Bug 650

Hi Todd,

user knuckles is supposed to be able to run selected commands as user oracle on ttmsd01 only, without being prompted for a password.  Looks like I have it specified correctly when I verify with sudo -l:

root@ttmsd01:/root >su - knuckles
knuckles@ttmsd01:/home/knuckles >sudo -l
Matching Defaults entries for knuckles on this host:
    always_set_home, ignore_local_sudoers, insults, log_output, log_year, logfile=/var/adm/sudo.log, !env_reset, !lecture, !listpw, !set_logname, !syslog, !visiblepw

User knuckles may run the following commands on this host:
    (oracle) NOPASSWD: /bin/rm, /usr/bin/rm, /u00/app/oracle/local/bin/*.sh, /u00/app/oracle/local/bin/*.ksh, /u00/app/oracle/backup/scripts/*, /u00/app/oracle/backup/scripts/splitsville/*, /usr/oracle/local/bin/rebuild_indexes.sh

I write a simple script named /u00/app/oracle/local/bin/hello.sh:

knuckles@ttmsd01:/home/knuckles >cat /u00/app/oracle/local/bin/hello.sh
#!/usr/bin/ksh
echo "hello.  I am `whoami`"

It's executable by oracle:
knuckles@ttmsd01:/home/knuckles >ls -al /u00/app/oracle/local/bin/hello.sh
-rwxr-x--- 1 oracle dba 44 May 22 10:50 /u00/app/oracle/local/bin/hello.sh

Yet, I am unable to try to run it as user oracle with sudo -u option:

knuckles@ttmsd01:/home/knuckles >sudo -u oracle /u00/app/oracle/local/bin/hello.sh
local Password:
Sorry, user knuckles is not allowed to execute '/u00/app/oracle/local/bin/hello.sh' as root on ttmsd01.
Request rejected by Privilege Manager

First it prompts for a password, which it shouldn't be, but once I give it knuckles' password, it seems that it didn't properly parse the -u option becuase it says not allowed to execute as root.  That is accurate, but I was trying to execute as oracle.

Now on the same system, I have another user with nearly the identical specification, except in sudoers I had to specify a global default runas specification to run as oracle because the userID is used on many servers.

sudo -l looks the same except for the defaults section, last entry:

root@ttmsd01:/root >su  - uoradbt
UORADBT@TTMSD01(49)  /home/uoradbt
>sudo -l
Matching Defaults entries for uoradbt on this host:
    always_set_home, ignore_local_sudoers, insults, log_output, log_year, logfile=/var/adm/sudo.log, !env_reset, !lecture, !listpw, !set_logname, !syslog, !visiblepw, runas_default=oracle

User uoradbt may run the following commands on this host:
    (oracle) NOPASSWD: /bin/rm, /usr/bin/rm, /u00/app/oracle/local/bin/*.sh, /u00/app/oracle/local/bin/*.ksh, /u00/app/oracle/backup/scripts/*, /u00/app/oracle/backup/scripts/splitsville/*, /usr/oracle/local/bin/rebuild_indexes.sh

This user can run the script with no problem:

UORADBT@TTMSD01(50)  /home/uoradbt
>sudo -u oracle /u00/app/oracle/local/bin/hello.sh
hello.  I am oracle

I understand how uoradbt is able to work.  I mean, each implementation should work, but I am stumped why knuckles does not?  It seems like sudo -u is being ignored?  I also tried it with a UID number instead of a userID:

knuckles@ttmsd01:/home/knuckles >sudo -u \#1001 /u00/app/oracle/local/bin/hello.sh
local Password:
Sorry, user knuckles is not allowed to execute '/u00/app/oracle/local/bin/hello.sh' as root on ttmsd01.
Request rejected by Privilege Manager

Sudo is v1.8.7 on AIX 6.1.  Also qpm is part of the equation:

knuckles@ttmsd01:/home/knuckles >sudo -V
Sudo version 1.8.7
pmplugin policy_plugin 5.6.0 (040)
pmplugin io_plugin 5.6.0 (040)

Any help is appreciated.  I'm stumped.  Thank you very much for your time.