root-equivalent user on AIX? Use sudo!


I look after several AIX boxes hosting Oracle EBS. The company I work for has to comply with SOX 404, and for the administrators that means no sharing of the root password. So each administrator needs an account of their own, with root-equivalent rights that can be traced back to that person.

One approach on a Linux (or HP-UX) box is to change each administrator's UID to 0, so that every login on those accounts is effectively root. The problem is that the kernel, and everything built on it, only sees the UID: file ownership, process accounting and the audit trail all record those actions as root's, and the accounts share root's configuration, history and log files. Looking at .history afterwards, you cannot tell which administrator did what, because everything is recorded as if root did it.
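As an added example (not from the original post), here is a small sh/ksh script that finds accounts set up the "UID 0" way in a passwd-format file and, going one step beyond the post, any UID shared by more than one login name. The passwd content is a constructed sample with made-up users (alice, bob, oracle); point the functions at /etc/passwd on a real box.

```shell
#!/bin/sh
# Added example, not from the original post. Field 3 of a passwd line is the
# numeric UID; every login name listed with UID 0 other than "root" is an
# alias that the kernel and every audit record will report as root.

uid0_accounts() {   # $1: passwd-format file -> sorted UID 0 logins on one line
    awk -F: '$3 == 0 && $1 != "" { print $1 }' "$1" | sort | xargs
}

uid0_aliases() {    # same, but without the real root account
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1" | sort | xargs
}

shared_uids() {     # any UID used by several logins: "uid: name name ..."
    awk -F: '{ n[$3]++; who[$3] = who[$3] " " $1 }
             END { for (u in n) if (n[u] > 1) print u ":" who[u] }' "$1" | sort -n
}

# Constructed sample in AIX passwd format (assumption: users are made up):
# root, two administrators aliased to UID 0, a system account and the Oracle
# owner. Replace with /etc/passwd (or a copy of it) on a real system.
SAMPLE_PASSWD="${TMPDIR:-/tmp}/passwd.sample.$$"
cat > "$SAMPLE_PASSWD" <<'EOF'
root:!:0:0::/:/usr/bin/ksh
daemon:!:1:1::/etc:
alice:!:0:0:Alice (DBA):/home/alice:/usr/bin/ksh
bob:!:0:0:Bob (sysadmin):/home/bob:/usr/bin/ksh
oracle:!:205:204:Oracle EBS owner:/home/oracle:/usr/bin/ksh
EOF
trap 'rm -f "$SAMPLE_PASSWD"' EXIT

echo "UID 0 accounts : $(uid0_accounts "$SAMPLE_PASSWD")"
echo "aliases of root: $(uid0_aliases "$SAMPLE_PASSWD")"
echo "shared UIDs    :"
shared_uids "$SAMPLE_PASSWD"
```

Anything printed by uid0_aliases is a candidate for conversion to a normal UID plus a sudo rule; shared_uids catches the same accountability problem for non-root UIDs (a shared "oracle" login, for instance).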

What sudo gives you instead is a way to delegate root access to particular users or groups while keeping each action attributed to the account that ran it. Here is a short how-to on installing it on AIX.

  1. Get the source from the sudo project's download page; at the time of writing the current stable release is 1.7.2p1.
  2. You will be compiling sudo from source, so make sure a C compiler is installed and can be called. You can buy a licence for IBM's XL C compiler, or use the good old GCC. To check, simply type "cc".
    If the output looks like this:

    # cc
    ksh: cc:  not found.

    then either no C compiler is installed, or it is simply not on your path. In my case it was the latter: "cc" from the xlC compiler was installed in "/usr/vac/bin". You can either symlink "cc" into a directory that is already on your PATH, or add "/usr/vac/bin" to it. To add "/usr/vac/bin" to your path for the current session, type:

    # export PATH=$PATH:/usr/vac/bin

    Test it with "cc -qversion" if you are running the xlC compiler, or "cc --version" if you are using GCC.

    # cc -qversion
    IBM XL C/C++ Enterprise Edition for AIX, V9.0
    Version: 09.00.0000.0000
  3. Unpack the source, then configure, build and install:
    # gunzip sudo-1.7.2p1.tar.gz
    # tar xvf sudo-1.7.2p1.tar
    # cd sudo-1.7.2p1
    # ./configure
    # make
    # make install

    This installs the sudo executable in /usr/local/bin and visudo in /usr/local/sbin. Neither directory is likely to be on your $PATH, so for ease of use create a symlink for each:

    # ln -s /usr/local/bin/sudo /usr/bin/sudo
    # ln -s /usr/local/sbin/visudo /usr/sbin/visudo

    Alternatively, you can download a prebuilt RPM package and install it with rpm. Note that the package available when this was written (1.6.9p23) is an older release than the source above, and that whichever route you take it is worth checking the download against the checksum or signature its distributor publishes, since this binary will run as root on every box:

    # rpm -ivh sudo-1.6.9p23-2noldap.aix5.3.ppc.rpm
  4. I assume the accounts for the administrator team already exist; the correct way to create them is "smit user". Put all administrator accounts into one group, in my case "wheel", using "smit group":
    # smit group

    Go to "Add a Group", enter "wheel" as the Group Name, move to the USER list and press F4 (or Esc+4) to get the list of available users. Mark each administrator account with F7 (or Esc+7). When you are done, press Enter.

  5. Edit /etc/sudoers with visudo, never with a plain editor: visudo locks the file and checks the syntax before it saves.
    # visudo

    Uncomment the following line:

    %wheel ALL=(ALL) ALL

    Save. Before you log out of root, open a second session as one of the administrator accounts and confirm that sudo works; a mistake in sudoers with no root session left open can lock you out. Bear in mind that this rule gives every member of wheel unrestricted root. The accountability comes from sudo logging each command together with the calling user's name (via syslog by default), so make sure syslogd on the box actually writes those entries somewhere. Then log out of the root account.
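As an added example (not from the original post), here are a few sh/ksh checks for the result of steps 3 to 5: the binary is a root-owned setuid executable, sudoers has the right owner and mode, the %wheel rule is active, and the group has the expected members. The paths, the group name wheel and the check functions are my own assumptions based on the defaults used above; override the variables at the top if your layout differs.

```shell
#!/bin/sh
# Added example, not from the original post: post-install checks for sudo.
# Each check is a function returning 0 when the condition holds, so the same
# functions can be run against the real files or against test fixtures.
SUDO_BIN="${SUDO_BIN:-/usr/local/bin/sudo}"
SUDOERS="${SUDOERS:-/etc/sudoers}"
GROUP_FILE="${GROUP_FILE:-/etc/group}"
ADMIN_GROUP="${ADMIN_GROUP:-wheel}"

perm_string() { ls -ld "$1" | cut -c1-10; }        # e.g. "-r--r-----"
file_owner()  { ls -ld "$1" | awk '{ print $3 }'; }

# sudo only works as a root-owned set-user-ID executable; a setuid copy owned
# by anyone else escalates to that owner instead. $1 path, $2 expected owner
# (root unless you are testing with fixtures).
setuid_binary_ok() {
    [ -x "$1" ] && [ -u "$1" ] && [ "$(file_owner "$1")" = "${2:-root}" ]
}

# sudoers must be root-owned and mode 0440; sudo checks this at run time and
# refuses to use a file with a different owner or mode. $1 path, $2 owner.
sudoers_perms_ok() {
    [ "$(perm_string "$1")" = "-r--r-----" ] && [ "$(file_owner "$1")" = "${2:-root}" ]
}

# The rule from step 5 ("%wheel ALL=(ALL) ALL") must be present and not
# commented out. $1 sudoers file, $2 group name.
admin_rule_present() {
    grep -q "^[[:space:]]*%$2[[:space:]]" "$1"
}

# Members of the administrator group from step 4, space-separated.
# $1 group file, $2 group name.
group_members() {
    awk -F: -v g="$2" '$1 == g { gsub(",", " ", $4); print $4 }' "$1"
}

# Run one check and print PASS/FAIL without aborting, so every result shows.
check() {
    desc="$1"; shift
    if "$@" >/dev/null 2>&1; then echo "PASS: $desc"; else echo "FAIL: $desc"; fi
}

check "$SUDO_BIN is a root-owned setuid binary"   setuid_binary_ok "$SUDO_BIN"
check "$SUDOERS is root-owned and mode 0440"      sudoers_perms_ok "$SUDOERS"
check "%$ADMIN_GROUP rule is active in $SUDOERS"  admin_rule_present "$SUDOERS" "$ADMIN_GROUP"
echo "members of $ADMIN_GROUP: $(group_members "$GROUP_FILE" "$ADMIN_GROUP")"
```

Run it as any user after the install; a FAIL on the first two lines usually means "make install" was run from a non-root account or somebody has edited /etc/sudoers without visudo.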

We're done 🙂 To use sudo, simply log in as your non-root account and run "sudo command-name". For example, to create the directory /opt/sources via sudo, type:

$ sudo mkdir /opt/sources
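A worked example I have added (it is not from the original post) of what the sudo route buys you for the SOX question: sudo logs every invocation, accepted or not, through syslog with the calling user's name and the command, and this sh/awk script turns such a log into a per-administrator report. The log lines are constructed samples in sudo's standard syslog format; the hostname ebsdb01 and the users alice, bob and carol are made up.

```shell
#!/bin/sh
# Added example, not from the original post: attribute root activity per
# administrator from sudo's syslog entries, the thing you cannot do when
# several administrators share UID 0.

# One line per sudo entry: "user<TAB>status<TAB>command". status is OK (ran),
# DENIED (user not in sudoers) or BADPASS (authentication failed).
sudo_report() {    # $1: syslog file
    awk '/ sudo: / {
        rest = $0
        sub(/^.* sudo: +/, "", rest)          # drop "Mon DD HH:MM:SS host sudo:"
        user = rest
        sub(/ : .*$/, "", user)               # login name precedes the first " : "
        status = "OK"
        if (rest ~ /NOT in sudoers/)          status = "DENIED"
        else if (rest ~ /incorrect password/) status = "BADPASS"
        cmd = rest
        if (sub(/^.*COMMAND=/, "", cmd) == 0) cmd = "-"
        printf "%s\t%s\t%s\n", user, status, cmd
    }' "$1"
}

# Number of entries per user and status, sorted: "user<TAB>status<TAB>n".
sudo_summary() {   # $1: syslog file
    sudo_report "$1" | awk -F'\t' '{ n[$1 "\t" $2]++ }
        END { for (k in n) printf "%s\t%d\n", k, n[k] }' | sort
}

# Constructed sample log (assumption: host and user names are made up).
# Two successful commands, one user who is not in sudoers at all, and one
# failed password check, plus an unrelated syslogd line that must be ignored.
SAMPLE_LOG="${TMPDIR:-/tmp}/sudo-log.sample.$$"
cat > "$SAMPLE_LOG" <<'EOF'
Nov  3 09:12:41 ebsdb01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/mkdir /opt/sources
Nov  3 09:15:02 ebsdb01 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/sbin/lsattr -El sys0
Nov  3 09:20:17 ebsdb01 sudo:    carol : user NOT in sudoers ; TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/usr/bin/cat /etc/security/passwd
Nov  3 09:21:05 ebsdb01 sudo:      bob : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/su -
Nov  3 09:30:00 ebsdb01 syslogd: restart
EOF
trap 'rm -f "$SAMPLE_LOG"' EXIT

echo "== every sudo invocation =="
sudo_report "$SAMPLE_LOG"
echo "== per user and outcome =="
sudo_summary "$SAMPLE_LOG"
```

The DENIED and BADPASS rows are the ones an auditor will ask about first: carol should not be probing /etc/security/passwd if she is not in wheel, and three wrong passwords before "su -" from bob's terminal deserves a question too.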

Update:

I’ve written a bit more on how to use sudo. Do check it out.



2 Comments

  1. mazmade says:

    Awesome, bro.. AIX.. never touched it.. I want to.. eh, I'm kind of horny for AIX, hahaha

    Me, I don't want the hassle.. I'd go straight for

    #vipw aka #vi /etc/passwd
    and change the UID and GID to 0:0, hahaha.. is that possible on AIX? Sorry, never touched it

    So in the end you edit sudoers too, eh bro.. hehehe.. and with ALL ALL at that…

    1. Ikhsan says:

      On earlier versions you could edit the uid and gid, Mad. On 5.3, when I edited the uid and gid, it still ended up asking for the root password anyway 😀 Besides, if the uid and gid are masked to root, auditing becomes hard: .history (.bash_history on RHEL) gets mixed up between root and the other accounts with uid 0. With sudo, each account's .history stays separate, hehe
