Monday, September 14, 2009

Linux, sudo, and environment variables

Our DBA came to me and said he was having some problems with sudo. A little background: we recently upgraded our test systems to the latest version of RedHat Enterprise Linux. We have a pretty complicated setup with Oracle and Fujitsu NetCOBOL and a lot of customizations for our site. My latest round of updates to the systems prompted me to enact a new baseline security policy. One of the features of this new baseline policy is that it requires us to move to a new procedure for issuing super user commands. We used to just su, as that's how it had always been done here on HPUX and other UNIX operating systems. With little separation of duty due to such a small staff, the DBA and others have all frequently pitched in to help with administration tasks.

Anyway, enforcing sudo provides a lot of benefit, even if it does mean we have to change the way we're doing some things. Our system relies a lot upon environment variables being carried over from one environment to another, and some of our system users and the tasks they perform depend largely upon those variables. So, it came to pass that there is a directive in the sudoers file that allows (or, by default, disallows) environment variables passing through with sudo execution. This is "Defaults env_reset". Changing it to "Defaults !env_reset" (the "!" meaning NO) tells sudo not to reset the environment variables when running commands.

This solved our issue, and the DBA was able to complete the upgrades.
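As an added example (not from the original post), here is a small POSIX shell audit of a sudoers file: it reports whether the last global "Defaults" line leaves env_reset enabled or disabled, and lists which variables are whitelisted with sudo's env_keep option, the finer-grained alternative to switching env_reset off entirely. The sudoers fragment, the variable names and the helper names are constructed for the example; Defaults lines are assumed to start at column 0.

```shell
# Added audit helper (not from the original post). Constructed sudoers sample:
# env_reset is switched off globally, then specific variables are whitelisted.
SAMPLE_SUDOERS=$(mktemp)
cat > "$SAMPLE_SUDOERS" <<'EOF'
Defaults        env_reset
Defaults        !env_reset          # later line wins: environment passed through
Defaults        env_keep += "ORACLE_HOME ORACLE_SID"
Defaults:dba    env_keep += "TNS_ADMIN"
EOF

# global_defaults FILE: option tokens of every global "Defaults" line, comments
# stripped and commas turned into spaces. Scoped forms (Defaults:user,
# Defaults@host, Defaults!cmd) are skipped on purpose.
global_defaults() {
    while IFS= read -r line; do
        line=${line%%#*}
        case "$line" in
            Defaults[[:space:]]*) printf '%s\n' "${line#Defaults}" | tr ',' ' ' ;;
        esac
    done < "$1"
}

# env_reset_state FILE: prints "enabled" or "disabled" from the last global
# env_reset / !env_reset token; exit status 1 when disabled, usable as a check.
env_reset_state() {
    state=enabled
    for tok in $(global_defaults "$1"); do
        case "$tok" in
            '!env_reset') state=disabled ;;
            env_reset)    state=enabled ;;
        esac
    done
    printf '%s\n' "$state"
    [ "$state" = enabled ]
}

# env_keep_vars FILE: every variable in a quoted env_keep list (global or
# scoped), one per line, comments stripped first.
env_keep_vars() {
    while IFS= read -r line; do
        line=${line%%#*}
        case "$line" in
            Defaults*env_keep*\"*) line=${line#*\"}; line=${line%\"*} ;;
            *) continue ;;
        esac
        for v in $line; do printf '%s\n' "$v"; done
    done < "$1"
}

printf 'env_reset: %s\n' "$(env_reset_state "$SAMPLE_SUDOERS" || true)"
printf 'env_keep : %s\n' "$(env_keep_vars "$SAMPLE_SUDOERS" | tr '\n' ' ')"
rm -f "$SAMPLE_SUDOERS"
```

Run against a real /etc/sudoers (as root) to see whether a global "!env_reset" is in effect or whether only the listed env_keep variables survive a sudo call.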
