From erlingre at gmail.com Mon Dec 1 02:30:46 2008
From: erlingre at gmail.com (Erling Ringen Elvsrud)
Date: Mon, 1 Dec 2008 08:30:46 +0100
Subject: [sudo-users] Sudo + LDAP (Red Hat Directory Server)
Message-ID: <664c5a070811302330j1b0353fbh33c9bf8122d7b8f@mail.gmail.com>

Hello list,

I want to store sudoers in LDAP and have a Red Hat Directory Server.
I try to import the schema (Iplanet)described in README.LDAP (from the
sudo 1.6.8p12 SRPM-file):

[root at testserver schema]# cat 99sudoers.ldif
dn: cn=schema
attributeTypes: ( 1.3.6.1.4.1.15953.9.1.1 NAME 'sudoUser' DESC 'User(s) who may run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5Substring
sMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' )
attributeTypes: ( 1.3.6.1.4.1.15953.9.1.2 NAME 'sudoHost' DESC 'Host(s) who may run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5Substrings
Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' )
attributeTypes: ( 1.3.6.1.4.1.15953.9.1.3 NAME 'sudoCommand' DESC 'Command(s) to be executed by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.
1.1466.115.121.1.26 X-ORIGIN 'SUDO' )
attributeTypes: ( 1.3.6.1.4.1.15953.9.1.4 NAME 'sudoRunAs' DESC 'User(s) impersonated by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.
115.121.1.26 X-ORIGIN 'SUDO' )
attributeTypes: ( 1.3.6.1.4.1.15953.9.1.5 NAME 'sudoOption' DESC 'Options(s) followed by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.
115.121.1.26 X-ORIGIN 'SUDO' )
objectClasses: ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL DESC 'Sudoer Entries' MUST ( cn ) MAY ( sudoUser $ sudoHost $ sudoComm
and $ sudoRunAs $ sudoOption $ description ) X-ORIGIN 'SUDO' )
[root at testserver schema]# service dirsrv restart
Shutting down dirsrv: testserver...
[ OK ]
Starting dirsrv: testserver...[01/Dec/2008:08:25:40 +0100] - Entry "cn=schema attributeTypes: ( 1.3.6.1.4.1.15953.9.1.1 NAME 'sudoUser' DESC 'User(s) who may run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5Substring" required attribute "objectclass" missing
[ OK ]
[root at testserver schema]#

Do you have any suggestions for where to start debugging?

Thanks,

Erling

From valdemirs at gmail.com Mon Dec 1 09:48:25 2008
From: valdemirs at gmail.com (Valdemir Santos)
Date: Mon, 1 Dec 2008 12:48:25 -0200
Subject: [sudo-users] Sudo in Tru64 error
Message-ID:

I made a Sudo installation in an AlphaServer with Tru64 , but when trying
run Sudo I get:

sudo: There are no authentication methods compiled into sudo!

Can you help me ?

Thanks

From janfrode at tanso.net Mon Dec 1 03:01:53 2008
From: janfrode at tanso.net (Jan-Frode Myklebust)
Date: Mon, 1 Dec 2008 09:01:53 +0100
Subject: [sudo-users] Sudo + LDAP (Red Hat Directory Server)
References: <664c5a070811302330j1b0353fbh33c9bf8122d7b8f@mail.gmail.com>
Message-ID:

On 2008-12-01, Erling Ringen Elvsrud wrote:
> Hello list,
>
> I want to store sudoers in LDAP and have a Red Hat Directory Server.
> I try to import the schema (Iplanet)described in README.LDAP (from the
> sudo 1.6.8p12 SRPM-file):

I wonder if it's maybe just a ldif file formatting issue..
Here's my 99user.ldif-entries for sudo, on RHEL5, with centos-ds-8.0.0-1.4.el5:

---------------------------------------------------
objectClasses: ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' DESC 'Sudoer Entries'
  STRUCTURAL MUST cn MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ su
 doOption $ description ) X-ORIGIN ( 'SUDO' 'user defined' ) )
attributeTypes: ( 1.3.6.1.4.1.15953.9.1.1 NAME 'sudoUser' DESC 'User(s) who ma
 y run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch S
 YNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN ( 'SUDO' 'user defined' ) )
attributeTypes: ( 1.3.6.1.4.1.15953.9.1.4 NAME 'sudoRunAs' DESC 'User(s) imper
 sonated by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.
 1.26 X-ORIGIN ( 'SUDO' 'user defined' ) )
attributeTypes: ( 1.3.6.1.4.1.15953.9.1.3 NAME 'sudoCommand' DESC 'Command(s)
  to be executed by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.1
 15.121.1.26 X-ORIGIN ( 'SUDO' 'user defined' ) )
attributeTypes: ( 1.3.6.1.4.1.15953.9.1.5 NAME 'sudoOption' DESC 'Options(s) f
 ollowed by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.
 1.26 X-ORIGIN ( 'SUDO' 'user defined' ) )
attributeTypes: ( 1.3.6.1.4.1.15953.9.1.2 NAME 'sudoHost' DESC 'Host(s) who ma
 y run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SY
 NTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN ( 'SUDO' 'user defined' ) )
---------------------------------------------------

I think the rules are max 80 chars per line, and the following line
needs to start with a blank -- if it's the same line. But try pasting
the above into your 99user.ldif exactly as formatted above, and see
if that helps.

-jf

From Todd.Miller at courtesan.com Tue Dec 2 09:02:53 2008
From: Todd.Miller at courtesan.com (Todd C. Miller)
Date: Tue, 02 Dec 2008 09:02:53 -0500
Subject: [sudo-users] Sudo in Tru64 error
In-Reply-To: Your message of "Mon, 01 Dec 2008 12:48:25 -0200."
References:
Message-ID: <200812021402.mB2E2r1j029082@core.courtesan.com>

In message so spake "Valdemir Santos" (valdemirs):

> I made a Sudo installation in an AlphaServer with Tru64 , but when trying
> run Sudo I get:
>
> sudo: There are no authentication methods compiled into sudo!

