Sudo help needed

Scenario: I have two servers, A and B. Server A is using autosys to connect to server B via ssh in order to run scripts. The scripts to be run on server B must be run by user "weblogic".

So what I did was make the autosys user connect with a ssh key from server A to server B. After that I gave sudo permissions to autosys so that it may run commands as weblogic. Here's my excerpt from visudo:

User_Alias    SU_AUTOSYS = autosys
Cmnd_Alias    AUTOSYS_SU = /usr/bin/su - weblogic
SU_AUTOSYS    ALL = NOPASSWD: AUTOSYS_SU

To further facilitate the automation, I wrote a small script (runasweblogic.sh) that should automate the sudo <cmd> process:

#!/bin/sh
# Hand every argument through to su, which passes it to weblogic's login shell.
# sudo therefore sees "/usr/bin/su - weblogic <args>", not the bare
# "/usr/bin/su - weblogic" listed in the Cmnd_Alias above.
exec sudo su - weblogic "$@"

I am thinking now that server A could connect to server B and run commands as weblogic in this manner:

ssh serverB "/opt/home/autosys/runasweblogic.sh  /opt/weblogic/whateverscript.sh"

This isn't working at all and is giving errors such as "Sorry, user autosys is not allowed to execute '/usr/bin/su - weblogic /opt/weblogic/whateverscript.sh' as root on serverB".

Any ideas? I'm going nuts here...

One more thing. If I login to server B as autosys and run "sudo su - weblogic", it works.

Yeah, if you provide arguments for a particular sudo command to run, it can run only with those arguments. So it probably works just to do "sudo su - weblogic" but any additional arguments make a different command. Add a star to let the command be run with an argument.

But this isn't what you really want. What you really want is sudo configured to run the command as weblogic and bypass su altogether:

#!/bin/sh
# Run the requested command directly as weblogic, so sudoers can match the
# script path itself instead of su. -H sets HOME to weblogic's home directory.
exec sudo -u weblogic -H "$@"

And a sudoers entry like:

ALL    ALL = (weblogic) NOPASSWD: /opt/weblogic/whateverscript.sh

Actually, I went a little further than that just for security, and now it's working.

Here's the entry in the sudoers file now:

autosys        ALL =(weblogic) /opt/home/autosys/test.sh, /opt/weblogic/wls92/domains/dev05/batch/*.sh, /opt/weblogic/wls92/domains/dev05/*.sh

I removed the others and figured I'd just go this way since you can obviously ensure only certain files are run as weblogic.

Thanks for the assistance! I should have done it this way in the first place.
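To make the argument-matching rule from the reply and the wildcard entries from the final post concrete, here is an added example that is not code from this thread and not sudo's own code: a POSIX sh imitation of how sudoers decides whether a requested command line matches a command spec. The function names sudoers_cmd_matches and cmd_list_allows, the show helper, and the request strings such as nightly.sh are constructed for the walkthrough; the sudoers specs themselves are the ones quoted above.

```shell
#!/bin/sh
# Added example, not code from the thread. A small POSIX sh imitation of the
# part of sudoers command matching that bit the original poster:
#   - a command spec with no arguments permits any arguments,
#   - a spec with arguments must match the requested arguments as a whole
#     (shell-style wildcards such as '*' are honoured),
#   - a spec whose argument is "" permits no arguments at all.
# Wildcards in the command path are honoured only in the last path component
# and do not cross a '/', which is enough for the entries quoted in the thread.
# Real sudoers does far more (aliases, '!' negation, runas matching, digests);
# 'sudo -l' on the target host is the authoritative check.

# sudoers_cmd_matches SPEC REQUEST -> returns 0 if REQUEST is permitted by SPEC
sudoers_cmd_matches() {
    spec=$1
    req=$2

    # Split each string into a command path (first word) and an argument string.
    spec_path=${spec%% *}
    req_path=${req%% *}
    if [ "$spec" = "$spec_path" ]; then
        spec_has_args=0; spec_args=
    else
        spec_has_args=1; spec_args=${spec#* }
    fi
    if [ "$req" = "$req_path" ]; then req_args=; else req_args=${req#* }; fi

    # Path: the directory part must match literally; the basename may use globs.
    [ "${spec_path%/*}" = "${req_path%/*}" ] || return 1
    case "${req_path##*/}" in
        ${spec_path##*/}) ;;
        *) return 1 ;;
    esac

    # No arguments in the spec: the command may be run with any arguments.
    [ "$spec_has_args" -eq 0 ] && return 0
    # An explicit "" in the spec: the command may be run with no arguments only.
    if [ "$spec_args" = '""' ]; then
        [ -z "$req_args" ] && return 0
        return 1
    fi
    # Otherwise the argument string must match the spec as a whole; '*' is
    # globbed, which is why 'su - weblogic *' admits a trailing script path
    # while 'su - weblogic' alone does not.
    case "$req_args" in
        $spec_args) return 0 ;;
        *) return 1 ;;
    esac
}

# cmd_list_allows "SPEC1, SPEC2, ..." REQUEST -> 0 if any spec in the list matches
cmd_list_allows() {
    rest=$1
    while [ -n "$rest" ]; do
        case "$rest" in
            *,*) item=${rest%%,*}; rest=${rest#*,} ;;
            *)   item=$rest;       rest= ;;
        esac
        # Trim the whitespace around each comma-separated entry.
        item=$(printf '%s' "$item" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        sudoers_cmd_matches "$item" "$2" && return 0
    done
    return 1
}

# The command lists from the thread, as constructed inputs for the walkthrough.
OP_ALIAS='/usr/bin/su - weblogic'
WIDENED_ALIAS='/usr/bin/su - weblogic *'
ANSWER_SPEC='/opt/weblogic/whateverscript.sh'
FINAL_LIST='/opt/home/autosys/test.sh, /opt/weblogic/wls92/domains/dev05/batch/*.sh, /opt/weblogic/wls92/domains/dev05/*.sh'

# show LIST REQUEST: print the verdict the sudoers command list would give.
show() {
    if cmd_list_allows "$1" "$2"; then v=allowed; else v=denied; fi
    printf '%-8s %s\n' "$v" "$2"
}

show "$OP_ALIAS"      '/usr/bin/su - weblogic'                                   # interactive case
show "$OP_ALIAS"      '/usr/bin/su - weblogic /opt/weblogic/whateverscript.sh'   # the poster's error
show "$WIDENED_ALIAS" '/usr/bin/su - weblogic /opt/weblogic/whateverscript.sh'   # after adding a star
show "$ANSWER_SPEC"   '/opt/weblogic/whateverscript.sh --restart'                # no args in spec: any args
show "$FINAL_LIST"    '/opt/weblogic/wls92/domains/dev05/batch/nightly.sh'       # matches batch/*.sh
show "$FINAL_LIST"    '/opt/weblogic/wls92/domains/dev05/batch/sub/x.sh'         # '*' does not cross '/'
show "$FINAL_LIST"    '/usr/bin/su - weblogic'                                   # su is gone from the list
```

Run it with sh to see the verdicts. On the real server B the same question goes to sudo itself: as root, sudo -l -U autosys lists what autosys may run, and as autosys, sudo -l -u weblogic /opt/weblogic/whateverscript.sh reports whether that exact command is permitted. That answer, not this imitation, is the one to trust before wiring the job into autosys.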