unix sysadmin archives

Monday, 24 October 2011

sesudo


Executes commands that require superuser authority on behalf of a regular user.
SYNOPSIS
sesudo [[ -h ] | [command [parameters]]]
DESCRIPTION
The sesudo command borrows the permissions of another user (known as the target user) to perform one or more commands. This enables regular users to perform actions that require superuser authority, such as the mount command. The rules governing the user's authority to perform the command are defined in the SUDO class.
Notes
  • You must define the access rules for the user in the SUDO class. The definition may specify commands that the user can use and commands that the user is prohibited from using.
  • The output depends on the command that is being executed. Error messages are sent to the standard error device (stderr), usually defined as the terminal screen.
  • To run a command through sesudo, the user enters the following at the UNIX shell prompt:
    sesudo profile_name
    
  • You can choose whether the command is displayed before it is executed. The default value is that commands are not displayed. To display commands, change the value in the echo_command token in the sesudo section of the seos.ini file.
Arguments
-h
Displays the help screen.
command [parameters]
Specifies the command that is to be performed on behalf of the user. The command name must be the name of a record in the SUDO class. Multiple parameters can be specified, provided they are separated by spaces.
Prerequisites: Define SUDO Commands
Several steps must be performed before it is possible to use the sesudo command. The first step needs to be done only once. Other steps need to be done every time a new user is given the authority to execute the sesudo command, or every time a new profile is defined in the SUDO class.
  1. Define the sesudo program as a trusted setuid program owned by root. This step only needs to be done once per TACF installation. The format of the command is:
    newres PROGRAM /usr/seos/bin/sesudo defaccess(NONE)
    
  2. Give a user the authority to execute the sesudo program. Do this once for every user who is entitled to this authority. The format of the command is:
    authorize PROGRAM /usr/seos/bin/sesudo uid(user_name)
    
  3. Permit the user to surrogate to the target user using the sesudo program. Do this for every user who should have this authority, and do it for every target user ID that you want to make available to the user. The format of the command is:
    authorize SURROGATE USER.root uid(user_name) \
    via(pgm(/usr/seos/bin/sesudo))
    
  4. Define new records in the SUDO class for every command to be executed by users. For each command script, you can define permitted and forbidden parameters, permitted users, and password protection. If no parameters are specified as permitted or prohibited, then all parameters are permitted. The format of the command is:
    newres SUDO profile_name \
    data('cmd[;[prohibited-params][;permitted-params]]')
    

    A command can have prohibited and permitted parameters for each operand. The prohibited parameters and the permitted parameters for each operand are separated by the pipe symbol (|). The format is:

    newres SUDO profile_name \
    data('cmd;pro1|pro2|...|proN;per1|per2|...|perN')
    

    sesudo checks each parameter entered by the user in the following manner:
    1. Test if parameter number N matches permitted parameter N. (If permitted parameter N does not exist, the last permitted parameter is used.)
    2. Test if parameter number N matches prohibited parameter N. (If prohibited parameter N does not exist, the last prohibited parameter is used.)

    Only if all the parameters match permitted parameters, and none match prohibited parameters, does sesudo execute the command.
  5. Permit the user to access the profile that has been defined in the SUDO class. Do this for every profile a user should be able to access. The format of the command is:
    authorize SUDO profile_name uid(user_name)
    
    If defaccess is none, specify each user who is granted permission with the authorize command. If defaccess is not set otherwise, use the authorize command to specify each user to whom access is forbidden.
  6. The sesudo command can display the command before executing it. Display depends on the value in the echo_command token in the [sesudo] section of the seos.ini file. The default value calls for no display, but the value can be changed.
  7. The output of the sesudo command depends on the command being performed. Error messages are sent to the standard error device (stderr), usually defined as the terminal's screen.
SUDO Record: Parameters and Variables
The special parameters used in connection with the SUDO record are explained in the following list:
profile_name
The name the security administrator gives to the superuser command.
cmd
The superuser command that a normal user can execute.
prohibited parameters
The parameters that you prohibit the regular user from invoking. These parameters may contain patterns or variables.
permitted parameters
The parameters that you specifically allow the regular user to invoke. These parameters may contain patterns or variables.
Prohibited and permitted parameters may also contain variables as described in the following list:
$A
Alphabetic value
$G
Existing TACF group name
$H
Home path pattern of the user
$N
Numeric value
$O
Executor's user name
$U
Existing TACF user name
$f
Existing file name
$g
Existing UNIX group name
$h
Existing host name
$r
Existing UNIX file name with UNIX read permission
$u
Existing UNIX user name
$w
Existing UNIX file name with UNIX write permission
$x
Existing UNIX file name with UNIX exec permission
Return Value
Each time the sesudo command runs, it returns one of the following values:
-2
Target user not found, or command interrupted
-1
Password error
0
Execution successful
10
Problem with usage of parameters
20
Target user error
30
Authorization error
EXAMPLES
  1. If you do not allow any parameters, define the profile in the following way:
    newres SUDO profile_name data('cmd;*')
    
  2. If you want to allow the user to invoke the NAME parameter, do the following:
    newres SUDO profile_name data('cmd;;NAME')
    
    In the previous example, the only parameter the user can enter is NAME.
  3. If you want to prevent the user from using -9 and -HUP but you permit the user to use all other parameters, do the following:
    newres SUDO profile_name data('cmd;-9 -HUP;*')
    
  4. If there are two prohibited parameters (the first is the UNIX user name and the second is the UNIX group name) and two permitted parameters (the first can be numeric and the second can be alphabetic), enter the following:
    newres SUDO profile_name \
    data('cmd;$u | $g ;$N | $A')
    
    For the first operand, the user cannot enter the UNIX user name but can enter a numeric parameter; for the second operand, the user cannot enter the UNIX group name but can enter an alphabetic parameter.
  5. If there are several prohibited parameters for several operands in the command, enter the following:
    newres SUDO profile_name \
    data('cmd;pro1 pro2 | pro3 pro4 | pro5 pro6')
    
    pro1 and pro2 are the prohibited parameters of the first operand of the command; pro3 and pro4 are the prohibited parameters of the second operand of the command; and pro5 and pro6 are the prohibited parameters of the third operand of the command.
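
The per-operand check described in step 4 of the prerequisites, applied to the profile formats above, can be modelled as follows. This is an added example, not code from sesudo or its vendor: glob-style pattern matching, the ASCII tests for $N and $A, and all function names are assumptions, and the remaining variables are not modelled.

```python
import fnmatch

# Assumption: only $N and $A are modelled; the page's other variables need
# lookups against the system or the TACF database.
VARIABLES = {
    "$N": lambda p: p.isascii() and p.isdigit(),   # numeric value
    "$A": lambda p: p.isascii() and p.isalpha(),   # alphabetic value
}

def parse_profile(data):
    """Split 'cmd;prohibited;permitted' into (cmd, prohibited, permitted)."""
    cmd, prohibited, permitted = (data.split(";", 2) + ["", ""])[:3]
    def groups(section):
        # One group per operand ('|' separated), each a list of patterns.
        return [g.split() for g in section.split("|")] if section.strip() else []
    return cmd.strip(), groups(prohibited), groups(permitted)

def matches(param, pattern):
    """Variable test for a modelled variable, otherwise a glob match."""
    if pattern in VARIABLES:
        return VARIABLES[pattern](param)
    if pattern.startswith("$"):
        raise NotImplementedError(f"variable {pattern} is not modelled")
    return fnmatch.fnmatchcase(param, pattern)

def group_for(rules, n):
    """Rule group for operand n; past the end, the last group is reused."""
    return rules[min(n, len(rules) - 1)]

def is_allowed(data, params):
    """True only if every parameter is permitted and none is prohibited."""
    _cmd, prohibited, permitted = parse_profile(data)
    for n, param in enumerate(params):
        # 1. Parameter N must match permitted parameter N (if any are defined).
        if permitted and not any(matches(param, p) for p in group_for(permitted, n)):
            return False
        # 2. Parameter N must not match prohibited parameter N.
        if prohibited and any(matches(param, p) for p in group_for(prohibited, n)):
            return False
    return True

if __name__ == "__main__":
    # Constructed invocations against the profile formats from EXAMPLES.
    print(is_allowed("cmd;*", ["-v"]))                     # no parameters allowed
    print(is_allowed("cmd;-9 -HUP;*", ["-15", "1234"]))    # deny list plus '*'
    print(is_allowed("cmd;;$N | $A", ["5", "abc", "7"]))   # last group reused
```

The third call shows the fallback rule: a third parameter is tested against the last permitted group ($A), so a numeric value there is rejected.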