There is a bug in the configure script. If you edit the config.h
file and change the line:

    /* #undef HAVE_SIA */

To:

    #define HAVE_SIA 1

and then recompile it should work.

 - todd

From valdemirs at gmail.com Tue Dec 2 12:20:16 2008
From: valdemirs at gmail.com (Valdemir Santos)
Date: Tue, 2 Dec 2008 15:20:16 -0200
Subject: [sudo-users] Sudo and DOD
Message-ID:

I'm looking for any report or document showing Sudo being used by DOD (
Department of Defense).

Thanx

From erlingre at gmail.com Wed Dec 3 02:10:11 2008
From: erlingre at gmail.com (Erling Ringen Elvsrud)
Date: Wed, 3 Dec 2008 08:10:11 +0100
Subject: [sudo-users] Sudo + LDAP (Red Hat Directory Server)
In-Reply-To:
References: <664c5a070811302330j1b0353fbh33c9bf8122d7b8f@mail.gmail.com>
Message-ID: <664c5a070812022310i4f887f56v24efb72087b5848c@mail.gmail.com>

On 12/1/08, Jan-Frode Myklebust wrote:
> On 2008-12-01, Erling Ringen Elvsrud wrote:
> > Hello list,
> >
> > I want to store sudoers in LDAP and have a Red Hat Directory Server.
> > I try to import the schema (Iplanet)described in README.LDAP (from the
> > sudo 1.6.8p12 SRPM-file):
>
> I wonder if it's maybe just a ldif file formatting issue.. Here's my
> 99user.ldif-entries for sudo, on RHEL5, with centos-ds-8.0.0-1.4.el5:

Thanks for your reply. I also found a schema file for Fedora DS which
just recently was added to their CVS:

http://cvs.fedoraproject.org/viewvc/ldapserver/ldap/schema/60sudo.ldif?revision=1.1&root=dirsec&view=markup

Erling

From friiz at dunaweb.hu Thu Dec 4 10:21:19 2008
From: friiz at dunaweb.hu (friiz)
Date: Thu, 4 Dec 2008 16:21:19 +0100 (CET)
Subject: [sudo-users] little problem
Message-ID: <43577.82.131.181.62.1228404079.squirrel@www.dunaweb.hu>

Hi!
Somebody could explain me why i am asked for the password, when i try to
run "check_load"

nagios at www4:/usr/lib/nagios/plugins$ whoami
nagios
nagios at www4:/usr/lib/nagios/plugins$ sudo -l
User nagios may run the following commands on this host:
    (root) NOPASSWD: /usr/lib/nagios/plugins/*
nagios at www4:/usr/lib/nagios/plugins$ ls -la
total 192
drwxrwxrwx 3 root root 4096 2008-12-04 15:31 .
drwxr-xr-x 3 root root 4096 2008-07-22 15:40 ..
-rwxr-xr-x 1 root root 106776 2008-07-23 12:47 check_disk
-rwxr-xr-x 1 root root 23736 2008-12-04 15:31 check_load
-rwxr-xr-x 1 root root 14111 2008-07-23 12:47 check_ntp
drwxr-xr-x 2 root root 4096 2008-09-10 21:09 publishing
-rwxr-xr-x 1 root root 2463 2008-07-23 12:47 utils.pm
nagios at www4:/usr/lib/nagios/plugins$ sudo ./check_disk
check_disk: Could not parse arguments
Usage: check_disk -w limit -c limit [-W limit] [-K limit] {-p path | -x device}
[-C] [-E] [-e] [-g group ] [-k] [-l] [-M] [-m] [-R path ] [-r path ]
[-t timeout] [-u unit] [-v] [-X type]
nagios at www4:/usr/lib/nagios/plugins$ sudo ./check_load
[sudo] password for nagios:
Sorry, user nagios is not allowed to execute './check_load' as root on www4.xxxweb.com.
nagios at www4:/usr/lib/nagios/plugins$ cp ./check_load ./check_disk3
nagios at www4:/usr/lib/nagios/plugins$ ls -la
total 216
drwxrwxrwx 3 root root 4096 2008-12-04 16:16 .
drwxr-xr-x 3 root root 4096 2008-07-22 15:40 ..
-rwxr-xr-x 1 root root 106776 2008-07-23 12:47 check_disk
-rwxr-xr-x 1 nagios nagios 23736 2008-12-04 16:16 check_disk3
-rwxr-xr-x 1 root root 23736 2008-12-04 15:31 check_load
-rwxr-xr-x 1 root root 14111 2008-07-23 12:47 check_ntp
drwxr-xr-x 2 root root 4096 2008-09-10 21:09 publishing
-rwxr-xr-x 1 root root 2463 2008-07-23 12:47 utils.pm
nagios at www4:/usr/lib/nagios/plugins$ sudo ./check_disk3
check_load: Could not parse arguments
Usage:check_load [-r] -w WLOAD1,WLOAD5,WLOAD15 -c CLOAD1,CLOAD5,CLOAD15
nagios at www4:/usr/lib/nagios/plugins$

thanks
friiz

From Todd.Miller at courtesan.com Thu Dec 4 11:53:00 2008
From: Todd.Miller at courtesan.com (Todd C. Miller)
Date: Thu, 04 Dec 2008 11:53:00 -0500
Subject: [sudo-users] little problem
In-Reply-To: Your message of "Thu, 04 Dec 2008 16:21:19 +0100." <43577.82.131.181.62.1228404079.squirrel@www.dunaweb.hu>
References: <43577.82.131.181.62.1228404079.squirrel@www.dunaweb.hu>
Message-ID: <200812041653.mB4Gr0oP026935@core.courtesan.com>

What version of sudo are you running? This sounds like a bug that
was fixed in sudo 1.6.9.

