Grant Unix ID the right to restart services without granting sudo/root privilege (or restrict sudo)

We have a request from applications team to grant their non-privileged Solaris and AIX ids to be
able to execute their Shell scripts (which contains lines to run binaries) :
  sudo /gl/_ctron_/start1292
  sudo /gl/_ctron_/start1291

Q1:
Is there any way not to grant them sudo & root and yet still allow them to stop/start the services?
Or if we grant sudo, restrict them to run only those specific scripts & their sudo can't do anything else?

Q2:
Any way we can use SGID or SUID sticky bits to grant them without giving them root/sudo privileges?
sunhuxAsked:
Who is Participating?
 
dfkeConnect With a Mentor Commented:
Hi,

A1:

you can use sudo to let the user run just 1 specific command without a password:

Username ALL=(ALL) NOPASSWD: /gl/_ctron_/start1292

Open in new window

or if you want to let them also use arguments along with it:

Username ALL=(ALL) NOPASSWD: /gl/_ctron_/start1292 ARG1 ARG2

Open in new window


A2:

You can read up on SUID, SGID and Sticky bit here.

Cheers
1
 
sunhuxAuthor Commented:
Thanks very much;  is the above applicable for both Solaris 10 and AIX 7.x ?


Btw, Linux setuid is equivalent to SUID in Solaris?
0
 
sunhuxAuthor Commented:
One concern just raised by colleague: as we don't know what's in the Shell scripts, then
the apps team members could amend the script to put in any other commands, then
they would be able to do other unauthorized commands: so despite restricting to the
shell scripts stated, they can potentially do more
0
Improved Protection from Phishing Attacks

WatchGuard DNSWatch reduces malware infections by detecting and blocking malicious DNS requests, improving your ability to protect employees from phishing attacks. Learn more about our newest service included in Total Security Suite today!

 
arnoldConnect With a Mentor Commented:
You have to inspect the script, and the team will not be able to exit the script inde you setuid di de root will be the owner of the script in order for setuid to work and run the script as root.

Sudo is the way to go though your question outright rules it out making the issue more complex then it needs to be.

The other option, is yo have your own script that monitors a specific location where individuals have rights to create a fire that will function as a flag.
ServiceA
Your script running every minute, once it sees on of these files, removes the file, restarts the service, note make sure yo explicitly define which services you allow people to restart.

The script will run out of cron or similar scheduler...
1
 
arnoldCommented:
sudo can grant individuals access to singular and specific commands.
0
 
nociConnect With a Mentor Software EngineerCommented:
IMPORTANT: The users of the shell scripts should NOT be able to modify them....

best practice (IMHO)
- they deliver a set of scripts
- those are taken to another location and audited....
- if approved they are set to useage location (where they only have execute rights)
- setup  sudo to only allow the execute only ones to be used.

An option can be to use sudo only on the specific commands needed INSIDE the script.
(This still requires auditing & sandboxing the script).
2
All Courses

From novice to tech pro — start learning today.