
(This still requires auditing & sandboxing the script).
2
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Linux

From novice to tech pro — start learning today.