Operators, production personnel, and end users often need to perform tasks that only the superuser can perform. These tasks include the following:
The traditional solution is to supply all these users with the superuser's password, which compromises the security of the site. The secure alternative, keeping the password secret, results in the system administrator being overloaded with legitimate requests from users to perform routine tasks.
The Surrogate DO (sesudo) utility solves this dilemma. It allows users to perform actions that are defined in the SUDO class, where each record contains a script, specifies which users and groups can run the script, and lends them the necessary permissions for the purpose.
For example, to define a SUDO resource that mounts a CD‑ROM as if the user were root, enter the following command:
newres SUDO MountCd data('mount /usr/dev/cdrom /cdr') targuid(root)
This newres command defines MountCd as a protected action that some users may receive root authority to perform. This example uses the targuid(root) parameter to show that root is the ID of the target user (the user whose permissions are borrowed). In practice, the parameter would be unnecessary for this example because root is the default target ID for a SUDO record.
Important! In the data property, use a full absolute path name. A relative path name could accidentally execute a Trojan horse program planted in an unprotected directory.
In addition, users can be authorized to perform the MountCd action by using the authorize command. For example, to allow the user operator1 to mount the CD‑ROM, enter the following command:
authorize SUDO MountCd uid(operator1)
You can also explicitly prevent a user from performing the protected action by using the authorize command. For example, to prevent the user operator2 from mounting the CD‑ROM, enter the command:
authorize SUDO MountCd uid(operator2) access(None)
Executing the sesudo utility performs the protected action. For example, the user operator1 would mount the CD‑ROM using the following command:
sesudo MountCd
The sesudo utility first checks whether the user is authorized to perform the SUDO action and then, provided the user is authorized to the resource, executes the command script defined in the resource. In the case of our example, sesudo checks whether operator1 is authorized to perform the MountCd action and then invokes the command mount /usr/dev/cdrom /cdr.
If you would like sesudo to request the user's password before executing, define or modify the SUDO record with a command that includes the PASSWORD parameter. If you do not use that parameter, the user's ability to execute the command is based solely on the access rules for the SUDO object.
Note: For more information about the sesudo utility and managing SUDO records (editres command), see the Reference Guide.
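The absolute-path rule for the data property can be checked before SUDO records are loaded. The following Python script is an added example, not part of the product or its documentation: it scans selang text in the newres SUDO ... data('...') form shown on this page and reports every command word that does not start with /. The sample records (including the /sbin/mount and logrotate paths) are constructed, and single-quoted data values are assumed.

```python
import re
import shlex

# Matches the form used on this page: newres SUDO <name> ... data('<script>')
# Assumption: the data value is wrapped in single quotes, as in the page's example.
NEWRES_SUDO = re.compile(r"^\s*newres\s+SUDO\s+(\S+)\s+.*?\bdata\('([^']*)'\)")

# Constructed sample input; the first line is the page's own MountCd example.
SAMPLE = """\
newres SUDO MountCd data('mount /usr/dev/cdrom /cdr') targuid(root)
newres SUDO MountCdAbs data('/sbin/mount /usr/dev/cdrom /cdr') targuid(root)
newres SUDO Rotate data('/usr/sbin/logrotate -f /etc/logrotate.conf; sync')
authorize SUDO MountCd uid(operator1)
"""

def relative_command_findings(selang_text):
    """Return (record_name, command_word) for each command in a SUDO
    record's data script that is not given as an absolute path."""
    findings = []
    for line in selang_text.splitlines():
        match = NEWRES_SUDO.match(line)
        if not match:
            continue  # not a SUDO definition (for example, an authorize line)
        name, script = match.group(1), match.group(2)
        # A script may chain commands with ; & |, so check each segment's first word.
        for segment in re.split(r"[;&|]+", script):
            try:
                words = shlex.split(segment)
            except ValueError:  # unbalanced quote inside a segment
                words = segment.split()
            if words and not words[0].startswith("/"):
                findings.append((name, words[0]))
    return findings

if __name__ == "__main__":
    for record, command in relative_command_findings(SAMPLE):
        print(f"{record}: '{command}' is resolved through PATH; use an absolute path")
```

Run against the sample, the check flags the MountCd record as written above, because mount is given without a directory, and the trailing sync in the Rotate record.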
Copyright © 2013 CA Technologies.
All rights reserved.