

Setting Up the Surrogate DO Facility

Operators, production personnel, and end users often need to perform tasks that only the superuser can perform.

The traditional solution is to supply all these users with the superuser's password, which compromises the security of the site. The secure alternative - keeping the password secret - results in the system administrator being overloaded with legitimate requests from users to perform routine tasks.

The Surrogate DO (sesudo) utility solves this dilemma. It allows users to perform actions that are defined in the SUDO class, where each record contains a script, specifies which users and groups can run the script, and lends them the necessary permissions for the purpose.

For example, to define a SUDO resource that starts the "Print Spooler" service as if the user were System, enter the following selang command:

newres SUDO StartSpooler data("net start spooler")

This newres command defines StartSpooler as a protected action that some users may receive System authority to perform.

Important! In the data property, use a full absolute path name. A relative path name could resolve to a Trojan horse program planted in an unprotected directory, which sesudo would then execute with the permissions that the SUDO record lends.
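One way to enforce the absolute-path rule before a selang script is loaded is to lint its SUDO definitions. The following is an added example, not part of the product or its documentation; it parses only the newres SUDO ... data("...") form shown on this page, and the record names StopSpooler, RotateLogs, and DriveRelative and the function names are hypothetical.

```python
import re
from pathlib import PurePosixPath, PureWindowsPath

# Matches only the command form shown on this page:
#   newres SUDO <name> data("<command>")
NEWRES_SUDO = re.compile(r'^\s*newres\s+SUDO\s+(\S+)\s+data\("([^"]*)"\)')

# Sample input. StartSpooler and its authorize line are the page's commands;
# the other three records are constructed for this example, and the
# C:\Windows path assumes a default Windows install location.
SAMPLE = r'''newres SUDO StartSpooler data("net start spooler")
authorize SUDO StartSpooler uid(operator1)
newres SUDO StopSpooler data("C:\Windows\System32\net.exe stop spooler")
newres SUDO RotateLogs data("scripts\rotate.cmd")
newres SUDO DriveRelative data("C:cleanup.cmd")'''


def is_absolute(program, windows=True):
    """True only for a fully qualified path (drive or UNC share plus root on Windows)."""
    path = PureWindowsPath(program) if windows else PurePosixPath(program)
    return path.is_absolute()


def lint_selang(script, windows=True):
    """Return (line, record, program) for each SUDO record whose program is not absolute."""
    findings = []
    for number, line in enumerate(script.splitlines(), start=1):
        match = NEWRES_SUDO.match(line)
        if not match:
            continue  # authorize and other selang commands are out of scope
        name, command = match.groups()
        # The program is taken as the first whitespace-separated token of data().
        tokens = command.split()
        program = tokens[0] if tokens else ""
        if not is_absolute(program, windows):
            findings.append((number, name, program))
    return findings


if __name__ == "__main__":
    for number, name, program in lint_selang(SAMPLE):
        print(f"line {number}: SUDO record {name} runs '{program}' without an absolute path")
```

The drive-relative form C:cleanup.cmd is reported as well, because it names a drive but still resolves against that drive's current directory.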

In addition, users can be authorized to perform the StartSpooler action by using the authorize command. For example, to allow the user operator1 to start the "Print Spooler" service, enter the following selang command:

authorize SUDO StartSpooler uid(operator1)

You can also explicitly prevent a user from performing the protected action by using the authorize command. For example, to prevent the user operator2 from starting the "Print Spooler" service, enter the following selang command:

authorize SUDO StartSpooler uid(operator2) access(None)

Executing the sesudo utility performs the protected action. For example, the user operator1 would start the "Print Spooler" service using the following command:

sesudo -do StartSpooler

The sesudo utility first checks whether the user is authorized to perform the SUDO action and then, provided the user is authorized for the resource, executes the command script defined in the resource. In our example, sesudo checks whether operator1 is authorized to perform the StartSpooler action and then invokes the command "net start spooler" with System credentials.

Note: For more information about the sesudo utility, see the Reference Guide.