 - todd

From tony.chamberlain at lemko.com Thu Dec 4 11:37:15 2008
From: tony.chamberlain at lemko.com (tony.chamberlain at lemko.com)
Date: Thu, 04 Dec 2008 16:37:15 +0000
Subject: [sudo-users] little problem
Message-ID:

-----Original Message-----
From: friiz [mailto:friiz at dunaweb.hu]
Sent: Thursday, December 4, 2008 09:21 AM
To: sudo-users at sudo.ws
Subject: [sudo-users] little problem

Hi!

Somebody could explain me why i am asked for the password, when i try to
run "check_load"

nagios at www4:/usr/lib/nagios/plugins$ whoami
nagios
nagios at www4:/usr/lib/nagios/plugins$ sudo -l
User nagios may run the following commands on this host:
    (root) NOPASSWD: /usr/lib/nagios/plugins/*
nagios at www4:/usr/lib/nagios/plugins$ ls -la
total 192
drwxrwxrwx 3 root root 4096 2008-12-04 15:31 .
drwxr-xr-x 3 root root 4096 2008-07-22 15:40 ..
-rwxr-xr-x 1 root root 106776 2008-07-23 12:47 check_disk
-rwxr-xr-x 1 root root 23736 2008-12-04 15:31 check_load
-rwxr-xr-x 1 root root 14111 2008-07-23 12:47 check_ntp
drwxr-xr-x 2 root root 4096 2008-09-10 21:09 publishing
-rwxr-xr-x 1 root root 2463 2008-07-23 12:47 utils.pm
nagios at www4:/usr/lib/nagios/plugins$ sudo ./check_disk
check_disk: Could not parse arguments
Usage: check_disk -w limit -c limit [-W limit] [-K limit] {-p path | -x device}
[-C] [-E] [-e] [-g group ] [-k] [-l] [-M] [-m] [-R path ] [-r path ]
[-t timeout] [-u unit] [-v] [-X type]
nagios at www4:/usr/lib/nagios/plugins$ sudo ./check_load
[sudo] password for nagios:
Sorry, user nagios is not allowed to execute './check_load' as root on www4.xxxweb.com.
nagios at www4:/usr/lib/nagios/plugins$ cp ./check_load ./check_disk3
nagios at www4:/usr/lib/nagios/plugins$ ls -la
total 216
drwxrwxrwx 3 root root 4096 2008-12-04 16:16 .
drwxr-xr-x 3 root root 4096 2008-07-22 15:40 ..
-rwxr-xr-x 1 root root 106776 2008-07-23 12:47 check_disk
-rwxr-xr-x 1 nagios nagios 23736 2008-12-04 16:16 check_disk3
-rwxr-xr-x 1 root root 23736 2008-12-04 15:31 check_load
-rwxr-xr-x 1 root root 14111 2008-07-23 12:47 check_ntp
drwxr-xr-x 2 root root 4096 2008-09-10 21:09 publishing
-rwxr-xr-x 1 root root 2463 2008-07-23 12:47 utils.pm
nagios at www4:/usr/lib/nagios/plugins$ sudo ./check_disk3
check_load: Could not parse arguments
Usage:check_load [-r] -w WLOAD1,WLOAD5,WLOAD15 -c CLOAD1,CLOAD5,CLOAD15
nagios at www4:/usr/lib/nagios/plugins$

thanks
friiz
____________________________________________________________
sudo-users mailing list
For list information, options, or to unsubscribe, visit:
http://www.sudo.ws/mailman/listinfo/sudo-users

what about sudo /usr/lib/nagios/plugins/check_load

From Todd.Miller at courtesan.com Thu Dec 4 13:58:58 2008
From: Todd.Miller at courtesan.com (Todd C. Miller)
Date: Thu, 04 Dec 2008 13:58:58 -0500
Subject: [sudo-users] sudo 1.7.0rc8 available
Message-ID: <200812041858.mB4IwwjH027905@core.courtesan.com>

This is the eighth and hopefully final release candidate of sudo
version 1.7.0. Unless a show stopper is found, sudo 1.7.0 will be
released on Dec. 8th.

I'd like this release candidate to get as much testing as possible
so if you are able to test it in your environment (and inform me
of any issues you run into) I'd really appreciate it.

Download links:
    http://www.sudo.ws/sudo/dist/beta/sudo-1.7.0rc8.tar.gz
    ftp://ftp.sudo.ws/pub/sudo/beta/sudo-1.7.0rc8.tar.gz

What's new in Sudo 1.7.0?

 * Rewritten parser that converts sudoers into a set of data structures.
   This eliminates a number of ordering issues and makes it possible to
   apply sudoers Defaults entries before searching for the command.
   It also adds support for per-command Defaults specifications.

 * Sudoers now supports a #include facility to allow the inclusion of other
   sudoers-format files.

 * Sudo's -l (list) flag has been enhanced:
    o applicable Defaults options are now listed
    o a command argument can be specified for testing whether a user
      may run a specific command.
    o a new -U flag can be used in conjunction with "sudo -l" to allow
      root (or a user with "sudo ALL") list another user's privileges.

 * A new -g flag has been added to allow the user to specify a
   primary group to run the command as. The sudoers syntax has been
   extended to include a group section in the Runas specification.

 * A uid may now be used anywhere a username is valid.

 * The "secure_path" run-time Defaults option has been restored.

 * Password and group data is now cached for fast lookups.

 * The file descriptor at which sudo starts closing all open files is now
   configurable via sudoers and, optionally, the command line.

 * Visudo will now warn about aliases that are defined but not used.

 * The -i and -s command line flags now take an optional command
   to be run via the shell.
   Previously, the argument was passed
   to the shell as a script to run.

