[Freeipa-users] Managing jboss through sudo

Dmitri Pal dpal at redhat.com
Thu Jan 17 01:18:12 UTC 2013


On 01/16/2013 07:30 PM, William Muriithi wrote:
> Hello
>
> I am trying to set up dev systems and want to only allow developers to
> modify the jboss directory tree and to shut down and restart jboss.  This
> is mainly so that the dev systems don't deviate from the qa and
> production machines.
>
> The directory permissions are fine, but I am having a problem with
> stopping and restarting jboss.  (We are running jboss on port 80, so
> they would need root permission for it to bind on port 80).  My other
> problem is that the jboss directory path is not the same across
> servers.
>
> The directory path is something like this:
>
>  /opt/xyz/application/jboss/bin/  where xyz is different for every server.
>
> So to restart jboss, I would do the following:
>
> cd  /opt/xyz/application/jboss-4.2.3.GA/bin/
> sudo ./shutdown -S
> sudo  nohup ./run.sh -b 0.0.0.0 > /dev/null 2>&1 &
>
> This is what I get when I run the command below from a test account
> with the same permission as the developers account.
>  sudo -l
>
> User taccount may run the following commands on this host:
>     (root, %developers)  ./shutdown.sh -S, nohup ./run.sh -b 0.0.0.0 > /dev/null 2>&1 &
>
> However, if I try to run either of the two commands, I get an error
> that the account is not allowed to run this command
>
> [taccount@dev4-yyz-int bin]$ pwd
> /opt/xyz/application/jboss/bin
> [taccount@dev4-yyz-int bin]$ sudo ./shutdown.sh -S
> Sorry, user taccount is not allowed to execute './shutdown.sh -S' as root on dev4-yyz-int.example.com.
> [taccount@dev4-yyz-int bin]$ hostname
> dev4-yyz-int.example.com
>
> What am I missing?  Or how would you go about it?
>
> For your information, I can restart it using sudo under another
> account with full permission
>
> sudo -l
>
> User williamm may run the following commands on this host:
>     (root) ALL
>
> Thanks for assistance
>
> Regards.
>
> William

You need to give us a bit more info about your setup.
Are you using centrally managed sudo rules from IPA?
What version of IPA?
What is on your client?
What does sudo log show for the failed command?
What is the sudo configuration?

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

