Executes commands that require superuser authority on behalf of a regular user.
sesudo [[-h] | [command [parameters]]]
The sesudo command borrows the permissions of another user (known as the target user) to perform one or more commands. This enables regular users to perform actions that require superuser authority, such as the mount command. The rules governing the user's authority to perform the command are defined in the SUDO class.
- You must define the access rules for the user in the SUDO class. The definition may specify commands that the user can use and commands that the user is prohibited from using.
- The output depends on the command that is being executed. Error messages are sent to the standard error device (stderr), usually defined as the terminal screen.
- To execute the sudo command, the user should specify the
following command at the UNIX shell prompt:
- You can choose whether the command is displayed before it is executed. The default value is that commands are not displayed. To display commands, change the value in the echo_command token in the sesudo section of the seos.ini file.
- -h
- Displays the help screen.
- command [parameters]
- Specifies the command that is to be performed on behalf of the user. The command name must be the name of a record in the SUDO class. Multiple parameters can be specified, provided they are separated by spaces.
- Define the sesudo program as a trusted setuid
program owned by root. This step only needs to be done once
per TACF installation. The format of the command is:
newres PROGRAM /usr/seos/bin/sesudo defaccess(NONE)
- Give a user the authority to execute the sesudo program.
Do this once for every user who is entitled to this authority. The
format of the command is:
authorize PROGRAM /usr/seos/bin/sesudo uid(user_name)
- Permit the user to surrogate to the target user using the
sesudo program. Do this for every user who should have this
authority, and do it for every target user ID that you want to make available
to the user. The format of the command is:
authorize SURROGATE USER.root uid(user_name) \
  via(pgm(/usr/seos/bin/sesudo))
- Define new records in the SUDO class for every command to be executed by
users. For each command script, you can define permitted and forbidden
parameters, permitted users, and password protection. If no parameters
are specified as permitted or prohibited, then all parameters are
permitted. The format of the command is:
newres SUDO profile_name \
  data('cmd[;[prohibited-params][;permitted-params]]')
A command can have prohibited and permitted parameters for each operand. The prohibited parameters and the permitted parameters for each operand are separated by the pipe symbol (|). The format is:
newres SUDO profile_name \
  data('cmd;pro1|pro2|...|proN;per1|per2|...|perN')
sesudo checks each parameter entered by the user in the following manner:
- Test if parameter number N matches permitted parameter N. (If permitted parameter N does not exist, the last permitted parameter is used.)
- Test if parameter number N matches prohibited parameter N. (If prohibited parameter N does not exist, the last prohibited parameter is used.)
Only if all the parameters match permitted parameters, and none match prohibited parameters, does sesudo execute the command.
- Permit the user to access the profile that has been defined in the SUDO
class. Do this for every profile a user should be able to
access. The format of the command is:
authorize SUDO profile_name uid(user_name)
If defaccess is none, specify each user who is granted permission with the authorize command. If defaccess is not set otherwise, use the authorize command to specify each user to whom access is forbidden.
- The sesudo command can display the command before executing it. Display depends on the value in the echo_command token in the [sesudo] section of the seos.ini file. The default value calls for no display, but the value can be changed.
- The output of the sesudo command depends on the command being performed. Error messages are sent to the standard error device (stderr), usually defined as the terminal's screen.
- profile_name
- The name the security administrator gives to the superuser command.
- cmd
- The superuser command that a normal user can execute.
- prohibited parameters
- The parameters that you prohibit the regular user from invoking. These parameters may contain patterns or variables.
- permitted parameters
- The parameters that you specifically allow the regular user to invoke. These parameters may contain patterns or variables.
- Alphabetic value
- Existing TACF group name
- Home path pattern of the user
- Numeric value
- Executor's user name
- Existing TACF user name
- Existing file name
- Existing UNIX group name
- Existing host name
- Existing UNIX file name with UNIX read permission
- Existing UNIX user name
- Existing UNIX file name with UNIX write permission
- Existing UNIX file name with UNIX exec permission
- Target user not found, or command interrupted
- Password error
- Execution successful
- Problem with usage of parameters
- Target user error
- Authorization error
- If you do not allow any parameters, define the profile in the following
newres SUDO profile_name data('cmd;*')
- If you want to allow the user to invoke the name parameter, do the
newres SUDO profile_name data('cmd;;NAME')
In the previous example, the only parameter the user can enter is NAME.
- If you want to prevent the user from using -9 and
-HUP but you permit the user to use all other parameters, do
newres SUDO profile_name data('cmd;-9 -HUP;*')
- If there are two prohibited parameters, the first is the UNIX user name
and the second is the UNIX group name, and there are two permitted parameters,
the first can be numeric and the second can be alphabetic, enter the
newres SUDO profile_name \
  data('cmd;$u | $g ;$N | $A')
The user cannot enter the UNIX user name, but can enter a numeric parameter for the first operand; and the user cannot enter the UNIX group name but can enter an alphabetic parameter for the second operand.
- If there are several prohibited parameters for several operands in the
command, enter the following:
newres SUDO profile_name \
  data('cmd;pro1 pro2 | pro3 pro4 | pro5 pro6')
pro1 and pro2 are the prohibited parameters of the first operand of the command; pro3 and pro4 are the prohibited parameters of the second operand of the command; and pro5 and pro6 are the prohibited parameters of the third operand of the command.
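The per-operand check described above (parameter N is tested against permitted and prohibited entry N, falling back to the last entry) can be modelled to review a profile's data string before it is defined. This is an added example, not sesudo's own code. Assumptions: the function names are hypothetical, patterns are treated as shell-style wildcards, a missing list imposes no constraint, and KNOWN_USERS and KNOWN_GROUPS are constructed stand-ins for the system lookups behind $u and $g.

```python
from fnmatch import fnmatchcase

# Constructed stand-ins for the system lookups behind $u and $g (assumption).
KNOWN_USERS = {"root", "alice"}
KNOWN_GROUPS = {"staff", "wheel"}

VARIABLES = {
    "$N": str.isdigit,                   # numeric value
    "$A": str.isalpha,                   # alphabetic value
    "$u": lambda p: p in KNOWN_USERS,    # existing UNIX user name
    "$g": lambda p: p in KNOWN_GROUPS,   # existing UNIX group name
}

def parse_data(data):
    """Split 'cmd;prohibited;permitted' into (cmd, prohibited, permitted).
    Each list has one entry per operand ('|'-separated); each entry is a
    list of space-separated patterns."""
    fields = (data.split(";", 2) + ["", ""])[:3]
    def operands(field):
        if not field.strip():
            return []
        return [group.split() for group in field.split("|")]
    return fields[0].strip(), operands(fields[1]), operands(fields[2])

def _matches(param, patterns):
    for pat in patterns:
        test = VARIABLES.get(pat)
        # Variables use their predicate; anything else is a wildcard pattern.
        if test(param) if test else fnmatchcase(param, pat):
            return True
    return False

def _for_operand(groups, n):
    # Rule from the page: if entry N does not exist, the last entry is used.
    return groups[min(n, len(groups) - 1)]

def is_allowed(data, params):
    """True only if every parameter matches its permitted entry and none
    matches its prohibited entry."""
    _, prohibited, permitted = parse_data(data)
    for n, param in enumerate(params):
        if permitted and not _matches(param, _for_operand(permitted, n)):
            return False
        if prohibited and _matches(param, _for_operand(prohibited, n)):
            return False
    return True
```

Because the last entry is reused for every further operand, a trailing `*` in the permitted list also covers any extra parameters a user appends, which is worth checking when reviewing a profile.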