Help with sudo

Status
Not open for further replies.

Neely

Technical User
May 14, 2007
6
IN
I can't seem to figure out how to allow a user to run a command through sudo as another user without having to supply the password.
I think I'm confused about Runas_Alias?

And if you know of any sudo sites other than for examples...

Thanks,
 
Take a look at the manual page for sudoers (man sudoers) and look for the section on NOPASSWD. To quote:

NOPASSWD and PASSWD
    By default, sudo requires that a user authenticate him or
    herself before running a command. This behavior can be
    modified via the NOPASSWD tag.

This should let you set up commands to run without entering a password.
 
I believe I understand about using NOPASSWD; it's that I need to have the user (userA) run a command to start and stop a program. This program only starts correctly when run by another user ID (userB).
i.e.: userA runs > sudo programs_name
And when I check the components of the program running (ps -ef), they are all owned
by root and not userB.
I have also tried userA running > sudo -u userB program_name

Hope that made sense.

Thanks,
 
I think I understand what you're trying to do a little better now :) I've knocked together a bit of a contrived example that should allow you to do what you want:

    User_Alias  ADMINS = adam, bob, chuck

    Runas_Alias OP = des, earl, fred

    Host_Alias  SPARC = sun1, sun2, sun3

    greg  SPARC = (OP) NOPASSWD: /usr/local/bin/start_service,\
                  (OP) /usr/local/bin/stop_service

The User_Alias line says that whenever we use ADMINS in the sudoers file, we are talking about adam, bob, and chuck.

The Runas_Alias says that when we refer to OP we are referring to des, earl, and fred.

The Host_Alias sets up SPARC as referring to the servers sun1, sun2, and sun3.

The last entry is for the user "greg". It says that on any of the SPARC boxes, he may run /usr/local/bin/start_service or /usr/local/bin/stop_service as any of the users des, earl, or fred. However, when starting the service greg wouldn't have to enter a password because the "NOPASSWD" flag is set.

Hope this helps.
 
From the sudo home page:

NOPASSWD and PASSWD
By default, sudo requires that a user authenticate him or herself before running a command. This behavior can be modified via the NOPASSWD tag. Like a Runas_Spec, the NOPASSWD tag sets a default for the commands that follow it in the Cmnd_Spec_List. Conversely, the PASSWD tag can be used to reverse things. For example:

    ray    rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm

would allow the user ray to run /bin/kill, /bin/ls, and /usr/bin/lprm as root on the machine rushmore without authenticating himself. If we only want ray to be able to run /bin/kill without a password the entry would be:

    ray    rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm
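
The rule quoted from the sudo documentation above (a Runas_Spec or NOPASSWD tag carries forward to the commands that follow it until PASSWD reverses it) can be checked mechanically when reviewing sudoers entries. The Python below is an added example, not part of the thread or of sudo; the function names `effective_specs` and `passwordless` are hypothetical, and it assumes a single user spec with no alias expansion, no escaped commas and no tags other than NOPASSWD/PASSWD. It is run over the two entries posted in this thread.

```python
import re

# Constructed inputs: the two user specs posted in the thread.
GREG = ("greg  SPARC = (OP) NOPASSWD: /usr/local/bin/start_service,\\\n"
        "              (OP) /usr/local/bin/stop_service")
RAY = "ray    rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm"

RUNAS = re.compile(r"\(([^)]*)\)\s*")            # optional (Runas_Spec)
TAG = re.compile(r"(NOPASSWD|PASSWD)\s*:\s*")    # only the tags discussed here
# Commas separate Cmnd_Specs, except inside a parenthesised runas list.
SPEC_SEP = re.compile(r",(?![^(]*\))")


def effective_specs(entry):
    """Return (user, host, runas, command, needs_password) per command.

    Assumption: one 'user host = Cmnd_Spec_List' entry, aliases left
    unexpanded, no escaped commas, no other tags.
    """
    entry = entry.replace("\\\n", " ")           # join continuation lines
    who, spec_list = entry.split("=", 1)
    user, host = who.split()
    runas, needs_password = "root", True         # defaults before any spec
    rows = []
    for item in SPEC_SEP.split(spec_list):
        item = item.strip()
        m = RUNAS.match(item)
        if m:                                    # a Runas_Spec persists
            runas, item = m.group(1).strip(), item[m.end():]
        m = TAG.match(item)
        while m:                                 # a tag persists until reversed
            needs_password = m.group(1) == "PASSWD"
            item = item[m.end():]
            m = TAG.match(item)
        rows.append((user, host, runas, item.strip(), needs_password))
    return rows


def passwordless(entry):
    """Commands in the entry that sudo will run without authentication."""
    return [cmd for _, _, _, cmd, needs in effective_specs(entry) if not needs]


if __name__ == "__main__":
    for entry in (GREG, RAY):
        for user, host, runas, cmd, needs in effective_specs(entry):
            auth = "password" if needs else "NO password"
            print(f"{user}@{host} as {runas}: {cmd} ({auth})")
```

On a live system, `sudo -l -U <user>` lists what sudo itself resolved for that user and is the authoritative check.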
 