 * Improved LDAP support. SASL authentication may now be used in
   conjunction when connecting to an LDAP server. The krb5_ccname
   parameter in ldap.conf may be used to enable Kerberos.

 * Support for /etc/nsswitch.conf. LDAP users may now use nsswitch.conf
   to specify the sudoers order. E.g.:
        sudoers: ldap files
   to check LDAP, then /etc/sudoers. The default is "files", even
   when LDAP support is compiled in. This differs from sudo 1.6
   where LDAP was always consulted first.

 * Support for /etc/environment on AIX and Linux. If sudo is run
   with the -i flag, the contents of /etc/environment are used to
   populate the new environment that is passed to the command being
   run.

 * If no terminal is available or if the new -A flag is specified,
   sudo will use a helper program to read the password if one is
   configured. Typically, this is a graphical password prompter
   such as ssh-askpass.

 * A new Defaults option, "mailfrom" that sets the value of the
   "From:" field in the warning/error mail. If unspecified, the
   login name of the invoking user is used.

 * A new Defaults option, "env_file" that refers to a file containing
   environment variables to be set in the command being run.

 * A new flag, -n, may be used to indicate that sudo should not
   prompt the user for a password and, instead, exit with an error
   if authentication is required.

 * If sudo needs to prompt for a password and it is unable to disable
   echo (and no askpass program is defined), it will refuse to run
   unless the "visiblepw" Defaults option has been specified.

 * Prior to version 1.7.0, hitting enter/return at the Password: prompt
   would exit sudo. In sudo 1.7.0 and beyond, this is treated as
   an empty password. To exit sudo, the user must press ^C or ^D
   at the prompt.

 * visudo will now check the sudoers file owner and mode in -c (check)
   mode when the -s (strict) flag is specified.

From stevetucknott at yahoo.co.uk Thu Dec 4 14:05:07 2008
From: stevetucknott at yahoo.co.uk (Steve T)
Date: Thu, 04 Dec 2008 19:05:07 +0000
Subject: [sudo-users] sudo 1.7.0rc8 available
In-Reply-To: <200812041858.mB4IwwjH027905@core.courtesan.com>
References: <200812041858.mB4IwwjH027905@core.courtesan.com>
Message-ID: <1228417507.3468.210.camel@localhost.localdomain>

Todd,

Sorry to be a pain - but I see that secure_path has been restored - does
that then explain my issue with the environment being lost, irrespective
of the settings in the sudoers file (refer thread Fc9 sudo 1.6.9p13 -
env_reset and PATH env var)?

On Thu, 2008-12-04 at 13:58 -0500, Todd C. Miller wrote:
> This is the eighth and hopefully final release candidate of sudo
> version 1.7.0. Unless a show stopper is found, sudo 1.7.0 will be
> released on Dec. 8th.
>
> I'd like this release candidate to get as much testing as possible
> so if you are able to test it in your environment (and inform me
> of any issues you run into) I'd really appreciate it.
>
> Download links:
>     http://www.sudo.ws/sudo/dist/beta/sudo-1.7.0rc8.tar.gz
>     ftp://ftp.sudo.ws/pub/sudo/beta/sudo-1.7.0rc8.tar.gz
>
> What's new in Sudo 1.7.0?
>
>  * Rewritten parser that converts sudoers into a set of data structures.
>    This eliminates a number of ordering issues and makes it possible to
>    apply sudoers Defaults entries before searching for the command.
>    It also adds support for per-command Defaults specifications.
>
>  * Sudoers now supports a #include facility to allow the inclusion of other
>    sudoers-format files.
>
>  * Sudo's -l (list) flag has been enhanced:
>     o applicable Defaults options are now listed
>     o a command argument can be specified for testing whether a user
>       may run a specific command.
>     o a new -U flag can be used in conjunction with "sudo -l" to allow
>       root (or a user with "sudo ALL") list another user's privileges.
>
>  * A new -g flag has been added to allow the user to specify a
>    primary group to run the command as. The sudoers syntax has been
>    extended to include a group section in the Runas specification.
>
>  * A uid may now be used anywhere a username is valid.
>
>  * The "secure_path" run-time Defaults option has been restored.
>
>  * Password and group data is now cached for fast lookups.
>
>  * The file descriptor at which sudo starts closing all open files is now
>    configurable via sudoers and, optionally, the command line.
>
>  * Visudo will now warn about aliases that are defined but not used.
>
>  * The -i and -s command line flags now take an optional command
>    to be run via the shell. Previously, the argument was passed
>    to the shell as a script to run.
>
>  * Improved LDAP support. SASL authentication may now be used in
>    conjunction when connecting to an LDAP server. The krb5_ccname
>    parameter in ldap.conf may be used to enable Kerberos.
>
>  * Support for /etc/nsswitch.conf. LDAP users may now use nsswitch.conf
>    to specify the sudoers order. E.g.:
>         sudoers: ldap files
>    to check LDAP, then /etc/sudoers. The default is "files", even
>    when LDAP support is compiled in. This differs from sudo 1.6
>    where LDAP was always consulted first.
>
>  * Support for /etc/environment on AIX and Linux. If sudo is run
>    with the -i flag, the contents of /etc/environment are used to
>    populate the new environment that is passed to the command being
>    run.
>
>  * If no terminal is available or if the new -A flag is specified,
>    sudo will use a helper program to read the password if one is
>    configured. Typically, this is a graphical password prompter
>    such as ssh-askpass.
>
>  * A new Defaults option, "mailfrom" that sets the value of the
>    "From:" field in the warning/error mail. If unspecified, the
>    login name of the invoking user is used.
>
>  * A new Defaults option, "env_file" that refers to a file containing
>    environment variables to be set in the command being run.
>
>  * A new flag, -n, may be used to indicate that sudo should not
>    prompt the user for a password and, instead, exit with an error
>    if authentication is required.
>
>  * If sudo needs to prompt for a password and it is unable to disable
>    echo (and no askpass program is defined), it will refuse to run
>    unless the "visiblepw" Defaults option has been specified.
>
>  * Prior to version 1.7.0, hitting enter/return at the Password: prompt
>    would exit sudo. In sudo 1.7.0 and beyond, this is treated as
>    an empty password. To exit sudo, the user must press ^C or ^D
>    at the prompt.
>
>  * visudo will now check the sudoers file owner and mode in -c (check)
>    mode when the -s (strict) flag is specified.
> ____________________________________________________________
> sudo-users mailing list
> For list information, options, or to unsubscribe, visit:
> http://www.sudo.ws/mailman/listinfo/sudo-users

