sunhux
asked on
Grant Unix ID the right to restart services without granting sudo/root privilege (or restrict sudo)
We have a request from the applications team to allow their non-privileged Solaris and AIX IDs to
execute their shell scripts (which contain lines to run binaries):
sudo /gl/_ctron_/start1292
sudo /gl/_ctron_/start1291
Q1:
Is there any way not to grant them sudo & root and yet still allow them to stop/start the services?
Or if we grant sudo, restrict them to run only those specific scripts & their sudo can't do anything else?
Q2:
Any way we can use SGID or SUID sticky bits to grant them without giving them root/sudo privileges?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
One concern just raised by colleague: as we don't know what's in the Shell scripts, then
the apps team members could amend the script to put in any other commands, then
they would be able to do other unauthorized commands: so despite restricting to the
shell scripts stated, they can potentially do more
SOLUTION
sudo can grant individuals access to singular and specific commands.
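An added example, not part of the original thread or of the hidden solutions: a sudoers rule limited to the two scripts (shown as comments), plus an audit that addresses the concern raised above by checking that the scripts and every directory above them are owned by root and not writable by anyone else. The group name appteam, the function names and the optional TOP argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. Assumed sudoers rule (edit with visudo; group "appteam" is
# hypothetical). The "" means the command may be run with no arguments only:
#   Cmnd_Alias CTRON = /gl/_ctron_/start1292 "", /gl/_ctron_/start1291 ""
#   %appteam ALL = (root) CTRON
# The rule is only as strong as the files it names, so audit them.

# path_is_locked PATH UID: true if PATH is owned by UID, is not a symlink,
# and is not group- or world-writable. Parses "ls -ldn" for portability.
path_is_locked() (
    info=$(ls -ldn "$1" 2>/dev/null) || return 1
    set -f                      # no globbing while splitting ls output
    set -- "$2" $info           # $1=wanted uid $2=mode $3=links $4=owner uid
    case $2 in
        l*)          return 1 ;;   # symlink: its target can be swapped
        ?????w*)     return 1 ;;   # group-writable
        ????????w*)  return 1 ;;   # world-writable
    esac
    [ "$4" = "$1" ]
)

# audit_sudo_target SCRIPT [OWNER_UID] [TOP]
# Checks SCRIPT and every directory above it up to TOP (default /), because
# write access to any ancestor directory allows renaming and replacing it.
audit_sudo_target() (
    p=$1 owner=${2:-0} top=${3:-/} rc=0
    case $p in /*) ;; *) echo "FAIL $p: not an absolute path"; return 1 ;; esac
    while :; do
        if ! path_is_locked "$p" "$owner"; then
            echo "FAIL $p: missing, symlink, writable by group/other, or not uid $owner"
            rc=1
        fi
        if [ "$p" = "$top" ] || [ "$p" = / ]; then break; fi
        p=$(dirname "$p")
    done
    return $rc
)

# Usage: sh audit.sh /gl/_ctron_/start1292 /gl/_ctron_/start1291
status=0
for s in "$@"; do audit_sudo_target "$s" || status=1; done
if [ $# -gt 0 ] && [ "$status" -eq 0 ]; then echo "OK: all targets locked down"; fi
```

The same check applies to every binary the scripts call by path, since sudo runs those as root too.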
SOLUTION
ASKER
Btw, Linux setuid is equivalent to SUID in Solaris?