Usually sudo is used by a non-superuser to run a command with root privileges. In some scenarios, however, an application or its commands are tied to their own native user, and they will not work as expected even when run with root privileges. For example, to run any Oracle commands you need to be the oracle user.
Here consider a mission-critical application "xapp1" that runs as the user "app1". Allowing other people to log in as app1 will result in trouble. The secure way is to allow a user to execute a limited set of commands as the app1 user. Various use cases and options are given here.
Example 1
Jenny ALL = (app1) /opt/xapp1/bin/status
User Jenny will be able to query the application status and nothing else. You must use the "-u" switch of the sudo command to define the runas user.
# sudo -u app1 /opt/xapp1/bin/status
Instead of a user name you can specify a UID by prefixing it with the "#" hash symbol.
#505 ALL = (app1) /opt/xapp1/bin/status
Refer to a group by using the "%" percent symbol as a prefix. Every member of the group Jenny then gets the same privilege.
%Jenny ALL = (app1) /opt/xapp1/bin/status
Example 2
Runas_Alias XAPP_USERS = app1, app9, xapp
Jenny ALL = (XAPP_USERS) /opt/xapp1/bin/status, /opt/xapp1/bin/start
User Jenny can run the commands above as any of the users defined in the Runas_Alias "XAPP_USERS".
Jenny ALL = (XAPP_USERS:XAPP_USERS) /opt/xapp1/bin/status, /opt/xapp1/bin/createdb, /opt/xapp1/bin/modifydb
Now the user can run the commands as the preferred user and group. Use the "-g" switch of the sudo command to define the group. Note that when only a runas user is listed in the parentheses, as in Example 1, sudo will not accept a "-g" group at all; the user:group form is required for that.
# sudo -u app1 -g xapp /opt/xapp1/bin/createdb
Example 3
A Cmnd_Alias and a User_Alias can be combined with a runas specification. Entries in a Cmnd_Alias must be fully qualified paths, or visudo will reject the file.
Cmnd_Alias XAPP_CMDS = /opt/xapp1/bin/cmnd1, /opt/xapp1/bin/cmnd2, /opt/xapp1/bin/cmnd3
User_Alias L2_TEAM = ram, ran, iron, stel, rock
L2_TEAM ALL = (XAPP_USERS) XAPP_CMDS
The users in the L2_TEAM alias can run the commands in XAPP_CMDS as any of the users in the XAPP_USERS alias.
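As an added example (not from this page or from the sudo project), here is a small Python checker that reads the aliases and Runas specs from the examples above and answers whether a given user may run a command as a given user and group. It is a deliberately simplified model of sudoers matching: host fields, "%group" membership, wildcards and "!" negation are not handled, and the sudoers text is constructed from this page's examples.

```python
import re

# Constructed sample combining the page's examples (not a real sudoers file).
SUDOERS = """
Runas_Alias XAPP_USERS = app1, app9, xapp
Cmnd_Alias XAPP_CMDS = /opt/xapp1/bin/status, /opt/xapp1/bin/start
User_Alias L2_TEAM = ram, ran, iron, stel, rock
Jenny ALL = (app1) /opt/xapp1/bin/status
L2_TEAM ALL = (XAPP_USERS:XAPP_USERS) XAPP_CMDS, /opt/xapp1/bin/createdb
"""

ALIAS_RE = re.compile(r"(Runas_Alias|Cmnd_Alias|User_Alias)\s+(\w+)\s*=\s*(.+)")
# who  host = (runas_user[:runas_group]) cmd, cmd ...
SPEC_RE = re.compile(r"(\S+)\s+(\S+)\s*=\s*(?:\((\w*)(?::(\w+))?\)\s*)?(.+)")

def parse(text):
    """Return (aliases, specs); '#' starts a comment unless it prefixes a UID."""
    aliases = {"Runas_Alias": {}, "Cmnd_Alias": {}, "User_Alias": {}}
    specs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or re.match(r"#(?!\d)", line):
            continue
        m = ALIAS_RE.match(line)
        if m:
            aliases[m.group(1)][m.group(2)] = [x.strip() for x in m.group(3).split(",")]
            continue
        m = SPEC_RE.match(line)
        if m:
            specs.append(m.groups())
    return aliases, specs

def expand(item, table):
    """Expand an alias name to its members; a literal (user, path, ALL) stays as-is."""
    return table.get(item, [item])

def may_run(text, user, runas, cmd, group=None):
    """True if some spec lets `user` run `cmd` as `runas` (and as `group`, if given)."""
    aliases, specs = parse(text)
    for who, _host, ru, rg, cmds in specs:           # host matching is not modelled
        if who != "ALL" and user not in expand(who, aliases["User_Alias"]):
            continue
        if ru is None and rg is None:                 # no Runas_Spec: root only
            ru = "root"
        users = expand(ru, aliases["Runas_Alias"]) if ru else [user]
        if runas not in users and "ALL" not in users:
            continue
        if group is not None:                         # -g needs a listed runas group
            groups = expand(rg, aliases["Runas_Alias"]) if rg else []
            if group not in groups and "ALL" not in groups:
                continue
        allowed = [c for i in cmds.split(",") for c in expand(i.strip(), aliases["Cmnd_Alias"])]
        if cmd in allowed or "ALL" in allowed:
            return True
    return False
```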
Tip of the day
The effective sudo privileges of a user can be listed with the "-l" switch of the sudo command. It works only for users who are enrolled in the sudoers configuration file.
By default it reports the privileges of the currently logged-in user. With "-U" you can specify a user name (only from root).
# sudo -l
# sudo -l -U user1