[ale] sudo frustrations, help please

DJ-Pfulio DJPfulio at jdpfu.com
Tue Aug 25 12:06:35 EDT 2015


I thought he didn't want them both to run anything as root, just as the
2nd userid.

There is a way to do this - I've done it a few times for app-deployment
userids.  There are examples in the sudoers manpage. They were clear
last time I looked, but that was years ago.

Ok ... found that sudoers file. It is more complex than you need,
referencing many tool groups, limited hosts, limited users and specific
programs AND options for each - plus I probably shouldn't have a copy
anymore ... ;(  A few ideas:

# list the end users ...
User_Alias  FINANCE_YPU=user1,user2

# Build the app-deploy alias from different user-aliases
User_Alias APP_USERS=FINANCE_YPU,jd

# What account to run as?
Runas_Alias   APP_OPER=deploy5432

# exactly which commands should be allowed
Cmnd_Alias GEN_TOOLS=/usr/bin/mv,/usr/bin/rm,\
                        /usr/local/bin/gzip,/usr/local/bin/gunzip,\
                        /usr/sbin/tar,/bin/compress,/bin/uncompress

# Let APP  authorized users run GEN_TOOLS cmds on
# All hosts - no password
APP_USERS    ALL=(APP_OPER) NOPASSWD: GEN_TOOLS

Don't forget you can block specific commands too. Just put them into a
Cmnd_Alias, then block those with a ! ... after the included, desired
commands.



On 08/25/2015 11:27 AM, Jim Kinney wrote:
> Create a Linux group teamsysuser and add users to that group. In
> sudoers file
> %teamsysusers ALL=(ALL) NOPASSWD:ALL
> Or shortcut all of this and add them to the WHEEL group (on RHEL-like
> systems) and uncomment the WHEEL line in sudoers file.
> On Tue, 2015-08-25 at 11:18 -0400, Narahari 'n' Savitha wrote:
>> Here is the scenario I am trying to solve.
>>
>> teamsysuser => system account without a shell but has the following
>> entry in sudoers file
>>
>> teamssysuser ALL=(ALL) NOPASSWD:ALL
>>
>> ========================
>>
>> narahari => regular user 
>> robert => regular user
>>
>> ========================
>>
>> We want to be able to allow 
>> narahari and robert run commands as themselves and teamsysuser only.
>>
>> I have done some playing around sudoers file
>>
>> User_Alias      ALL_MY_USERS = narahari, robert
>> Runas_Alias     TEAM_SYS_USER = teamssysuser
>>
>> ......
>> .......
>> ....
>> ......
>> ......
>>
>> teamssysuser ALL=(ALL) NOPASSWD: ALL
>>
>> ALL_MY_USERS    ALL = (TEAM_SYS_USER) NOPASSWD:ALL
>>
>> =================================
>>
>> I am not sure if this is the right approach or conceptually am I
>> wrong ?
>>
>> -N 
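
Added example for this thread (not code from any of the posts above): a
small Python evaluator for the subset of sudoers syntax used here -
User_Alias, Runas_Alias, Cmnd_Alias, backslash continuation, %group users,
ALL, NOPASSWD:/PASSWD: tags and ! negation. Hosts are not checked and only
the program path is compared, not its arguments. The policy it loads is
constructed for the example: the fix for the original question (narahari and
robert may run things as teamssysuser, nothing as root), a ! exclusion, and
the group-based line from the reply. It also shows the caveat the sudoers
manpage gives under "Limitations of the '!' operator": when the positive
entry is ALL, excluding /usr/bin/rm is no protection, because a copy of rm
at another path still matches ALL. The real checks on a live system are
visudo -cf FILE and sudo -l -U USER; this script only makes a policy's
effect visible without root.

```python
"""Simplified sudoers evaluator (added example, not from the thread).

Supports the syntax used in this thread: User_Alias, Runas_Alias,
Cmnd_Alias, backslash continuation, '%group', ALL, NOPASSWD-style tags
and '!' negation. Hosts are ignored; command arguments are ignored.
"""
import re

ALIAS_KINDS = ("User_Alias", "Runas_Alias", "Cmnd_Alias", "Host_Alias")
ALIAS_RE = re.compile(r"(\w+_Alias)\s+(\w+)\s*=\s*(.*)")
# USERS HOSTS = (RUNAS) [TAG:] CMDS ; the (RUNAS) part is optional, default root
SPEC_RE = re.compile(r"(\S+)\s+(\S+?)\s*=\s*(?:\((.*?)\))?\s*(.*)")
TAG_RE = re.compile(r"(NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV):\s*(.*)")


def _split(s):
    return [x.strip() for x in s.split(",") if x.strip()]


def parse_sudoers(text):
    aliases = {k: {} for k in ALIAS_KINDS}
    specs = []
    for raw in text.replace("\\\n", "").splitlines():  # join continuation lines
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        m = ALIAS_RE.match(line)
        if m and m.group(1) in aliases:
            aliases[m.group(1)][m.group(2)] = _split(m.group(3))
            continue
        m = SPEC_RE.match(line)
        if not m:
            raise ValueError("unsupported sudoers line: %r" % raw)
        users, _hosts, runas, rest = m.groups()
        tags = set()
        while True:
            t = TAG_RE.match(rest)
            if not t:
                break
            tags.add(t.group(1))
            rest = t.group(2)
        specs.append({"users": _split(users),
                      "runas": _split(runas) if runas else ["root"],
                      "tags": tags, "cmds": _split(rest)})
    return {"aliases": aliases, "specs": specs}


def expand(aliases, kind, names):
    """Recursively expand alias names into (negated, value) pairs, in order."""
    out = []
    for n in names:
        neg = n.startswith("!")
        n = n.lstrip("!")
        if n in aliases[kind]:
            for sub_neg, v in expand(aliases, kind, aliases[kind][n]):
                out.append((neg != sub_neg, v))
        else:
            out.append((neg, n))
    return out


def _user_matches(entry, user, groups):
    if entry == "ALL":
        return True
    if entry.startswith("%"):
        return entry[1:] in groups
    return entry == user


def can_run(policy, user, groups, runas, command):
    """Return {'allowed': bool, 'nopasswd': bool}, or None if no entry matched.

    As in sudo, the *last* matching command entry decides, so '!CMD' only
    blocks CMD when it appears after the entry that granted it.
    """
    al = policy["aliases"]
    path = command.split()[0]
    result = None
    for spec in policy["specs"]:
        users = [u for neg, u in expand(al, "User_Alias", spec["users"]) if not neg]
        if not any(_user_matches(u, user, groups) for u in users):
            continue
        targets = [r for neg, r in expand(al, "Runas_Alias", spec["runas"]) if not neg]
        if not any(r in ("ALL", runas) for r in targets):
            continue
        for neg, c in expand(al, "Cmnd_Alias", spec["cmds"]):
            if c == "ALL" or c.split()[0] == path:
                result = {"allowed": not neg, "nopasswd": "NOPASSWD" in spec["tags"]}
    return result


# Constructed policy for this example (not from the thread).
SAMPLE_SUDOERS = """
User_Alias    ALL_MY_USERS = narahari, robert
Runas_Alias   TEAM_SYS_USER = teamssysuser
Cmnd_Alias    DANGEROUS = /usr/bin/rm, \\
                          /usr/bin/mv

teamssysuser  ALL = (ALL) NOPASSWD: ALL
ALL_MY_USERS  ALL = (TEAM_SYS_USER) NOPASSWD: ALL, !DANGEROUS
%teamsysusers ALL = (ALL) NOPASSWD: ALL
"""

if __name__ == "__main__":
    p = parse_sudoers(SAMPLE_SUDOERS)
    for args in [("narahari", [], "teamssysuser", "/bin/ls"),   # allowed, no password
                 ("narahari", [], "root", "/bin/ls"),           # None: nothing grants root
                 ("narahari", [], "teamssysuser", "/tmp/rm"),   # allowed: copy dodges '!'
                 ("robert", ["teamsysusers"], "root", "/bin/sh")]:  # group line = full root
        print(args, "->", can_run(p, *args))
```

The /tmp/rm case is the point of the manpage warning: the exclusion
matches only the exact path, while ALL matches everything else, so a
restrictive policy should list the allowed commands positively (as the
GEN_TOOLS alias above does) rather than subtract from ALL. The %teamsysusers
line shows why the group shortcut from the reply is a different grant: it
gives members of that group root, not just the team account.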
