|Home||Switchboard||Unix Administration||Red Hat||TCP/IP Networks||Neoliberalism||Toxic Managers|
|May the source be with you, but remember the KISS principle ;-)|
|News||Recommended Links||Sudo (superuser do)||Access Control in Operating Systems||Introduction to Role-based Access Control|
|Enterprise Unix System Administration||HP-UX Precompiled open source software||RPM on HP-UX||Bash on HP-UX||History||Humor||Etc|
Like Solaris HP-UX implements RBAC. RBAC is an alternative to the traditional "all-or-nothing" root user model, which grants permissions to the root user for all operations, and denies permissions to non-root users for certain operations. HP-UX RBAC allows you to distribute administrative responsibilities by creating roles with appropriate authorizations and assigning them to non-root users and groups. See HP-UX System Administrator's Guide: Security Management
That means that sudo functionality can be implemented natively in HP-UX using RBAC and you do not need to install additional package.The HP-UX RBAC main components are very close to the original Solaris implmentation:
Still sudo has such an entrenched role that people seldom do this. Most sysadmin who administer several different flavors of Unix tend to install classic sudo implementation.
Go to http://software.hp.com/ and search for sudo. ixSudo one of the bundles available as part of the Internet Express package... just select the one for the version of HP-UX you are running and you are good to go. he only slightly weird thing about it that the sudoers file is actually stored in /opt/iexpress/sudo/etc. Create a symlink to /etc/sudoers to access the file from usual location.
IT Resource Center forums
Author Subject: Sudoers file ozas Jan 21, 2011 15:20:13 GMTHi,
Please just a quick one. Does any one know how I can restrict users from being able to switch to root in sudoers file?? Presently the users are defined in the sudoers file and could switch to another user without password but I do not want them to be able to switch to root.
Note: If you are the author of this question and wish to assign points to any of the answers, please login first.For more information on assigning points ,click here
Patrick Wallek Jan 21, 2011 15:35:32 GMT UnassignedUse a command alias like this:
Cmnd_Alias SU=!/usr/bin/su ‚?�, !/usr/bin/su *root*
Add this to each user and they should not be able to su to root.
ozas Jan 21, 2011 16:01:41 GMT N/A: Question AuthorI have tried that before it did not work. See below my sudoers file, maybe I need to change anything.
This is the sudoers file:
User_Alias WAS = g343ahe,m017ahe,y073ahe,y072ahe,h234ahe,r019ahe,r032ahe
User_Alias SUPPORT = d060ahe,h070ahe,s029ahe
#User privilege specification root ALL=(ALL) ALL SUPPORT ALL=(ALL) ALL SUPPORT ALL=(ALL) NOPASSWD: ALL WAS ALL=(ALL) NOPASSWD: ALL WAS ALL=/usr/bin/su - wasdevadmin,/bin/su - wasdevadmin
What I want is that the users in WAS should not be ble to switch to root, but they should be able to switch to user "wasdevadmin". Only users in SUPPORT should be able to switch to root.
Jeff Traigle, CSE - HP-UX Jan 21, 2011 16:14:48 GMT Unassigned> WAS ALL=(ALL) NOPASSWD: ALL > WAS ALL=/usr/bin/su - wasdevadmin,/bin/su - wasdevadmin
The first line is saying to allow the WAS users to run any command on any host as any user. The second line is redundantly saying to allow WAS users to run the su commands specified on all hosts as root. You don't have anything restricting them from running su to root as a previous post stated to do.
Patrick Wallek Jan 21, 2011 16:15:34 GMT UnassignedWhat about the following:
WAS ALL=!/usr/bin/su -, !/usr/bin/su *root*, /usr/bin/su - wasdevadmin,/bin/su - wasdevadmin
You also have 2 lines for WAS. I don't remember which will take priority, but the 2 may be conflicting.
What happens if you comment out the first WAS line?
ofure Jan 21, 2011 17:18:22 GMT UnassignedThanks for your prompt reply. This has partly resolved the issue. At least users in WAS cannot su to root again but now the WAS cannot switch to wasdevadmin user. I want a situation where they can switch to wasdevadmin without been prompted for a password.
Patrick Wallek Jan 21, 2011 17:52:13 GMT UnassignedWhat does your sudoers file look like now?
Matti Kurkela Jan 21, 2011 21:06:34 GMT Unassigned> I want a situation where they [= the users in sudo group WAS] can switch to wasdevadmin without been prompted for a password.
