From ms at artcom-gmbh.de Tue Mar 1 07:02:35 2005
From: ms at artcom-gmbh.de (Martin Schröder)
Date: Tue Mar 1 07:02:58 2005
Subject: [sudo-users] [sudosh] Problems on SuSE 9.2
Message-ID: <20050301140235.GZ20102@blau.artcom-gmbh.de>

Hi,

I'm trying to run sudosh on SuSE 9.2 amd64. Compile went mostly well:

---------------------------
Configuration summary:
======================
Host type................:
Perl.....................: /usr/bin/perl
CC.......................: gcc
CFLAGS...................: -g -O2
Package..................: sudosh
Version..................: 1.4.3
Log directory............: /var/log/sudosh
Installation prefix......: /usr/local
man directory............: /usr/local/man
---------------------------
> make
make  all-recursive
make[1]: Entering directory `/home/ms/tmp/sudosh-1.4.3'
Making all in src
make[2]: Entering directory `/home/ms/tmp/sudosh-1.4.3/src'
if gcc -DHAVE_CONFIG_H -I. -I. -I.. -g -O2 -MT sudosh.o -MD -MP -MF ".deps/sudosh.Tpo" -c -o sudosh.o sudosh.c; \
then mv -f ".deps/sudosh.Tpo" ".deps/sudosh.Po"; else rm -f ".deps/sudosh.Tpo"; exit 1; fi
sudosh.c: In function `findms':
sudosh.c:360: warning: cast to pointer from integer of different size
gcc -g -O2 -o sudosh sudosh.o
make[2]: Leaving directory `/home/ms/tmp/sudosh-1.4.3/src'
make[2]: Entering directory `/home/ms/tmp/sudosh-1.4.3'
make[2]: Leaving directory `/home/ms/tmp/sudosh-1.4.3'
make[1]: Leaving directory `/home/ms/tmp/sudosh-1.4.3'
---------------------------

But when I do sudo sudosh, I get

---------------------------
> sudo sudosh
open slave pty: Bad address
open pty failed: Illegal seek
---------------------------

What's wrong here? Terminal is an xterm.
Thanks in advance
Martin
-- 
Martin Schröder, ms@artcom-gmbh.de
ArtCom GmbH, Lise-Meitner-Str 5, 28359 Bremen, Germany
Voice +49 421 20419-44 / Fax +49 421 20419-10
http://www.artcom-gmbh.de

From bob at proulx.com Tue Mar 1 09:03:06 2005
From: bob at proulx.com (Bob Proulx)
Date: Tue Mar 1 09:03:22 2005
Subject: [sudo-users] Execution permission denied
In-Reply-To: <20050301060507.GB23849@dementia.proulx.com>
References: <20050228224950.GD19986@dementia.proulx.com> <20050301052336.15315.qmail@web25802.mail.ukl.yahoo.com> <20050301060507.GB23849@dementia.proulx.com>
Message-ID: <20050301160306.GA31085@dementia.proulx.com>

> Bob Proulx wrote:
> > This is getting off-topic for the list, but...

And so discussion moved off. But this part is back on topic...

> > It might be easiest to compile sudo on the machine. It compiles
> > easily on hpux.

lars ebeling wrote:
> I have downloaded the source and got compilation errors.
> # make
> gcc -c -I. -I. -O2 -D_PATH_SUDOERS=\"/etc/sudoers\" -D_PATH_SUDOERS_TMP=\"/etc/sudoers.tmp\" -DSUDOERS_UID=0 -DSUDOERS_GID=0 -DSUDOERS_MODE=0440 getspwuid.c
> In file included from getspwuid.c:50:
> /usr/include/shadow.h:42: error: conflicting types for 'getspnam'
> /usr/include/prot.h:650: error: previous declaration of 'getspnam' was here
> /usr/include/shadow.h:42: error: conflicting types for 'getspnam'
> /usr/include/prot.h:650: error: previous declaration of 'getspnam' was here
> *** Error exit code 1

I am not sure what is up with that. On my installation I see:

  grep getspnam /usr/include/prot.h /usr/include/shadow.h
  /usr/include/prot.h:extern struct spwd *getspnam __((const char *));
  /usr/include/shadow.h: extern struct spwd * getspnam(const char *);

I suspect a problem with your GCC installation. It compiles for me with gcc-3.3 fine. Try using the native compiler. At least as of 1.6.5 I know it still compiles using the bundled HP-UX compiler because I just tried it. And if you have the ANSI compiler installed so much the better.
  ./configure CC=cc

> Sorry only mistakes it's not a D370 it's D330. kernel is
> /stand/vmunix: PA-RISC1.1 executable -not stripped . The old sudo
> was for pa-risc 2.0

I think the D330 is the PA-7300 cpu (although not sure) which is a PA-RISC-1.1 cpu. PA-RISC-2.0 came in with the PA-8000 cpu.

Bob

From Todd.Miller at courtesan.com Tue Mar 1 13:00:20 2005
From: Todd.Miller at courtesan.com (Todd C. Miller)
Date: Tue Mar 1 13:00:41 2005
Subject: [sudo-users] Execution permission denied
In-Reply-To: Your message of "Tue, 01 Mar 2005 09:03:06 MST." <20050301160306.GA31085@dementia.proulx.com>
References: <20050228224950.GD19986@dementia.proulx.com> <20050301052336.15315.qmail@web25802.mail.ukl.yahoo.com> <20050301060507.GB23849@dementia.proulx.com> <20050301160306.GA31085@dementia.proulx.com>
Message-ID: <200503012000.j21K0LO2008329@xerxes.courtesan.com>

IIRC the OpenSSH folks had a similar problem with this. I suspect it is a bug either introduced or fixed by some HP-UX patch since my 11.11 system doesn't exhibit it either, though I don't have it turned on at the moment (and I am at work) so I can't check. If memory serves, prot.h is not included directly but rather is included by other system includes. Passing the --with-pam flag to configure may work around the problem.

 - todd

From dhanks at gmail.com Sat Mar 5 23:46:19 2005
From: dhanks at gmail.com (Doug Hanks)
Date: Sat Mar 5 23:46:31 2005
Subject: [sudo-users] Sudosh 1.4.4 is now available
Message-ID: <82a71f8a05030522466f08226b@mail.gmail.com>

Sudosh version 1.4.4 is now available.

http://freshmeat.net/projects/sudosh/
http://sourceforge.net/projects/sudosh/
(freshmeat is slow on file releases; sf is always current)

Major updates since version 1.4.3:

 o Critical bug fix. Changed the way sudosh handles LOGDIR permissions.
 o Added bash_profile
 o Added Redhat specfile.
-- 
 - Doug Hanks = dhanks(at)gmail(dot)com

From lx at redundancy.redundancy.org Tue Mar 8 11:15:07 2005
From: lx at redundancy.redundancy.org (David Thiel)
Date: Tue Mar 8 11:15:13 2005
Subject: [sudo-users] sudo + ldap security
Message-ID: <20050308181507.GB93230@redundancy.redundancy.org>

Greetings,

I'm considering using LDAP to store sudo configuration data, but I can't see any way to keep any user of a sudo-controlled machine from browsing that data in LDAP. With regular sudoers, I at least have the assurance that users can only read rules that apply to them personally, and that the whole of that data can only be read by root. Has anyone found any clever ways to mitigate this?

Thanks,
David

From Chris.Martino at tsysprepaid.com Tue Mar 8 15:18:01 2005
From: Chris.Martino at tsysprepaid.com (Chris Martino)
Date: Tue Mar 8 16:18:20 2005
Subject: [sudo-users] sudo & LDAP (not working)
Message-ID:

Hello,

I'm trying to get sudoers into LDAP and I'm mostly there. Everything has been ported across and /etc/ldap.conf setup but testing it with a simple 'sudo -u user ls' fails. Here's my output:

server:/home/chris # sudo -u chris ls
LDAP Config Summary
===================
host         127.0.0.1
port         389
ldap_version 3
sudoers_base ou=Sudoers,o=TSYS,c=US
binddn       (anonymous)
bindpw       (anonymous)
ssl          on
===================
ldap_init(127.0.0.1,389)
ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,0x03)
ldap_bind() ok
found:cn=defaults,ou=Sudoers,o=TSYS,c=US
ldap sudoOption: 'ignore_local_sudoers'
ldap search '(|(sudoUser=root)(sudoUser=%root)(sudoUser=%root)(sudoUser=%wheel)(sudoUser=%wheel)(sudoUser=%priv)(sudoUser=%pkcs11)(sudoUser=%pkcs11)(sudoUser=%perldb2)(sudoUser=ALL))'
found:cn=root,ou=Sudoers,o=TSYS,c=US
ldap sudoHost 'ALL' ... MATCH!
ldap sudoCommand 'ALL' ... MATCH!
ldap search 'sudoUser=+*'
user_matches=-1
host_matches=-1
sudo_ldap_check(0)=0x04
Sorry, user root is not allowed to execute '/bin/ls' as chris on server.

Any ideas what's going on here?
Here's what my LDAP schema looks like for the sudoers OU:

# Sudoers, TSYS, US
dn: ou=Sudoers,o=TSYS,c=US
ou: Sudoers
objectClass: top
objectClass: organizationalUnit

# defaults, Sudoers, TSYS, US
dn: cn=defaults,ou=Sudoers,o=TSYS,c=US
objectClass: top
objectClass: sudoRole
cn: defaults
description: Default sudoOption's go here
sudoOption: ignore_local_sudoers

# root, Sudoers, TSYS, US
dn: cn=root,ou=Sudoers,o=TSYS,c=US
objectClass: top
objectClass: sudoRole
cn: root
sudoUser: root
sudoHost: ALL
sudoCommand: ALL

# %users, Sudoers, TSYS, US
dn: cn=%users,ou=Sudoers,o=TSYS,c=US
objectClass: top
objectClass: sudoRole
cn: %users
sudoUser: %users
sudoHost: ALL
sudoCommand: ALL

Any help is greatly appreciated!

Thanks,
Chris

From aaron777 at gmail.com Wed Mar 9 19:37:59 2005
From: aaron777 at gmail.com (Aaron Spangler)
Date: Wed Mar 9 20:04:52 2005
Subject: Fwd: [sudo-users] sudo & LDAP (not working)
In-Reply-To: <1db25077050309091078410db7@mail.gmail.com>
References: <1db25077050309091078410db7@mail.gmail.com>
Message-ID: <1db25077050309183732cf01b7@mail.gmail.com>

The RunAs user did not match. By default Sudo allows non-root users to run stuff as root. If you want root to run as a user other than root, add 'sudoRunAs: chris' or 'sudoRunAs: ALL' to the role cn=root,ou=Sudoers,o=TSYS,c=US.

Hope this helps.

-Aaron

On Tue, 08 Mar 2005 17:18:01 -0500, Chris Martino wrote:
> Hello,
>
> I'm trying to get sudoers into LDAP and I'm mostly there. Everything has
> been ported across and /etc/ldap.conf setup but testing it with a simple
> 'sudo -u user ls' fails.
> Here's my output:
>
> server:/home/chris # sudo -u chris ls
> LDAP Config Summary
> ===================
> host         127.0.0.1
> port         389
> ldap_version 3
> sudoers_base ou=Sudoers,o=TSYS,c=US
> binddn       (anonymous)
> bindpw       (anonymous)
> ssl          on
> ===================
> ldap_init(127.0.0.1,389)
> ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,0x03)
> ldap_bind() ok
> found:cn=defaults,ou=Sudoers,o=TSYS,c=US
> ldap sudoOption: 'ignore_local_sudoers'
> ldap search
> '(|(sudoUser=root)(sudoUser=%root)(sudoUser=%root)(sudoUser=%wheel)(sudoUser=%wheel)(sudoUser=%priv)(sudoUser=%pkcs11)(sudoUser=%pkcs11)(sudoUser=%perldb2)(sudoUser=ALL))'
> found:cn=root,ou=Sudoers,o=TSYS,c=US
> ldap sudoHost 'ALL' ... MATCH!
> ldap sudoCommand 'ALL' ... MATCH!
> ldap search 'sudoUser=+*'
> user_matches=-1
> host_matches=-1
> sudo_ldap_check(0)=0x04
> Sorry, user root is not allowed to execute '/bin/ls' as chris on server.
>
> Any ideas what's going on here? Here's what my LDAP schema looks like for
> the sudoers OU:
>
> # Sudoers, TSYS, US
> dn: ou=Sudoers,o=TSYS,c=US
> ou: Sudoers
> objectClass: top
> objectClass: organizationalUnit
>
> # defaults, Sudoers, TSYS, US
> dn: cn=defaults,ou=Sudoers,o=TSYS,c=US
> objectClass: top
> objectClass: sudoRole
> cn: defaults
> description: Default sudoOption's go here
> sudoOption: ignore_local_sudoers
>
> # root, Sudoers, TSYS, US
> dn: cn=root,ou=Sudoers,o=TSYS,c=US
> objectClass: top
> objectClass: sudoRole
> cn: root
> sudoUser: root
> sudoHost: ALL
> sudoCommand: ALL
>
> # %users, Sudoers, TSYS, US
> dn: cn=%users,ou=Sudoers,o=TSYS,c=US
> objectClass: top
> objectClass: sudoRole
> cn: %users
> sudoUser: %users
> sudoHost: ALL
> sudoCommand: ALL
>
> Any help is greatly appreciated!
>
> Thanks,
> Chris
> ____________________________________________________________
> sudo-users mailing list
> For list information, options, or to unsubscribe, visit:
> http://www.sudo.ws/mailman/listinfo/sudo-users
>

From gessyfis at yahoo.com.br Wed Mar 9 11:38:37 2005
From: gessyfis at yahoo.com.br (Gessy Caetano da Silva Junior)
Date: Thu Mar 10 09:54:21 2005
Subject: [sudo-users] access control for directories
Message-ID: <422F42AD.203@yahoo.com.br>

-- 
|====================================|
|    .~.                             |
|    / v \    Be GNU/Linux!          |
|   /( )\     Gessy Caetano Júnior   |
|    ^^-^^                           |
|             Gentoo Linux           |
|====================================|

From brad_clark at hermanmiller.com Thu Mar 10 13:59:23 2005
From: brad_clark at hermanmiller.com (Brad Clark)
Date: Thu Mar 10 13:59:13 2005
Subject: [sudo-users] Brad Clark/Herman Miller is out of the office.
Message-ID:

I will be out of the office starting 03/10/2005 and will not return until 03/11/2005.

I will respond to your message when I return. If you need assistance before I return, please contact Jim Razmus at (616) 654-5655. For OpenView specific issues, please contact Kristie Phillips at (616) 654-7525.

From hbo at egbok.com Fri Mar 11 00:02:18 2005
From: hbo at egbok.com (Howard Owen)
Date: Fri Mar 11 01:33:50 2005
Subject: [sudo-users] RE: SUDOSCRIPT V2.1.2 's New Switch "-" Issue ????
In-Reply-To: <25391C0C6E62094F8C34DDF0B904870602480A0F@hkgmail6.corp.oocl.com>
References: <25391C0C6E62094F8C34DDF0B904870602480A0F@hkgmail6.corp.oocl.com>
Message-ID: <1110524538.8797.60.camel@owen.egbok.com>

(CC to sudo-users. This is correspondence with a sudoscript user on HP-UX. He's run into problems using the '-' switch in sudoshell. It works like 'su -' when the shell is bash. Apparently, it doesn't work with ksh. The CC is to harness collective wisdom on how (or if) this might be overcome.)

Eric,

HP-UX is supported because a user was interested enough to do the port. Of course shells other than bash are supported.
But this latest feature doesn't seem to work in ksh. It only works in bash because I stumbled across the behavior I described: when $HOME is set to some other directory, and you crack a new shell, bash looks for startup files there. Apparently ksh doesn't. I know of no other way to get this behavior, since sudoscript is actually running sudo, which in turn runs script to invoke the shell.

Before I added the feature in 2.1.2, the documented behavior was (and still is, in fact) found in the SUDOCONFIG file:

  "User Environment

  Sudoscript uses the script(1) command to log activity in the shell.
  This means that the shell is actually executed by script(1), not
  sudoshell or sudo. There is therefore no way to get an effect such as
  that produced by "su - oracle". That is, the shell will have the
  user's original environment, and not that of the oracle user."

When I get a chance, I'll look at ksh on Solaris and Linux to see if it indeed behaves as you indicate. If it does, I'm afraid there's not much I can do to change it. It's an architectural drawback of gluing separate tools together to make something new. While that is in the best Unix tradition, and has advantages (such as leveraging well debugged and widely ported applications like sudo(1) and script(1) instead of reinventing the wheel, new bugs and all), it also leaves you with less control than if you were doing all the work yourself in a unified app.

Along those lines, there is a new tool called "sudosh" by Doug Hanks. He's replaced the script(1) portion with his own C code. This allows for better logging among other things. It could mean that he could provide the feature you are looking for more easily than could sudoscript, if he hasn't in fact already done so:

http://freshmeat.net/projects/sudosh/
http://sourceforge.net/projects/sudosh/

For the record, I think there is room for both sudoscript and sudosh. The two architectures both have advantages and drawbacks, some of which I've outlined above.
On Fri, 2005-03-11 at 14:05 +0800, eric.mui@oocl.com wrote:
> Hi Howard,
>
> Many Thanks for prompt reply.
> I've tried
>
>   /opt/sudoscript/bin/ss -u oracle -
>
> but seems still does not load /.profile even if I've changed
> directory to the before executing ss.
>
> Do you mean the tested supporting shell is bash only for V212 but all
> along sudoscript does support Solaris and HP which don't have bash ?? I
> wonder ?
>
> Where else can I get help I suppose should there be quite numbers of
> sudoscript end-users who're using HP or Solaris platforms, right ?
>
> Many thanks!!!!
>
> -----Original Message-----
> From: Howard Owen [mailto:hbo@egbok.com]
> Sent: Friday, March 11, 2005 12:38 PM
> To: ERIC MUI (IT-ISD-OOCL/HKG)
> Subject: Re: SUDOSCRIPT V2.1.2 's New Switch "-" Issue ????
>
> I don't have an HP-UX environment in which to test, so I'm not
> completely sure what the trouble is. I can think of two possibilities.
> First, as I say in the RELEASENOTES file:
>
>   New Option to sudoshell
>   =======================
>   The "-" option has been added to ss/sudoshell. This sets the $HOME
>   environment variable to that of the user ss will become. This causes the
>   shell (bash, at least) to load the target user's environment instead of
>   the calling user's.
>
> The notation "bash, at least" means that it may not work the same way
> with ksh. The trick I use is to set the $HOME environment variable to
> the home directory of the user ss will become. With bash, this causes
> the new shell to source the new user's .profile or .bash_profile. It's
> quite possible that ksh doesn't behave this way.
>
> The other (faint) possibility is that the order of the parameters in the
> sudoers file may matter. In ss, I place the dash at the end of the
> command string if I have to reexec myself. You have it before the -u.
> It might work if you change the command to read, following your example,
>
>   oracle /opt/sudoscript/bin/ss -u oracle -
>
> I don't hold out a lot of hope for this, but it might help.
>
> Good luck, and let me know what you find.
>
> On Fri, 2005-03-11 at 09:31 +0800, eric.mui@oocl.com wrote:
> > Hi Howard,
> >
> > I've tried to use the new switch "-" on the Sudoscript V2.1.2
> > but I still find the ss or sudoshell logon session still do
> > not obtain the user shell environment variables just as it
> > happens on the previous version V.2.1.1. for some reason ??
> >
> > For example, the $PATH and LD_LIBRARY_PATH still has been
> > reset to minimal after ss or sudoshell to a userid.
> >
> >   * Is my syntax correct as shown below ??
> >   * Any other advice on the possibilities where I've gone
> >     wrong ??
> >
> >   <$SUDO_BIN>/bin/sudo -u <$SU_ID> <$SUDOSHELL_BIN>/bin/ss - -u <$SU_ID>
> >
> >   E.g. /opt/sudo/bin/sudo -u oracle /opt/sudoscript/bin/ss - -u oracle
> >
> > The Platforms and Versions I'm testing on :-
> >
> >   * HP-UX 11i
> >   * Sudo V168p4
> >   * Sudoscript V2.1.2
> >   * ksh, sh
> >
> > Would very much appreciate it if you could give me some help. Many Thanks in advance
> > !!!!
> >
> >
> > IMPORTANT NOTICE
> > Email from OOCL is confidential and may be legally privileged. If it
> > is not intended for you, please delete it immediately unread. The
> > internet cannot guarantee that this communication is free of viruses,
> > interception or interference and anyone who communicates with us by
> > email is taken to accept the risks in so doing. Without limitation,
> > OOCL and its affiliates accept no liability whatsoever and howsoever
> > arising in connection with the use of this email.
> > Under no
> > circumstances shall this email constitute a binding agreement to carry
> > or for provision of carriage services by OOCL, which is subject to the
> > availability of carrier's equipment and vessels and the terms and
> > conditions of OOCL's standard bill of lading which is also available
> > at http://www.oocl.com.
-- 
Howard Owen                        "Even if you are on the right
EGBOK Consultants                   track, you'll get run over if you
hbo@egbok.com  +1-650-218-2216      just sit there." - Will Rogers
RHCE, BMOC, GP / Linux Architect

From dhanks at gmail.com Fri Mar 11 08:54:47 2005
From: dhanks at gmail.com (Doug Hanks)
Date: Fri Mar 11 09:21:34 2005
Subject: [sudo-users] Sudosh 1.4.6 is now available
Message-ID: <82a71f8a050311075441f40c0@mail.gmail.com>

Sudosh version 1.4.6 is now available.

http://freshmeat.net/projects/sudosh/
http://sourceforge.net/projects/sudosh/
(freshmeat is slow on file releases; sf is always current)

Major updates since version 1.4.4:

 o Added manpages for sudosh(1) and sudosh-replay(8)
 o Changed the HOME environment variable to the targeted user's home
   directory from /etc/passwd so that when the user's shell is called it
   will pick up the correct .profile and other shell related files.

-- 
 - Doug Hanks = dhanks(at)gmail(dot)com

From bob at proulx.com Fri Mar 11 09:29:03 2005
From: bob at proulx.com (Bob Proulx)
Date: Fri Mar 11 09:29:11 2005
Subject: [sudo-users] RE: SUDOSCRIPT V2.1.2 's New Switch "-" Issue ????
In-Reply-To: <1110524538.8797.60.camel@owen.egbok.com>
References: <25391C0C6E62094F8C34DDF0B904870602480A0F@hkgmail6.corp.oocl.com> <1110524538.8797.60.camel@owen.egbok.com>
Message-ID: <20050311162903.GC3791@dementia.proulx.com>

Howard Owen wrote:
> When I get a chance, I'll look at ksh on Solaris and Linux to see if it

Note that on most GNU/Linux systems /bin/ksh is not the AT&T ksh but is instead pdksh, public domain ksh, a clone. It has improved significantly in recent years.
But it is a different source tree and really should be considered a different shell entirely from AT&T ksh for purposes of looking at compatibility.

> >   New Option to sudoshell
> >   =======================
> >   The "-" option has been added to ss/sudoshell. This sets the $HOME
> >   environment variable to that of the user ss will become. This causes the
> >   shell (bash, at least) to load the target user's environment instead of
> >   the calling user's.
> >
> > The notation "bash, at least" means that it may not work the same way
> > with ksh. The trick I use is to set the $HOME environment variable to
> > the home directory of the user ss will become. With bash, this causes
> > the new shell to source the new user's .profile or .bash_profile. It's
> > quite possible that ksh doesn't behave this way.

The important point that I did not see explicitly made there is that a shell that looks at its own name (by looking at argv[0]) and finds that it starts with a "-" (such as -sh, or -ksh, or -bash) will consider itself a login shell. As a login shell it will source login environment configuration files such as .bash_profile, .profile, etc.

> > The other (faint) possibility is that the order of the parameters in the
> > sudoers file may matter. In ss, I place the dash at the end of the
> > command string if I have to reexec myself. You have it before the -u. It
> > might work if you change the command to read, following your example,

I am not a sudoshell user and can't really comment further. But if the end shell is launched with a leading dash then the login environment should be loaded. It should be possible to see this in a 'ps -ef' listing which shows the full command line. You should see the leading dash there. Here is an example of a login shell.

  bob       3051  3038  0 Mar02 pts/0    00:00:00 -bash

> > > For example, the $PATH and LD_LIBRARY_PATH still has been
> > > reset to minimal after ss or sudoshell to a userid.

HP-UX does not use LD_LIBRARY_PATH. HP-UX uses SHLIB_PATH.
But it is only in effect if the executable binary has been chatr'd to enable "shared library dynamic path search".

Also note that ksh has the following related behavior.

  -p   Disables processing of the $HOME/.profile file and uses the file
       /etc/suid_profile instead of the ENV file. This mode is on
       whenever the effective uid (gid) is not equal to the real uid
       (gid). Turning this off causes the effective uid and gid to be
       set to the real uid and gid.

Bob

From dhanks at gmail.com Fri Mar 11 21:34:16 2005
From: dhanks at gmail.com (Doug Hanks)
Date: Fri Mar 11 22:01:09 2005
Subject: [sudo-users] Sudosh 1.4.7 is now available
Message-ID: <82a71f8a0503112034345bec26@mail.gmail.com>

Sudosh version 1.4.7 is now available.

http://freshmeat.net/projects/sudosh/
http://sourceforge.net/projects/sudosh/
(freshmeat is slow on file releases; sf is always current)

Major updates since version 1.4.6:

 o Corrected incorrect HOME environment variable.

-- 
 - Doug Hanks = dhanks(at)gmail(dot)com

From pierre-yves.ritschard at oxalide.com Wed Mar 16 02:45:10 2005
From: pierre-yves.ritschard at oxalide.com (Pierre-Yves Ritschard)
Date: Wed Mar 16 03:49:12 2005
Subject: [sudo-users] sudo -s giving login shell
Message-ID: <42380026.1040607@oxalide.com>

hi

I'm using sudo version 1.6.8p6 on the latest openbsd snapshot. I'm using the ksh shell and the system wide config is stored in /etc/profile.

Users here are accustomed to using sudo -s to get a root shell. But it doesn't load the /etc/profile as sudo doesn't load a login shell. sudo ksh -l works fine but I'm wondering if there is a way of making sudo -s start a login shell.

Thanks for your time.

From Todd.Miller at courtesan.com Wed Mar 16 09:36:56 2005
From: Todd.Miller at courtesan.com (Todd C. Miller)
Date: Wed Mar 16 09:37:05 2005
Subject: [sudo-users] sudo -s giving login shell
In-Reply-To: Your message of "Wed, 16 Mar 2005 10:45:10 +0100."
    <42380026.1040607@oxalide.com>
References: <42380026.1040607@oxalide.com>
Message-ID: <200503161636.j2GGau4u016919@xerxes.courtesan.com>

In message <42380026.1040607@oxalide.com>
 so spake Pierre-Yves Ritschard (pierre-yves.ritschard):

> Users here are accustomed to using sudo -s to get a root shell.
> But it doesn't load the /etc/profile as sudo doesn't load a login shell.
> sudo ksh -l works fine but I'm wondering if there is a way of making
> sudo -s start a login shell.

In sudo 1.6.8 and above you can use "sudo -i" for this.

 - todd

From Angela.Ladino at extra.net.co Tue Mar 15 16:26:08 2005
From: Angela.Ladino at extra.net.co (Ladino, Angela (Getronics))
Date: Wed Mar 16 09:37:34 2005
Subject: [sudo-users] Sudo
Message-ID: <0255E1A297DFC84FB8B1D55F3E206C7161247D@xtrnet12x2.xtrnet12.extra.net.co>

Hi,

I have a problem with sudo in Solaris 9. When I run it I get "Sorry, sudo must be setuid root." and sudo quits. I reviewed the possible solutions in the FAQ page but the problem continues. The other machines have Solaris 6 and Solaris 8 and there I do not have the problem.

Can you help me please ??

Angela Patricia Ladino M.
System & Applications Administrator
Getronics
Tel: (57-1) 628- 4117
E-mail: angela.ladino@extra.net.co

From bob at proulx.com Wed Mar 16 09:44:07 2005
From: bob at proulx.com (Bob Proulx)
Date: Wed Mar 16 09:44:14 2005
Subject: [sudo-users] Sudo
In-Reply-To: <0255E1A297DFC84FB8B1D55F3E206C7161247D@xtrnet12x2.xtrnet12.extra.net.co>
References: <0255E1A297DFC84FB8B1D55F3E206C7161247D@xtrnet12x2.xtrnet12.extra.net.co>
Message-ID: <20050316164407.GC4776@dementia.proulx.com>

Ladino, Angela (Getronics) wrote:
> I have a problem with sudo in Solaris 9. When I run it I get "Sorry,
> sudo must be setuid root." and sudo quits. I reviewed the possible
> solutions in the FAQ page but the problem continues. The other machines
> have Solaris 6 and Solaris 8 and there I do not have the problem.
> Can you help me please ??
Before anyone would know enough to help we would need some more information from you about the installation of sudo on your system. How was it installed? Was this something you compiled and installed yourself? Or did you install a precompiled package?

What are the current permissions on 'sudo'? What is the output of the following command?

  ls -l /usr/bin/sudo

Bob

From pierre-yves.ritschard at oxalide.com Wed Mar 16 09:47:57 2005
From: pierre-yves.ritschard at oxalide.com (Pierre-Yves Ritschard)
Date: Wed Mar 16 09:52:20 2005
Subject: [sudo-users] sudo -s giving login shell
In-Reply-To: <200503161636.j2GGau4u016919@xerxes.courtesan.com>
References: <42380026.1040607@oxalide.com> <200503161636.j2GGau4u016919@xerxes.courtesan.com>
Message-ID: <4238633D.5070700@oxalide.com>

Todd C. Miller wrote:
> In message <42380026.1040607@oxalide.com>
> so spake Pierre-Yves Ritschard (pierre-yves.ritschard):
>
>>Users here are accustomed to using sudo -s to get a root shell.
>>But it doesn't load the /etc/profile as sudo doesn't load a login shell.
>>sudo ksh -l works fine but I'm wondering if there is a way of making
>>sudo -s start a login shell.
>
> In sudo 1.6.8 and above you can use "sudo -i" for this.
>
> - todd

Well actually I wasn't exactly looking for this, but since after looking at the source there really is no way to do this, I'll be going with -i (which I had seen in the manpage already). I was looking at something that would append -l to the current shell spawning.

Thanks anyway, it works for me.

From Edward.Schernau at CITIZENSBANK.com Wed Mar 16 09:51:51 2005
From: Edward.Schernau at CITIZENSBANK.com (Schernau, Ed)
Date: Thu Mar 17 08:41:21 2005
Subject: [sudo-users] Re: Sudo
Message-ID: <094A54F06096D949BBA6CB76D2369E950EBE1661@ntmsri06.citfg.com>

"Sorry, sudo must be setuid root."

This means that sudo must be setuid root.

Ed

Sorry about the attached signature, it's appended by Information Security.
-----------------------------------------
Use of email is inherently insecure. Confidential information, including account information, and personally identifiable information, should not be transmitted via email, or email attachment. In no event shall Citizens or any of its affiliates accept any responsibility for the loss, use or misuse of any information including confidential information, which is sent to Citizens or its affiliates via email, or email attachment. Citizens does not guarantee the accuracy of any email or email attachment, that an email will be received by Citizens or that Citizens will respond to any email.

This email message is confidential and/or privileged. It is to be used by the intended recipient only. Use of the information contained in this email by anyone other than the intended recipient is strictly prohibited. If you have received this message in error, please notify the sender immediately and promptly destroy any record of this email.

From Angela.Ladino at extra.net.co Wed Mar 16 15:04:24 2005
From: Angela.Ladino at extra.net.co (Ladino, Angela (Getronics))
Date: Thu Mar 17 08:41:24 2005
Subject: [sudo-users] Sudo
Message-ID: <0255E1A297DFC84FB8B1D55F3E206C7161248D@xtrnet12x2.xtrnet12.extra.net.co>

Hi Bob,

Thank you for your help.

1. I installed sudo-1.5.9p3-sol7-sparc-local

2. ---s--x--x   1 bin      bin        59008 Aug 15  1999 sudo

Regards,

Angela Patricia Ladino M.
System & Applications Administrator
Getronics
Tel: (57-1) 628- 4117
E-mail: angela.ladino@extra.net.co

-----Original Message-----
From: Bob Proulx [mailto:bob@proulx.com]
Sent: Wednesday, 16 March 2005 11:44 a.m.
To: Ladino, Angela (Getronics)
Cc: sudo-users@sudo.ws
Subject: Re: [sudo-users] Sudo

Ladino, Angela (Getronics) wrote:
> I have a problem with sudo in Solaris 9. When I run it I get "Sorry,
> sudo must be setuid root." and sudo quits. I reviewed the possible
> solutions in the FAQ page but the problem continues.
> The other machines have Solaris 6 and Solaris 8 and there I do not
> have the problem.
> Can you help me please ??

Before anyone would know enough to help we would need some more information from you about the installation of sudo on your system. How was it installed? Was this something you compiled and installed yourself? Or did you install a precompiled package?

What are the current permissions on 'sudo'? What is the output of the following command?

  ls -l /usr/bin/sudo

Bob

From Todd.Miller at courtesan.com Thu Mar 17 08:47:44 2005
From: Todd.Miller at courtesan.com (Todd C. Miller)
Date: Thu Mar 17 08:47:58 2005
Subject: [sudo-users] Sudo
In-Reply-To: Your message of "Wed, 16 Mar 2005 17:04:24 EST." <0255E1A297DFC84FB8B1D55F3E206C7161248D@xtrnet12x2.xtrnet12.extra.net.co>
References: <0255E1A297DFC84FB8B1D55F3E206C7161248D@xtrnet12x2.xtrnet12.extra.net.co>
Message-ID: <200503171547.j2HFlieT031433@xerxes.courtesan.com>

In message <0255E1A297DFC84FB8B1D55F3E206C7161248D@xtrnet12x2.xtrnet12.extra.net.co>
 so spake "Ladino, Angela (Getronics)" (Angela.Ladino):

> 1. I installed sudo-1.5.9p3-sol7-sparc-local
>
> 2. ---s--x--x   1 bin      bin        59008 Aug 15  1999 sudo

Sudo needs to be owned by root, not bin. To fix:

  # chown root /path/to/sudo
  # chmod 4111 /path/to/sudo

Where /path/to/sudo corresponds to the location you have the sudo binary installed.

However, be aware that sudo 1.5.9p3 is quite old. You should really be running a more up to date version (current is 1.6.8p7).

 - todd

From dhanks at gmail.com Tue Mar 22 22:52:18 2005
From: dhanks at gmail.com (Doug Hanks)
Date: Wed Mar 23 00:39:09 2005
Subject: [sudo-users] Sudosh 1.4.8 is now available
Message-ID: <82a71f8a050322215253e7c1b2@mail.gmail.com>

Sudosh version 1.4.8 is now available.

http://freshmeat.net/projects/sudosh/
http://sourceforge.net/projects/sudosh/
(freshmeat is slow on file releases; sf is always current)

Major updates since version 1.4.7:

 o Cleaned sudosh environment and transferred TERM variable.
-- 
 - Doug Hanks = dhanks(at)gmail(dot)com

From justin at VLAMea.com Thu Mar 24 09:21:35 2005
From: justin at VLAMea.com (Justin Albstmeijer)
Date: Thu Mar 24 09:23:12 2005
Subject: [sudo-users] sudo-1.6.8p7 + ldaps + self signed certificate
Message-ID: <57550.195.241.5.2.1111681295.squirrel@wmail.websystems.nl>

sudo (--with ldap) works fine as long as I don't use SSL for LDAP.

I get the same error as with ldapsearch when not setting "TLS_REQCERT allow" in /etc/openldap/ldap.conf. Ldapsearch works fine now, but sudo still is not working with this option set.

Any idea?

-------
TLS certificate verification: Error, self signed certificate
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS: can't connect.
-------

From justin at VLAMea.com Thu Mar 24 23:44:59 2005
From: justin at VLAMea.com (Justin Albstmeijer)
Date: Thu Mar 24 23:46:36 2005
Subject: [sudo-users] sudo-1.6.8p7 + ldaps + self signed certificate
Message-ID: <32827.62.194.92.14.1111733099.squirrel@wmail.websystems.nl>

sudo was built against OpenLDAP on the client I'm testing on.

Please let me know if you need additional information.

Justin

> Did you build sudo against OpenLDAP or another LDAP SDK? If you built it
> against OpenLDAP, it sounds like we will need to add some configuration
> parameters that allow you to specify where your trusted certificate
> signers are.
>
> -Aaron
>
>
> On Thu, 24 Mar 2005 17:21:35 +0100 (CET), Justin Albstmeijer
> wrote:
>>
>> sudo (--with ldap) works fine as long as I don't use SSL for LDAP.
>>
>> I get the same error as with ldapsearch when not setting "TLS_REQCERT allow"
>> in /etc/openldap/ldap.conf. Ldapsearch works fine now, but sudo still is not
>> working with this option set.
>>
>> Any idea?
>>
>> -------
>> TLS certificate verification: Error, self signed certificate
>> TLS trace: SSL3 alert write:fatal:unknown CA
>> TLS trace: SSL_connect:error in SSLv3 read server certificate B
>> TLS trace: SSL_connect:error in SSLv3 read server certificate B
>> TLS: can't connect.
>> -------
>>
>> ____________________________________________________________
>> sudo-users mailing list
>> For list information, options, or to unsubscribe, visit:
>> http://www.sudo.ws/mailman/listinfo/sudo-users
>>
>

From hp_devender at yahoo.co.uk Sun Mar 27 12:32:11 2005
From: hp_devender at yahoo.co.uk (Devender Khatana)
Date: Sun Mar 27 13:32:28 2005
Subject: [sudo-users] Problems running sudo commands
Message-ID: <20050327193211.15714.qmail@web26104.mail.ukl.yahoo.com>

Hi,

I am working on a HP L2000 System running HPUx 11i. But I am unable to find anything like sudo in any of the system directories. Is this a separate product that I need to install separately?

Regards,
Devender

From Todd.Miller at courtesan.com Sun Mar 27 16:00:15 2005
From: Todd.Miller at courtesan.com (Todd C. Miller)
Date: Sun Mar 27 16:00:22 2005
Subject: [sudo-users] Problems running sudo commands
In-Reply-To: Your message of "Sun, 27 Mar 2005 20:32:11 +0100." <20050327193211.15714.qmail@web26104.mail.ukl.yahoo.com>
References: <20050327193211.15714.qmail@web26104.mail.ukl.yahoo.com>
Message-ID: <200503272300.j2RN0FZw031591@xerxes.courtesan.com>

In message <20050327193211.15714.qmail@web26104.mail.ukl.yahoo.com> so spake Devender Khatana (hp_devender):

> I am working on a HP L2000 System running HPUx 11i. But I am unable to find
> anything like sudo in any of the system directories. Is this a separate product
> that I need to install separately?

HP-UX does not bundle sudo, you must install it separately.
There is a binary distribution available from ftp://ftp.sudo.ws/pub/sudo/binaries/ or you can get a set of binaries from http://hpux.cs.utah.edu/

- todd

From Jaeger at harthosp.org Mon Mar 28 13:00:00 2005
From: Jaeger at harthosp.org (Dana Jaeger)
Date: Mon Mar 28 14:00:45 2005
Subject: [sudo-users] Is there a version of sudo for AIX 5200-05
Message-ID:

Hi,

Is there a version of sudo for AIX 5.2.0.0 - 05? If so, where might I find it?

Thanks

Dana Jaeger
Hartford Hospital
jaeger@harthosp.org

From Todd.Miller at courtesan.com Mon Mar 28 14:14:42 2005
From: Todd.Miller at courtesan.com (Todd C. Miller)
Date: Mon Mar 28 14:14:52 2005
Subject: [sudo-users] Is there a version of sudo for AIX 5200-05
In-Reply-To: Your message of "Mon, 28 Mar 2005 15:00:00 EST."
References:
Message-ID: <200503282114.j2SLEgCq030629@xerxes.courtesan.com>

In message so spake "Dana Jaeger" (Jaeger):

> Is there a version of sudo for AIX 5.2.0.0 - 05? If so where might I
> find it.

Sudo runs fine on AIX 5.2.x. You can either download the source from ftp://ftp.sudo.ws/pub/sudo/ and build it yourself or download a binary package from http://www-1.ibm.com/servers/aix/products/aixos/linux/download.html

- todd

From justin at VLAMea.com Tue Mar 29 06:03:14 2005
From: justin at VLAMea.com (Justin Albstmeijer)
Date: Tue Mar 29 06:05:18 2005
Subject: [sudo-users] sudo-1.6.8p7 + ldaps + self signed certificate
In-Reply-To: <32827.62.194.92.14.1111733099.squirrel@wmail.websystems.nl>
References: <32827.62.194.92.14.1111733099.squirrel@wmail.websystems.nl>
Message-ID: <58642.195.241.5.2.1112101394.squirrel@wmail.websystems.nl>

Works for me now..

"tls_checkpeer no" should be default, but I still had to set it in /etc/ldap.conf.

# OpenLDAP SSL options
# Require and verify server certificate (yes/no)
# Default is "no"
#tls_checkpeer yes
tls_checkpeer no

>>> sudo (--with ldap) works fine as long as I don't use SSL for LDAP.
>>>
>>> I get the same error as with ldapsearch when not setting "TLS_REQCERT
>>> allow" in /etc/openldap/ldap.conf. Ldapsearch works fine now, but sudo
>>> still is not working with this option set.
>>>
>>> Any idea?
>>>
>>> -------
>>> TLS certificate verification: Error, self signed certificate
>>> TLS trace: SSL3 alert write:fatal:unknown CA
>>> TLS trace: SSL_connect:error in SSLv3 read server certificate B
>>> TLS trace: SSL_connect:error in SSLv3 read server certificate B
>>> TLS: can't connect.
>>> -------
>>>
>>
>

From kingomountains at yahoo.com Mon Mar 28 15:27:41 2005
From: kingomountains at yahoo.com (SB)
Date: Tue Mar 29 10:13:14 2005
Subject: [sudo-users] question about sudo
Message-ID: <20050328222741.54520.qmail@web50904.mail.yahoo.com>

Is there an option in sudo where you can find out if a user has any sudo access? OR for individual users to run a sudo -l to see if they have any sudo access without having to type a password in.

Would be very useful for audit purposes.

Please advise.

Thank you
SB

THOSE ARE MY PRINCIPLES, IF YOU DON'T LIKE THEM I HAVE OTHERS - Groucho

From bob at proulx.com Tue Mar 29 10:24:05 2005
From: bob at proulx.com (Bob Proulx)
Date: Tue Mar 29 10:24:15 2005
Subject: [sudo-users] question about sudo
In-Reply-To: <20050328222741.54520.qmail@web50904.mail.yahoo.com>
References: <20050328222741.54520.qmail@web50904.mail.yahoo.com>
Message-ID: <20050329172405.GA25454@dementia.proulx.com>

SB wrote:
> Is there an option in sudo where you can find out if a user has any
> sudo access? OR for individual users to run a sudo -l to see if they
> have any sudo access without having to type a password in.
>
> Would be very useful for audit purposes.
>
> Please advise.

I asked a similar question. Here is the thread. I believe it will help you as well.

http://www.sudo.ws/pipermail/sudo-users/2005-January/002326.html

Todd answered that with a suggestion to use "testsudoers" from the distribution.

Bob

From k-cruse at ti.com Thu Mar 31 10:52:44 2005
From: k-cruse at ti.com (Cruse, Kevin)
Date: Thu Mar 31 10:52:58 2005
Subject: [sudo-users] Only change a password for a specific account
Message-ID: <401474236EEB4C4F8D76A2DED54C901B01AC40F7@dlee2k06-bk.itg.ti.com>

Hello,

I am wanting to set up my sudoers file so a particular user can only change the password on a particular account. Will the following example work?

Cmnd_Alias ACCTS=/usr/sbin/usermod [!-]?*, /usr/sbin/usermod -D?*, /usr/bin/passwd

# Application account for User =ACCTS

Kevin Cruse
Internet & Naming Services team
k-cruse@ti.com
214-567-8010
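The alias proposed in the message above hinges on one sudoers(5) rule worth checking before deploying it: a Cmnd listed with no arguments matches the command run with any arguments, so a bare /usr/bin/passwd entry does not limit which account's password can be changed, and a wildcard in an argument pattern matches across spaces. The following Python model is an added example, not sudo's own code; it approximates sudoers command matching with fnmatch-style wildcards applied to the space-joined argument string, and the account name "appuser" is a placeholder.

```python
"""Toy model of sudoers(5) command matching, used to check the ACCTS alias above.

Added example, not sudo's code. It approximates three rules from sudoers(5):
  - a Cmnd with no arguments matches the command run with ANY arguments;
  - a Cmnd whose argument is "" matches only a run with no arguments;
  - otherwise the requested arguments, joined by single spaces, must match the
    Cmnd's argument pattern with fnmatch-style wildcards (*, ?, [..], [!..]).
Entries in a list are evaluated in order; a leading '!' denies; last match wins.
"""
import fnmatch
import shlex


def cmnd_matches(cmnd, argv):
    """True if argv (argv[0] is the full path actually run) matches one Cmnd."""
    parts = shlex.split(cmnd)          # an explicit "" survives as an empty token
    path, pattern_args = parts[0], parts[1:]
    if argv[0] != path:
        return False
    if not pattern_args:               # bare command: any arguments allowed
        return True
    if pattern_args == [""]:           # explicit "": no arguments allowed
        return not argv[1:]
    return fnmatch.fnmatchcase(" ".join(argv[1:]), " ".join(pattern_args))


def allowed(cmnd_list, argv):
    """Walk a Cmnd list in order; the last matching entry decides, '!' entries deny."""
    result = False
    for cmnd in cmnd_list:
        negated = cmnd.startswith("!")
        if cmnd_matches(cmnd.lstrip("!"), argv):
            result = not negated
    return result


# The alias proposed in the message above (transcribed, not constructed).
PROPOSED = ["/usr/sbin/usermod [!-]?*", "/usr/sbin/usermod -D?*", "/usr/bin/passwd"]

# A tighter form: passwd pinned to one account name ("appuser" is a placeholder).
PINNED = ["/usr/bin/passwd appuser"]

if __name__ == "__main__":
    for argv in (["/usr/bin/passwd", "root"], ["/usr/bin/passwd", "appuser"],
                 ["/usr/sbin/usermod", "appuser", "-p", "x"]):
        print(" ".join(argv), "PROPOSED:", allowed(PROPOSED, argv),
              "PINNED:", allowed(PINNED, argv))
```

Running the block shows that PROPOSED permits "passwd root" and "usermod appuser -p x", while PINNED permits only "passwd appuser".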