LinuxQuestions.org
Old 10-25-2010, 11:42 PM   #1
fernfrancis
sudo install


I have AIX 5.3 installed in my environment here. I am new to AIX so I don't know how this is to be done. If someone can help me,
I need to install sudo and configure this for a particular user.

ALLOW:

/usr/bin/crontab -l
/usr/bin/dsmc
/usr/bin/su - *
/usr/bin/find
/usr/bin/ls -la *
/usr/bin/du
/usr/bin/lsof

DISALLOW:

!/usr/bin/su - root, !/usr/bin/su root, !/usr/bin/su - ctxsrvr, !/usr/bin/su - ctxssl, !/usr/bin/su - ingres, !/usr/bin/su - ba, !/usr/bin/su - hvr, !/usr/bin/su - rpl_*, !/usr/bin/su - monjami, !/usr/bin/su - oracle, !/usr/bin/su - mtt, !/usr/bin/su - fax, !/usr/bin/su ctxsrvr, !/usr/bin/su ctxssl, !/usr/bin/su ingres, !/usr/bin/su ba, !/usr/bin/su hvr, !/usr/bin/su rpl_*, !/usr/bin/su monjami, !/usr/bin/su oracle, !/usr/bin/su mtt, !/usr/bin/su fax



Please help.
 
Old 10-26-2010, 04:23 PM   #2
MensaWater
Haven't done it on AIX (I have on Linux, HP-UX and Solaris) but typically you'd install sudo then modify the sudoers file using the visudo command.

Basically you set up something like the following in sudoers:
Code:
# User Aliases
User_Alias      <UALIASNAME>  = <login1>[,<login2>] [...]
Here you decide what user alias name to give (e.g. you could call it SPECUSER for "special user" or "billybob" just because you like that name). The login ids are the ones that appear in /etc/password. You can have more than one separated by comma. (Note the brackets are not literal so shouldn't appear in the file.)

Code:
# Command Aliases
Cmnd_Alias      <CALIASNAME1> = /usr/bin/su - <userid1>
Cmnd_Alias      <CALIASNAME2> = /usr/bin/su - <userid2>
Cmnd_Alias      LSOF = /usr/bin/lsof
Here again you decide the alias names you want (we typically base these on the user id we want to allow su access to). For example you might put:
"Cmnd_Alias ORACLE = /usr/bin/su - oracle". The 3rd line is how you grant access to the LSOF command. (The alias name doesn't have to be LSOF - it could be anything you want so long as it is unique within the sudoers file.)

Code:
# Grants
<UALIASNAME> ALL = <CALIASNAME1>[,<CALIASNAME2>] [...]
Here you use the user alias you created and add all the command aliases you want logins in that user alias to have access to. (The "ALL" means all machines but unless you've defined other machines in the sudoers file it doesn't actually give access to any other machines.)
So your final grant might look like:
SPECUSER ALL = ORACLE, LSOF

That would give the logins in SPECUSER access to "su - oracle" and "/usr/bin/lsof".

Note that rather than giving "sudo su - *" and excluding all other user IDs you should do the opposite. Give ONLY "sudo su -" to the IDs you want. You can create a Cmnd_Alias for each ID the user should have access to. By doing this you prevent them from gaining access to a new account they shouldn't have access to later. Personally I can't see any reason any user (other than system administrators) should be allowed to sudo to all other users - it should typically be reserved to admin accounts. If you allow this person to sudo to fred's account for example he might do things as fred that would be logged as being done by fred for which fred might get fired. We do have multiple administrative accounts that we allow users to access as shown above but none that allow one "real" user to become another "real" user. Note that there is a security log for sudo so you can tell when they become another user but won't see what they did once they became that user. However, if you really want to do it the way you said you can in fact negate access by doing that on the grant line.

P.S. I thought AIX had some built in tool that granted root access like sudo but accessed via smitty. Haven't used that but have a vague recollection of seeing it mentioned somewhere.

Last edited by MensaWater; 10-26-2010 at 04:27 PM.
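
The advice in the reply above (grant su only to named IDs rather than "su - *" with exclusions), as an added example that is not part of either post: a small Python check that flags both patterns in sudoers text. The two samples are constructed; "appadmin" and SU_ANY are hypothetical names, and the parser only understands the simple alias and grant lines shown in this thread.

```python
import re

# Constructed sample, question's style (appadmin and SU_ANY are hypothetical).
DENYLIST_STYLE = """\
User_Alias SPECUSER = appadmin
Cmnd_Alias SU_ANY = /usr/bin/su - *
Cmnd_Alias LSOF = /usr/bin/lsof
SPECUSER ALL = SU_ANY, LSOF, !/usr/bin/su - root, !/usr/bin/su root
"""

# Constructed sample in the answer's style: one alias per permitted target ID.
ALLOWLIST_STYLE = """\
User_Alias SPECUSER = appadmin
Cmnd_Alias ORACLE = /usr/bin/su - oracle
Cmnd_Alias LSOF = /usr/bin/lsof
SPECUSER ALL = ORACLE, LSOF
"""

def su_target_is_open(cmd):
    """True for su with a wildcard target, or with no arguments listed (any are then allowed)."""
    parts = cmd.split()
    if not parts or not parts[0].endswith("/su"):
        return False
    return len(parts) == 1 or any(c in a for a in parts[1:] for c in "*?[")

def audit(sudoers_text):
    """Return (line_no, finding) pairs; no Runas specs, tags or continuations."""
    aliases, findings = {}, []
    for no, raw in enumerate(sudoers_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        m = re.match(r"([A-Za-z]+)_Alias\s+([A-Z][A-Z0-9_]*)\s*=\s*(.+)", line)
        if m:
            if m.group(1) == "Cmnd":
                aliases[m.group(2)] = [c.strip() for c in m.group(3).split(",")]
            continue
        # Grant line: expand each alias into its underlying commands.
        for item in (i.strip() for i in line.split("=", 1)[1].split(",")):
            spec = item.lstrip("! ")
            for cmd in aliases.get(spec, [spec]):
                if item.startswith("!"):
                    findings.append((no, "deny-list entry: " + cmd))
                elif su_target_is_open(cmd):
                    findings.append((no, "su to any account: " + cmd))
    return findings

if __name__ == "__main__":
    print(audit(DENYLIST_STYLE), audit(ALLOWLIST_STYLE))
```

The deny-list sample produces three findings on its grant line and the allow-list sample produces none. Edit the real file with visudo, as the reply says, so syntax errors are caught before the file is saved.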