SUMMARY: can't do "sudo -s" on hardened box

2007-12-25 4:48:00

Hi,

Thanks to all the helpful replies: just FYI, I've been
using "visudo" instead of just "vi /etc/sudoers" all this
while, and a couple of people suggested that using vi can
corrupt the sudoers file such that it will refuse to work.

However, it's Bill Steeple who got the "spot-on" answer
(which I've appended below). I thought "!SHELLS" in
the /etc/sudoers file was just a comment/remark, but it's not.


Thanks,
G Sun


=====================================

Doesn't your sudoers file state...

%helpdesk ALL=ALL, !SHELLS

Anyone in the HELPDESK group cannot run anything in the SHELLS file, and
since you are using 'sudo -s', which calls sudo and passes the SHELL
command to it, you are basically stating that the user 9gohpo (who is in
the groups smcadmin and helpdesk) will not be able to run any of the
shells listed in the /etc/shells file.

Remove your user account from the HELPDESK group and then try it again.
This should remove the more restrictive settings you have for the
HELPDESK group.

Bill

---------------Original Message---------------

From: Gold Sun [mailto:goldsun8 at yahoo.com.sg]
Sent: Thu 4/14/2005 8:39 PM
To: codeprof at codeprof.com
Cc:
Subject: Partial Summary: can't do "sudo -s" on hardened box

Hi All,

The problem is that my colleague's id on the same server
is OK (i.e. he could do 'sudo -s').

Yes, /usr/bin/ksh is in /etc/shells :
# more shells
/bin/sh
/bin/csh
/bin/ksh
/usr/bin/sh
/usr/bin/csh
/usr/bin/ksh
/bin/false
/sbin/sh
/usr/local/bin/bash

I've also tried Frank's suggestion in /etc/sudoers :
root ALL=(ALL) ALL
9gohpo ALL=(ALL) ALL
%smcadmin ALL=ALL
%helpdesk ALL=ALL, !SHELLS

but I'm still getting the message :
Sorry, user 9gohpo is not allowed to execute '/usr/bin/ksh' as
root on sp01qtt02ist5s5
when doing 'sudo -s'

Is there some daemon that I must restart for it to take
effect? I've placed my id under both the smcadmin &
helpdesk groups in /etc/group.

Thanks
G Sun
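As an added example (not from this thread), the Python below evaluates a sudoers fragment the way sudo does, last matching entry wins, to show why the trailing `%helpdesk ALL=ALL, !SHELLS` line denies /usr/bin/ksh to 9gohpo even though an earlier line grants ALL, and why dropping the helpdesk group fixes it. The `Cmnd_Alias SHELLS` definition is an assumption, since the thread only shows the alias being referenced.

```python
import re

# Constructed sudoers fragment modelled on the thread. The Cmnd_Alias line is an
# assumption: the thread only shows "!SHELLS" being referenced, not defined.
SUDOERS = """
Cmnd_Alias SHELLS = /bin/sh, /bin/csh, /bin/ksh, /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh, /usr/local/bin/bash
root ALL=(ALL) ALL
9gohpo ALL=(ALL) ALL
%smcadmin ALL=ALL
%helpdesk ALL=ALL, !SHELLS
"""

def parse(text):
    """Return [(user_or_%group, [(negated, [commands])])] in file order."""
    aliases, rules = {}, []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("Cmnd_Alias"):
            name, cmds = line[len("Cmnd_Alias"):].split("=", 1)
            aliases[name.strip()] = [c.strip() for c in cmds.split(",")]
            continue
        who, spec = line.split(None, 1)
        # Keep only the command list: drop "host=" and an optional "(runas)".
        cmnd_list = re.sub(r"^\([^)]*\)\s*", "", spec.split("=", 1)[1].strip())
        entries = []
        for item in cmnd_list.split(","):
            item = item.strip()
            negated = item.startswith("!")
            name = item.lstrip("!").strip()
            entries.append((negated, aliases.get(name, [name])))
        rules.append((who, entries))
    return rules

def allowed(rules, user, groups, command):
    """sudo evaluates every matching entry in order and the last match wins,
    so a trailing '!SHELLS' overrides an earlier 'ALL' for commands in it."""
    verdict = False
    for who, entries in rules:
        if who.startswith("%"):
            if who[1:] not in groups:
                continue
        elif who != user:
            continue
        for negated, cmds in entries:
            if "ALL" in cmds or command in cmds:
                verdict = not negated
    return verdict

RULES = parse(SUDOERS)

if __name__ == "__main__":
    # 'sudo -s' runs $SHELL, here /usr/bin/ksh, as root.
    print(allowed(RULES, "9gohpo", {"smcadmin", "helpdesk"}, "/usr/bin/ksh"))  # False
    print(allowed(RULES, "9gohpo", {"smcadmin"}, "/usr/bin/ksh"))              # True
```

This toy ignores host matching, runas lists and wildcards, so it only illustrates the ordering rule; use `sudo -l -U user` on the real box to see the verdict sudo itself reaches.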
