Hi,

Thanks to all the helpful replies : just fyi I've been using "visudo" instead of just "vi /etc/sudoers" all these while & a couple of people suggested that using vi can corrupt sudoers file such that it will refuse to work.

However, it's Bill Steeple who got the "spot-on" answer (which I've appended below). I thought "!SHELLS" in the /etc/sudoers file is just a comment/remark but it's not.

Thanks,
G Sun

=====================================

Doesn't your sudoers file state...

%helpdesk ALL=ALL, !SHELLS

Anyone in the HELPDESK group cannot run anything in the SHELLS file and since you are using 'sudo -s' which calls SUDO and passes the SHELL command to it, you are basically stating that the user 9gohpo (who is in the group smcadmin and helpdesk) will not be able to run any of the shells listed in the /etc/shells file.

Remove your user account from the HELPDESK group and then try it again. This should remove the more restrictive settings you have for the HELPDESK group.

Bill

---------------Original Message---------------
From: Gold Sun [mailto:goldsun8@yahoo.com.sg]
Sent: Thu 4/14/2005 8:39 PM
To: sunmanagers@sunmanagers.org
Cc:
Subject: Partial Summary: can't do "sudo -s" on hardened box

Hi All,

The problem is my colleague's id on the same server is OK (ie he could do 'sudo -s').

Yes, /usr/bin/ksh is in /etc/shells :

# more shells
/bin/sh
/bin/csh
/bin/ksh
/usr/bin/sh
/usr/bin/csh
/usr/bin/ksh
/bin/false
/sbin/sh
/usr/local/bin/bash

I've also tried Frank's suggestion in /etc/sudoers :

root ALL=(ALL) ALL
9gohpo ALL=(ALL) ALL
%smcadmin ALL=ALL
%helpdesk ALL=ALL, !SHELLS

but I'm still getting the message :

Sorry, user 9gohpo is not allowed to execute '/usr/bin/ksh' as root on sp01qtt02ist5s5

when doing 'sudo -s'

Is there some daemon that I must restart for it to take effect? I've placed my id under both smcadmin & helpdesk groups in /etc/group

Thanks
G Sun
_______________________________________________
sunmanagers mailing list
sunmanagers@sunmanagers.org
http://www.sunmanagers.org/mailman/listinfo/sunmanagers

Received on Fri Apr 15 12:32:08 2005
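Added example, not part of the original thread: a simplified Python model of how sudo picks the last matching sudoers entry, applied to the four lines quoted above, to show why membership in helpdesk blocks 'sudo -s' even though three earlier lines grant ALL. It assumes SHELLS is a Cmnd_Alias covering the shells listed in the post (its definition is not shown in the thread); the user name "colleague" and the function names are hypothetical.

```python
# Simplified model of sudoers matching: entries are checked in file order and
# the LAST matching item decides. Not sudo's own code.
# Assumption: SHELLS is a Cmnd_Alias with these members (definition not in the post).
CMND_ALIASES = {"SHELLS": {"/bin/sh", "/bin/csh", "/bin/ksh", "/usr/bin/sh",
                           "/usr/bin/csh", "/usr/bin/ksh", "/sbin/sh",
                           "/usr/local/bin/bash"}}

# The four entries quoted in the post, in file order: (who, command list).
SUDOERS = [
    ("root", ["ALL"]),
    ("9gohpo", ["ALL"]),
    ("%smcadmin", ["ALL"]),
    ("%helpdesk", ["ALL", "!SHELLS"]),
]

def who_matches(who, user, groups):
    """'%name' matches a group membership, anything else a user name."""
    return who[1:] in groups if who.startswith("%") else who == user

def cmnd_matches(spec, command):
    """Match 'ALL', a Cmnd_Alias name, or a literal path."""
    if spec == "ALL":
        return True
    if spec in CMND_ALIASES:
        return command in CMND_ALIASES[spec]
    return spec == command

def is_allowed(user, groups, command, entries=SUDOERS):
    """Return (allowed, deciding_item); later matches override earlier ones."""
    allowed, decided_by = False, None
    for who, specs in entries:
        if not who_matches(who, user, groups):
            continue
        for spec in specs:
            if cmnd_matches(spec.lstrip("!"), command):
                allowed = not spec.startswith("!")
                decided_by = f"{who} {spec}"
    return allowed, decided_by

if __name__ == "__main__":
    ksh = "/usr/bin/ksh"  # the shell 'sudo -s' tried to run in the post
    print(is_allowed("9gohpo", {"smcadmin", "helpdesk"}, ksh))  # denied
    print(is_allowed("colleague", {"smcadmin"}, ksh))           # allowed
    print(is_allowed("9gohpo", {"smcadmin"}, ksh))              # after leaving helpdesk
```

On the real system, 'sudo -l' run as the affected user lists the entries that apply to that user, which gives the same picture without reading the file by hand.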