sudo rights to unlock user id during odd hrs
Super Advisor
zxcv
Message 1 of 3
Accepted Solution

Hi Team,

I have to give sudo rights to my production team to unlock users only during odd hours.

# Host Aliases
Host_Alias HR=uranus

# User Aliases
User_Alias EDI=unlockid

# Command Aliases

Cmnd_Alias COMMAND1=/usr/lbin/modprpw -kl


# User Privilege section

EDI HR=NOPASSWD: COMMAND1

Defaults:unlockid timestamp_timeout=0

When I check it by logging in through unlockid I get a message saying:

"Sorry, user unlockid is not allowed to execute '/usr/lbin/modprpw -kl test' as root on uranus"

Honored Contributor
Matti_Kurkela
Message 2 of 3

If the Cmnd_Alias includes options, the user is now allowed to run the command only with the exact options specified in the alias specification, and nothing else.

If no options are included in the allowed command, then the user is allowed to run the command with any options.

If you want to allow running a command through sudo with no options, you would have to add an empty set of quotes:

Cmnd_Alias ALLOWED_ONLY_WITHOUT_OPTIONS=/some/command ""

In order to require options -kl but allow anything after that, you must add a wildcard to the Cmnd_Alias line.

I would also use meaningful alias names, i.e.:

...
Cmnd_Alias UNLOCKUSERS=/usr/lbin/modprpw -kl *

# User Privilege section

EDI HR=NOPASSWD: UNLOCKUSERS
...

MK
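
The matching rules described in the reply above, as an added example (not code from the thread or from sudo itself): a simplified model that checks which command lines each Cmnd_Alias value would permit. The names sudoers_allows and audit and the sample command lines are constructed; the model assumes literal command paths and uses Python's fnmatch for the argument wildcard, which, like sudo, lets * match across spaces.

```python
import fnmatch
import shlex

# Cmnd_Alias values taken from the thread.
RULES = {
    "COMMAND1": "/usr/lbin/modprpw -kl",                 # from the question
    "UNLOCKUSERS": "/usr/lbin/modprpw -kl *",            # from the answer
    "ALLOWED_ONLY_WITHOUT_OPTIONS": '/some/command ""',  # from the answer
}

# Constructed command lines to check against the rules.
SAMPLES = [
    "/usr/lbin/modprpw -kl",
    "/usr/lbin/modprpw -kl test",
    "/usr/lbin/modprpw -kl test extra",
    "/some/command",
    "/some/command -v",
]


def sudoers_allows(cmnd_spec: str, command_line: str) -> bool:
    """Simplified model: does one Cmnd_Alias value permit this command line?"""
    spec_path, _, spec_args = cmnd_spec.strip().partition(" ")
    spec_args = spec_args.strip()
    argv = shlex.split(command_line)
    if not argv or argv[0] != spec_path:  # assumption: literal paths only
        return False
    user_args = " ".join(argv[1:])        # arguments are matched as one string
    if spec_args == "":
        return True                       # rule lists no arguments: any are allowed
    if spec_args == '""':
        return user_args == ""            # empty quotes: no arguments allowed
    # Otherwise the whole argument string must match; "*" also spans spaces.
    return fnmatch.fnmatchcase(user_args, spec_args)


def audit(rules=RULES, samples=SAMPLES):
    """Return {alias: [sample command lines the alias permits]}."""
    return {name: [s for s in samples if sudoers_allows(spec, s)]
            for name, spec in rules.items()}


if __name__ == "__main__":
    for alias, allowed in audit().items():
        print(f"{alias}: {allowed if allowed else 'nothing in the sample set'}")
```

The third sample shows that `-kl *` accepts more than one trailing argument, which matters when reviewing how much the rule actually grants.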
Super Advisor
zxcv
Message 3 of 3

Thanks Matti.