From Todd.Miller at courtesan.com Thu Dec 4 14:18:17 2008
From: Todd.Miller at courtesan.com (Todd C. Miller)
Date: Thu, 04 Dec 2008 14:18:17 -0500
Subject: [sudo-users] sudo 1.7.0rc8 available
In-Reply-To: Your message of "Thu, 04 Dec 2008 19:05:07 GMT." <1228417507.3468.210.camel@localhost.localdomain>
References: <200812041858.mB4IwwjH027905@core.courtesan.com> <1228417507.3468.210.camel@localhost.localdomain>
Message-ID: <200812041918.mB4JIHqb015968@core.courtesan.com>

In message <1228417507.3468.210.camel at localhost.localdomain>
so spake Steve T (stevetucknott):

> Sorry to be a pain - but I see that secure_path has been restored - does
> that then explain my issue with the environment being lost, irrespective
> of the settings in the sudoers file (refer thread Fc9 sudo 1.6.9p13 -
> env_reset and PATH env var)?

Prior to sudo 1.7.0 secure_path is a compile-time option that cannot
be overridden in sudoers. Starting with 1.7.0, sudoers is parsed
in two stages so secure_path is run-time configurable. Does that
answer your question?

 - todd

From stevetucknott at yahoo.co.uk Fri Dec 5 02:12:34 2008
From: stevetucknott at yahoo.co.uk (Steve T)
Date: Fri, 05 Dec 2008 07:12:34 +0000
Subject: [sudo-users] sudo 1.7.0rc8 available
In-Reply-To: <200812041918.mB4JIHqb015968@core.courtesan.com>
References: <200812041858.mB4IwwjH027905@core.courtesan.com> <1228417507.3468.210.camel@localhost.localdomain> <200812041918.mB4JIHqb015968@core.courtesan.com>
Message-ID: <1228461155.3468.216.camel@localhost.localdomain>

Todd,

I'm not sure!
All I know is the symptoms. Sudo worked for me since FC4 (not sure which
release of sudo that was) as it seemed to keep the user environment when
sudo'ing - which in my case is what I wanted as I had a complete
environment that was 'required' to run some of my apps. Now under FC9
(sudo 1.6.9p13) the environment gets reset and no matter what settings I
try in the sudoers, I get a 'restricted' environment.

On Thu, 2008-12-04 at 14:18 -0500, Todd C. Miller wrote:
> In message <1228417507.3468.210.camel at localhost.localdomain>
> so spake Steve T (stevetucknott):
>
> > Sorry to be a pain - but I see that secure_path has been restored - does
> > that then explain my issue with the environment being lost, irrespective
> > of the settings in the sudoers file (refer thread Fc9 sudo 1.6.9p13 -
> > env_reset and PATH env var)?
>
> Prior to sudo 1.7.0 secure_path is a compile-time option that cannot
> be overridden in sudoers. Starting with 1.7.0, sudoers is parsed
> in two stages so secure_path is run-time configurable. Does that
> answer your question?
>
> - todd

From friiz at dunaweb.hu Fri Dec 5 04:07:50 2008
From: friiz at dunaweb.hu (friiz)
Date: Fri, 5 Dec 2008 10:07:50 +0100 (CET)
Subject: [sudo-users] little problem
In-Reply-To:
References:
Message-ID: <57997.82.131.181.62.1228468070.squirrel@www.dunaweb.hu>

>
> what about sudo /usr/lib/nagios/plugins/check_load
>
>
>

nagios at www4:/usr/lib/nagios/plugins$ sudo ./check_disk
check_disk: Could not parse arguments
Usage: check_disk -w limit -c limit [-W limit] [-K limit] {-p path | -x device}
[-C] [-E] [-e] [-g group ] [-k] [-l] [-M] [-m] [-R path ] [-r path ]
[-t timeout] [-u unit] [-v] [-X type]
nagios at www4:/usr/lib/nagios/plugins$ sudo ./check_load
[sudo] password for nagios:
Sorry, user nagios is not allowed to execute './check_load' as root on www4.xxxweb.hu.
nagios at www4:/usr/lib/nagios/plugins$ sudo /usr/lib/nagios/plugins/check_load
[sudo] password for nagios:
Sorry, user nagios is not allowed to execute '/usr/lib/nagios/plugins/check_load' as root on www4.xxxweb.hu.
nagios at www4:/usr/lib/nagios/plugins$ sudo /usr/lib/nagios/plugins/check_disk
check_disk: Could not parse arguments
Usage: check_disk -w limit -c limit [-W limit] [-K limit] {-p path | -x device}
[-C] [-E] [-e] [-g group ] [-k] [-l] [-M] [-m] [-R path ] [-r path ]
[-t timeout] [-u unit] [-v] [-X type]
nagios at www4:/usr/lib/nagios/plugins$ dpkg -la |grep sudo
ii sudo 1.6.9p10-1ubuntu3.3 Provide limited super user privileges to spe
nagios at www4:/usr/lib/nagios/plugins$ sudo -V
Sudo version 1.6.9p10