You need this line in your sudoers file:
WAS ALL=(wasdevadmin) NOPASSWD: ALL
Then tell your users to use the sudo command like this:
sudo -H -u wasdevadmin -i (to run a shell as wasdevadmin; equivalent to "sudo su - wasdevadmin")
...or like this:
sudo -H -u wasdevadmin <command> (to run <command> as wasdevadmin and then continue the session as themselves)
ofure Jan 22, 2011 11:41:47 GMT Unassigned
Below is how my sudoers file now look:
User_Alias WAS = g343ahe,m017ahe,y073ahe,y072ahe,h234ahe,r019ahe
User_Alias SUPPORT = d060ahe,h070ahe,s029ahe #User privilege specification root ALL=(ALL) ALL SUPPORT ALL=(ALL) ALL SUPPORT ALL=(ALL) NOPASSWD: ALL WAS ALL=!/usr/bin/su -, !/usr/bin/su *root*, /usr/bin/su - wasdevadmin,/bin/su - wasdevadmin WAS ALL=(wasdevadmin) NOPASSWD: ALL
But the users in WAS still cannot switch to wasdevadmin account. I want the users in WAS to be able to do this without prompting for password. Thanks. Regards.
INH Jan 23, 2011 04:54:27 GMT Unassigned
Remove the user name you dont wantthem to do sudo to root in sudoers file
if you have to grant specfic access you can grant in sudoers file for required users. by defining user alis, command alias and host alias for those users
ofure Jan 24, 2011 11:13:23 GMT Unassigned;The challenge I have now is that I want the users in WAS to be able to switch to the account wasdevadmin without prompting for password. I have tried this below but did not work.
WAS ALL=(wasdevadmin) NOPASSWD: ALL
Matti Kurkela Jan 24, 2011 15:49:55 GMT Unassigned
> WAS ALL=(wasdevadmin) NOPASSWD: ALL
When you use this sudoers line, your user *must* use "sudo -u wasdevadmin -i" or similar sudo command to become wasdevadmin. The "-H" option is optional, but probably in line with the user's expectations.
With this sudoers line, a command like "sudo su wasdevadmin" or "sudo su - wasdevadmin" will *not* work. This is because these commands first use sudo to become root, then use su to become the target user. Sudo can do it in one step - but it requires that the user uses the correct syntax.
ofure Feb 17, 2011 10:37:51 GMT UnassignedHi All,
When I type this: sudo -u wasdevadmin -i it works without prompting me for password but it is a long command. I want to be able to type su - wasdevadmin and for it to call up sudo -u wasdevadmin -i
Presently, I have this configuration:
#cd /bin # ls -l su* root root 45 Feb 16 17:17 su root root 28336 Oct 30 2008 su.original
# cat su sudo su.original $@
So presently when I type su -, it call up sudo su.original, which works fine for my switching to root access. How can I also have: "sudo -u wasdevadmin -i" equal to "su - wasdevadmin"
ofure Feb 17, 2011 12:24:30 GMT Unassigned
I have resolved this by creating an alias for wasdevadmin.
Tags: Sudo, Sudo for HPUX
Jun 3, 2008
My HP-UX (11.23) didn't come with sudo on it.
Is there a reliable source, which I can download it from?
Go to http://software.hp.com/ and search for sudo. ixSudo one of the bundles available as part of the Internet Express package... just select the one for the OS revision you're running.
Download ixSudo - part of Internet Express package - http://h20293.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=HPUXIEXP1123
1. You download only the portions of the Internet Express package that you want. If you just want sudo, then just download ixSudo from the Internet Express download page.
2. Configuration is the same. It's still sudo. HP just built it and packaged it. The only slightly weird thing about it that the sudoers file is actually stored in /opt/iexpress/sudo/etc. There is a symlink, /etc/sudoers, that points to it.
