Any alternate to sudo

Status
Not open for further replies.

KPKIND

Technical User
Sep 8, 2003
130
IN
Hi *,

I have a requirement where the operator needs to kill the users who have logged in to the application, so thought it would be worth if I use sudo. But the number of operators whom I have to give access to the kill command is around 6, which worries me a bit. Just to let you know, all these operators go in to a menu-driven program as soon as they log in and all the key sequences are trapped. Is it still a threat to the system or a compromise of the security? If so, it would be great if someone let me know an alternative for this situation.

Thanks

Kumar
 
As long as you set restrictions/allowables appropriately, I wouldn't see a problem. Isn't that what sudo's for?
 
Yes, the purpose of sudo is that, but I am just worried a bit only because the access I am allowing is for the command "kill".

Cheers

Kumar
 
I take your point (and missed it earlier!). I guess it comes down to how much you trust your operators, and what management procedures are in place to prevent misuse. As long as you have an audit trail it shouldn't be an issue IMHO.
 
Yes, we trust our operators but trying to even eliminate that last chance of misuse, that's all. Is there any alternate route for this task?
 
Is this a one-off requirement? i.e. do they need to kill users on an individual basis or just everyone in the application? If the latter then could you not invoke a root level script with sudo - they wouldn't have access to the kill command then.

Alex
 
This sounds better... What I will do is, I will keep the code to kill the users in a script owned by root and run this script using sudo from the operators' program...

Thanks a lot
Kumar
 
Make sure the script owned by root is only writeable by root. This is a better solution than giving access to kill.
 
Also be sure that the script does its own logging of what it does, since the sudo log will only show that the script itself was run.



Rod Knowlton
IBM Certified Advanced Technical Expert pSeries and AIX 5L
CompTIA Linux+
CompTIA Security+

 
I do something along these lines where the user name is passed to the script as a parameter so the Help Desk operators can run
Code:
kill_proc.ksh <user name>
The first thing that kill_proc.ksh does is to check that the UID of <user name> is > 1000 - i.e. not root!
Alternatively you can edit the sudoers file to prevent certain users being used as a parameter. Check the web site which has examples of this using passwd (which you might also want to give your Help Desk operators like we have).
I don't want to sound like a salesman but sudo is the biz when granting functions to the Help Desk (and no - I don't have shares in them!)

Columb Healy
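
The suggestions in this thread (a root-owned wrapper run through sudo, a UID check on the target, and the script's own logging) combined into one sketch. This is an added example, not code from any of the posters; the file name, syslog tag, username pattern and the choice of SIGTERM are assumptions.

```shell
#!/bin/sh
# kill_proc.sh (hypothetical name): end one ordinary user's processes.
# Intended to be owned by root, mode 0700, and run only through sudo.

MIN_UID=1000      # threshold from the thread: target UID must be > 1000
TAG=kill_proc     # syslog tag (assumption)

# Accept only plain account names, so nothing can be read as an option.
valid_username() {
    case "$1" in
        ''|[!a-z_]*|*[!a-z0-9_-]*) return 1 ;;
    esac
    return 0
}

# True only for numeric UIDs above the threshold (root and system IDs fail).
uid_allowed() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -gt "$MIN_UID" ]
}

# The script's own audit record; sudo sets SUDO_USER to the calling operator.
audit() {
    logger -t "$TAG" -p auth.notice "operator=${SUDO_USER:-unknown} $*"
}

main() {
    target=$1
    # The raw argument is not logged when it fails validation.
    valid_username "$target" || { audit "REFUSED invalid name"; return 2; }
    uid=$(id -u "$target" 2>/dev/null) || { audit "REFUSED unknown user $target"; return 2; }
    uid_allowed "$uid" || { audit "REFUSED target=$target uid=$uid"; return 3; }
    pids=$(ps -u "$target" -o pid=)
    [ -n "$pids" ] || { audit "NOOP target=$target no processes"; return 0; }
    audit "KILL target=$target uid=$uid pids=$(echo $pids)"
    # Word splitting of the PID list is intended here.
    kill -TERM $pids
}

# Run only when called as: kill_proc.sh <user name>
if [ "$#" -eq 1 ]; then
    main "$1"
    exit $?
fi
```

Because the sudo log records only that the wrapper ran, the `logger` lines are what tie each kill or refusal to a specific operator and target.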
 