another interesting thing

nagios at www4:/usr/lib/nagios/plugins$ sudo ./check_load
[sudo] password for nagios:
Sorry, user nagios is not allowed to execute './check_load' as root on www4.xxxweb.hu.
nagios at www4:/usr/lib/nagios/plugins$ ls -la
total 216
drwxrwxrwx 3 root root 4096 2008-12-05 10:03 .
drwxr-xr-x 3 root root 4096 2008-07-22 15:40 ..
-rwxr-xr-x 1 root root 106776 2008-07-23 12:47 check_disk
-rwxr-xr-x 1 root root 23736 2008-07-23 12:47 check_disk2
-rwxr-xr-x 1 nagios nagios 23736 2008-12-04 16:16 check_disk3
-rwxr-xr-x 1 root root 23736 2008-12-04 15:31 check_load
-rwxr-xr-x 1 root root 14111 2008-07-23 12:47 check_ntp
drwxr-xr-x 2 root root 4096 2008-09-10 21:09 publishing
-rwxr-xr-x 1 root root 2463 2008-07-23 12:47 utils.pm
nagios at www4:/usr/lib/nagios/plugins$ cp check_load check_load_bug
nagios at www4:/usr/lib/nagios/plugins$ ls -la
total 240
drwxrwxrwx 3 root root 4096 2008-12-05 10:04 .
drwxr-xr-x 3 root root 4096 2008-07-22 15:40 ..
-rwxr-xr-x 1 root root 106776 2008-07-23 12:47 check_disk
-rwxr-xr-x 1 root root 23736 2008-07-23 12:47 check_disk2
-rwxr-xr-x 1 nagios nagios 23736 2008-12-04 16:16 check_disk3
-rwxr-xr-x 1 root root 23736 2008-12-04 15:31 check_load
-rwxr-xr-x 1 nagios nagios 23736 2008-12-05 10:04 check_load_bug
-rwxr-xr-x 1 root root 14111 2008-07-23 12:47 check_ntp
drwxr-xr-x 2 root root 4096 2008-09-10 21:09 publishing
-rwxr-xr-x 1 root root 2463 2008-07-23 12:47 utils.pm
nagios at www4:/usr/lib/nagios/plugins$ sudo ./check_load
check_load: Could not parse arguments
Usage:check_load [-r] -w WLOAD1,WLOAD5,WLOAD15 -c CLOAD1,CLOAD5,CLOAD15

and it's working, but if i delete check_load_bug

nagios at www4:/usr/lib/nagios/plugins$ rm check_load_bug
nagios at www4:/usr/lib/nagios/plugins$ sudo ./check_load
[sudo] password for nagios:
Sorry, user nagios is not allowed to execute './check_load' as root on www4.xxxweb.hu.

this is an ubuntu hardy 8.04

thanks

From Todd.Miller at courtesan.com Fri Dec 5 13:19:50 2008
From: Todd.Miller at courtesan.com (Todd C. Miller)
Date: Fri, 05 Dec 2008 13:19:50 -0500
Subject: [sudo-users] sudo 1.7.0rc8 available
In-Reply-To: Your message of "Fri, 05 Dec 2008 07:12:34 GMT."
 <1228461155.3468.216.camel@localhost.localdomain>
References: <200812041858.mB4IwwjH027905@core.courtesan.com> <1228417507.3468.210.camel@localhost.localdomain> <200812041918.mB4JIHqb015968@core.courtesan.com> <1228461155.3468.216.camel@localhost.localdomain>
Message-ID: <200812051819.mB5IJonb020253@core.courtesan.com>

In message <1228461155.3468.216.camel at localhost.localdomain>
so spake Steve T (stevetucknott):

> All I know is the symptoms. Sudo worked for me since FC4 (not sure which
> release of sudo that was) as it seemed to keep the user environment when
> sudo'ing - which in my case is what I wanted as I had a complete
> environment that was 'required' to run some of my apps. Now under FC9
> (sudo 1.6.9p13) the environment gets reset and no matter what settings I
> try in the sudoers, I get a 'restricted' environment.

Starting with sudo 1.6.9 the environment is reset by default. To
disable that you need a line like:

    Defaults !env_reset

in sudoers. However, the spec file in sudo-1.6.9p13-7.fc9.src.rpm
runs configure with:

    --with-secure-path="/sbin:/bin:/usr/sbin:/usr/bin"

so even with environment resetting disabled, the PATH will still be
replaced. You could just grab the srpm, remove that bit from the
spec file and run rpmbuild to create yourself an rpm without that
option.

 - todd

From valdemirs at gmail.com Sat Dec 6 05:41:48 2008
From: valdemirs at gmail.com (Valdemir Santos)
Date: Sat, 6 Dec 2008 08:41:48 -0200
Subject: [sudo-users] Permiting user use vi
Message-ID:

Is there any way to permit sudo's user use vi but doesn't escape to the
shell ?

From russell+sudo-users at loosenut.com Sat Dec 6 06:12:58 2008
From: russell+sudo-users at loosenut.com (Russell Van Tassell)
Date: Sat, 6 Dec 2008 03:12:58 -0800
Subject: [sudo-users] Permiting user use vi
In-Reply-To:
References:
Message-ID: <20081206111258.GP13956@fubar.loosenut.com>

On Sat, Dec 06, 2008 at 08:41:48AM -0200, Valdemir Santos wrote:
> Is there any way to permit sudo's user use vi but doesn't escape to the
> shell ?

As silly/simple as this sounds... use a version of vi (or another editor
for that matter) that permits you to restrict/remove shell escapes.
Something like "vim" (Vi IMproved) should be able to do this for you...

--
Russell M. Van Tassell
russell at loosenut.com

"Entropy isn't what it used to be."

