I have two users in my AIX system: appadmin (application admin) and appuser (application user).
The application admin user has special permission to run everything about this application.
I have one script called /usr/app.sh.
Only appadmin has permission to run this script.
Using sudo, I want to let appuser run this script.
As root, I have configured the system as follows:
visudo
%appuser ALL=( appadmin) /usr/app.sh
As per the above configuration, appuser should have permission to run sudo and should be able to execute that script.
When appuser logs in to the system and types sudo -l:
User appuser may run the following commands on this host:
(appuser) /usr/app.sh
Everything is OK till now, but when he tries to execute that command with sudo he gets the below:
$ sudo /usr/app.sh
Sorry, user appuser is not allowed to execute '/usr/app.sh' as root on Appserver.
Why is it saying "as root"? I configured sudo to run that script as appadmin, so why is he not allowed to execute that script?
Unless you want to post the entire sudoers file, I'm not sure I can help you much more. Can you check to see if there are additional lines that feature the appadmin user or the groups to which it belongs further on in the sudoers file? Sometimes these can overwrite rather than add to the privileges.
This is exactly what ross.mather is trying to tell you: it might well be that other parts of the /etc/sudoers file are contradicting the part you have posted. So please post a C-O-M-P-L-E-T-E /etc/sudoers file (btw.: wrapping code-tags around it would be a nice touch) and not just the part you think is interesting.
I suppose you have double-checked the file modes for "/usr/app.sh" to make sure appadmin has indeed execution rights, haven't you?
No sudo expert here, but I do use it, and I was thinking that the % sign in front of a value was to allow everyone in that group to execute the command. You said you have two different users, not two different groups. Maybe it works the same for users as well, so I may be off base here, and if so I apologize for muddying up the water even worse.
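An added example, not part of any post in this thread: a simplified shell check of the posted rule against a request, showing the two things the thread circles around. In sudoers a leading % names a group rather than a user, and sudo targets root unless a user is named with -u, so a rule whose run-as user is appadmin does not cover a plain "sudo /usr/app.sh". The function name, its arguments and the group memberships passed in are assumptions made for illustration; it handles a single rule and is not a sudoers parser.

```shell
#!/bin/sh
# Simplified check of ONE sudoers rule "WHO HOST=(RUNAS) COMMAND" against a
# request. Not a sudoers parser: no aliases, lists, tags or Defaults.
# usage: sudo_rule_allows RULE USER "USER_GROUPS" TARGET COMMAND
#   USER_GROUPS  space-separated groups of USER (passed in, not looked up)
#   TARGET       the user named with "sudo -u"; empty means sudo's default, root
sudo_rule_allows() {
    rule=$1 user=$2 ugroups=$3 target=${4:-root} cmd=$5

    who=${rule%% *}            # first field: a user name, or %group
    rest=${rule#*=}            # everything after "HOST="
    case $rest in
        *"("*")"*) runas=${rest#*"("}; runas=${runas%%")"*}
                   rule_cmd=${rest#*")"} ;;
        *)         runas=root; rule_cmd=$rest ;;   # no (RUNAS) part: root
    esac
    runas=$(printf '%s' "$runas" | tr -d '[:space:]')
    rule_cmd=$(printf '%s' "$rule_cmd" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')

    case $who in
        %*) grp=${who#?}       # %name is a group, not a user
            case " $ugroups " in
                *" $grp "*) ;;
                *) printf 'deny: %s is not in group %s\n' "$user" "$grp"; return 1 ;;
            esac ;;
        *)  [ "$who" = "$user" ] || { printf 'deny: rule names user %s\n' "$who"; return 1; } ;;
    esac
    if [ "$runas" != ALL ] && [ "$runas" != "$target" ]; then
        printf 'deny: rule lets %s run as %s, request is to run as %s\n' "$user" "$runas" "$target"
        return 1
    fi
    [ "$rule_cmd" = "$cmd" ] || { printf 'deny: rule covers %s only\n' "$rule_cmd"; return 1; }
    printf 'allow: %s may run %s as %s\n' "$user" "$cmd" "$target"
}

# Constructed input: the rule from the thread; group membership is an assumption.
RULE='%appuser ALL=( appadmin) /usr/app.sh'
sudo_rule_allows "$RULE" appuser "appuser staff" ""       /usr/app.sh || true  # sudo /usr/app.sh
sudo_rule_allows "$RULE" appuser "appuser staff" appadmin /usr/app.sh || true  # sudo -u appadmin /usr/app.sh
sudo_rule_allows "$RULE" appuser "staff"         appadmin /usr/app.sh || true  # not in group appuser
```

The first call reproduces the denial quoted in the question; the second is the same request with the run-as user given explicitly.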
As system admin I decided not to give shell access to users and even application admins on production systems.
I give them access via a simple webpage and the menus are suid capable.
So, even root commands can be granted to someone's menu.
I like the fact that no commandline trying or messups are possible.