LinuxQuestions.org


ZAMO 04-14-2010 04:19 PM

sudo setup
 
Here is another sudo posting from me.

I have a user x who belongs to group X and a user y who belongs to group Y. These two groups are not related to each other by any means.

I want user x to sudo into y as

sudo su - y

How can I set that up? I don't want others in group Y to do that.

troop 04-14-2010 04:41 PM

/etc/sudoers
Code:

x ALL=(y) ALL

The user x may run any command on any host, but only as y.
E.g.
Code:

sudo -u y /bin/ls
sudo su y

By default, sudo requires that a user authenticate himself before running a command.

ZAMO 04-14-2010 04:52 PM

troop,

Do you mean in /etc/sudoers? I am using Redhat EL4.

troop 04-14-2010 05:01 PM

Yes, add the string to your /etc/sudoers.

custangro 04-14-2010 05:54 PM

Quote:

Originally Posted by ZAMO (Post 3935706)
troop,

Do you mean in /etc/sudoers? I am using Redhat EL4.

Edit the file with the visudo command

unSpawn 04-14-2010 06:39 PM

Quote:

Originally Posted by troop (Post 3935694)
Code:

x ALL=(y) ALL

This line lets user "x" run ALL commands on ALL hosts as Runas_Alias "y". While the OP remains responsible for questioning the quality and effect of any "advice" given that is NOT what the OP is asking for. Even worse this deliberately weakens security posture without you warning him. I strongly suggest you edit your post to reflect this. If you don't or won't then please keep from posting "advice".

troop 04-15-2010 01:40 AM

Quote:

Originally Posted by unSpawn (Post 3935777)
While the OP remains responsible for questioning the quality and effect of any "advice" given that is NOT what the OP is asking for.

Quote:

Originally Posted by ZAMO (Post 3935670)
I want user x to sudo into y

Why not?

Quote:

Originally Posted by unSpawn (Post 3935777)
Even worse this deliberately weakens security posture without you warning him. I strongly suggest you edit your post to reflect this.

ok.

Valery Reznic 04-15-2010 02:22 AM

Quote:

Originally Posted by unSpawn (Post 3935777)
This line lets user "x" run ALL commands on ALL hosts as Runas_Alias "y". While the OP remains responsible for questioning the quality and effect of any "advice" given that is NOT what the OP is asking for. Even worse this deliberately weakens security posture without you warning him. I strongly suggest you edit your post to reflect this. If you don't or won't then please keep from posting "advice".

I don't see how it weakens security. OP asked for 'su -y' for x.
After 'su -y' x can do whatever y can do.

troop suggested a solution that allows running any command as y. Why is it weaker security?
It seems to me that in both cases x can do anything y can.

unSpawn 04-15-2010 02:42 AM

The fact that allowing user x to 'su' to y undermines the purpose of Sudo should be mentioned, yes, and while you're right to conclude that after 'su' x can do whatever y can do, the OP asked for a specific command, which is in line with the purpose of Sudo: to allow granular control over what specific commands a user may run.

Valery Reznic 04-15-2010 03:12 AM

Quote:

Originally Posted by unSpawn (Post 3936094)
The fact that allowing user x to 'su' to y undermines the purpose of Sudo should be mentioned, yes, and while you're right to conclude that after 'su' x can do whatever y can do, the OP asked for a specific command, which is in line with the purpose of Sudo: to allow granular control over what specific commands a user may run.

Quote:

I want user x to sudo into y as

sudo su - y

It doesn't look to me like the OP wants granular control.

And I don't think it undermines the purpose of Sudo:
after all ALL is built into sudo exactly for the cases OP asked about.

ZAMO 04-15-2010 04:50 PM

Thanks to everyone here for helping me.

It worked for me with

Code:

x ALL=ALL

There are no security concerns, as user "x" has no access to other servers.
I am sorry to say, it may be my fifth (or more) posting here regarding sudo. I don't know why I am allergic to "sudo". I have to learn a lot in sudo.

Thanks again for a useful discussion from all.
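
Added example, not part of any post in this thread: a small Python sketch that reads the sudoers lines discussed above and reports what each one grants, including the default target of root when no `(runas)` part is given. The third rule, with its `/bin/su` path, is an assumption showing a narrower form of the `sudo su - y` request; the parser handles only simple one-line specs.

```python
import re

# Simplified grammar: "user host = [(runas)] cmd[, cmd ...]".
# Assumption: one spec per line; no aliases, tags (NOPASSWD:) or continuations.
SPEC = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>[^=\s]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]+)\)\s*)?(?P<cmds>.+)$"
)

# First two rules are quoted from the thread; the third is an assumed
# narrower rule (the /bin/su path is an assumption, check it on your host).
RULES = [
    "x ALL=(y) ALL",
    "x ALL=ALL",
    "x ALL=(root) /bin/su - y",
]

def explain(line):
    """Return who may run what, and as whom, for one sudoers line."""
    m = SPEC.match(line.strip())
    if m is None or m.group("cmds").startswith("("):
        raise ValueError("unsupported sudoers line: %r" % line)
    # With no (runas) part, sudo runs the command as root.
    runas = [u.strip() for u in (m.group("runas") or "root").split(",")]
    cmds = [c.strip() for c in m.group("cmds").split(",")]
    target = "any user" if "ALL" in runas else ",".join(runas)
    if "ALL" in cmds:
        scope = "any command as " + target
    else:
        scope = "listed commands only as " + target
    return {"user": m.group("user"), "host": m.group("host"),
            "runas": runas, "commands": cmds, "scope": scope}

def audit(lines):
    """Map each rule to its scope, skipping blanks and comments."""
    rules = [l for l in lines if l.strip() and not l.lstrip().startswith("#")]
    return [(l.strip(), explain(l)["scope"]) for l in rules]

if __name__ == "__main__":
    for rule, scope in audit(RULES):
        print("%-28s -> %s" % (rule, scope))
```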