From Todd.Miller at courtesan.com Sat Dec 6 09:00:17 2008
From: Todd.Miller at courtesan.com (Todd C. Miller)
Date: Sat, 06 Dec 2008 09:00:17 -0500
Subject: [sudo-users] Permiting user use vi
In-Reply-To: Your message of "Sat, 06 Dec 2008 08:41:48 -0200."
References:
Message-ID: <200812061400.mB6E0Hbl017495@core.courtesan.com>

In message so spake "Valdemir Santos" (valdemirs):

> Is there any way to permit sudo's user use vi but doesn't escape to the
> shell ?

You can give them access to "sudoedit" instead which will make a
copy of the file as the user and invoke the editor on that instead.
That way any shell escape is run as the user and not root.

 - todd

From valdemirs at gmail.com Thu Dec 11 07:14:05 2008
From: valdemirs at gmail.com (Valdemir Santos)
Date: Thu, 11 Dec 2008 10:14:05 -0200
Subject: [sudo-users] Sudo script
Message-ID:

Is there any way to create a script like this:

john> sudo script
john> pwd
john> ifconfig -a
john> ls -l

to permit use root account and log all commands ?

From valdemirs at gmail.com Thu Dec 11 09:35:40 2008
From: valdemirs at gmail.com (Valdemir Santos)
Date: Thu, 11 Dec 2008 12:35:40 -0200
Subject: [sudo-users] Sudoers symbol assign
Message-ID:

Is there any way in sudoers file to create a symbol like this:

vi=/bin/rvi

From Radesh_Singh at ml.com Thu Dec 11 09:41:33 2008
From: Radesh_Singh at ml.com (Singh, Radesh (GTS))
Date: Thu, 11 Dec 2008 09:41:33 -0500
Subject: [sudo-users] Sudoers symbol assign
In-Reply-To:
References:
Message-ID: <1F083E3510811D4B82611186F74DB1C1D80962@MLNYA20MB010.amrs.win.ml.com>

Hi Valdemir,

In general, if you'd like to alias a command, you can define one as
such:

Cmnd_Alias ALIAS=/path/to/command

Then allow your user / group to run the command.

Thanks,

Shawn Singh
NJUNIX/GWM UNIX
(904) 218-4096
- My name ain't chump, it's

-----Original Message-----
From: sudo-users-bounces at courtesan.com [mailto:sudo-users-bounces at courtesan.com] On Behalf Of Valdemir Santos
Sent: Thursday, December 11, 2008 9:36 AM
To: sudo-users
Subject: [sudo-users] Sudoers symbol assign

Is there any way in sudoers file to create a symbol like this:

vi=/bin/rvi
____________________________________________________________
sudo-users mailing list
For list information, options, or to unsubscribe, visit:
http://www.sudo.ws/mailman/listinfo/sudo-users
--------------------------------------------------------------------------
This message w/attachments (message) may be privileged, confidential or
proprietary, and if you are not an intended recipient, please notify the
sender, do not use or share it and delete it. Unless specifically
indicated, this message is not an offer to sell or a solicitation of any
investment products or other financial product or service, an official
confirmation of any transaction, or an official statement of Merrill
Lynch. Subject to applicable law, Merrill Lynch may monitor, review and
retain e-communications (EC) traveling through its networks/systems.
The laws of the country of each sender/recipient may impact the handling of EC, and EC may be archived, supervised and produced in countries other than the country in which you are located. This message cannot be guaranteed to be secure or error-free. This message is subject to terms available at the following link: http://www.ml.com/e-communications_terms/. By messaging with Merrill Lynch you consent to the foregoing. -------------------------------------------------------------------------- From valdemirs at gmail.com Mon Dec 15 06:25:25 2008 From: valdemirs at gmail.com (Valdemir Santos) Date: Mon, 15 Dec 2008 09:25:25 -0200 Subject: [sudo-users] Sudo and cd Message-ID: Why I cannot use the command "cd" with Sudo ? From Todd.Miller at courtesan.com Mon Dec 15 07:19:18 2008 From: Todd.Miller at courtesan.com (Todd C. Miller) Date: Mon, 15 Dec 2008 07:19:18 -0500 Subject: [sudo-users] Sudo and cd In-Reply-To: Your message of "Mon, 15 Dec 2008 09:25:25 -0200." References: Message-ID: <200812151219.mBFCJIhC027261@core.courtesan.com> In message so spake "Valdemir Santos" (valdemirs): > Why I cannot use the command "cd" with Sudo ? >From the troubleshooting guide: Q) When I try to use "cd" with sudo it says "cd: command not found". A) "cd" is a shell built-in command, you can't run it as a command since a child process (sudo) cannot affect the current working directory of the parent (your shell). Q) When I try to use "cd" with sudo the command completes without errors but nothing happens. A) Even though "cd" is a shell built-in command, some operating systems include a /usr/bin/cd command for some reason. A standalone "cd" command is totally useless since a child process (cd) cannot affect the current working directory of the parent (your shell). Thus, "sudo cd /foo" will start a child process, change the directory and immediately exit without doing anything useful. 
From Chris.Schrimshaw at kub.org Mon Dec 15 06:59:48 2008
From: Chris.Schrimshaw at kub.org (Chris.Schrimshaw at kub.org)
Date: Mon, 15 Dec 2008 06:59:48 -0500
Subject: [sudo-users] Configuring the sudoers file for a DBA
Message-ID:

I need to give access to one of our DBA's to run chfs inside smitty so he
can add space to his file system.
I want to remove his root access later, but for now, I want to set it up
so he can run chfs using smitty, get him used to using it and then yank
his root access. What is the best way to set this up using the sudoers
file?

