Bug 650 - sudo -u not behaving as expected
Status: RESOLVED INVALID
Product: Sudo
Classification: Unclassified
Component: Sudo
Version: 1.8.7
Hardware: IBM AIX
Importance: low normal
Assigned To: Todd C. Miller
Reported: 2014-05-28 15:54 MDT by jeff.ress
Modified: 2014-09-24 10:18 MDT (History)
Description jeff.ress 2014-05-28 15:54:33 MDT
Hi Todd,

user knuckles is supposed to be able to run selected commands as user oracle on ttmsd01 only, without being prompted for a password.  Looks like I have it specified correctly when I verify with sudo -l:

root@ttmsd01:/root >su - knuckles
knuckles@ttmsd01:/home/knuckles >sudo -l
Matching Defaults entries for knuckles on this host:
    always_set_home, ignore_local_sudoers, insults, log_output, log_year, logfile=/var/adm/sudo.log, !env_reset, !lecture, !listpw, !set_logname, !syslog, !visiblepw

User knuckles may run the following commands on this host:
    (oracle) NOPASSWD: /bin/rm, /usr/bin/rm, /u00/app/oracle/local/bin/*.sh, /u00/app/oracle/local/bin/*.ksh, /u00/app/oracle/backup/scripts/*, /u00/app/oracle/backup/scripts/splitsville/*, /usr/oracle/local/bin/rebuild_indexes.sh

I write a simple script named /u00/app/oracle/local/bin/hello.sh:

knuckles@ttmsd01:/home/knuckles >cat /u00/app/oracle/local/bin/hello.sh
#!/usr/bin/ksh
echo "hello.  I am `whoami`"

It's executable by oracle:
knuckles@ttmsd01:/home/knuckles >ls -al /u00/app/oracle/local/bin/hello.sh
-rwxr-x--- 1 oracle dba 44 May 22 10:50 /u00/app/oracle/local/bin/hello.sh

Yet, I am unable to try to run it as user oracle with sudo -u option:

knuckles@ttmsd01:/home/knuckles >sudo -u oracle /u00/app/oracle/local/bin/hello.sh
local Password:
Sorry, user knuckles is not allowed to execute '/u00/app/oracle/local/bin/hello.sh' as root on ttmsd01.
Request rejected by Privilege Manager

First it prompts for a password, which it shouldn't, but once I give it knuckles' password, it seems that it didn't properly parse the -u option because it says not allowed to execute as root.  That is accurate, but I was trying to execute as oracle.

Now on the same system, I have another user with nearly the identical specification, except in sudoers I had to specify a global default runas specification to run as oracle because the userID is used on many servers.

sudo -l looks the same except for the defaults section, last entry:

root@ttmsd01:/root >su  - uoradbt
UORADBT@TTMSD01(49)  /home/uoradbt
>sudo -l
Matching Defaults entries for uoradbt on this host:
    always_set_home, ignore_local_sudoers, insults, log_output, log_year, logfile=/var/adm/sudo.log, !env_reset, !lecture, !listpw, !set_logname, !syslog, !visiblepw, runas_default=oracle

User uoradbt may run the following commands on this host:
    (oracle) NOPASSWD: /bin/rm, /usr/bin/rm, /u00/app/oracle/local/bin/*.sh, /u00/app/oracle/local/bin/*.ksh, /u00/app/oracle/backup/scripts/*, /u00/app/oracle/backup/scripts/splitsville/*, /usr/oracle/local/bin/rebuild_indexes.sh

This user can run the script with no problem:

UORADBT@TTMSD01(50)  /home/uoradbt
>sudo -u oracle /u00/app/oracle/local/bin/hello.sh
hello.  I am oracle

I understand how uoradbt is able to work.  I mean, each implementation should work, but I am stumped why knuckles does not.  It seems like sudo -u is being ignored?  I also tried it with a UID number instead of a userID:

knuckles@ttmsd01:/home/knuckles >sudo -u \#1001 /u00/app/oracle/local/bin/hello.sh
local Password:
Sorry, user knuckles is not allowed to execute '/u00/app/oracle/local/bin/hello.sh' as root on ttmsd01.
Request rejected by Privilege Manager

Sudo is v1.8.7 on AIX 6.1.  Also qpm is part of the equation:

knuckles@ttmsd01:/home/knuckles >sudo -V
Sudo version 1.8.7
pmplugin policy_plugin 5.6.0 (040)
pmplugin io_plugin 5.6.0 (040)

Any help is appreciated.  I'm stumped.  Thank you very much for your time.
Comment 1 Todd C. Miller 2014-05-30 08:12:59 MDT
That sounds like a bug in QPM4Sudo.
Comment 2 jeff.ress 2014-05-31 07:34:41 MDT
I don't know why I didn't try this sooner, but I unjoined the server from qpm, put the central sudoers file in place locally, and was able to verify that everything works as expected with sudo -u when qpm is taken out of the equation.  I will open a support case with Dell.  Thanks Todd.
Comment 3 Todd C. Miller 2014-09-24 10:18:07 MDT
Closing as this was a bug in QPM4Sudo not in sudo itself.
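The report turns on one rule from sudoers(5): a privilege line of the form `(oracle) NOPASSWD: ...` permits the listed commands only when the target user is `oracle`, and the target is whatever `-u` names, falling back to `runas_default` and otherwise to root. The following added example (written for this page, not sudo's or QPM's code) models that decision over the two `sudo -l` lines quoted in the report, so the expected outcomes can be checked offline: `knuckles -u oracle hello.sh` is allowed without a password, `knuckles hello.sh` with no `-u` is denied "as root", and `uoradbt hello.sh` is allowed because `runas_default=oracle` supplies the target. It assumes the documented behaviour that a wildcard in a path never matches `/`, that sudo authenticates before reporting a denial, and it does not model command arguments or the `#uid` form of `-u`.

```python
import re
from dataclasses import dataclass

# Constructed input: the "User ... may run the following commands" lines as
# 'sudo -l' printed them in the bug report, keyed by the invoking user.
_CMDS = ("/bin/rm, /usr/bin/rm, /u00/app/oracle/local/bin/*.sh, "
         "/u00/app/oracle/local/bin/*.ksh, /u00/app/oracle/backup/scripts/*, "
         "/u00/app/oracle/backup/scripts/splitsville/*, "
         "/usr/oracle/local/bin/rebuild_indexes.sh")
PRIVILEGE_LINES = {
    "knuckles": "(oracle) NOPASSWD: " + _CMDS,
    "uoradbt": "(oracle) NOPASSWD: " + _CMDS,
}
# runas_default from each user's Defaults line in the report: uoradbt has
# runas_default=oracle, knuckles has none, so sudo's built-in default (root) applies.
RUNAS_DEFAULT = {"uoradbt": "oracle"}


@dataclass
class Rule:
    runas_users: list   # users allowed after "(...)"
    tags: list          # e.g. ["NOPASSWD"]
    commands: list      # command patterns (arguments are not modelled here)


@dataclass
class Decision:
    allowed: bool
    password_required: bool
    runas: str


def parse_privilege(line: str) -> Rule:
    """Split one 'sudo -l' privilege line into runas list, tags and command patterns."""
    m = re.match(r"\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.*)$", line)
    if m is None:
        raise ValueError("unrecognised privilege line: " + line)
    users = m.group("runas").split(":")[0]   # drop an optional ": group" part
    return Rule(
        runas_users=[u.strip() for u in users.split(",") if u.strip()],
        tags=re.findall(r"[A-Z]+", m.group("tags")),
        commands=[c.strip() for c in m.group("cmds").split(",") if c.strip()],
    )


def _glob_to_regex(pattern: str) -> str:
    # sudoers(5): in a path name, '*' and '?' do not match a forward slash.
    escaped = re.escape(pattern)
    return "^" + escaped.replace(r"\*", "[^/]*").replace(r"\?", "[^/]") + "$"


def command_matches(pattern: str, command: str) -> bool:
    return re.match(_glob_to_regex(pattern), command) is not None


def decide(user: str, command: str, runas: str = None) -> Decision:
    """Model the policy decision for `sudo [-u runas] command` run by `user`.

    The target user is -u if given, else runas_default, else root. A denial is
    reported with password_required=True because sudo authenticates the caller
    before printing "Sorry, user ... is not allowed ...".
    """
    target = runas or RUNAS_DEFAULT.get(user, "root")
    rule = parse_privilege(PRIVILEGE_LINES[user])
    if target not in rule.runas_users and "ALL" not in rule.runas_users:
        return Decision(False, True, target)
    if not any(command_matches(p, command) for p in rule.commands):
        return Decision(False, True, target)
    return Decision(True, "NOPASSWD" not in rule.tags, target)


if __name__ == "__main__":
    script = "/u00/app/oracle/local/bin/hello.sh"
    print("knuckles -u oracle:", decide("knuckles", script, "oracle"))
    print("knuckles (no -u):  ", decide("knuckles", script))
    print("uoradbt (no -u):   ", decide("uoradbt", script))
```

The second case is the only way plain sudo produces the "as root" denial seen in the report: the target user must have been root, so `-u oracle` never reached the policy decision. Running the same three commands on a host where `sudo -V` lists only the stock sudoers plugin (as the reporter did after leaving QPM) is the quickest way to separate a sudo policy problem from a plugin problem.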