Re: [Freeipa-users] sudo 'run as' question
----- Original Message -----
> From: "William Muriithi"
> To: freeipa-users@redhat.com
> Sent: Sunday, February 9, 2014 10:13:50 PM
> Subject: [Freeipa-users] sudo 'run as' question
>
> Afternoon,
>
> I have an application that uses the account image as a service account. I can
> su to the account 'image' and start or stop it fine. No root privilege
> needed. So I am now trying to set it up so that other developers can be
> able to restart it through sudo, and that's when I realized I am missing
> something about sudo.
>
> The problem is under "run as" usage. When I look at the man page, it implies that
> the "run as" account doesn't need to be root. Quoting the man page.
>
> Begin quote:
> sudo allows a permitted user to execute a command as the superuser or
> another user, as specified by the security policy.
> End quote:
>
> On FreeIPA, I have a sudo rule called developers with the necessary hostgroups
> and usergroups. At the bottom is a section titled "AS WHOM" and that's
> where I am having a problem. If I use root under the RunAs Users section, it
> works. If I substitute root with account image, I get the following error.
>
> [william@dev18-yyz-int ~]$ sudo service imageserver stop
> [sudo] password for william:
> Sorry, user william is not allowed to execute '/sbin/service imageserver
> stop' as root on dev18-yyz-int.jamar.loc.

You need to specify the user, because the default for sudo is root.

    sudo -u image

Although, this won't work - your init script is using runuser, which an unprivileged user can't use.

HTH.

Stephen

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
[Freeipa-users] sudo 'run as' question
Afternoon,

I have an application that uses the account image as a service account. I can su to the account 'image' and start or stop it fine. No root privilege needed. So I am now trying to set it up so that other developers can be able to restart it through sudo, and that's when I realized I am missing something about sudo.

The problem is under "run as" usage. When I look at the man page, it implies that the "run as" account doesn't need to be root. Quoting the man page.

Begin quote:
sudo allows a permitted user to execute a command as the superuser or another user, as specified by the security policy.
End quote:

On FreeIPA, I have a sudo rule called developers with the necessary hostgroups and usergroups. At the bottom is a section titled "AS WHOM" and that's where I am having a problem. If I use root under the RunAs Users section, it works. If I substitute root with account image, I get the following error.

    [william@dev18-yyz-int ~]$ sudo service imageserver stop
    [sudo] password for william:
    Sorry, user william is not allowed to execute '/sbin/service imageserver stop' as root on dev18-yyz-int.jamar.loc.

    [william@dev18-yyz-int ~]$ ls -al /etc/init.d/imageserver
    -rwxr-xr-x. 1 image image 1014 Jan  9 15:38 /etc/init.d/imageserver

    [william@dev18-yyz-int ~]$ cat /etc/init.d/imageserver
    #! /bin/sh
    start(){
        echo "Starting imageserver.."
        eval "runuser - image -c '/usr/local/bin/imageserver.sh &'"
    }

    stop(){
        echo "Stopping imageserver.."
        PIDNUMBER=`ps aux | grep imaginserver | grep -v grep | awk '{print $2}'`
        echo $PIDNUMBER
        eval "runuser - image -c 'kill -9 $PIDNUMBER'"
    }

    [william@dev18-yyz-int ~]$ ls -al /usr/local/bin/imageserver.sh
    -rwxr--r--. 1 image image 89 Jan  9 15:36 /usr/local/bin/imageserver.sh

    [williamm@dev18-yyz-int ~]$ cat /usr/local/bin/imageserver.sh
    #!/bin/bash
    cd /opt/jamar/application/imaginserver
    nohup ant run > /dev/null 2>&1 &

Is it possible to use sudo without first needing to go through root momentarily? I suspect this should be possible, as the sudo "run as" facility wouldn't make sense otherwise. So, it would work as follows:

    William -> image

Instead of:

    William -> root -> image.

Appreciate any advice in advance.

William
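The reply above makes two points: sudo runs commands as root unless `-u` names the RunAs user the FreeIPA rule allows, and the posted init script cannot work under `sudo -u image` because runuser is a root-only tool. The script below is an added example written for this thread (it is not William's script and not anything shipped by FreeIPA or sudo): a control script designed to be run directly as the service account, `sudo -u image /usr/local/bin/imageserver-ctl start`, so that nothing in the chain ever needs root. The path `imageserver-ctl`, the pidfile location and the use of a pidfile at all are assumptions; `wrap_cmd` shows which command line a caller needs depending on whether they already are the service user.

```sh
#!/bin/sh
# Added example, not the script from the thread. Intended to be run AS the
# service account through the FreeIPA sudo rule with RunAs user "image",
# i.e. "sudo -u image /usr/local/bin/imageserver-ctl start", so it never
# needs runuser or root. Names and paths below are assumptions.

SVC_USER="${SVC_USER:-image}"
SVC_CMD="${SVC_CMD:-/usr/local/bin/imageserver.sh}"
# The pidfile directory must be writable by $SVC_USER (e.g. owned by image).
PIDFILE="${PIDFILE:-/var/run/imageserver/imageserver.pid}"

# Print the command a given caller should run: the service user runs the
# script directly, anyone else goes through "sudo -u", which is exactly what
# a RunAs rule for "image" authorises. Root is never involved.
wrap_cmd() {
    caller="$1"; shift
    if [ "$caller" = "$SVC_USER" ]; then
        printf '%s\n' "$*"
    else
        printf 'sudo -u %s %s\n' "$SVC_USER" "$*"
    fi
}

# Refuse to run as anyone but the service user, root included, so a rule
# that still says "RunAs root" cannot silently widen what this script does.
require_svc_user() {
    if [ "$(id -un)" != "$SVC_USER" ]; then
        echo "run this as $SVC_USER: sudo -u $SVC_USER $0 $*" >&2
        return 1
    fi
}

is_running() {
    [ -f "$PIDFILE" ] && kill -0 "$(cat "$PIDFILE")" 2>/dev/null
}

start_svc() {
    if is_running; then
        echo "imageserver already running (pid $(cat "$PIDFILE"))"
        return 0
    fi
    # Detach without nohup or runuser: ignore HUP in a subshell, then exec the
    # service so $! is the service's own pid. It runs as the invoking user.
    (trap '' HUP; exec $SVC_CMD) </dev/null >/dev/null 2>&1 &
    echo $! > "$PIDFILE"
    echo "imageserver started (pid $!)"
}

stop_svc() {
    if ! is_running; then
        echo "imageserver not running"
        rm -f "$PIDFILE"
        return 0
    fi
    pid=$(cat "$PIDFILE")
    # Use the recorded pid and send TERM first; only escalate to KILL if the
    # process ignores it, instead of kill -9 on whatever a grep matched.
    kill -TERM "$pid"
    wait "$pid" 2>/dev/null || true   # reaps it when it is our own child
    i=0
    while kill -0 "$pid" 2>/dev/null && [ "$i" -lt 10 ]; do
        sleep 1; i=$((i + 1))
    done
    kill -0 "$pid" 2>/dev/null && kill -KILL "$pid"
    rm -f "$PIDFILE"
    echo "imageserver stopped"
}

main() {
    require_svc_user "$@" || return 1
    case "$1" in
        start)   start_svc ;;
        stop)    stop_svc ;;
        restart) stop_svc && start_svc ;;
        status)  if is_running; then echo running; else echo stopped; return 3; fi ;;
        *)       echo "usage: $0 {start|stop|restart|status}" >&2; return 2 ;;
    esac
}

# Only dispatch when called with an action, so the functions can also be sourced.
if [ $# -gt 0 ]; then main "$@"; fi
```

With this layout the FreeIPA rule keeps `image` as the only RunAs user, developers invoke `sudo -u image /usr/local/bin/imageserver-ctl restart`, and `require_svc_user` makes the script fail loudly if someone runs it as root or as themselves instead.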