NOPASSWD not working with sudo...

Status
Not open for further replies.

jxfish2

Technical User
Jan 24, 2002
183
US
I'm attempting to implement sudo on an HP-UX server.

I have certain commands that must be executed as a particular user, and can not use sudo to execute those commands directly, as the environment variables aren't picked up properly.

So, I am trying to authorize certain users to "su -" to those application specific user IDs to execute the commands directly...

I do NOT want to give out the application specific passwords, as I don't want anyone to login to these application specific user accounts directly...

What I am attempting is this:

visudo

# The following entry should allow members of the "users" group, or the user "user01", to "su -" to application specific user accounts, without knowing or entering a password:

%users localhost = NOPASSWD: /usr/bin/su - <APP_ID>

- OR -

user01 localhost = NOPASSWD: /usr/bin/su - <APP_ID>

Visudo doesn't complain about any syntax related errors when I exit and save the session...

When I log in as "user01" and then type "su - <APP_ID>", I'm still prompted for a password...

When I log in as any other user that belongs to the "users" group, I'm still prompted for a password...

I've tried using the actual system name in place of localhost...

I've tried using the full PATH to "su" ( /usr/bin/su )...

I don't know what else to try...

Is this a bug, or am I doing something wrong?

Any help would be much appreciated...

Again, this is on an HP-UX system, running 11.11 or 11.i...

TIA

Jxfish2
 
1) sudo will almost always ask for the user's password (not root's password) the first time you use it.

2) Instead of having su commands in sudoers, I suggest something like this:

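/usr/local/bin/app01
[tt]#!/bin/ksh
# Wrapper: users run this as themselves; it re-runs itself through sudo,
# and the root pass then switches to the application account.

TEST=`whoami`

case "${TEST}" in
"root") su - app01    # second pass: already root via sudo
;;

*) sudo "${0}"        # first pass: re-invoke this script through sudo
;;
esac
[/tt]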

In sudoers:
%user ALL = NOPASSWD: /usr/local/bin/app01

I don't have a similar thing to test with, but the idea is as follows:

Users should not have to worry about sudo or su.
A user executes the "app01" script as themselves. The app01 script determines who is running it; in this case the * case applies. app01 recalls itself with "sudo". The second iteration of itself will be run as "root", which is caught by the other case, and does something else - su to another user which presumably does something interesting.

Remember point #1. The first time a user uses sudo, it'll ask for *their* password.
 
Another thing to consider when implementing sudo is to try to avoid putting directories in the sudoers file. If you do, you could give them the ability to get a root prompt via sudo sh.

Craig
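
Added example, not part of any post in this thread: a small sh/awk lint for sudoers entries that flags the patterns discussed above (a su entry, a directory entry, a "localhost" host field, a line with no host part). The sample entries and the user, group and app names in them are constructed, and only single-line entries are handled.

```shell
#!/bin/sh
# Added example: lint single-line sudoers user specifications from stdin.
# Form handled: who host = [(runas)] [TAG:] cmd[, cmd ...]
# Aliases, Defaults, line continuations and escaped commas are not handled.
audit_sudoers() {
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ || /^[ \t]*(Defaults|[A-Za-z]+_Alias)/ { next }
    {
        eq = index($0, "=")
        if (eq == 0) { print NR ": SYNTAX no \"host =\" part"; next }
        split(substr($0, 1, eq - 1), lhs, " ")        # lhs[2] is the host list
        if (lhs[2] == "localhost")
            print NR ": HOST localhost matches only a machine named localhost"
        rhs = substr($0, eq + 1)
        nopw = (rhs ~ /NOPASSWD:/) ? " without a password" : ""
        gsub(/\([^)]*\)/, "", rhs)                    # drop (runas) lists
        gsub(/[A-Z]+:/, "", rhs)                      # drop tags like NOPASSWD:
        n = split(rhs, cmds, ",")
        for (i = 1; i <= n; i++) {
            split(cmds[i], w, " ")                    # w[1] is the command path
            k = split(w[1], p, "/"); base = p[k]
            if (w[1] == "ALL")
                print NR ": ALL every command allowed" nopw
            else if (w[1] ~ /\/$/)
                print NR ": DIR any program in " w[1] " allowed" nopw
            else if (base ~ /^(su|sh|ksh|csh|bash)$/)
                print NR ": SHELL " w[1] " gives an interactive shell" nopw
        }
    }'
}

# Constructed sample input (user, group and app names are placeholders).
sample_sudoers() {
    cat <<'EOF'
# constructed sudoers fragment
%users localhost = NOPASSWD: /usr/bin/su - app01
%users ALL = NOPASSWD: /usr/local/bin/app01
user01 ALL = /usr/local/bin/, (app01) /usr/bin/ksh
%users NOPASSWD: /usr/local/bin/app01
EOF
}

sample_sudoers | audit_sudoers
```

Each finding is printed as "line number: category message"; the wrapper-script entry on sample line 3 produces no finding.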

 
Hi,

I have changed my user passwd in an NIS environment, and the change is successful. I could log on from all the servers allowed to me. Then I log back in using the new passwd. When I do "sudo su -", the passwd is asked for, and when I type my new user passwd, my new passwd is not being taken; instead, my old user passwd is accepted. How do I make sudo recognize my new passwd?

Thx

Srid
 
sudo either needs to be configured to use NIS or else use it through some sort of PAM interface or something. It may not be linked against the NIS libraries.

 