I am planning to implement sudo for users.
Under [# User privilege specification], it looks I have to put the users who need to have sudo access:
What are the recommended [# User privilege specification] for users? I don't think I need to give the ALL privilege (i.e [root ALL=(ALL) ALL]) to AIX users.
I'd like to know the commonly used privilege specification for sudo users.
Please advise.
Well I would suggest that you create Cmnd_Alias in /etc/sudoers depending on the users' roles. Then, create groups depending on the roles and add the users in those groups. Provide the group to use the Cmnd_Alias. This way, it will save you a lot of time when you have new user with the same role and when you need to add new commands for the particular role.
If you let me know the role for the users, I might be able to show you an example of how to set sudo privileges for them.
I do NOT want them
Please advise if these are possible.
I guess that granularity will be not possible with sudo. sudo will be used for a positive list, what they may do, not what they may not do. You might want to have a look into RBAC (Role Based Access Control). You can create a role with just the permissions your users need and assign that to them. There are some IBM Redbooks and IBM System Magazine articles about security handling RBAC.
Well I can give you an example how I setup command alias in /etc/sudoers file for our ID Administration team. This is what it looks like:
Cmnd_Alias IDADMIN=/usr/bin/mkuser, /usr/bin/chuser, /usr/sbin/rmuser, \
/usr/bin/passwd [0-9]*, /usr/bin/passwd [A-z]* ,\
!/usr/bin/passwd root, \
/usr/bin/chsec, /usr/bin/mkgroup, /usr/sbin/rmgroup, \
/home/comadm/passwd_lastupdate.pl, \
/usr/bin/ls, /usr/bin/chmod, /usr/bin/chown, /usr/bin/chgrp, \
/usr/bin/find, /usr/sbin/lsuser, /usr/bin/vi /etc/ftpusers, \
/usr/local/bin/generate_user_file_list, \
/usr/local/bin/remove_user_files, /usr/bin/cat, \
/usr/bin/rm -f /var/spool/mail/*, \
! /usr/bin/rm -f /var/spool/mail/root, \
/usr/bin/rm -f /var/spool/cron/crontabs/*, \
! /usr/bin/rm -f /var/spool/cron/crontabs/root, \
/usr/bin/rm -f /var/spool/cron/atjobs/*, \
/usr/bin/rm -rf /home/*, /usr/bin/pwdadm, /usr/bin/smitty user
With command alias you can not only create positive set of list but also you can specify what they cannot do using sudo (as opposed to what zaxxon said, note the exclamatory sign in front of commands which are being restricted).
Hope you get an idea on how to set up /etc/sudoers
Never used it that way, learned something, thanks. Though using RBAC might be more apropriate still according to what he listed.
# Cmnd alias specification
Cmnd_Alias IDADMIN=/usr/bin/mkuser, /usr/bin/chuser, /usr/sbin/rmuser, \
/usr/bin/passwd [0-9]*, /usr/bin/passwd [A-z]* ,\
!/usr/bin/passwd root, \
/usr/bin/chsec, /usr/bin/mkgroup, /usr/sbin/rmgroup, \
/home/comadm/passwd_lastupdate.pl, \
/usr/bin/ls, /usr/bin/chmod, /usr/bin/chown, /usr/bin/chgrp, \
/usr/bin/find, /usr/sbin/lsuser, /usr/bin/vi /etc/ftpusers, \
/usr/local/bin/generate_user_file_list, \
/usr/local/bin/remove_user_files, /usr/bin/cat, \
/usr/bin/rm -f /var/spool/mail/*, \
! /usr/bin/rm -f /var/spool/mail/root, \
/usr/bin/rm -f /var/spool/cron/crontabs/*, \
! /usr/bin/rm -f /var/spool/cron/crontabs/root, \
/usr/bin/rm -f /var/spool/cron/atjobs/*, \
/usr/bin/rm -rf /home/*, /usr/bin/pwdadm, /usr/bin/smitty user
# Defaults specification
Defaults passprompt="Enter password of %u: "
Defaults syslog=local2
# Runas alias specification
# User privilege specification
root ALL=(ALL) ALL
On /etc/sudoers, I added it as above.
How do you put the restrictions to AIX users with 'Cmnd_Alias'?
Do I need to put a user, i.e. JDoe, under here?
# User privilege specification
root ALL=(ALL) ALL
Sorry for the novice question....
Thanks so much
I am sorry but this is worst idea that you can have....
Let me give some examples how you can gain root privileges:
vi - is having possibility to go out to shell..with root access or you cann edit any file
smitty - the same thin on each moment you can press F9 and go to shell
find - command has also privileges to execute commands as root (look for exec in man)
cat - using this command you can overwrite any file and then usi it to execute any command on system
chuser - with this command you can change any user parameters including root
All those commands looks harmless but you can use them to gain root privileges.
In my opinion or you are giving privileges to people that you can trust or you are not giving them privileges at all.
Any half way just creates risk to you.
If you have some application teams that you do not want to give root access just give them access to sudo su - to specific application user if they need more privileges they should ask you for help
Daniel,
You can use the Cmnd_Alias in the following to assign to a specific or a group of users:
idadmin ALL=NOPASSWD: IDADMIN
# for a group use % sign in front of the group name
%idadmingr ALL=NOPASSWD: IDADMIN
NOPASSWD simply tells that user do not need to enter password while using sudo. If not needed in your case, do not use it.
zaxxon,
Yes, even I would vote for RBAC but keeping in mind that there are still a lot of 5L AIX systems around in the industry, RBAC may not implemented widely and specially when ID Administration works under the shadow of Information Security (in our case). But, if it's 6.1 or even 7.1 AIX, RBAC is the thing people should go for.
gito,
Good catch! There's always a risk with programs which accept shell escapes. We did not have any other way to achieve the same goal with AIX5.1L. sudo su - to a specific user does not add any advantage. What if the person do need vi to edit the permitted file in sudoers? Contacting server admins for editing files in vi is surely not an option in the huge environment we work in. Any better suggestion is always welcome!! 
Sorry to be slightly off topic, though...
@admin_xor:
Agreed. Additionally it can become very complex using RBAC if one starts to go in depth and detail, at least the impression I got. We use it only to stop using root. It is also one of the things I would prefer to have a good graphical front end in such cases of using plenty of roles and custom permissions^^