[Freeipa-users] sudo 'run as' question

Stephen Benjamin stbenjam at redhat.com
Sun Feb 9 21:35:13 UTC 2014


----- Original Message -----
> From: "William Muriithi" <william.muriithi at gmail.com>
> To: freeipa-users at redhat.com
> Sent: Sunday, February 9, 2014 10:13:50 PM
> Subject: [Freeipa-users] sudo 'run as' question
> 
> Afternoon,
> 
> I have an application that uses the account image as a service account. I can
> su to the account 'image' and start or stop it fine.  No root privilege
> needed. So I am now trying to set it up so that other developers can
> restart it through sudo, and that's when I realized I am missing
> something about sudo.
> 
> The problem is under "run as" usage. When I look at the man page, it implies
> that the "run as" account doesn't need to be root. Quoting the man page.
> 
> Begin quote:
> sudo allows a permitted user to execute a command as the superuser or
> another user, as specified by the security policy. End quote:
> 
> On FreeIPA, I have a sudo rule called developers with necessary hostgroups
> and usergroups. At the bottom is a section titled "AS WHOM" and that's
> where I am having a problem. If I use root under RunAs Users section, it
> works. If I substitute root with account image, I get the following error.
> 
> [william at dev18-yyz-int ~]$ sudo service imageserver stop
> [sudo] password for william:
> Sorry, user william is not allowed to execute '/sbin/service imageserver
> stop' as root on dev18-yyz-int.jamar.loc.

You need to specify the user, because the default for sudo is root.

  sudo -u image <command>

Although, this won't work - your init script is using runuser, which an
unprivileged user can't use.


HTH.

Stephen



