Sudo Not working on Solaris 10

SolarisRSA · July 6, 2015, 3:26am

Hi All, im a bit new to Solaris 10 iv been working on Redhat and cant seem to get the sudo working on Solaris 10:D

Iv installed the below packages via pkgadd command:

  gcc-4.7.2-sol10-x86-local
 libiconv-1.14-sol10-x86-local
 libintl-3.4.0-sol10-x86-local
  sudo-1.8.13-sol10-x86-local
 zlib-1.2.8-sol10-x86-local

The below script I wrote to add the user and edit the sudoers file so that the ccsadmin user can execute the commands listed.

 #!/bin/bash
  
 echo "WARNING this script will add user CCSADMIN and Modify permissions to M&R user this server, with predefined passwords, The script will delay for 10secs before it will start
 to create accounts"
 echo "############################## `sleep 5`############################"
  
 echo "Now adding and Modifying Users"
  
 useradd -d /export/home/ccsadmin -m -s /bin/bash -c "CCS user for Compliance Scanning" ccsadmin
 groupadd ccsadmin
 mkdir /export/home/ccsadmin/.ssh
 cd /export/home/ccsadmin
 chown -R ccsadmin:ccsadmin .
 chmod 700 /export/home/ccsadmin/.ssh
 touch /export/home/ccsadmin/.ssh/authorized_keys
 echo "ssh-dss AAAAB3NzaC1kc3MAAACAabEQZiLgxkqz+a3RNl6xI4l26R8fVtzK74bbcVQjTTDwIjz08+aoyPmdiSe7HoO2wKuy/MlWATP0dgtmtGsr755Aj98xg09bm1OwajSbtN2OBBWvq9HvSIdq/yi02SFKQXnxtp1mlSuqueoTLJiO7aceCysEcixRV9VD2lOnljMAAAAVALhTIYQmRkAXJhO+eYM4rm6TieYTAAAAgCWLg+2v16Br7re0IbZHc3juja4Wv6PNKekFmOz/r/1yR9X3S1vFiqlTnhHndRzmgwmPUIH6S1u1szSWC6ldRRyliydt5suot7uvxoAw7qT58r4hVbTl3/q5twCJWfW7xMzKyAwRy6Ssxg4LsxMZd2VClpJZGBqwj1E19Xa9CPyQAAAAgFyj/qnT1CyahPWGppgtL3TbyelZr9/NMvT86xfsVOjwM6rowXLp3mepMDN77IL71/6tQYj5qcHxynFlwBZK5cPqu7YdYpB6Ss23Z0kBzUwEolZaQXesZ/4p7AkhDKjk+md31cpqFpXdpYEgdXGy6TCUJ200vrB1xFtb6aVeMar8 CCS dsa-key-20110210" >> /export/home/ccsadmin/.ssh/authorized_keys
 echo "ssh-dss AAAAB3NzaC1kc3MAAACBAMdMrR0Pq7qhn0MI00ZJjCtsJ8rvAWMz7iaBjHZfs78Iy4SIkYS/rOXfZN+YhBlB9WGYmRVnbdEHe/w8zE4wYtRCiF7Xcyh9xFpK0bxJiKFDeQMLDdyiCGpkx85oyy/w466iWNNIzTTiZAE1pOe6KFf6IlNBGJfl4dMe0xlSluKNAAAAFQC+sGFXibhXHT8dKdIr7GX+13pl3QAAAIEAw9f4bs0AMsWN3gYbD4rdrg40Xlop559BW/G6SVcQ9KtS8QZAV2UbbceJnuESAacPUqQVB3NJGi34QuWrVMfOd4plpzi5sK8uyl0lqHGqZODC9uXQxmaKtNoZEcdfoD1v3nvFDiZxFiBDJpvRrmjLTrnVjL7pBQvqmLNMZDRlGvEAAACADqys82qDYpcPifGf2NLl5kuyHz0JpKz+qdI57sOX3dUDFyzLCaPAAG23vd+LRb9PPfNLvJ988t5B+M4kKD91WbNUz3AL0S20j15h6WAMFYpTdkO4k/4391XY28DLs5lxUNGgQEbrIdZqLp5vKPL59gzFRwLDzZjAPa3g4KtD65A= TripWire nCircle" >> /export/home/ccsadmin/.ssh/authorized_keys
 chmod 644 /export/home/ccsadmin/.ssh/authorized_keys
 chown -R ccsadmin:ccsadmin /export/home/ccsadmin/.ssh/authorized_keys
  
 sleep 3
 echo "Adjusting CCSADMIN Sudoers file"
  
