[PLUG] Sudo Access to application accounts...Some thoughts please??

Matt Rae mattrae at gmail.com
Wed Feb 6 19:28:58 UTC 2008


Does the molnet-app account give access to run a number of apps, for
example A, B, C, D? I don't think after phil has run "sudo su -
molnet-app" it is possible to say, "Well, you were originally phil, so
you only get access to A and B".

I think one way you could do this is to have a sudoers like:

droberts SCDMAPPSERVERS= (molnet-app) A, B, C, D
phil SCDMAPPSERVERS= (molnet-app) A, E, F, G
eric SCDMAPPSERVERS= (molnet-app) A, B, C, D, E, F, G

where the apps are full commands, e.g. if A were "/usr/bin/MolnetAcmd [A-z]*"

Also from the sudoers man page "Wildcard matching is done via the
POSIX fnmatch(3) routine. Note that these are not regular
expressions."

After that if phil wanted to run A, he could use the command

sudo -u molnet-app /usr/bin/MolnetAcmd start

Might not be the best solution but maybe this will get the ball rolling.

Otherwise maybe you can make an account for each app.

Matt Rae
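Taking the sketch above a step further, here is an added sudoers fragment (not from this thread) that partitions the seven apps per user with one Cmnd_Alias per app and explicit argument lists instead of a "*" wildcard, which fnmatch would let match extra words. The command paths, the start/stop/status subcommands and the MOLNET Runas_Alias are assumptions for illustration.

```sudoers
## Added example, not from the original thread. Paths and
## subcommands below are assumed; adjust to the real binaries.
Host_Alias  SCDMAPPSERVERS = sissenv128p, gaia
Runas_Alias MOLNET = molnet-app

## One alias per application. Each lists the exact argument forms it
## may be invoked with; a pattern like "/usr/bin/MolnetAcmd [A-z]*"
## is avoided because "*" also matches spaces, so extra arguments
## could be appended to the command.
Cmnd_Alias  APP_A = /usr/bin/MolnetAcmd start, /usr/bin/MolnetAcmd stop, \
                    /usr/bin/MolnetAcmd status
Cmnd_Alias  APP_B = /opt/molnet/bin/appb-ctl start, /opt/molnet/bin/appb-ctl stop
Cmnd_Alias  APP_C = /opt/molnet/bin/appc-ctl start, /opt/molnet/bin/appc-ctl stop
Cmnd_Alias  APP_D = /opt/molnet/bin/appd-ctl start, /opt/molnet/bin/appd-ctl stop
Cmnd_Alias  APP_E = /opt/molnet/bin/appe-ctl start, /opt/molnet/bin/appe-ctl stop
Cmnd_Alias  APP_F = /opt/molnet/bin/appf-ctl start, /opt/molnet/bin/appf-ctl stop
Cmnd_Alias  APP_G = /opt/molnet/bin/appg-ctl start, /opt/molnet/bin/appg-ctl stop

## Per-role bundles built from the per-app aliases.
Cmnd_Alias  APPS_DROBERTS = APP_A, APP_B, APP_C, APP_D
Cmnd_Alias  APPS_PHIL     = APP_A, APP_E, APP_F, APP_G
Cmnd_Alias  APPS_ALL      = APP_A, APP_B, APP_C, APP_D, APP_E, APP_F, APP_G

## Each user may run only their bundle, only as molnet-app, only on
## the app servers. No "su - molnet-app" is granted here: a user who
## also matched the APPADMIN/su rule would bypass this partitioning.
droberts SCDMAPPSERVERS = (MOLNET) APPS_DROBERTS
phil     SCDMAPPSERVERS = (MOLNET) APPS_PHIL
eric     SCDMAPPSERVERS = (MOLNET) APPS_ALL

## phil then runs, for example:  sudo -u molnet-app /usr/bin/MolnetAcmd start
## and "sudo -l" shows each user exactly which commands they hold.
```

Check the syntax of the fragment with `visudo -cf <file>` before installing it.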

On Feb 6, 2008 10:39 AM,  <Daniel.Roberts at sanofi-aventis.com> wrote:
> Hello All
> I am seeking some comments on my sudoers file snippet below..
>
> What I am trying to do is allow several select users to administer their
> applications using a local application account and avoid having to give
> the user either full sudo access or the password to the application
> account..
>
> In other words..I want to force user 'droberts' to run the command 'sudo
> su - molnet-app'  which would switch the user over to the molnet-app
> account from which the app work can be done..
>
> Problem though is this..
> How is it possible to partition the responsibility of say applications
> A,B,C and D to 'droberts';  Applications A, E, F and G to 'phil' and
> applications A,B,C,D,E, F and G to my root admin person 'eric'..
>
> I have figured it out for a single group to admin all the app accounts
> (see my sudoers file below) but how can I do something as described as
> above by using the sudoers file without adding additional GIDS?  Does
> the sudo file support a hierarchy of rights for example?
> Does anyone out there have any examples they could forward or have
> suggestions!
> Thanks for any advice!
> Sincerely
> Dan Roberts
>
>
> SAMPLE WORKING /etc/sudoers FILE
>
> ## This file must be edited with the 'visudo' command.
>
> ##############################################################################################################
> ##
> ## Host Aliases
> ## Groups of machines. You may prefer to use hostnames (perhaps using
> ## wildcards for entire domains) or IP addresses instead.
> Host_Alias     SCDMAPPSERVERS = sissenv128p, gaia
> ##
> ##############################################################################################################
>
> ##############################################################################################################
> ##
> ## User Aliases
> ## These aren't often necessary, as you can use regular groups
> ## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname
> ## rather than USERALIAS
> User_Alias APPADMINS = droberts, phil
> ##
> ##############################################################################################################
>
>
> ##############################################################################################################
> ##
> ## Command Aliases
> ## These are groups of related commands...
>
> ## SCDM Specific Application Administration Accounts
> Cmnd_Alias APPADMIN = /bin/su - ccg-app, /bin/su - molnet-app
> ##
> ##############################################################################################################
>
>
> ##############################################################################################################
> ##
> # Defaults specification
> #
> # Disable "ssh hostname sudo <cmd>", because it will show the password in clear.
> #         You have to run "ssh -t hostname sudo <cmd>".
> #
> ## Allow root to run any commands anywhere
> root ALL=(ALL)  ALL
>
> ## Allows members of the 'apps' group to run APPADMIN commands on the SCDMAPPSERVERS
> %apps SCDMAPPSERVERS=APPADMIN