[dthacker]

I'm using sudo from the
pWare - AIX Open Source software for IBM AIX 5.3 and 6.1
site.
Here's what I'm trying to do.
I have a power user called "rtkprd" that several people now use. I want stop all logins with this user id, and force the users to login under their own id, then sudo to rtkprd. For example, I would log into the system as "thackerd" and then sudo to "rtkprd" to run the privileged commands.

My /etc/sudoers file has only a few lines at this point. It looks like this:

Code:

#Defaults
Defaults logfile=/var/log/sudo


#User privilege specification
root    ALL=(ALL)  ALL
thackerd  ALL = (rtkprd) ALL

I'm expecting to be able to login as thackerd, then "sudo -i rtkprd" to get rtkprd's powers. Instead I'm getting this error:

Code:

/home/thackerd> sudo -i rtkprd

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

Password:
Sorry, user thackerd is not allowed to execute '/usr/bin/ksh rtkprd' as root on rtkdev.mydomain.local.

How can I fix this?

Thanks in Advance!
Dave

[ross.mather]

I've done this several ways, the specific error means you need to enable:

thackerd ALL = (rtkprd) /usr/bin/ksh

You could also create a group to access this:

%access_trk = (rtkprd) /usr/bin/ksh

And add all the relevant users to the group.

I've also done this by enabling su - rtkprd as a root action for the specific users.

[dthacker]

I don't think we've got the recipe yet. I've created a little shell script called /usr/local/bin/only_rtkprd.sh. I've set the mode on it to 700.

Then I simplified my /etc/sudoers file like this:

Code:

 
Defaults logfile=/var/log/sudo
root    ALL = (ALL) ALL
thackerd        ALL = (rtkprd)  /usr/local/bin/only_rtkprd.sh

And I tried to run the script by using sudo:

Code:

 
/home/thackerd> id
uid=516(thackerd) gid=1(staff) groups=206(rtkprd)
/home/thackerd> sudo /usr/local/bin/only_rtkprd.sh
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.
Password:
Sorry, user thackerd is not allowed to execute '/usr/local/bin/only_rtkprd.sh' as root on rtkdev.mydomain.local.

Same problem, can't execute the script and AIX thinks I'm trying to execute as root. That really baffles me because I've got (rtkprd) for the user that the script should be run as.

I also tried this with the %groupname approach. My user id is a member of the group "rtkprd" (see screenshot above) I tried this setup in /etc/sudoers:

Code:

 
#Defaults
Defaults logfile=/var/log/sudo
root    ALL = (ALL) ALL
%rtkprd ALL = (rtkprd)          /usr/local/bin/only_rtkprd.sh

I get the same error message. Again, why does sudo or AIX think I'm trying to execute as root?

I'm baffled.

Dave

[j.gann]

look at sudo's -u option