[PLUG] Sudo Access to application accounts...Some thoughts please??

Daniel.Roberts at sanofi-aventis.com Daniel.Roberts at sanofi-aventis.com
Wed Feb 6 20:30:34 UTC 2008


To clarify

Molnet-app is the GCOS name for a specific UID on my system that I use
to install the molnet application..
The same holds true for Applications A,B,C,D,E and etc..

Let's say that the application account names are A-APP, B-APP, C-APP and
so on.
So I would want, for example, to give
Droberts the ability to su to A-APP, su to B-APP and etc.,
while
Phil could only su to E-APP and G-APP for instance,
while my super admin could su to all the given app names above..

And when the user su's over to the given application account such as
A-APP, the person then can run whatever command is required to
maintain/setup the application to which they just sudo'd..
I hope this helps clarify my situation and question a bit.
Thanks
!DAn

-----Original Message-----
From: plug-bounces at lists.pdxlinux.org
[mailto:plug-bounces at lists.pdxlinux.org] On Behalf Of Matt Rae
Sent: Wednesday, February 06, 2008 2:29 PM
To: General Linux/UNIX discussion and help, civil and on-topic
Subject: Re: [PLUG] Sudo Access to application accounts...Some thoughts please??

Does the molnet-app account give access to run a number of apps, for
example A,B,C,D? I don't think after phil has run "sudo su - molnet-app"
it is possible to say, "Well you were originally phil, so you only get
access to A and B".

I think one way you could do this is to have a sudoers like:

    droberts SCDMAPPSERVERS= (molnet-app) A, B, C, D
    phil     SCDMAPPSERVERS= (molnet-app) A, E, F, G
    eric     SCDMAPPSERVERS= (molnet-app) A, B, C, D, E, F, G

where the apps are a full command, like if A was "/usr/bin/MolnetAcmd [A-z]*"

Also from the sudoers man page "Wildcard matching is done via the POSIX
fnmatch(3) routine. Note that these are not regular expressions."

After that if phil wanted to run A, he could use the command

sudo -u molnet-app /usr/bin/MolnetAcmd start

Might not be the best solution but maybe this will get the ball rolling.

Otherwise maybe you can make an account for each app.

Matt Rae

On Feb 6, 2008 10:39 AM,  <Daniel.Roberts at sanofi-aventis.com> wrote:
> Hello All
> I am seeking some comments on my sudoers file snipped below..
>
> What I am trying to do is allow several select users to administer
> their applications using a local application account and avoid having
> to give the user either full sudo access or the password to the
> application account..
>
> In other words..I want to force user 'droberts' to run the command 
> 'sudo su - molnet-app'  which would switch the user over to the 
> molnet-app account from which the app work can be done..
>
> Problem though is this..
> How is it possible to partition the responsibility of say applications
> A,B,C and D to 'droberts';  Applications A, E, F and G to 'phil' and
> applications A,B,C,D,E, F and G to my root admin person 'eric'..
>
> I have figured it out for a single group to admin all the app accounts
> (see my sudoers file below) but how can I do something as described
> above by using the sudoers file without adding additional GIDS?  Does
> the sudo file support a hierarchy of rights for example?
> Does anyone out there have any examples they could forward or have
> suggestions!
> Thanks for any advice!
> Sincerely
> Dan Roberts
>
>
> SAMPLE WORKING /etc/sudoers FILE
>
> ## This file must be edited with the 'visudo' command.
>
> ####################################################################################
> ##
> ## Host Aliases
> ## Groups of machines. You may prefer to use hostnames (perhaps using
> ## wildcards for entire domains) or IP addresses instead.
> Host_Alias     SCDMAPPSERVERS = sissenv128p, gaia
> ##
> ####################################################################################
>
> ####################################################################################
> ##
> ## User Aliases
> ## These aren't often necessary, as you can use regular groups
> ## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname
> ## rather than USERALIAS
> User_Alias APPADMINS = droberts, phil
> ##
> ####################################################################################
>
> ####################################################################################
> ##
> ## Command Aliases
> ## These are groups of related commands...
>
> ## SCDM Specific Application Administration Accounts
> Cmnd_Alias APPADMIN = /bin/su - ccg-app, /bin/su - molnet-app
> ##
> ####################################################################################
>
> ####################################################################################
> ##
> # Defaults specification
> #
> # Disable "ssh hostname sudo <cmd>", because it will show the password
> # in clear.
> #         You have to run "ssh -t hostname sudo <cmd>".
> #
> ## Allow root to run any commands anywhere
> root ALL=(ALL)  ALL
>
> ## Allows members of the 'apps' group to run APPADMIN commands on the
> ## SCDMAPPSERVERS
> %apps SCDMAPPSERVERS=APPADMIN
>
> _______________________________________________
> PLUG mailing list
> PLUG at lists.pdxlinux.org
> http://lists.pdxlinux.org/mailman/listinfo/plug
>
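An added example (not from the thread or from either poster) of a sudoers fragment that does the partition Dan asks for, using one application account per app as he describes in his clarification and the droberts/phil/eric split from his original mail; the host alias is the one from Dan's file, while the account names A-APP..G-APP, the MOLNET_CTL alias and the start/stop arguments are assumed.

```sudoers
## Added example, not the thread's own file. Edit only with visudo.
## Assumed: one UNIX account per application, named A-APP .. G-APP.
Host_Alias  SCDMAPPSERVERS = sissenv128p, gaia

## One Runas_Alias per person, listing the app accounts they may become.
Runas_Alias DROBERTS_APPS = A-APP, B-APP, C-APP, D-APP
Runas_Alias PHIL_APPS     = A-APP, E-APP, F-APP, G-APP
Runas_Alias ALL_APPS      = A-APP, B-APP, C-APP, D-APP, E-APP, F-APP, G-APP

## Each user may run anything, but only as the listed app accounts and
## only on the app servers; nobody gets root and nobody learns the app
## account's password. A login shell is obtained with: sudo -u A-APP -i
droberts SCDMAPPSERVERS = (DROBERTS_APPS) ALL
phil     SCDMAPPSERVERS = (PHIL_APPS)     ALL
eric     SCDMAPPSERVERS = (ALL_APPS)      ALL

## Tighter variant for a single account (assumed command set): grant the
## maintenance commands themselves rather than a shell, so every use is
## one logged sudo invocation. Invoked as: sudo -u molnet-app /usr/bin/MolnetAcmd start
Cmnd_Alias MOLNET_CTL = /usr/bin/MolnetAcmd start, /usr/bin/MolnetAcmd stop
phil     SCDMAPPSERVERS = (molnet-app) MOLNET_CTL
```

Listing the exact argument forms is preferable to a pattern such as "[A-z]*": sudoers matches the whole argument string with fnmatch(3), so a "*" also matches across spaces and admits any further arguments.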