Sudo to other user

Hello All,
I am trying to grant sudo privileges to a set of users (say tom and jerry) to sudo to another set of users (jim, harry). This is because we don't want to disclose the passwords of jim and harry.

I did define the User_Alias and Runas_Alias:

%wms ALL = (USR) /usr/bin/su -

where wms is the group to which tom and jerry belong and USR is the Runas_Alias for jim and harry.

But it is not liking it. I did multiple combinations but it ain't working.

I am running it on AIX 7.1, thanks in advance.

I am able to do it successfully by adding the below, but I have 9 users so I don't want to add 9 lines to the sudoers file.

JDA    ALL = /usr/bin/su - jim

where JDA is the User_Alias for tom and jerry.

What do you mean "to sudo to another set of users"? Are you confusing sudo with su? Also, you can stack the two commands, for example, if tom types "sudo su - jim" he will use sudo to execute the su command, and become the jim user, without knowing jim's password. Additionally, the NOPASSWD option in the sudoers file will allow tom to do this without typing any password at all.

First, you have to create a command-alias: the command(s) you want to allow. Then you have to create a user-alias: the (group of) user(s) you want to make use of the allowed commands. Finally, you have to create a rule where you state that the users in the user-alias are allowed to execute the commands in the command-alias. (I skipped the host-alias as this seems to be no issue here.)

That is the general outline of what you have to do. Please post these three definitions from your file /etc/sudoers here, then we can evaluate what you have done and what went wrong.

I hope this helps.

bakunin

Alright here is what I did

User_Alias JDA = rlalgudi, kwalker, ndevries, afitzpat
Runas_Alias DA = wmstst, modtst, emstst, remtst
JDA  ALL = (DA) ALL

Also, I have tried using

%wms ALL = (DA) /usr/bin/su -

where wms is the group to which the User_Alias users belong.

I want to achieve all this in one command, instead of specifying the access for each user. It is working if I do the below:

%wms ALL = /usr/bin/su - wmstst

But when I try to use the Runas_Alias instead of a single user I get the below:

kwalker@myaixhost:/home/kwalker:$ sudo -l
User kwalker may run the following commands on this host:
    (wmstst, modtst, emstst, remtst) ALL
kwalker@myaixhost:/home/kwalker:$ sudo su - emstst
Sorry, user kwalker is not allowed to execute '/usr/bin/su - emstst' as root on myaixhost.

If I am not mistaken you can include user groups in the User_Alias definition. If you already have a Unix group for this, I suggest you use it instead of specifying another group in the sudoers file. This is easier to maintain.

If you want to switch to another user you have to use the "su" command as "root"; sudo's complaint was basically that you have no rule defining such a privilege for the users you want to be able to become other users. A "Runas_Alias" defines the (effective) user (ID) under which to run the command. You have allowed all users in JDA to run all commands as one of the users in DA - certainly not what you wanted. (To test my assumption: try "sudo -u emstst /bin/ls" as user "kwalker". This should work - you have run "/bin/ls" under the effective user ID of emstst.)

Delete the Runas_Alias. Define a Cmnd_Alias with the commands "su - wmstst", "su - modtst", etc., then allow the user "User_Alias-Name" to run command "Cmnd_Alias-Name" as root. This should work.

I hope this helps.

bakunin


It ain't working can you provide me the syntax?

---------- Post updated at 12:33 PM ---------- Previous update was at 12:11 PM ----------

Thanks Bakunin, that was it. I was able to achieve it using Cmnd_Alias as you mentioned above.

This is what I did

User_Alias JDA = tom, julie, harry
Cmnd_Alias CMD = /usr/bin/su - wmstst, /usr/bin/su - emstst, /usr/bin/su - modtst
JDA ALL = CMD

I also tried %groupname, which works fine too, but I would rather go with the User_Alias.

Thanks a lot again!


I am glad it worked out for you. What you did was exactly what I had in mind.

bakunin


The Runas_Alias is the list of users that you allow the user to "run as" with the "-u username" option of sudo; it doesn't affect the user list that you want to allow as a parameter of "su -".
You have probably not understood the sudo tool: you don't need to cascade "su -" in sudo, because sudo's job is to perform the "SetUser".

If you use this config line:
%wms ALL = (DA) ALL
then you allow all users of the "wms" group to run as any user of the "DA" Runas_Alias via "sudo -u username ...".
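As an added example (not code from this thread), here is a small Python evaluator of the two sudoers fragments posted above, showing why "JDA ALL = (DA) ALL" rejects "sudo su - emstst" (su itself runs as root, and root is not in DA) while allowing "sudo -u emstst /bin/ls", and why bakunin's Cmnd_Alias rule allows exactly the listed "su -" commands as root and nothing else. It covers only the constructs used in this thread; real sudo matching also handles wildcards, negation, host lists and Defaults.

```python
import re

# Constructed sudoers fragments reproducing the two attempts from the thread.
SUDOERS_RUNAS = """User_Alias JDA = rlalgudi, kwalker, ndevries, afitzpat
Runas_Alias DA = wmstst, modtst, emstst, remtst
JDA ALL = (DA) ALL"""
SUDOERS_CMND = """User_Alias JDA = rlalgudi, kwalker, ndevries, afitzpat
Cmnd_Alias CMD = /usr/bin/su - wmstst, /usr/bin/su - emstst, /usr/bin/su - modtst
JDA ALL = CMD"""

def parse_sudoers(text):
    """Return (alias tables, rules); each rule is (who, host, runas, [commands])."""
    aliases = {"User_Alias": {}, "Runas_Alias": {}, "Cmnd_Alias": {}}
    rules = []
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#"):
            continue
        kind = line.split()[0]
        if kind in aliases:
            name, members = line[len(kind):].split("=", 1)
            aliases[kind][name.strip()] = [m.strip() for m in members.split(",")]
            continue
        m = re.match(r"(\S+)\s+(\S+?)\s*=\s*(?:\((\S+)\)\s*)?(.*)$", line)
        if m:
            who, host, runas, cmds = m.groups()
            # No "(user)" part means sudo's runas_default, which is root.
            rules.append((who, host, runas or "root", [c.strip() for c in cmds.split(",")]))
    return aliases, rules

def expand(name, table):
    """Expand an alias name recursively; ALL and literal names pass through."""
    if name not in table:
        return [name]
    return [x for member in table[name] for x in expand(member, table)]

def may_run(text, user, groups, target, command):
    """Would sudo let `user` (member of `groups`) run `command` as `target`?"""
    aliases, rules = parse_sudoers(text)
    for who, host, runas, cmds in rules:
        users = expand(who, aliases["User_Alias"])
        if not ("ALL" in users or user in users or any("%" + g in users for g in groups)):
            continue
        targets = expand(runas, aliases["Runas_Alias"])
        if not ("ALL" in targets or target in targets):
            continue
        allowed = [c for spec in cmds for c in expand(spec, aliases["Cmnd_Alias"])]
        if "ALL" in allowed or command in allowed:
            return True
    return False
```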