aix:aix_sudo [2021/06/09 00:22] manu |
aix:aix_sudo [2023/08/17 01:02] (current) manu |
| Line 1: | Line 1: | ||
| ====== SUDO options ====== | ====== SUDO options ====== | ||
| + | |||
| + | Use **sudo -l** to list your privileges | ||
| + | |||
| + | Use visudo instead of vi to edit a sudoers file | ||
| + | # visudo -f /etc/sudoers.d/oracle_priv | ||
| + | | ||
| + | Check syntax on a file: | ||
| + | <cli prompt='#'> | ||
| + | root@SERVER1:/ # visudo -cf /etc/sudoers | ||
| + | >>> sudoers file: syntax error, line 95 <<< | ||
| + | parse error in /etc/sudoers near line 95 | ||
| + | </cli> | ||
| + | |||
| + | <cli prompt='#'> | ||
| + | root@SERVER2:/ # visudo -cf /etc/sudoers | ||
| + | /etc/sudoers: parsed OK | ||
| + | /etc/sudoers.d/generic: parsed OK | ||
| + | /etc/sudoers.d/hosts-system: parsed OK | ||
| + | </cli> | ||
| If you want to use LDAP integrating with sudo, install sudo_ids from RPM package, add also the option into /etc/netsvc.conf | If you want to use LDAP integrating with sudo, install sudo_ids from RPM package, add also the option into /etc/netsvc.conf | ||
| <cli prompt='>'> | <cli prompt='>'> | ||
| - | root@SERVER:/:=>tail -3 /etc/netsvc.conf | + | root@SERVER:/:=> tail -3 /etc/netsvc.conf |
| hosts=local4,bind4 | hosts=local4,bind4 | ||
| sudoers=ldap | sudoers=ldap | ||
| </cli> | </cli> | ||
| + | Here are options from /etc/sudoers or /etc/sudoers.d/* | ||
| <code> | <code> | ||
| ## | ## | ||
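Review bot: the `tail -3 /etc/netsvc.conf` output in this hunk shows `sudoers=ldap`, while the sudo configuration section at the end of the page sets `sudoers = files, ldap`; with `ldap` alone sudo never consults /etc/sudoers or /etc/sudoers.d, so the two examples describe different behaviour. Pick one and state which is intended (files first with LDAP as the second source is the usual choice, and it keeps local emergency entries working when the directory is unreachable). The `visudo -cf` checks are a useful addition; the SERVER2 output already shows that the check covers the files included from /etc/sudoers.d, which is worth one sentence so readers do not run `visudo -cf` per file.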
| Line 58: | Line 78: | ||
| </code> | </code> | ||
| - | Example to rotate mailbox | + | Example to rotate sulog |
| <cli> | <cli> | ||
| - | /var/spool/mail/* | + | /var/log/sudo.log |
| { | { | ||
| monthly | monthly | ||
| rotate 2 | rotate 2 | ||
| - | olddir /var/log/news/old | ||
| missingok | missingok | ||
| } | } | ||
| </cli> | </cli> | ||
| + | |||
| + | For full debug sudo: | ||
| + | Create a file **/etc/sudo.conf** | ||
| + | <cli prompt='#'> | ||
| + | [root@aix01]/root# cat /etc/sudo.conf | ||
| + | Debug sudo /var/log/sudo_debug all@debug | ||
| + | </cli> | ||
| + | |||
| + | Create the log file **/var/log/sudo_debug** | ||
| + | |||
| + | And test...very verbose !!! | ||
| ===== AIX ldap configuration ===== | ===== AIX ldap configuration ===== | ||
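Review bot: the heading now reads "Example to rotate sulog", but the stanza rotates /var/log/sudo.log; on AIX /var/adm/sulog is the su log, so call this "sudo log" to avoid confusion. The configure options quoted later on this page (`--with-logging=syslog --with-logfac=auth`) mean this build logs to syslog by default, so /var/log/sudo.log only exists if a `Defaults logfile=/var/log/sudo.log` line is set in sudoers; say so next to the stanza, otherwise there is nothing to rotate. Keeping only `rotate 2` on a monthly schedule also leaves roughly three months of privileged-command history, which may be shorter than what an audit needs. For the debug section, `all@debug` writes every command and its full environment to /var/log/sudo_debug, so the file should be created root-owned with mode 0600, and the Debug line removed from /etc/sudo.conf once troubleshooting is finished.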
| Line 236: | Line 266: | ||
| further configuration | further configuration | ||
| - | This configuration is a basic one. It’s better to modify the configuration file /etc/security/ldap/ldap.cfg to better match your environment. | + | This configuration is a basic one. It’s better to modify the configuration file **/etc/security/ldap/ldap.cfg** to better match your environment. |
| Here an example of a more complex configuration: | Here an example of a more complex configuration: | ||
| Line 294: | Line 324: | ||
| sudo configuration | sudo configuration | ||
| - | Since a few months, IBM provides a sudo package with IBM Directory Server ldap + ssl support. The package is named sudo_ids. The minimum version is 1.8.20. | + | Since a few months, IBM provides a sudo package with IBM Directory Server ldap + ssl support. The package is named **sudo_ids**. The minimum version is 1.8.20. |
| If you installed yum on AIX(highly recommended), the installation is really easy: | If you installed yum on AIX(highly recommended), the installation is really easy: | ||
| Line 334: | Line 364: | ||
| You can also check if the sudo binary were built with ldap support by running this command: | You can also check if the sudo binary were built with ldap support by running this command: | ||
| - | <cli> | + | <cli prompt='#'> |
| # sudo -V|grep ldap | # sudo -V|grep ldap | ||
| Configure options: --prefix=/opt/freeware --sbindir=/opt/freeware/sbin --mandir=/opt/freeware/share/man --docdir=/opt/freeware/share/doc/sudo_ids-1.8.20p2 --with-logging=syslog --with-aixauth --with-logfac=auth --without-pam --with-env-editor --with-ignore-dot --with-tty-tickets --with-ldap --with-ldap-conf-file=/etc/sudo-ldap.conf | Configure options: --prefix=/opt/freeware --sbindir=/opt/freeware/sbin --mandir=/opt/freeware/share/man --docdir=/opt/freeware/share/doc/sudo_ids-1.8.20p2 --with-logging=syslog --with-aixauth --with-logfac=auth --without-pam --with-env-editor --with-ignore-dot --with-tty-tickets --with-ldap --with-ldap-conf-file=/etc/sudo-ldap.conf | ||
| Line 341: | Line 371: | ||
| </cli> | </cli> | ||
| - | It will also give you the place of the ldap configuration file for sudo. Here it’s /etc/sudo-ldap.conf. | + | It will also give you the place of the ldap configuration file for sudo. Here it’s **/etc/sudo-ldap.conf**. |
| This configuration file is pretty simple to understand: | This configuration file is pretty simple to understand: | ||
| Line 364: | Line 394: | ||
| In production, it’s better to store the bind dn password in the /etc/ldap.secret file. | In production, it’s better to store the bind dn password in the /etc/ldap.secret file. | ||
| - | It’s also mandatory to modify the /etc/netsvc.conf file to allow sudo to use LDAP. | + | It’s also mandatory to modify the **/etc/netsvc.conf** file to allow sudo to use LDAP. |
| <cli> | <cli> | ||
| sudoers = files, ldap | sudoers = files, ldap | ||
| </cli> | </cli> | ||
| + | Example of syntax for /etc/sudoers file | ||
| + | %wheel ALL=(ALL) NOPASSWD: ALL | ||
| + | user01 ALL=NOPASSWD:/usr/sbin/lsdev | ||
| + | | ||
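Review bot: the two new sudoers example lines are bare wiki text, unlike every other example on the page, so they will render as prose; wrap them in a `<cli>` block like the `sudoers = files, ldap` example just above. On content, `%wheel ALL=(ALL) NOPASSWD: ALL` is the broadest grant sudoers allows (any command, as any user, without a password, for every wheel member); since this is a syntax illustration, one sentence saying so, with `user01 ALL=NOPASSWD:/usr/sbin/lsdev` as the narrower pattern to prefer, would help readers who copy it. The sentence about /etc/ldap.secret in this hunk should also state that the file must be root-owned and mode 0600, since it holds the bind DN password in clear text.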