Groupthink : Two Party System as Polyarchy : Corruption of Regulators : Bureaucracies : Understanding Micromanagers and Control Freaks : Toxic Managers : Harvard Mafia : Diplomatic Communication : Surviving a Bad Performance Review : Insufficient Retirement Funds as Immanent Problem of Neoliberal Regime : PseudoScience : Who Rules America : Neoliberalism : The Iron Law of Oligarchy : Libertarian Philosophy
War and Peace : Skeptical Finance : John Kenneth Galbraith :Talleyrand : Oscar Wilde : Otto Von Bismarck : Keynes : George Carlin : Skeptics : Propaganda : SE quotes : Language Design and Programming Quotes : Random IT-related quotes : Somerset Maugham : Marcus Aurelius : Kurt Vonnegut : Eric Hoffer : Winston Churchill : Napoleon Bonaparte : Ambrose Bierce : Bernard Shaw : Mark Twain Quotes
Vol 25, No.12 (December, 2013) Rational Fools vs. Efficient Crooks The efficient markets hypothesis : Political Skeptic Bulletin, 2013 : Unemployment Bulletin, 2010 : Vol 23, No.10 (October, 2011) An observation about corporate security departments : Slightly Skeptical Euromaydan Chronicles, June 2014 : Greenspan legacy bulletin, 2008 : Vol 25, No.10 (October, 2013) Cryptolocker Trojan (Win32/Crilock.A) : Vol 25, No.08 (August, 2013) Cloud providers as intelligence collection hubs : Financial Humor Bulletin, 2010 : Inequality Bulletin, 2009 : Financial Humor Bulletin, 2008 : Copyleft Problems Bulletin, 2004 : Financial Humor Bulletin, 2011 : Energy Bulletin, 2010 : Malware Protection Bulletin, 2010 : Vol 26, No.1 (January, 2013) Object-Oriented Cult : Political Skeptic Bulletin, 2011 : Vol 23, No.11 (November, 2011) Softpanorama classification of sysadmin horror stories : Vol 25, No.05 (May, 2013) Corporate bullshit as a communication method : Vol 25, No.06 (June, 2013) A Note on the Relationship of Brooks Law and Conway Law
Fifty glorious years (1950-2000): the triumph of the US computer engineering : Donald Knuth : TAoCP and its Influence of Computer Science : Richard Stallman : Linus Torvalds : Larry Wall : John K. Ousterhout : CTSS : Multix OS Unix History : Unix shell history : VI editor : History of pipes concept : Solaris : MS DOS : Programming Languages History : PL/1 : Simula 67 : C : History of GCC development : Scripting Languages : Perl history : OS History : Mail : DNS : SSH : CPU Instruction Sets : SPARC systems 1987-2006 : Norton Commander : Norton Utilities : Norton Ghost : Frontpage history : Malware Defense History : GNU Screen : OSS early history
The Peter Principle : Parkinson Law : 1984 : The Mythical Man-Month : How to Solve It by George Polya : The Art of Computer Programming : The Elements of Programming Style : The Unix Haterís Handbook : The Jargon file : The True Believer : Programming Pearls : The Good Soldier Svejk : The Power Elite
Most popular humor pages:
Manifest of the Softpanorama IT Slacker Society : Ten Commandments of the IT Slackers Society : Computer Humor Collection : BSD Logo Story : The Cuckoo's Egg : IT Slang : C++ Humor : ARE YOU A BBS ADDICT? : The Perl Purity Test : Object oriented programmers of all nations : Financial Humor : Financial Humor Bulletin, 2008 : Financial Humor Bulletin, 2010 : The Most Comprehensive Collection of Editor-related Humor : Programming Language Humor : Goldman Sachs related humor : Greenspan humor : C Humor : Scripting Humor : Real Programmers Humor : Web Humor : GPL-related Humor : OFM Humor : Politically Incorrect Humor : IDS Humor : "Linux Sucks" Humor : Russian Musical Humor : Best Russian Programmer Humor : Microsoft plans to buy Catholic Church : Richard Stallman Related Humor : Admin Humor : Perl-related Humor : Linus Torvalds Related humor : PseudoScience Related Humor : Networking Humor : Shell Humor : Financial Humor Bulletin, 2011 : Financial Humor Bulletin, 2012 : Financial Humor Bulletin, 2013 : Java Humor : Software Engineering Humor : Sun Solaris Related Humor : Education Humor : IBM Humor : Assembler-related Humor : VIM Humor : Computer Viruses Humor : Bright tomorrow is rescheduled to a day after tomorrow : Classic Computer Humor
The Last but not Least
Copyright © 1996-2018 by Dr. Nikolai Bezroukov. www.softpanorama.org was initially created as a service to the (now defunct) UN Sustainable Development Networking Programme (SDNP) in the author free time and without any remuneration. This document is an industrial compilation designed and created exclusively for educational use and is distributed under the Softpanorama Content License. Original materials copyright belong to respective owners. Quotes are made for educational purposes only in compliance with the fair use doctrine.
FAIR USE NOTICE This site contains copyrighted material the use of which has not always been specifically authorized by the copyright owner. We are making such material available to advance understanding of computer science, IT technology, economic, scientific, and social issues. We believe this constitutes a 'fair use' of any such copyrighted material as provided by section 107 of the US Copyright Law according to which such material can be distributed without profit exclusively for research and educational purposes.
This is a Spartan WHYFF (We Help You For Free) site written by people for whom English is not a native language. Grammar and spelling errors should be expected. The site contain some broken links as it develops like a living tree...
|You can use PayPal to make a contribution, supporting development of this site and speed up access. In case softpanorama.org is down you can use the at softpanorama.info|
The statements, views and opinions presented on this web page are those of the author (or referenced source) and are not endorsed by, nor do they necessarily reflect, the opinions of the author present and former employers, SDNP or any other organization the author may be associated with. We do not warrant the correctness of the information provided or its fitness for any purpose.
Last modified: September 12, 2017