Hello,
I have a wrapper script that I am trying to build/execute, which has two different sub scripts, which run as two separate users.
The purpose is to mask the contents of the script and allow the user to execute utlrp.sql, which requires sys-level privs to execute.
User FORD logs in, and executes the wrapper script, wrapper.sh
The wrapper script presents its content in menu format. Here is what wrapper.sh presents:
- execute one.sql
- execute two.sql and three.sql
- execute three.sql
A) one.sql: requires no specific credentials.
B) two.sql: REQUIRES FORD credentials to execute. It has a login-ID check at the beginning and kicks you out if you aren't the FORD user.
   three.sql: requires "ORACLE" credentials to log in and execute utlrp.sql, which requires logging in as sys for execution.
C) three.sql: same as above, but only runs the utlrp.sql script.
So I edited sudoers (visudo) to implement the necessary privs (the two FORD entries at the bottom):
## Runas alias
Runas_Alias DB = oracle
## Same thing without a password
# %wheel ALL=(ALL) NOPASSWD: ALL
## Uncomment to allow members of group sudo to execute any command
# %sudo ALL=(ALL) ALL
## Uncomment to allow any user to run sudo if they know the password
## of the user they are running the command as (root by default).
# Defaults targetpw # Ask for the password of the target user
# ALL ALL=(ALL) ALL # WARNING: only use this together with 'Defaults targetpw'
## Read drop-in files from /usr/local/etc/sudoers.d
## (the '#' here does not indicate a comment)
#includedir /usr/local/etc/sudoers.d
FORD ALL = (ALL) NOPASSWD: /export/home/oracle/wrapper.sh
FORD ALL = (DB) NOPASSWD: /oracle/12c/bin/sqlplus
(I have also tried the second entry NOT using runas_alias with exact same results)
If I execute a sudo -l from the command line, it shows:
$ sudo -l
User ford may run the following commands on falcon:
(ALL) NOPASSWD: /export/home/oracle/wrapper.sh
(oracle) NOPASSWD: /oracle/12c/bin/sqlplus
Here is where I'm stuck. From my understanding, for the user to execute this via the sudo functionality, the main wrapper command would be executed as follows: sudo wrapper.sh. It prompts me with the menu as desired. When I choose A, it doesn't see user FORD... and kicks me out.
When I choose B or C, it works fine. It executes the second one fine, and logs in as sys executing the utlrp.sql.
So my question is this: Is there a way to configure the sudo setup so that user FORD executes the wrapper, passes user FORD to menu item A, but only passes itself as the ORACLE user to menu items B or C for the sake of sqlplus as sys?
Thanks.
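One way to get the behaviour asked about, added here as an example and not the poster's own wrapper.sh: leave the first sudoers entry (the whole wrapper as root) out, start wrapper.sh as FORD without sudo so two.sql still sees the FORD user, and put `sudo -u oracle` only in front of the sqlplus call that runs utlrp.sql, which is what the second sudoers entry permits. The sqlplus path is taken from the post; the directory holding the three .sql files is an assumption.

```shell
#!/bin/sh
# Added example, not the poster's wrapper.sh: the menu runs as the user who
# typed the command, and only the step that needs the oracle account is
# escalated with sudo -u oracle (matching the second sudoers entry).
# Assumed: sqlplus at /oracle/12c/bin (from the post) and the .sql files
# under /export/home/oracle/sql (constructed path).
SQLPLUS=/oracle/12c/bin/sqlplus
SQLDIR=/export/home/oracle/sql

# Refuse to start under sudo: once the whole wrapper runs as root/oracle the
# login-ID check inside two.sql can no longer see the FORD user.
check_not_via_sudo() {
  [ -z "${SUDO_USER:-}" ]
}

# Print one command line per step for a menu choice (A, B or C) without
# running it, so the "who runs what" decision can be inspected or tested.
plan_for_choice() {
  case "$1" in
    A) echo "$SQLPLUS @$SQLDIR/one.sql" ;;
    B) echo "$SQLPLUS @$SQLDIR/two.sql"
       echo "sudo -u oracle $SQLPLUS / as sysdba @$SQLDIR/three.sql" ;;
    C) echo "sudo -u oracle $SQLPLUS / as sysdba @$SQLDIR/three.sql" ;;
    *) return 1 ;;
  esac
}

# Interactive menu; only entered when the script is started as "wrapper.sh run".
main() {
  check_not_via_sudo || { echo "start this as your own user, not via sudo" >&2; exit 1; }
  printf 'A) one.sql\nB) two.sql then three.sql (utlrp.sql)\nC) three.sql only\nChoice: '
  read -r choice
  plan_for_choice "$choice" | while read -r cmd; do
    echo "==> $cmd"
    $cmd
  done
}

if [ "${1:-}" = run ]; then
  main
fi
```

Because the sudoers line for sqlplus names no arguments, FORD can run any sqlplus command as oracle; pinning the arguments in sudoers (the sysdba login plus the exact three.sql path) limits that entry to the utlrp.sql step alone.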