
Somebody noticed that with the "old" sudo (the one which was downloaded), i.e. sudo 1.8.21p2 005-nokrb it happened that when having an entry like this in /etc/sudoers

JOHNDOE  ALL = (PRODUSER) NOPASSWD: /u/produser/bin/daily_cleanup.sh

and then user JOHNDOE does

sudo -u PRODUSER /u/produser/bin/daily_cleanup.sh

the following error messages pop up:

sudo: unable to change to runas uid (189, 189): EDC5139I Operation not permitted.
sudo: unable to execute /u/produser/bin/daily_cleanup.sh: EDC5139I Operation not permitted.

The same time in syslog there pops up an ICH408I message

ICH408I USER(JOHNDOE ) GROUP(BASE   ) NAME(DOE, JOHN        )
   BPX.DAEMON CL(FACILITY)                                       
   INSUFFICIENT ACCESS AUTHORITY                                 
   ACCESS INTENT(READ   )  ACCESS ALLOWED(NONE   )

If user JOHNDOE gets READ access to BPX.DAEMON then above sudo command works fine.

Questions:

1. Is this a known error?

2. If yes is it fixed in the forthcoming sudo_nokrb package which Vladimir said will be available by end of June?

Thanks,

Manfred



------------------------------
Manfred Lotz
IBM
------------------------------
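Added example, not code from the thread or from the sudo_nokrb package: a small parser for RACF ICH408I messages in the layout shown in the post above, so the violations can be counted per user and resource instead of read off the syslog by hand. It assumes the raw message layout (a header line containing ICH408I followed by indented continuation lines); a syslog prefix before ICH408I on the header line is tolerated. The log extract inside the block is constructed for the example.

```python
"""Parse RACF ICH408I access-violation messages and count them per user and
resource. Added example, not code from the thread or the sudo_nokrb package.
Assumes the raw message layout shown in the thread: a header line containing
ICH408I, followed by indented continuation lines."""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample log in the layout seen in the thread: the same violation
# logged twice for one command, with an unrelated, unindented line between.
SAMPLE_LOG = """\
ICH408I USER(JOHNDOE ) GROUP(BASE   ) NAME(DOE, JOHN        )
   BPX.DAEMON CL(FACILITY)
   INSUFFICIENT ACCESS AUTHORITY
   ACCESS INTENT(READ   )  ACCESS ALLOWED(NONE   )
IEF404I DAILYCLN - ENDED - TIME=10.12.03
ICH408I USER(JOHNDOE ) GROUP(BASE   ) NAME(DOE, JOHN        )
   BPX.DAEMON CL(FACILITY)
   INSUFFICIENT ACCESS AUTHORITY
   ACCESS INTENT(READ   )  ACCESS ALLOWED(NONE   )
"""


@dataclass(frozen=True)
class Ich408i:
    user: str
    group: str
    name: str
    resource: str
    racf_class: str
    reason: str
    intent: str
    allowed: str


_HEAD = re.compile(
    r"ICH408I\s+USER\((?P<user>[^)]*)\)\s+GROUP\((?P<group>[^)]*)\)\s+NAME\((?P<name>[^)]*)\)"
)
_RESOURCE = re.compile(r"^\s*(?P<resource>\S+)\s+CL\((?P<cls>[^)]*)\)")
# The closing parenthesis is optional so a line truncated by the log viewer still parses.
_ACCESS = re.compile(r"ACCESS INTENT\((?P<intent>[^)]*)\)\s+ACCESS ALLOWED\((?P<allowed>[^)]*)\)?")


def split_messages(text: str) -> list[list[str]]:
    """Group a log extract into one list of lines per ICH408I message.
    A message starts where ICH408I appears (anything before it, such as a
    syslog prefix, is dropped); indented lines that follow belong to it."""
    messages: list[list[str]] = []
    for line in text.splitlines():
        if "ICH408I" in line:
            messages.append([line[line.index("ICH408I"):]])
        elif messages and line[:1].isspace() and line.strip():
            messages[-1].append(line)
    return messages


def parse_message(lines: list[str]) -> Ich408i | None:
    """Extract the fields of one message; None if the header does not parse."""
    head = _HEAD.search(lines[0])
    if head is None:
        return None
    resource = racf_class = reason = intent = allowed = ""
    for ln in lines[1:]:
        if (m := _RESOURCE.match(ln)) is not None:
            resource, racf_class = m["resource"], m["cls"].strip()
        elif (m := _ACCESS.search(ln)) is not None:
            intent, allowed = m["intent"].strip(), m["allowed"].strip()
        else:
            reason = ln.strip()  # e.g. INSUFFICIENT ACCESS AUTHORITY
    return Ich408i(head["user"].strip(), head["group"].strip(), head["name"].strip(),
                   resource, racf_class, reason, intent, allowed)


def count_violations(text: str) -> Counter:
    """Count messages per (user, resource, class, intent), so a message that is
    logged twice for one command shows up as 2 rather than as two incidents."""
    counts: Counter = Counter()
    for lines in split_messages(text):
        msg = parse_message(lines)
        if msg is not None:
            counts[(msg.user, msg.resource, msg.racf_class, msg.intent)] += 1
    return counts


def users_denied(text: str, resource: str = "BPX.DAEMON") -> set[str]:
    """Users that were denied the given resource: the list to review before
    deciding whether to grant READ or to change the tool that triggers it."""
    return {user for (user, res, _cls, _intent) in count_violations(text) if res == resource}


if __name__ == "__main__":
    for key, n in count_violations(SAMPLE_LOG).items():
        print(n, *key)
```

Run against a real syslog extract, `count_violations` shows whether the same denial is repeated per command (as the later posts in this thread report for the 2.3 build), and `users_denied` lists who is hitting BPX.DAEMON.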

Sorry, I didn't carefully read the other threads.

From what I found in other threads it seems I can expect that the new sudo (without kerberos) build will fix this.

--
Manfred

------------------------------
Manfred Lotz
IBM
------------------------------
Hi there,
Here my feedback regarding installation and testing of sudo_nokrb

1. Installation

Installed via: conda install --channel zoss-appdev sudo_nokrb

I had to manually adjust the sudo binary as it lacked the proper permissions and the correct extattr settings.


2. Tests

2a. Running sudo -l

Works ok, but the ICH408I message complaining about missing READ access to BPX.DAEMON appears twice.


2b. Running: sudo su -

The command works, but the same as above: two ICH408I messages in the syslog.

2c. Running: sudo -u JOHNDOE uname -a

The command works and, importantly, here I don't see any ICH408I message in the syslog.

--
Manfred


------------------------------
Manfred Lotz
IBM
------------------------------
Additional remark: the above tests were done on a z/OS 2.3 system.

I reran the tests on a z/OS 2.4 system, and now the ICH408I message appeared only once in those cases where it appeared twice on z/OS 2.3.

------------------------------
Manfred Lotz
IBM
------------------------------
Thanks for your feedback Manfred!

We've added that ICH408I message issue to our backlog and should eventually fix it, even though it seems to be pretty harmless.

Regarding the lack of permissions and extended attributes on the sudo binary, that's the way it's supposed to work - first you install sudo and make sure everything is good and safe, and only then you (or even a different person) define it to program control.

Regards,
Vladimir

------------------------------
Vladimir Ein
Rocket Software
------------------------------
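Added example, not code from the thread or from the sudo_nokrb package: a shell script that follows the order described in the reply above, verifying the installed sudo binary first (root-owned, setuid, not group- or world-writable) and only then marking it program-controlled. It assumes root is uid 0, that the binary path is passed as the only argument, and that extattr(1) and ls -E exist only on z/OS UNIX, so on any other system the final step is reported rather than run. The script name in the usage note is hypothetical.

```sh
#!/bin/sh
# Added example, not code from the thread or from the sudo_nokrb package.
# Order: verify the installed sudo binary first, then mark it program-controlled.
# Assumptions: root is uid 0; the binary path is the only argument; extattr(1)
# and ls -E exist only on z/OS UNIX, so elsewhere the last step is reported, not run.

# mode_ok MODE: accept a 10-character ls(1) mode such as "-rwsr-xr-x" only if
# it is a regular file, setuid with owner execute, and not group/world writable.
mode_ok() {
    m=$(printf '%s' "$1" | cut -c1-10)        # drop a trailing '+' (ACL marker)
    [ "${#m}" -eq 10 ] || return 1
    case "$m" in
        -??s??????) ;;                         # regular file, setuid + owner exec
        *) return 1 ;;
    esac
    case "$m" in
        ?????w????|????????w?) return 1 ;;      # group- or world-writable
    esac
    return 0
}

# owner_ok UID: the binary must belong to root.
owner_ok() {
    [ "$1" = "0" ]
}

# sudo_binary_ok PATH: apply both checks to the live file. ls -ldn prints
# numeric ids, so the check does not depend on how root is named.
sudo_binary_ok() {
    f="$1"
    [ -f "$f" ] || { echo "not a regular file: $f" >&2; return 1; }
    set -- $(ls -ldn "$f")                     # $1=mode $2=links $3=uid $4=gid
    mode_ok "$1" || { echo "unsafe mode $1 on $f (want root-owned 4755)" >&2; return 1; }
    owner_ok "$3" || { echo "$f is owned by uid $3, not root" >&2; return 1; }
    return 0
}

# mark_program_controlled PATH: refuse unless the checks pass, then set the
# program-controlled extended attribute. On z/OS the issuer needs READ to
# BPX.FILEATTR.PROGCTL in the FACILITY class for extattr +p to succeed.
mark_program_controlled() {
    f="$1"
    sudo_binary_ok "$f" || return 1
    if command -v extattr >/dev/null 2>&1; then
        extattr +p "$f" && ls -E "$f"          # ls -E shows the p attribute
    else
        echo "not z/OS: would run 'extattr +p $f' here" >&2
        return 2
    fi
}

if [ $# -eq 1 ]; then
    mark_program_controlled "$1"
fi
```

Usage on z/OS: `sh check_sudo.sh /path/to/sudo`; the script exits non-zero and touches nothing if the mode or owner is wrong, so the permission fix can be done by one person and the extattr step by another, as the reply suggests.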