 cp /usr/local/etc/sudoers /usr/local/etc/sudoers.backup
 echo '#######################'>> /usr/local/etc/sudoers
 echo '## Adding ccsadmin and relevant command permissions'>> /usr/local/etc/sudoers
 echo 'ccsadmin ALL=(ALL) SETENV: NOPASSWD: SECURITY, NETWORKING, SOFTWARE, SERVICES, LOCATE, STORAGE, DELEGATING, PROCESSES, DRIVERS, !SU, !ACTIVEADMCMDS, !SYSADMCMD, ADMINCMD, E
 NVCMDS, NOEXEC: /usr/bin/find, /usr/bin/uptime, /usr/bin/uname, /usr/sbin/dig, /usr/bin/cat, /usr/sbin/ifconfig, /usr/bin/date, /usr/bin/grep, /usr/bin/who, /usr/bin/ypwhich, /us
 r/bin/ps,  /usr/bin/ls, /usr/bin/who, /usr/bin/id, /usr/bin/strings, /usr/bin/file, /usr/sbin/df, /usr/bin/cksum, /usr/bin/runat, /usr/bin/pkginfo, /usr/sbin/patchadd, /usr/bin/n
 etstat, /usr/bin/rpcinfo, /usr/sbin/sysdef, /usr/sbin/routeadm, /usr/sbin/ndd, /usr/bin/mdb, /usr/bin/egrep, /usr/sbin/eeprom, /usr/bin/ulimit -a, /usr/sbin/pkgchk, /usr/bin/svcs
 , /usr/bin/ls, /usr/bin/cut' >> /usr/local/etc/sudoers
 echo '## End of ccsadmin entry'>> /usr/local/etc/sudoers
 echo '#######################'>> /usr/local/etc/sudoers
 exit $?    #Exit with status 0 (successful. To check this, do echo $? after script execute

This is the Standard Sudoers File

 root@tcipidc01 # cat /usr/local/etc/sudoers
 # sudoers file.
 #
 # This file MUST be edited with the 'visudo' command as root.
 #
 # See the sudoers man page for the details on how to write a sudoers file.
 #
  
 # Host alias specification
  
 # User alias specification
  
 # Cmnd alias specification
  
 # Defaults specification
 Defaults logfile=/var/log/sudo.log
  
 # Runas alias specification
  
 # User privilege specification
 root    ALL=(ALL) ALL
 ccsadmin        ALL=(ALL) ALL
 hillsro         ALL=(ALL) ALL
  
 # Uncomment to allow people in group wheel to run all commands
 # %wheel        ALL=(ALL)       ALL
 %sysadmin  ALL=(ALL) ALL
  
 # Same thing without a password
 # %wheel        ALL=(ALL)       NOPASSWD: ALL
 %sysadmin  ALL=(ALL) ALL
  
 # Samples
 # %users  ALL=/sbin/mount /cdrom,/sbin/umount /cdrom
 # %users  localhost=/sbin/shutdown -h now
 root@tcipidc01 #

After the script edit the sudoers file it looks like this below:

 [root@THC-A-01_NET0 08:48:36 /]#cat /usr/local/etc/sudoers
 ## sudoers file.
 ##
 ## This file MUST be edited with the 'visudo' command as root.
 ## Failure to use 'visudo' may result in syntax or file permission errors
 ## that prevent sudo from running.
 ##
 ## See the sudoers man page for the details on how to write a sudoers file.
 ##
  
 ##
 ## Host alias specification
 ##
 ## Groups of machines. These may include host names (optionally with wildcards),
 ## IP addresses, network numbers or netgroups.
 # Host_Alias    WEBSERVERS = www1, www2, www3
  
 ##
 ## User alias specification
 ##
 ## Groups of users.  These may consist of user names, uids, Unix groups,
 ## or netgroups.
 # User_Alias    ADMINS = millert, dowdy, mikef
  
 ##
 ## Cmnd alias specification
 ##
 ## Groups of commands.  Often used to group related commands together.
 # Cmnd_Alias    PROCESSES = /usr/bin/nice, /bin/kill, /usr/bin/renice, \
 #                           /usr/bin/pkill, /usr/bin/top
  
 ##
 ## Defaults specification
 ##
 ## You may wish to keep some of the following environment variables
 ## when running commands via sudo.
 ##
 ## Locale settings
 # Defaults env_keep += "LANG LANGUAGE LINGUAS LC_* _XKB_CHARSET"
 ##
 ## Run X applications through sudo; HOME is used to find the
 ## .Xauthority file.  Note that other programs use HOME to find
 ## configuration files and this may lead to privilege escalation!
 # Defaults env_keep += "HOME"
 ##
 ## X11 resource path settings
 # Defaults env_keep += "XAPPLRESDIR XFILESEARCHPATH XUSERFILESEARCHPATH"
 ##
 ## Desktop path settings
 # Defaults env_keep += "QTDIR KDEDIR"
 ##
 ## Allow sudo-run commands to inherit the callers' ConsoleKit session
 # Defaults env_keep += "XDG_SESSION_COOKIE"
 ##
 ## Uncomment to enable special input methods.  Care should be taken as
 ## this may allow users to subvert the command being run via sudo.
 # Defaults env_keep += "XMODIFIERS GTK_IM_MODULE QT_IM_MODULE QT_IM_SWITCHER"
 ##
 ## Uncomment to enable logging of a command's output, except for
 ## sudoreplay and reboot.  Use sudoreplay to play back logged sessions.
 # Defaults log_output
 # Defaults!/usr/bin/sudoreplay !log_output
 # Defaults!/usr/local/bin/sudoreplay !log_output
 # Defaults!/sbin/reboot !log_output
  
