Install and configure sudo in AIX

sudo is a utility that helps in "executing a command as another user".

Download the rpm package of sudo from :

http://www.perzl.org/aix/index.php?n=Main.Sudo

or

http://www.courtesan.com/sudo/download.html

then transfer the package to your server using any FTP client (I prefer FileZilla and WinSCP).

Then install the package:

# rpm -ivh sudo-1.6.7p5-3.aix5.1.ppc.rpm
sudo                        ##################################################

and check it:

# rpm -qa |grep sudo
sudo-1.6.7p5-3
sudo1

Installing sudo on AIX is now done; the rest of the work is editing the configuration file.

To confirm the version of the installed sudo utility on your system, run the following command, which also gives you a lot of information from the security perspective:

# sudo -V
Sudo version 1.6.7p5

Authentication methods: ‘aixauth’
Syslog facility if syslog is being used for logging: auth
Syslog priority to use when user authenticates successfully: notice
Syslog priority to use when user authenticates unsuccessfully: alert
Ignore ‘.’ in $PATH
Send mail if the user is not in sudoers
Use a separate timestamp for each user/tty combo
Lecture user the first time they run sudo
Require users to authenticate by default
Root may run sudo
Allow some information gathering to give useful error messages
Visudo will honor the EDITOR environment variable
Set the LOGNAME and USER environment variables
Length at which to wrap log file lines (0 for no wrap): 80
Authentication timestamp timeout: 5 minutes
Password prompt timeout: 5 minutes
Number of tries to enter a password: 3
Umask to use or 0777 to use user’s: 022
Path to mail program: /usr/sbin/sendmail
Flags for mail program: -t
Address to send mail to: root
Subject line for mail messages: *** SECURITY information for %h ***
Incorrect password message: Sorry, try again.
Path to authentication timestamp dir: /tmp/.odus
Default password prompt: Password:
Default user to run commands as: root
Path to the editor for use by visudo: /usr/bin/vi
Environment variables to check for sanity:
        LANGUAGE
        LANG
        LC_*
Environment variables to remove:
        BASH_ENV
        ENV
        TERMCAP
        TERMPATH
        TERMINFO_DIRS
        TERMINFO
        LIBPATH
        _RLD*
        LD_*
        PATH_LOCALE
        NLSPATH
        HOSTALIASES
        RES_OPTIONS
        LOCALDOMAIN
        IFS
When to require a password for ‘list’ pseudocommand: any
When to require a password for ‘verify’ pseudocommand: all
Local IP address and netmask pairs:
        10.10.20.20 / 0xffffff00

 

You can open and edit the configuration file in 2 ways/commands:

1) # vi /etc/sudoers

2) # visudo

NOTE: both of the above commands open the sudo configuration file, but visudo is the recommended one (the file's own header says so as well): it locks the file against concurrent edits and checks the syntax before saving, whereas a syntax error saved with plain vi leaves sudo refusing to run for everyone until root repairs the file.

The following is the sudo config file before editing it:

# sudoers file.
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the sudoers man page for the details on how to write a sudoers file.
#

# Host alias specification

# User alias specification

# Cmnd alias specification

# Defaults specification

# User privilege specification
root    ALL=(ALL) ALL

# Uncomment to allow people in group wheel to run all commands
# %wheel        ALL=(ALL)       ALL

# Same thing without a password
# %wheel        ALL=(ALL)       NOPASSWD: ALL

# Samples
# %users  ALL=/sbin/mount /cdrom,/sbin/umount /cdrom
# %users  localhost=/sbin/shutdown -h now

The most basic form of a sudo entry in sudoers is:

<user> <host> = (<user to run as>) [NOPASSWD:] <command to run>

where the NOPASSWD: tag is optional: without it, sudo asks for the user's own password (the "Require users to authenticate by default" setting shown by sudo -V above).

 

Example 1:

To enable the user amer to run all commands without a password, add the following line to the config file:

amer         ALL=(ALL)       NOPASSWD: ALL

then switch to user amer to check that the config works and reflects what we configured:

# su - amer

$ whoami
amer

$ sudo -l
User amer may run the following commands on this host:
    (ALL) NOPASSWD: ALL                 

That means the user amer can run all commands without a password!

Example 2:

Let the user amer run shutdown, asking him for a password:

add the following line to the config file (no NOPASSWD: tag, so sudo prompts for amer's password, which is the default behaviour):

amer         ALL=(ALL)       /usr/sbin/shutdown

then switch

# su - amer

$ whoami
amer

$ sudo -l
User amer may run the following commands on this host:
    (ALL) /usr/sbin/shutdown

The output is self-explanatory.

 

Example 3:

We want to enable the user amer2 to run the commands stopsrc and startsrc:

add the following line to the configuration file:

amer2         ALL=(ALL)       NOPASSWD: /usr/bin/stopsrc, /usr/bin/startsrc

As a reminder, to get the full path of any command, run the following:

# which stopsrc
/usr/sbin/stopsrc

Then switch to the user amer2 to check the config:

# su - amer2

$ sudo -l
User amer2 may run the following commands on this host:
    (ALL) NOPASSWD: /usr/bin/stopsrc
    (ALL) NOPASSWD: /usr/bin/startsrc

Let's check the ability of user amer2 to run stopsrc and startsrc:

$ lssrc -s aso
Subsystem         Group            PID          Status
 aso                                            inoperative

$ startsrc -s aso
ksh: startsrc: 0403-006 Execute permission denied.

Don't forget to prefix the command with sudo ;-)

$ sudo startsrc -s aso
0513-059 The aso Subsystem has been started. Subsystem PID is 7274734.

$ sudo stopsrc -s aso
0513-004 The Subsystem or Group, aso, is currently inoperative.
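As an added example (not part of the article or of the sudo package), here is a small POSIX sh/awk script that audits a sudoers file for the kind of user specifications written in the three examples above and ranks how broad each grant is, so that an entry like the NOPASSWD: ALL line from Example 1 stands out in a review. The sudoers content is a constructed sample; the parser covers the basic user-specification form shown above and skips comments, Defaults lines and alias definitions.

```shell
#!/bin/sh
# Added example (not from the article): audit a sudoers file for the kind of
# user specifications shown above and rank how broad each grant is.
# Output: user|runas|tag|commands|risk, one line per user specification.
# Defaults lines, alias definitions, comments and blank lines are skipped.

# Constructed sample mirroring the article's examples (not a real server's file).
SAMPLE_SUDOERS='# sudoers file (constructed sample)
root    ALL=(ALL) ALL
amer    ALL=(ALL)       NOPASSWD: ALL
amer    ALL=(ALL)       /usr/sbin/shutdown
amer2   ALL=(ALL)       NOPASSWD: /usr/bin/stopsrc, /usr/bin/startsrc
Defaults               syslog=auth
Defaults               logfile=/var/log/sudo.log
'

# audit_sudoers FILE: parse each user specification and print its risk level.
audit_sudoers() {
    awk '
        /^[[:space:]]*#/ { next }                               # comment
        /^[[:space:]]*$/ { next }                               # blank line
        /^[[:space:]]*(Defaults|Host_Alias|User_Alias|Cmnd_Alias|Runas_Alias)/ { next }
        {
            user = $1
            spec = $0
            sub(/^[^=]*=[[:space:]]*/, "", spec)                # drop "user host ="
            runas = "root"                                      # sudo default when no (runas) is given
            if (spec ~ /^\(/) {
                runas = spec
                sub(/^\(/, "", runas); sub(/\).*/, "", runas)
                sub(/^\([^)]*\)[[:space:]]*/, "", spec)
            }
            tag = "PASSWD"                                      # password required unless tagged
            if (spec ~ /^NOPASSWD:/) {
                tag = "NOPASSWD"
                sub(/^NOPASSWD:[[:space:]]*/, "", spec)
            }
            # Risk ranking: an unrestricted command list is the broad grant,
            # and dropping the password check on top of it is the worst case.
            risk = "low"
            if (tag == "NOPASSWD") risk = "medium"
            if (spec == "ALL") risk = (tag == "NOPASSWD") ? "critical" : "high"
            print user "|" runas "|" tag "|" spec "|" risk
        }
    ' "$1"
}

# audit_sample: write the constructed sample to a temp file, audit it, clean up.
audit_sample() {
    tmp="${TMPDIR:-/tmp}/sudoers_sample.$$"
    printf '%s' "$SAMPLE_SUDOERS" > "$tmp"
    audit_sudoers "$tmp"
    rm -f "$tmp"
}

audit_sample
```

Run it against the real file with `audit_sudoers /etc/sudoers` as root; any line ending in "critical" is a user who can become root without a password, which is exactly what Example 1 grants and what a reviewer should see first.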

 

Sudo Logs:

To redirect sudo logs to a specific file (/var/log/sudo.log), add the following 2 lines to the config file:

Defaults               syslog=auth
Defaults               logfile=/var/log/sudo.log

then

# touch /var/log/sudo.log

Now each sudo log entry will be written to /var/log/sudo.log. Entries longer than 80 characters are wrapped onto an indented continuation line, per the "Length at which to wrap log file lines" setting shown by sudo -V.

Let's check an excerpt from my test machine:

# tail -f /var/log/sudo.log
Jul  9 06:24:56 : amer2 : TTY=pts/1 ; PWD=/ ; USER=root ;
    COMMAND=/usr/bin/stopsrc -s aso
Jul  9 06:25:07 : amer2 : TTY=pts/1 ; PWD=/ ; USER=root ;
    COMMAND=/usr/bin/startsrc -s aso

The logs are self-explanatory, right?
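As an added example (not from the article), here is a POSIX sh/awk parser for the logfile format shown in the excerpt above. The two-line entries come from the 80-column wrap setting listed by sudo -V, so the parser re-joins indented continuation lines before splitting the fields. The sample lines are constructed: the first two reproduce the excerpt's format, and the third is a denied attempt whose "command not allowed" wording is assumed to follow sudo's logfile layout.

```shell
#!/bin/sh
# Added example (not from the article): parse the sudo logfile format shown above,
# re-joining entries that sudo wrapped at 80 columns onto an indented second line,
# and print one record per entry as  timestamp|user|status|runas|command .

# Constructed sample: the two entries from the article's excerpt plus one denied
# attempt written in the same layout (sudo puts the refusal reason between the
# user name and the TTY field; the exact wording here is assumed).
SAMPLE_SUDO_LOG='Jul  9 06:24:56 : amer2 : TTY=pts/1 ; PWD=/ ; USER=root ;
    COMMAND=/usr/bin/stopsrc -s aso
Jul  9 06:25:07 : amer2 : TTY=pts/1 ; PWD=/ ; USER=root ;
    COMMAND=/usr/bin/startsrc -s aso
Jul  9 06:31:42 : amer : command not allowed ; TTY=pts/2 ; PWD=/home/amer ; USER=root ;
    COMMAND=/usr/bin/ksh
'

# summarize_sudo_log FILE: join wrapped lines, then split each entry into fields.
summarize_sudo_log() {
    awk '
        # Emit the entry collected so far.
        function flush(    n, f, m, g, i, pos, key, val, status, runas, cmd) {
            if (entry == "") return
            n = split(entry, f, / : /)                          # timestamp : user : rest
            for (i = 4; i <= n; i++) f[3] = f[3] " : " f[i]     # separator inside the command
            status = "allowed"; runas = ""; cmd = ""
            m = split(f[3], g, / ; /)
            for (i = 1; i <= m; i++) {
                pos = index(g[i], "=")
                if (pos == 0) {                                 # free text before TTY= is the refusal reason
                    if (i == 1) status = g[i]
                    continue
                }
                key = substr(g[i], 1, pos - 1); val = substr(g[i], pos + 1)
                if (key == "USER") runas = val
                if (key == "COMMAND") cmd = val
            }
            print f[1] "|" f[2] "|" status "|" runas "|" cmd
            entry = ""
        }
        /^[[:space:]]*$/ { next }
        /^[[:space:]]/  { sub(/^[[:space:]]+/, ""); entry = entry " " $0; next }   # wrapped continuation
        { flush(); entry = $0 }
        END { flush() }
    ' "$1"
}

# summarize_sample_log: run the parser over the constructed sample.
summarize_sample_log() {
    tmp="${TMPDIR:-/tmp}/sudo_log_sample.$$"
    printf '%s' "$SAMPLE_SUDO_LOG" > "$tmp"
    summarize_sudo_log "$tmp"
    rm -f "$tmp"
}

summarize_sample_log
```

On a real system, `summarize_sudo_log /var/log/sudo.log | grep -v '|allowed|'` lists only the refused attempts, which is the part of this log worth a daily look.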

 

 

I am done. I hope you find this article beneficial and simple. Don't hesitate to contact me if you need any further assistance!
