Hi, I was wondering if someone can give me some pointers about configuring SUDO. I am trying to configure SUDO to have about 30 users run about 200 scripts as a different user. I understand that I can create an User_Alias but how do I give that User_Alias rights to run all the scripts in a certain directory? We add scripts to that directory every week and don't want to keep a static Cmnd_Alias . Does that make sense? Your help is appreciated very much.
Jake
Why not make a group; [scripts], add those users who are permitted to run these scripts to this group. Then they can just su to that group to run those scripts.
Everytime you create a new script, just change the owner to that group.
Pardon my ignorance, but how do you su to a group? One can SU to another user but how does that work for a group?
Yes. Correction.
My mistake, I usually create a dummy user, such as script, which is usually in a group called script, then I just su script.
You would need to use the command newgrp to change to a different group.
create wrapper script which will change to the directory where your scripts reside and run specified script (input parameter) from the current directory (so, that wrapper limits running scripts from specific directory). Wrapper owner must be root and permissions must be set to 700.
In sudo configuration you will need to define permissions only for the wrapper script.
Your users wil run scripts in following manner:
mypath/mywrapper myscript parm1 parm3 .... parmN
Use this syntax to allow sudo access to an entire directory:
User_Alias Host_Alias = (ALL) directory/
where
User_Alias is your User_Alias, userid, group, netgroup, or ALL
Host_Alias is your Host_Alias, host, netgroup, or ALL
directory is the directory conatining all your scripts
The key to this is to make sure to put the slash ( / ) on the end of your directory entry, as in " /usr/global/bin/ "