[ale] sudo for a group to user how to please

Narahari 'n' Savitha savithari at gmail.com
Wed Apr 1 09:47:53 EDT 2015


Now that you put that, we may not get much from that approach.

What we really want is for a group to be able to run commands as the vips
user.

The idea here is that only one user is given permission to run commands on
Suse VM as super user without pw.

The members of the group puppet-folks should be able to run commands either
as that vips user or scripts owned by vips should be runnable by the
members of the group.

-Narahari

On Tue, Mar 31, 2015 at 7:43 PM, Alex Carver <agcarver+ale at acarver.net>
wrote:

> What is this going to get you?  If they can become the vips user then
> they can go up one more link in the chain and be root for anything.
> You're gaining nothing by allowing them to become the unrestricted vips
> user.  You might as well give them direct sudo access.
>
> On 2015-03-31 16:40, Narahari 'n' Savitha wrote:
> > Friends:
> >
> > Thank You folks for your time and reading this email.
> >
> > Here is the scenario
> >
> > I have a machine with a user called vips
> >
> > This vips user has sudo on the box to do pretty much anything
> > vips ALL = (ALL) NOPASSWD:ALL
> >
> > I have two other users narahari and zikka
> >
> > narahari and zikka belong to puppet-folks user group
> >
> > pupppet-folks:x:2100:narahari,zikka
> >
> >
> > The entry in the sudoers file is
> > %pupppet-folks ALL = (vips) ALL
> >
> > .......
> >
> > When I login as narahari on to the box, and I try the following command
> >
> > narahari at cdl-pid-c1-02:~> sudo su -u virtual
> > narahari's password:
> > Sorry, user narahari is not allowed to execute '/bin/su -u virtual' as root on cdl-pid-c1-02.
> >
> > I am at a loss.  The idea is that when either narahari or zikka logs in, they
> > should be able to get to a shell for the vips user.
> >
> > If not the shell, at least something like sudo su -u vips bash -c
> > "/home/vips/cool/loveTheWorld.sh"
> >
> > Please provide some thoughts or if I am going about this the wrong way
> > correct me please.
> >
> > -Narahari
> >
> >
> >
> > _______________________________________________
> > Ale mailing list
> > Ale at ale.org
> > http://mail.ale.org/mailman/listinfo/ale
> > See JOBS, ANNOUNCE and SCHOOLS lists at
> > http://mail.ale.org/mailman/listinfo
> >
>
>
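
The privilege chain discussed in this thread, checked mechanically. This is an added example, not part of the original messages: it follows unrestricted run-as rules transitively to see which accounts end up equivalent to root, using the sudoers and group lines quoted above plus one constructed command-restricted variant. It assumes a simplified one-line rule grammar (no aliases, Defaults, includes or negation); the function names are hypothetical.

```python
import re

# Simplified grammar (assumption): "who hosts = (runas) [NOPASSWD:] cmds",
# one rule per line; no aliases, Defaults, includes or negation.
RULE = re.compile(r"^(\S+)\s+\S+\s*=\s*\(([^)]*)\)\s*(?:NOPASSWD:\s*)?(.+)$")

def parse_groups(group_lines):
    """Map group name -> set of members from /etc/group style lines."""
    groups = {}
    for line in group_lines:
        name, _pw, _gid, members = line.strip().split(":")
        groups[name] = {m for m in members.split(",") if m}
    return groups

def unrestricted_edges(sudoers_lines, groups):
    """Return {user: run-as targets} for rules whose command list is ALL."""
    edges = {}
    for line in sudoers_lines:
        m = RULE.match(line.strip())
        if not m:
            continue
        who, runas, cmds = m.groups()
        if cmds.strip() != "ALL":
            continue  # a restricted command list is not a full "become"
        users = groups.get(who[1:], set()) if who.startswith("%") else {who}
        targets = {t.strip() for t in runas.split(",")}
        for u in users:
            edges.setdefault(u, set()).update(targets)
    return edges

def reaches_root(user, edges):
    """Follow run-as edges transitively; (ALL) or (root) means root."""
    seen, stack = set(), [user]
    while stack:
        cur = stack.pop()
        if cur in seen:
            continue
        seen.add(cur)
        for target in edges.get(cur, ()):
            if target in ("ALL", "root"):
                return True
            stack.append(target)
    return False

# Lines as quoted in the thread, then a constructed command-restricted variant.
GROUPS = parse_groups(["pupppet-folks:x:2100:narahari,zikka"])
AS_POSTED = ["vips ALL = (ALL) NOPASSWD:ALL", "%pupppet-folks ALL = (vips) ALL"]
RESTRICTED = ["vips ALL = (ALL) NOPASSWD:ALL",
              "%pupppet-folks ALL = (vips) /home/vips/cool/loveTheWorld.sh"]
```

With the rules as posted, both group members reach root through vips; with the restricted rule they do not through sudo alone. The script still runs as an account with passwordless root, so its contents and file permissions remain part of the trust boundary.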