LinuxQuestions.org
Download your favorite Linux distribution at LQ ISO.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 02-03-2015, 10:39 AM   #1
Westmoreland
LQ Newbie
 
Registered: Oct 2012
Location: Groves, Texas
Distribution: RHEL
Posts: 13

Rep: Reputation: Disabled
sudo to user other than root but do not allow sudo to root


I have a set of RHEL 5 boxes running our ERP software on Oracle databases. I need to allow my DBA's to su to oracle and one other account (banner) without knowing the oracle or banner password. But I need to prevent them from su'ing to any other user especially root. I only want them to be able to switch to the oracle user or the banner user. I've recreate the accounts on a test system to try and work through my confusion and better understand how to use sudo before implementing it on my production systems.

Typically the user changes to these accounts like this:

>sudo su - oralce

They are then prompted to enter their own password and it lets them in. The problem is that they can use the command to become root, or any other user, as well.

I have a group on my system (enterpriseapps) which contains the users I want to grant access to. I edited my /etc/sudoers file. Here's how it looks:

Code:
User_Alias DBA = %enterpriseapps
Runas_Alias ORACLE = oracle, banner
#Cmnd_Alias SU = !/bin/su -, !/bin/su *root*, !/usr/bin/su -, !/usr/bin/su *root*, /usr/bin/su - oracle, /usr/bin/su - banner, /bin/su - oracle, /bin/su - banner
Cmnd_Alias SU = /usr/bin/su - oracle, /usr/bin/su - banner, /bin/su - oracle, /bin/su - banner

%sysadmin       ALL=(ALL)       ALL
DBA             ALL=(ORACLE)    NOPASSWD: SU
So, if I understand it correctly, users in the DBA User_Alias should be able to run from any system (ALL) as users in the ORACLE Runas_Alias with NOPASSWD and they should only be able to run the commands in the SU Cmnd_Alias. Of course, I have my sysadmin group setup so that they can become root.

So I configured my Cmnd_Alias two different ways but they both give me same result:

Quote:
[jonesc@rhcsa03r5v ~]$ sudo su - oracle
[sudo] password for jonesc:
Sorry, user jonesc is not allowed to execute '/bin/su - oracle' as root on rhcsa03r5v.lamar.edu.
I've been researching this for days now and still having issues. Anybody got any ideas about what I'm missing here? I'm sure I have misconfigured, just can't see the error.
 
Old 02-03-2015, 10:57 AM   #2
linosaurusroot
Member
 
Registered: Oct 2012
Distribution: OpenSuSE,RHEL,Fedora,OpenBSD
Posts: 982
Blog Entries: 2

Rep: Reputation: 244Reputation: 244Reputation: 244
wrong
Quote:
DBA ALL=(ORACLE) NOPASSWD: SU
right
Quote:
DBA ALL=NOPASSWD: SU
 
Old 02-03-2015, 11:11 AM   #3
Westmoreland
LQ Newbie
 
Registered: Oct 2012
Location: Groves, Texas
Distribution: RHEL
Posts: 13

Original Poster
Rep: Reputation: Disabled
That's awsome. So, I assume that because I specified the commands that could run sudo limits users to just those specific commands? Which would make my first Cmnd_Alias, the one that uses the not operator (!) pointless? That definitely solved my issue for now. Thanks you very much.
 
Old 02-03-2015, 11:48 AM   #4
linosaurusroot
Member
 
Registered: Oct 2012
Distribution: OpenSuSE,RHEL,Fedora,OpenBSD
Posts: 982
Blog Entries: 2

Rep: Reputation: 244Reputation: 244Reputation: 244
The right command is this one
Code:
$ sudo su - oracle
which means run su as root (and get a shell as oracle). If you run su as oracle su will ask for the root password and you don't want that.

Definitely do not use the not operator. The sudoers man page explains.
http://www.ranum.com/security/comput...itorials/dumb/
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
sudo: effective uid is not 0, is sudo installed setuid root? awladnas Linux - Newbie 10 08-30-2014 06:03 PM
Question about the sudo command, specifically how to have sudo act as if user is root slacker_ Linux - Newbie 17 09-22-2013 03:48 PM
User is Not Able to sudo su -l root devUnix Linux - Server 22 08-14-2013 06:52 AM
Can't use sudo, only account that's not root is not a sudo'ers [Ubuntu 9.10] randyriver10 Linux - Desktop 1 01-09-2010 07:56 PM
SUDO as *non-root* user spratty Linux - Newbie 3 05-19-2004 03:35 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 07:57 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration