Sudo question

I am running AIX 6.6.5.115 and am experiencing a problem using sudo. I have shell scripts that I created for our HR user and shell scripts that I created for root administrators. I do have a need to embed a sudo command in the user shell script to run one command as root. However the two environments are different and the command will fail if I use a sudo -u root followed by the command as it is using the HR user variables rather than the true root variables. Can someone please offer me some suggestions on how to do this? I am new to sudo and am trying to learn it on my own due to budget constraints.

Thanks in advance,

Ron

You haven't shown us the line in the sudoers file for that HR user...
Have you tried to pass a line in sudoers like this?

HRuser ALL=(ALL)   NOPASSWD:<the command you want to pass>

I have not tried that as I have three different commands, any one of which may need to be run depending on what is being processed on that particular day. I thought I should be able to just run the command via sudo, but the environment and PS1 variables do not get set properly when using sudo commands. I can manually set everything with the exception of the PS1 variable.

$ sudo -u root

usage: sudo -h | -K | -k | -V
usage: sudo -v [-AknS] [-g group] [-h host] [-p prompt] [-u user]
usage: sudo -l [-AknS] [-g group] [-h host] [-p prompt] [-U user] [-u user]
            [command]
usage: sudo [-AbEHknPS] [-C num] [-g group] [-h host] [-p prompt] [-u user]
            [VAR=value] [-i|-s] [<command>]
usage: sudo -e [-AknS] [-C num] [-g group] [-h host] [-p prompt] [-u user] file
            ...

$

You haven't shown us what you're actually doing so I'm only guessing, but you may want to sudo su - instead of sudo su .

The -u root is redundant.

Here is the command and error. The error is coming up due to the wrong environment variables and PS1 variables being set (user variables, not root). The reason for the sudo -u root is so the user does not get prompted for the root password when the script runs, as they do not have access to the root login. The user will just click on an icon in Windows to run the script and only be prompted for their user login.

Command:

sudo -u root /opt/AMSADV3/AMSJobInteractionClient/impenrl.sh

Error:

AMS ADVANTAGE 3.x Batch CommandLine Processor 1.1
Load Balancing Enabled

Exception in thread "main" java.lang.NullPointerException
at com.amsinc.gems.adv.batch.jobmanagerclient.AMSJobInteractionClient.<init>(AMSJobInteractionClient.java:265)
at com.amsinc.gems.adv.batch.jobmanagerclient.AMSJobInteractionClient.main(AMSJobInteractionClient.java:3010)

---------- Post updated at 12:41 PM ---------- Previous update was at 12:30 PM ----------

The variables are different as shown below, I have also removed ssh ip addresses and server names for this post that would normally show in the environment for security reasons. When logged in as the hr user and the script is launched the PS1 User name shows the hr user not the root user.

HR User:

HOME=/opt/AMSADV3/hrm39
PATH=/usr/bin:/etc:/usr/sbin:/usr/ucb:/opt/AMSADV3/hrm39/bin:/usr/bin/X11:/sbin:.
MAIL=/var/spool/mail/hr
SHELL=/bin/csh
TZ=America/New_York
SSH_TTY=/dev/pts/2
TERM=xterm
AUTHSTATE=compat
LANG=en_US
LOCPATH=/usr/lib/nls/loc
LC__FASTMSG=true
ODMDIR=/etc/objrepos
CLCMD_PASSTHRU=1
NLSPATH=/usr/lib/nls/msg/%L/%N:/usr/lib/nls/msg/%L/%N.cat

root user:

LANG=en_US
LOGIN=root
SSH_TTY=/dev/pts/4
CLCMD_PASSTHRU=1
PATH=/usr/bin:/etc:/usr/sbin:/usr/ucb:/usr/bin/X11:/sbin:/usr/java5/jre/bin:/usr/java5/bin
LC__FASTMSG=true
LOGNAME=root
MAIL=/usr/spool/mail/root
LOCPATH=/usr/lib/nls/loc
PS1=xxxxxxxxx [$USER]: $PWD >
USER=root
AUTHSTATE=compat
SHELL=/usr/bin/ksh
ODMDIR=/etc/objrepos
HOME=/
TERM=xterm
MAILMSG=[YOU HAVE NEW MAIL]
PWD=/
TZ=America/New_York
ENV=//.kshrc
A__z=! LOGNAME

Try sudo -i so it runs the script in a proper root shell with root's environment.

First: a script should set its own set of variables. You wouldn't have this problem then. Do something like this:

#! /bin/ksh

. /some/common/environment.file

<...rest of your script...>

If you really have to set some environment outside the script, use su's "-c" switch:

sudo su -c ENV=/some/file /your/command

Attention: "-c" will wipe out your environment completely before the ENV variable is set. You had better make sure that everything you ever need is defined in "/some/file" one way or the other.

I hope this helps.

bakunin
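
The "script sets its own variables" approach from the reply above, written as a wrapper that would be the one command listed in sudoers. This is an added example, not code posted in the thread; the PATH, HOME and job path are the ones shown in the thread, the function names are hypothetical. It also rejects a PATH with relative entries, since the HR user's PATH ends in "." and must not carry over to a root process.

```shell
#!/bin/sh
# Added example: wrapper that builds root's environment itself instead of
# inheriting whatever the calling (HR) user had set.

# Values copied from the "root user" listing in the thread.
ROOT_PATH=/usr/bin:/etc:/usr/sbin:/usr/ucb:/usr/bin/X11:/sbin:/usr/java5/jre/bin:/usr/java5/bin
ROOT_HOME=/
# The one job this wrapper runs (path from the thread).
JOB=/opt/AMSADV3/AMSJobInteractionClient/impenrl.sh

# Succeeds only if every PATH entry is an absolute directory name.
# Empty entries ("::", leading or trailing ":") mean "current directory".
path_is_safe() {
    case ":$1:" in *::*) return 1 ;; esac
    ( IFS=:
      for dir in $1; do
          case $dir in /*) ;; *) exit 1 ;; esac
      done )
}

# Run "$@" with an empty environment plus the fixed root values, so nothing
# exported by the caller reaches the job.
run_clean() {
    path_is_safe "$ROOT_PATH" || { echo "unsafe PATH" >&2; return 1; }
    env -i PATH="$ROOT_PATH" HOME="$ROOT_HOME" USER=root LOGNAME=root \
        SHELL=/usr/bin/ksh LANG=en_US TZ=America/New_York "$@"
}

# Run the fixed job only; the wrapper takes no command from the caller.
if [ -x "$JOB" ]; then
    run_clean "$JOB"
fi
```

Because the wrapper takes no arguments, a sudoers entry can name its full path alone rather than granting the user a general root command.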

I figured out a solution to my problem. As I stated earlier I was able to set the root variables, everything except for the PS1 variables. I found a modification that allows me to set the PS1 variables and that in turn will allow me to run the portion of the script as root with both the env variables and the PS1 variables set.

I have to separate out the actual sudo command into another shell script and then call that script using the sudo command and the PS1 variables get set.

Example (Command placed into its own executable file)
File name: test1.scr

Solution: Run the test1.scr script

sudo -u root test1.scr

Hi. I am on vacation - for another two weeks - but rather than an addon, you could also look at RBAC on AIX. And as long as a script begins with #! you can even add a script to RBAC.

Just reply here if you are interested or curious - I will go into more details for your questions when I am back (roughly another 10 days).