I create a group "support" and a user "myuser":
puppet apply -e "group {'support': ensure => present,}"
puppet apply -e "user {'myuser': ensure => present, gid => 'support', managehome => true}"
then I edit my sudoers file:
visudo -f /etc/sudoers
and I enter
Runas_Alias SOA = soa, soa2, soa3
%support osb-vagrant= (SOA) /opt/oracle/usr/*
"%support" means "any member of the support group"
"osb-vagrant=" means "only when the operator is logged on the host named osb-vagrant"
"(SOA)" means "only if the operator runs the command as one of the alias members, i.e. with sudo -u soa, sudo -u soa2 or sudo -u soa3"
"/opt/oracle/usr/*" means "the operator can run any script in the /opt/oracle/usr/ directory"
If you want to allow the operator to run the command without having to supply his password:
%support osb-vagrant= (SOA) NOPASSWD: /opt/oracle/usr/*
Now, if you "sudo su - myuser" and run "sudo -u soa /opt/oracle/usr/somescript.sh", you will be able to run the script impersonating the user "soa".
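As an added illustration (not part of the original post), the Python script below models how sudo evaluates rules of the shape shown above: it expands the Runas_Alias, checks the group, host and target user, and matches the command path with sudoers wildcard rules, where "*" does not cross a "/" and a rule that lists no arguments accepts the command with any arguments. It is a simplified model of sudoers (no Defaults, negation, argument patterns or ALL-only shortcuts beyond the basics), and the sudoers text and sample queries are constructed here.

```python
import re

# Constructed sudoers fragment: the two lines from the post, NOPASSWD variant.
SUDOERS = """\
Runas_Alias SOA = soa, soa2, soa3
%support osb-vagrant= (SOA) NOPASSWD: /opt/oracle/usr/*
"""

def glob_to_re(pattern):
    """sudoers path wildcards follow fnmatch(3) pathname rules: '*' and '?' never match '/'."""
    out = ""
    for ch in pattern:
        out += "[^/]*" if ch == "*" else "[^/]" if ch == "?" else re.escape(ch)
    return re.compile(out + r"\Z")

def parse_sudoers(text):
    """Parse Runas_Alias lines and user specs of the form 'who host= (runas) [NOPASSWD:] cmds'."""
    aliases, rules = {}, []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"Runas_Alias\s+(\w+)\s*=\s*(.+)", line)
        if m:
            aliases[m.group(1)] = [u.strip() for u in m.group(2).split(",")]
            continue
        m = re.match(r"(\S+)\s+(\S+?)\s*=\s*\((.*?)\)\s*(NOPASSWD:)?\s*(.+)", line)
        if not m:
            raise ValueError("unsupported sudoers line: " + line)
        who, host, runas, nopasswd, cmds = m.groups()
        runas_users = [u for r in runas.split(",") for u in aliases.get(r.strip(), [r.strip()])]
        rules.append({"who": who, "host": host, "runas": runas_users,
                      "nopasswd": bool(nopasswd), "cmds": [c.strip() for c in cmds.split(",")]})
    return rules

def check(rules, user, groups, host, runas_user, command):
    """Return (allowed, password_required); password_required is None when denied."""
    program = command.split()[0]  # a rule listing no arguments accepts any arguments
    for rule in rules:
        if rule["who"].startswith("%"):
            if rule["who"][1:] not in groups:
                continue
        elif rule["who"] not in (user, "ALL"):
            continue
        if rule["host"] not in (host, "ALL"):
            continue
        if runas_user not in rule["runas"]:
            continue
        if any(glob_to_re(c).match(program) for c in rule["cmds"]):
            return True, not rule["nopasswd"]
    return False, None

if __name__ == "__main__":
    rules = parse_sudoers(SUDOERS)
    print(check(rules, "myuser", ["support"], "osb-vagrant", "soa", "/opt/oracle/usr/somescript.sh"))
```

Running it as myuser on osb-vagrant for "/opt/oracle/usr/somescript.sh" as soa returns (True, False): allowed, no password; a script in a subdirectory or a target user outside the alias is denied.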
sudo is incredibly flexible