
sudo configuration for script

Hello,

I have a wrapper script that I am trying to build/execute, which has two different sub-scripts, which run as two separate users.

Purpose is to mask the contents of the script and allow the user to execute utlrp.sql, which requires sys level privs to execute.

User FORD logs in, and executes the wrapper script, wrapper.sh

The wrapper script presents its content in menu format. Here is what the wrapper.sh

A   execute one.sql
B   execute two.sql and three.sql
C   execute three.sql

  • A
    • one.sql
      • requires no specific credentials
  • B
    • two.sql
      • REQUIRES FORD credentials to execute.
      • has logid check at beginning and kicks you out if you aren't the FORD user.
    • three.sql
      • requires "ORACLE" credentials to log in and execute utlrp.sql -- which requires to log in as sys for execution.
  • C
    • three.sql
      • Same as above, but only runs the utlrp.sql script.

So I edited sudoers (visudo) to implement the necessary privs. (shown in RED)

## Runas alias
Runas_Alias     DB = oracle

## Same thing without a password
# %wheel ALL=(ALL) NOPASSWD: ALL

## Uncomment to allow members of group sudo to execute any command
# %sudo ALL=(ALL) ALL

## Uncomment to allow any user to run sudo if they know the password
## of the user they are running the command as (root by default).
# Defaults targetpw  # Ask for the password of the target user
# ALL ALL=(ALL) ALL  # WARNING: only use this together with 'Defaults targetpw'

## Read drop-in files from /usr/local/etc/sudoers.d
## (the '#' here does not indicate a comment)
#includedir /usr/local/etc/sudoers.d

FORD ALL = (ALL) NOPASSWD: /export/home/oracle/wrapper.sh
FORD ALL = (DB) NOPASSWD: /oracle/12c/bin/sqlplus

(I have also tried the second entry NOT using the Runas_Alias, with exactly the same results.)

If I execute a sudo -l from the command line, it shows:

$ sudo -l
User ford may run the following commands on falcon:
    (ALL) NOPASSWD: /export/home/oracle/wrapper.sh
    (oracle) NOPASSWD: /oracle/12c/bin/sqlplus

Here is where I'm stuck. From my understanding, for the user to execute this via the sudo functionality, the main wrapper command would be executed as such:

sudo wrapper.sh. It prompts me for the menu as desired. When I choose A, it doesn't see user FORD... and kicks me out.

When I choose B or C, it works fine. It executes the second one fine, and logs in as sys executing the utlrp.sql.

So my question is this: Is there a way to configure the sudo set up so that user FORD executes the wrapper, passes user FORD to menu item A, but only passes itself as the ORACLE user to menu items B or C?

Thanks.
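The behaviour described above follows from the first sudoers entry: `sudo wrapper.sh` runs the whole wrapper as root under the `(ALL)` rule, so every script it launches, including the one that checks for the FORD login, sees root rather than FORD. sudo switches identity per command, not per menu branch, so the usual layout is to run wrapper.sh as FORD without sudo and to put `sudo -u oracle` only in front of the sqlplus calls that need the oracle account. The script below is an added example of that layout, not the poster's wrapper.sh: the sqlplus path and the menu items are taken from the post, while SQL_DIR, the locations of one.sql/two.sql/three.sql, the helper names and the dry-run switch are assumptions.

```shell
#!/bin/sh
# Added example, not the poster's wrapper.sh: the menu runs as the invoking
# user (FORD) and only the steps that need the oracle account are escalated
# with "sudo -u oracle". Assumptions: SQL_DIR, the .sql locations and the
# helper names; SQLPLUS is the path given in the post.
#
# sudoers then needs only the sqlplus entry. The "(ALL) NOPASSWD: wrapper.sh"
# line is dropped, because it is what made the whole menu run as root:
#   FORD ALL = (oracle) NOPASSWD: /oracle/12c/bin/sqlplus

SQLPLUS=/oracle/12c/bin/sqlplus
SQL_DIR=/export/home/oracle/sql      # assumed location of one/two/three.sql
DRY_RUN=${DRY_RUN:-0}                # DRY_RUN=1 prints the plan instead of running it

# Print the command lines a menu choice executes, one per line. Steps that
# must run as oracle are prefixed with "sudo -n -u oracle" (-n: never prompt
# from inside the menu); everything else runs as the caller, so a script that
# checks for the FORD login sees FORD. Paths are assumed to contain no spaces.
plan_for_choice() {
    case "$1" in
        A) printf '%s\n' "$SQLPLUS /nolog @$SQL_DIR/one.sql" ;;
        B) printf '%s\n' "$SQLPLUS /nolog @$SQL_DIR/two.sql" \
                         "sudo -n -u oracle $SQLPLUS /nolog @$SQL_DIR/three.sql" ;;
        C) printf '%s\n' "sudo -n -u oracle $SQLPLUS /nolog @$SQL_DIR/three.sql" ;;
        *) return 1 ;;
    esac
}

# Number of steps in a choice that change identity (useful when reviewing
# which menu items actually need a sudoers entry).
escalated_steps() {
    plan_for_choice "$1" | grep -c '^sudo ' || true
}

# Execute (or, with DRY_RUN=1, print) each step of a choice in order, stopping
# at the first failure. Returns 1 for an unknown choice.
run_choice() {
    plan=$(plan_for_choice "$1") || return 1
    printf '%s\n' "$plan" | while IFS= read -r cmd; do
        if [ "$DRY_RUN" = 1 ]; then
            printf 'would run: %s\n' "$cmd"
        else
            # Word-splitting $cmd is intended here: it yields argv for the step.
            $cmd || exit 1
        fi
    done
}

main() {
    printf 'A   execute one.sql\nB   execute two.sql and three.sql\nC   execute three.sql\n'
    printf 'Choice: '
    read -r choice
    run_choice "$choice" || { printf 'unknown choice or step failed: %s\n' "$choice" >&2; exit 1; }
}

# Show the menu only when invoked as the wrapper itself, so the functions can
# be sourced (e.g. to inspect plans) without blocking on input.
case "$0" in
    *wrapper.sh) main ;;
esac
```

Run it as FORD with plain `./wrapper.sh`; `DRY_RUN=1 ./wrapper.sh` shows which commands each choice would issue and which of them go through sudo. One caveat on the remaining sudoers line: `(oracle) NOPASSWD: /oracle/12c/bin/sqlplus` lets FORD start an arbitrary interactive sqlplus session as oracle, which with OS authentication means any SQL as SYS and HOST commands as the oracle account, not just utlrp.sql. If that is wider than intended, grant sudo on a root-owned, non-writable script that runs only three.sql instead of on sqlplus itself.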

Added on Dec 6 2016
Locked on Jan 3 2017