<div dir="ltr">Now that you put that, we may not get much from that approach.<div><br></div><div>What we really want is for a group to be able to run commands as the vips user.</div><div><br></div><div>The idea here is that only one user is given permission to run commands on Suse VM as super user without pw.</div><div><br></div><div>The members of the group puppet-folks should be able to run commands either as that vips user or scripts owned by vips should be runnable by the members of the group.</div><div><br></div><div>-Narahari</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Mar 31, 2015 at 7:43 PM, Alex Carver <span dir="ltr">&lt;<a href="mailto:agcarver+ale@acarver.net" target="_blank">agcarver+ale@acarver.net</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">What is this going to get you? If they can become the vips user then<br>
they can go up one more link in the chain and be root for anything.<br>
You're gaining nothing by allowing them to become the unrestricted vips<br>
user. You might as well give them direct sudo access.<br>
<div><div class="h5"><br>
On 2015-03-31 16:40, Narahari 'n' Savitha wrote:<br>
> Friends:<br>
><br>
> Thank You folks for your time and reading this email.<br>
><br>
> Here is the scenario<br>
><br>
> I have a machine with a user called vips<br>
><br>
> This vips user has sudo on the box to do pretty much anything<br>
> vips ALL = (ALL) NOPASSWD:ALL<br>
><br>
> I have two other users narahari and zikka<br>
><br>
> narahari and zikka belong to puppet-folks user group<br>
><br>
> pupppet-folks:x:2100:narahari,zikka<br>
><br>
><br>
> The entry in the sudoers file is<br>
> %pupppet-folks ALL = (vips) ALL<br>
><br>
> .......<br>
><br>
> When I login as narahari on to the box, and I try the following command<br>
><br>
> narahari@cdl-pid-c1-02:~> sudo su -u virtual<br>
> narahari's password:<br>
> Sorry, user narahari is not allowed to execute '/bin/su -u virtual' as root<br>
> on cdl-pid-c1-02.<br>
><br>
> I am at a loss. The idea is that when either narahari or zikka logs in, they<br>
> should be able to get to a shell for the vips user.<br>
><br>
> If not the shell, at least something like sudo su -u vips bash -c<br>
> "/home/vips/cool/loveTheWorld.sh"<br>
><br>
> Please provide some thoughts or if I am going about this the wrong way<br>
> correct me please.<br>
><br>
> -Narahari<br>
><br>
><br>
><br>
</div></div>> _______________________________________________<br>
> Ale mailing list<br>
> <a href="mailto:Ale@ale.org">Ale@ale.org</a><br>
> <a href="http://mail.ale.org/mailman/listinfo/ale" target="_blank">http://mail.ale.org/mailman/listinfo/ale</a><br>
> See JOBS, ANNOUNCE and SCHOOLS lists at<br>
> <a href="http://mail.ale.org/mailman/listinfo" target="_blank">http://mail.ale.org/mailman/listinfo</a><br>
><br>
<br>
</blockquote></div><br></div>
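<div>An added example, not part of the thread: a small audit check for the chain described in the reply above, where a group that may run anything as vips inherits vips's unrestricted sudo. The sample entries are constructed from the ones quoted in the thread; the simplified one-line rule shape and all function names are assumptions of this example, not sudo's own parser.</div>

```python
import re

# Constructed sample input, modelled on the entries quoted in the thread.
SUDOERS = "vips ALL = (ALL) NOPASSWD:ALL\n%puppet-folks ALL = (vips) ALL\n"
GROUP = "puppet-folks:x:2100:narahari,zikka\n"
# Assumed rule shape: who host = (runas[,runas]) [NOPASSWD:] commands
RULE = re.compile(r"^(\S+)\s+\S+\s*=\s*\(([^)]*)\)\s*(?:NOPASSWD:\s*)?(.+)$")

def parse_groups(text):
    """Map group name -> set of members from /etc/group-style lines."""
    groups = {}
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) == 4:
            groups[parts[0]] = {m for m in parts[3].split(",") if m}
    return groups

def parse_rules(text):
    """Return (who, runas_set, commands) for each line matching RULE."""
    rules = []
    for line in text.splitlines():
        m = RULE.match(line.strip())
        if m:
            who, runas, cmds = m.groups()
            rules.append((who, {r.strip() for r in runas.split(",")}, cmds.strip()))
    return rules

def applies(who, account, groups):
    """True if a rule's subject covers this account (user, %group or ALL)."""
    if who.startswith("%"):
        return account in groups.get(who[1:], ())
    return who in (account, "ALL")

def unrestricted_targets(user, rules, groups):
    """Accounts `user` can run ANY command as, following chains of rules."""
    reached, todo = set(), [user]
    while todo:
        current = todo.pop()
        for who, runas, cmds in rules:
            if not applies(who, current, groups) or cmds != "ALL":
                continue  # command-restricted rules are not followed
            # A run-as list of ALL includes root; record it as root.
            for target in ({"root"} if "ALL" in runas else runas):
                if target not in reached:
                    reached.add(target)
                    todo.append(target)
    return reached

def effectively_root(user, rules, groups):
    return "root" in unrestricted_targets(user, rules, groups)
```

<div>A rule limited to a single command is not followed by this check, so it reports such a grant as not reaching root; it says nothing about whether that command can itself be modified or used to start a shell.</div>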