Skip to main content

sudo - why do you torture me so.. ;-)

sudo is certainly one of the most important aspects of *nix administration.
Recently I had been tasked with allowing a number of individual users (which we could have created an OS group to contain) to sudo to another user, without a password.  That user should then be able to run some specific commands, also without a password.

NOTE:  If you happen across this post, and know of a better way to do this, feel free to correct me.  This just happened to have worked for me and seemed clean and easy to follow.

This is what I had come up with:


/* Allow APPUSERS (techies) to
        su to approot without a password
    Allow approot to
        run specific commands without a password
        on APPHOSTS (localhost)
*/

[root@localhost ~] # adduser approot
[root@localhost ~] # visudo

## TESTING
## ALIASES
Host_Alias      APPHOSTS = cypher,cypher.matrix.private
User_Alias      APPUSERS = techies,user1
Cmnd_Alias      APPCMND = /usr/bin/systemctl restart ntpd.service, /bin/cat /etc/shadow
Cmnd_Alias     APPSUDOALL = ALL

## SUDO COMMANDS
APPUSERS ALL = NOPASSWD: /bin/su - approot
approot APPHOSTS = NOPASSWD: APPCMND, APPSUDOALL

[root@cypher ~]# su - techies
-bash-4.2$ sudo /bin/su - approot
[approot@cypher ~]$ sudo cat /etc/shadow
root:$6$zH.........



Labels:

Comments

Post a Comment

Popular posts from this blog

PXE boot a LiveCD image

Summary: I have wanted to build a kickstart environment which hosted a "rescue CD" or LiveCD to allow you to boot over the network after you blew your stuff up and needed to repair a few things.  Today I have worked through a method of doing so, with the help of the people who published a succinct script with the Red Hat Enterprise Virtualization Hypervisor.  (the script will be at the bottom of this post - if I have somehow not followed the GPL, please let me know and I will correct whatever is necessary) NOTE/Warning: The boot will fail due the initrd being too large (645mb).  I'm not sure how to proceed.  This procedure worked for RHEVh, because it is quite a bit smaller.  Hopefully I can report back with progress on this? :-$ Procedure: download your LiveCD image to /export/isos/RESCUE/Fedora-16-i686-Live-Desktop.iso # cd /var/tmp # vi livecd-iso-to-pxeboot (populate the file with the script shown below) # chmod 754 ./livecd-iso-to-pxeb...
2 comments
Read more

"Error getting authority: Error initializing authority: Could not connect: No such file or directory (g-io-error-quark, 1)"

"Error getting authority: Error initializing authority: Could not connect: No such file or directory (g-io-error-quark, 1)" One issue that may cause this to arise is if you managed to break your /etc/fstab We had an engineer add a line with the intended options of "nfsvers=3" but instead added "-onfsvers=3" and it broke the system fairly catastrophically.
Post a Comment
Read more

P2V using dd for KVM-QEMU guest

Preface: I have certainly not exhaustively tested this process.  I had a specific need and found a specific solution that worked. Situation:  I was issued a shiny new laptop running Red Hat Enterprise Linux 7 (with Corp VPN, certs, Authentication configuration, etc...)  The image was great, but I needed more flexibility on my bare metal.  So, my goal was to P2V the corporate image so I could just run it as a VM. * Remove corporate drive and install new SSD * install corp drive in external USB-3 case * Install RHEL 7 on new SSD * dd old drive to a disk-image file in a temp location which will be an image which is the same size as your actual drive (unless you have enough space in your destination to contain a temp and converted image) * convert the raw disk-image to a qcow file while pushing it to the final location - this step should reduce the disk size - however, I believe it will only reduce/collapse zero-byte blocks (not just free space - i.e. if you de...
1 comment
Read more