 ##
 ## Runas alias specification
 ##
  
 ##
 ## User privilege specification
 ##
 root ALL=(ALL) ALL
  
 ## Uncomment to allow members of group wheel to execute any command
 # %wheel ALL=(ALL) ALL
  
 ## Same thing without a password
 # %wheel ALL=(ALL) NOPASSWD: ALL
  
 ## Uncomment to allow members of group sudo to execute any command
 # %sudo ALL=(ALL) ALL
  
 ## Uncomment to allow any user to run sudo if they know the password
 ## of the user they are running the command as (root by default).
 # Defaults targetpw  # Ask for the password of the target user
 # ALL ALL=(ALL) ALL  # WARNING: only use this together with 'Defaults targetpw'
  
 ## Read drop-in files from /usr/local/etc/sudoers.d
 ## (the '#' here does not indicate a comment)
 #includedir /usr/local/etc/sudoers.d
 #######################
 ## Adding ccsadmin and relevant command permissions
 ccsadmin ALL=(ALL) SETENV: NOPASSWD: SECURITY, NETWORKING, SOFTWARE, SERVICES, LOCATE, STORAGE, DELEGATING, PROCESSES, DRIVERS, !SU, !ACTIVEADMCMDS, !SYSADMCMD, ADMINCMD, ENVCMDS, NOEXEC: /usr/bin/find, /usr/bin/uptime, /usr/bin/uname, /usr/sbin/dig, /usr/bin/cat, /usr/sbin/ifconfig, /usr/bin/date, /usr/bin/grep, /usr/bin/who, /usr/bin/ypwhich, /usr/bin/ps,  /usr/bin/ls, /usr/bin/who, /usr/bin/id, /usr/bin/strings, /usr/bin/file, /usr/sbin/df, /usr/bin/cksum, /usr/bin/runat, /usr/bin/pkginfo, /usr/sbin/patchadd, /usr/bin/netstat, /usr/bin/rpcinfo, /usr/sbin/sysdef, /usr/sbin/routeadm, /usr/sbin/ndd, /usr/bin/mdb, /usr/bin/egrep, /usr/sbin/eeprom, /usr/bin/ulimit -a, /usr/sbin/pkgchk, /usr/bin/svcs, /usr/bin/ls, /usr/bin/cut
 ## End of ccsadmin entry
 #######################
 #######################
 ## Adding ccsadmin and relevant command permissions
 ccsadmin ALL=(ALL) SETENV: NOPASSWD: SECURITY, NETWORKING, SOFTWARE, SERVICES, LOCATE, STORAGE, DELEGATING, PROCESSES, DRIVERS, !SU, !ACTIVEADMCMDS, !SYSADMCMD, ADMINCMD, ENVCMDS, NOEXEC: /usr/bin/find, /usr/bin/uptime, /usr/bin/uname, /usr/sbin/dig, /usr/bin/cat, /usr/sbin/ifconfig, /usr/bin/date, /usr/bin/grep, /usr/bin/who, /usr/bin/ypwhich, /usr/bin/ps,  /usr/bin/ls, /usr/bin/who, /usr/bin/id, /usr/bin/strings, /usr/bin/file, /usr/sbin/df, /usr/bin/cksum, /usr/bin/runat, /usr/bin/pkginfo, /usr/sbin/patchadd, /usr/bin/netstat, /usr/bin/rpcinfo, /usr/sbin/sysdef, /usr/sbin/routeadm, /usr/sbin/ndd, /usr/bin/mdb, /usr/bin/egrep, /usr/sbin/eeprom, /usr/bin/ulimit -a, /usr/sbin/pkgchk, /usr/bin/svcs, /usr/bin/ls, /usr/bin/cut
 ## End of ccsadmin entry
 #######################

Please advise on how I can get the ccsadmin user to run the sudo commands.

Thanks

Smiling_Dragon · July 6, 2015, 5:14pm

Keep the users on their toes eh?

Unless I'm missing it (and I might be, that sudoers has a lot of comments) you don't seem to be defining any of these aliases earlier in the file. I can't see how that would work.

BTW, using NOEXEC to limit all those binaries is not likely to keep someone out of a root shell if they are determined, unless those commands are the only ones being granted to the user.