[sudo-users] sudo -l not enough to determine what can be done
Andreas Hasenack
ahasenack at terra.com.br
Sat May 12 13:13:22 EDT 2007
In my tests it seems that the output of "sudo -l" cannot be interpreted correctly
without knowing the defaults from sudoers.
This is my simple test case:
/etc/sudoers:
[root at duo ~]# grep -vE '^(#|$)' /etc/sudoers
root ALL=(ALL) NOPASSWD: ALL
andreas ALL=(ALL) NOPASSWD: /sbin/service cups restart
andreas ALL=(ALL) /sbin/service smartd restart
In ldap, I have this in defaults:
dn: cn=defaults,ou=sudoers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: defaults
description: Default sudoOption's go here
sudoOption: authenticate
Now sudo -l shows:
$ sudo -l
User andreas may run the following commands on this host:
(ALL) NOPASSWD: /sbin/service cups restart
(ALL) /sbin/service smartd restart
Which is basically a copy of /etc/sudoers. Correct.
Now I change the default in ldap to !authenticate. sudo -l becomes this:
$ sudo -l
User andreas may run the following commands on this host:
(ALL) /sbin/service cups restart
(ALL) /sbin/service smartd restart
So, this output is clearly not enough for me to determine what I can do in
terms of needing a password or not (and probably other stuff).
Is this a bug? Feature? Design/implementation issue? I think in all cases
sudo -l should show what is actually going to be used.
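As an added illustration, not part of the original post or of sudo's own code: a small audit helper that applies the sudoers "authenticate" default to the rules quoted above and reports the effective password requirement per command, which is the information the "sudo -l" listing above no longer shows once !authenticate is set. The rule parser is a deliberately simplified model (single-command rules only) and the function names are hypothetical.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample: the /etc/sudoers rules quoted in the post above.
SUDOERS = """
root ALL=(ALL) NOPASSWD: ALL
andreas ALL=(ALL) NOPASSWD: /sbin/service cups restart
andreas ALL=(ALL) /sbin/service smartd restart
"""

# user host=(runas) [NOPASSWD:|PASSWD:] command  (simplified, one command per line)
RULE_RE = re.compile(r'^(\S+)\s+(\S+)=\((\S+)\)\s+(?:((?:NO)?PASSWD):\s*)?(.+)$')


def parse_rules(text: str) -> List[Dict[str, str]]:
    """Parse simple sudoers rules into dicts (simplified model, not sudo's parser)."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f'unsupported rule syntax: {line}')
        user, host, runas, tag, cmd = m.groups()
        rules.append({'user': user, 'host': host, 'runas': runas,
                      'tag': tag, 'cmd': cmd.strip()})
    return rules


def password_required(rule: Dict[str, str], defaults: Set[str]) -> bool:
    """Effective password requirement for one rule.

    sudo's compiled-in default is 'authenticate'; a '!authenticate' Defaults
    entry (here: the sudoOption values from the LDAP defaults object) turns it
    off globally, and an explicit NOPASSWD:/PASSWD: tag on the rule overrides
    whichever default is in force.
    """
    if rule['tag'] == 'NOPASSWD':
        return False
    if rule['tag'] == 'PASSWD':
        return True
    return '!authenticate' not in defaults


def effective_rules(text: str, user: str, defaults: Set[str]) -> List[Tuple[str, bool]]:
    """(command, password_required) for every rule that applies to `user`."""
    return [(r['cmd'], password_required(r, defaults))
            for r in parse_rules(text) if r['user'] == user]


if __name__ == '__main__':
    for opt in ({'authenticate'}, {'!authenticate'}):
        print(f'defaults: {sorted(opt)}')
        for cmd, needs_pw in effective_rules(SUDOERS, 'andreas', opt):
            print(f"  {cmd}: {'password' if needs_pw else 'NO password'}")
```

Run it as-is to see the smartd rule flip from "password" to "NO password" purely because of the defaults entry, with no change to the rule line itself.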