Configuring SUDO On AIX
Question/Issue:
How is a functional account (funcacct) configured to leverage sudo on an AIX system?
Solution:
1) In this FAQ the functional user ID on the AIX system is funcacct.

2) In our environment we used the sudo RPM package, which can be downloaded from IBM:
   http://www-03.ibm.com/systems/power/software/aix/linux/toolbox/alpha.html

3) IBM's RPM package installs sudo in the /usr/bin directory.

4) sudo must be setuid root in order to work, so issue the following command:
       chmod 4111 /usr/bin/sudo

5) Create the functional account (funcacct) and set its password:
       useradd -c "Functional Account" -m funcacct
       passwd funcacct; pwdadm -c funcacct

6) Log in to your AIX system as root and cat /etc/sudoers to view the current file.

7) Use visudo to edit /etc/sudoers and add the following lines at the end of the file:
   a. For all versions:
          funcacct ALL=(root) NOPASSWD: /usr/bin/passwd
          funcacct ALL=(root) NOPASSWD: /usr/bin/pwdadm
   b. For 2.3.761 and later versions add this additional line:
          funcacct ALL=(root) NOPASSWD: /bin/sed
   c. For versions prior to 2.3.761 add this additional line:
          funcacct ALL=(root) NOPASSWD: /bin/grep
   Hit Esc, then type :wq! to save the file and exit vi.

8) Use vi to edit the /etc/ssh/sshd_config file and either modify or add the following line:
       PermitUserEnvironment yes
   Hit Esc, then type :wq! to save the file and exit vi.

9) Restart the ssh daemon on the AIX system.

10) Log in to your PAR or eGP and go to the AIX system that you've configured to be managed by the functional account (funcacct) you created.

11) On the system's Detail tab, in the Delegation Prefix field, type sudo. (If there is no Delegation Prefix field, see the instructions below.)

12) When you have the AIX system properly configured in PAR and have clicked Save Changes, click Test System; you should receive a successful message.

For PAR/eGP versions prior to 2.2.752 that do not have the Delegation Prefix field:

1) Log in as funcacct, create a bin directory within the home directory of your functional account, and place three scripts in it:
       mkdir bin
       cd bin
   Create the grep script (vi grep) containing the following line:
       sudo /bin/grep $1 $2 $3 $4
   Create the passwd script (vi passwd) containing the following line:
       sudo /usr/bin/passwd $1
   Create the pwdadm script (vi pwdadm) containing the following line:
       sudo /usr/bin/pwdadm $1 $2
   In each case hit Esc, then type :wq! to save the file and exit vi.

2) Adjust permissions on the three scripts:
       chmod +x passwd
       chmod +x pwdadm
       chmod +x grep

3) Create the .ssh directory for your functional account and create an environment file within it:
       mkdir .ssh
       cd .ssh
       vi environment
   Within the environment file add the following (substituting the actual path to the funcacct home directory):
       PATH=/path to funcacct home directory/bin:/usr/local/bin:/bin:/usr/bin
   Hit Esc, then type :wq! to save the file and exit vi.
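As an added example (not part of this FAQ and not the vendor's code), the following POSIX shell functions check a sudoers file for the funcacct rules from step 7, selecting the /bin/sed or /bin/grep rule from the version string given; the version is assumed to be "major.minor.build" such as 2.3.761, and the sample sudoers content is constructed for illustration.

```shell
# Added example, not the FAQ's own code: check a sudoers file (a copy, or
# /etc/sudoers itself) for the funcacct rules this FAQ requires, choosing the
# version-dependent third rule. Assumes the version is "major.minor.build".
# version_ge A B : succeed when dotted numeric version A is >= B.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, "."); n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            if ((x[i] + 0) > (y[i] + 0)) exit 0
            if ((x[i] + 0) < (y[i] + 0)) exit 1
        }
        exit 0
    }'
}

# required_rules VERSION : print the sudoers lines the FAQ needs, one per line.
required_rules() {
    printf '%s\n' "funcacct ALL=(root) NOPASSWD: /usr/bin/passwd" \
                  "funcacct ALL=(root) NOPASSWD: /usr/bin/pwdadm"
    if version_ge "$1" 2.3.761; then
        printf '%s\n' "funcacct ALL=(root) NOPASSWD: /bin/sed"
    else
        printf '%s\n' "funcacct ALL=(root) NOPASSWD: /bin/grep"
    fi
}

# check_sudoers FILE VERSION : print present/MISSING per rule; succeed only when
# all are in FILE. Whitespace is squeezed so tabs/double spaces don't hide a match.
check_sudoers() {
    missing=0
    rules=$(required_rules "$2")
    while IFS= read -r rule; do
        if sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
               -e 's/[[:space:]]\{1,\}/ /g' "$1" | grep -Fxq "$rule"; then
            echo "present: $rule"
        else
            echo "MISSING: $rule"; missing=$((missing + 1))
        fi
    done <<EOF
$rules
EOF
    [ "$missing" -eq 0 ]
}

# sample_sudoers FILE : constructed sample, complete for 2.3.761 but not 2.2.752.
sample_sudoers() {
    printf 'root\tALL=(ALL) ALL\nfuncacct ALL=(root)  NOPASSWD: /usr/bin/passwd\n' > "$1"
    printf 'funcacct\tALL=(root) NOPASSWD: /usr/bin/pwdadm\nfuncacct ALL=(root) NOPASSWD: /bin/sed\n' >> "$1"
}
```

After saving with visudo, run `check_sudoers /etc/sudoers 2.3.761` (or the version in use) as root; a MISSING line names the rule still to be added.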