ABC03537 ALL = (root) NOPASSWD: /usr/bin/su - root        (but some
how add------- /usr/sbin/chfs)

Chris

___________________
Chris Schrimshaw
AIX Systems Administrator
Office: (865) 558-2017
Fax: (865) 558-2808

From christian.peper at kpn.com Mon Dec 15 08:35:11 2008
From: christian.peper at kpn.com (christian.peper at kpn.com)
Date: Mon, 15 Dec 2008 14:35:11 +0100
Subject: [sudo-users] Configuring the sudoers file for a DBA
In-Reply-To:
References:
Message-ID: <459520CEEC42F041A8B0CFBCEE958A1101CDB5F5@KKWNLEX182.kpnnl.local>

Chris,

Although I have no idea what smitty is... (machine? Program? Tool?)
You could also use a jail for this, couldn't you? Search Google for
'jailkit' for an easy way to build them. Also very useful for giving
some functions to external people, e.g. over VPN.

Using sudo, it'd be something like:

User_Alias DBA=user1,user2,%dbagroup
Cmnd_Alias TOOL=/usr/bin/chfs
Host_Alias ORA=host1, host2, 192.168.0.0/16
DBA ORA = NOPASSWD: TOOL

This would let the DBA users run the tool on any ORA host as root,
without needing the pwd.

BTW, this example was made simply by looking at the outstanding examples
on the sudoers site:
http://www.gratisoft.us/sudo/man/sudoers.html#examples

Hope it helps!
Chris.

> -----Original Message-----
> From: sudo-users-bounces at courtesan.com
> [mailto:sudo-users-bounces at courtesan.com] On Behalf Of
> Chris.Schrimshaw at kub.org
> Sent: Monday, December 15, 2008 1:00 PM
> To: sudo-users at sudo.ws
> Subject: [sudo-users] Configuring the sudoers file for a DBA
>
> I need to give access to one of our DBA's to run chfs inside
> smitty so he can add space to his file system.
> I want to remove his root access later, but for now, I want
> to set it up so he can run chfs using smitty, get him used to
> using it and then yank his root access. What is the best way
> to set this up using the sudoers file?
>
> ABC03537 ALL = (root) NOPASSWD: /usr/bin/su - root
> (but some
> how add------- /usr/sbin/chfs)
>
> Chris
>
> ___________________
> Chris Schrimshaw
> AIX Systems Administrator
> Office: (865) 558-2017
> Fax: (865) 558-2808

From scarville at landam.com Mon Dec 15 11:52:10 2008
From: scarville at landam.com (Stephen Carville)
Date: Mon, 15 Dec 2008 08:52:10 -0800
Subject: [sudo-users] Configuring the sudoers file for a DBA
In-Reply-To:
References:
Message-ID: <200812150852.10779.scarville@landam.com>

On Monday 15 December 2008 03:59, Chris.Schrimshaw at kub.org wrote:
> I need to give access to one of our DBA's to run chfs inside smitty so he
> can add space to his file system.
> I want to remove his root access later, but for now, I want to set it up
> so he can run chfs using smitty, get him used to using it and then yank
> his root access. What is the best way to set this up using the sudoers
> file?

Long time since I had to support AIX but, IIRC, SMIT is just a wrapper
that calls system utilities via a shell to do the actual work.
So if oracleguy runs SMIT as himself then something like this might
work:

oracleguy ALL=(root) NOPASSWD:/usr/bin/chfs

> ABC03537 ALL = (root) NOPASSWD: /usr/bin/su - root        (but some
> how add------- /usr/sbin/chfs)

--
Stephen Carville
Systems Engineer
Land America
1.626.667.1450 X1326
============================================================
Any security software design that doesn't assume the enemy
possesses the source code is already untrustworthy. -- Eric Raymond

From russell+sudo-users at loosenut.com Mon Dec 15 14:47:02 2008
From: russell+sudo-users at loosenut.com (Russell Van Tassell)
Date: Mon, 15 Dec 2008 11:47:02 -0800
Subject: [sudo-users] Sudo script
In-Reply-To:
References:
Message-ID: <20081215194702.GR13956@fubar.loosenut.com>

On Thu, Dec 11, 2008 at 10:14:05AM -0200, Valdemir Santos wrote:
> Is there any way to create a script like this:
> john> sudo script
> john> pwd
> john> ifconfig -a
> john> ls -l
>
> to permit use root account and log all commands ?

Use something like OSH (Operator's Shell). They exist... you just need
to look for them.

--
Russell M. Van Tassell
russell at loosenut.com

Incompetence: When you earnestly believe you can compensate for a lack
of skill by doubling your efforts, there's no end to what you can't do.

From sudo at tizatron.com Tue Dec 16 15:29:48 2008
From: sudo at tizatron.com (Tiz)
Date: Tue, 16 Dec 2008 12:29:48 -0800
Subject: [sudo-users] Error trying "make" in Sudo
Message-ID: <49480FBC.9080302@tizatron.com>

On Thu, 15 May 2008 18:42:42 -0400, Todd C. Miller wrote:
> In message
> so spake "Valdemir Santos" (valdemirs):
>
>> I'm receiving this message when trying "make" in solaris:
>>
>> solaris> make
>>
>> Undefined first referenced
>> symbol in file
>> libintl_dgettext pam.o ld: fatal: Symbol referencing
>> errors. No output written to sudo
>
> Someone else had this same issue but I've been unable to reproduce it
> myself. If you add -lintl to SUDO_LIBS it should link.
>

I know this is a dated post but I too have the same issue and cannot find
a solution.

I just downloaded version 1.6.9p19 and I am trying to compile sudo on my
Solaris 10 machine using gcc4.

gcc -o sudo check.o env.o getspwuid.o gettime.o goodpath.o fileops.o
find_path.o interfaces.o logging.o parse.o set_perms.o sudo.o sudo_edit.o
tgetpass.o zero_bytes.o sudo_auth.o pam.o sudo.tab.o lex.yy.o alloc.o
defaults.o err.o glob.o fnmatch.o memrchr.o snprintf.o getprogname.o
-L/usr/local/lib -R/usr/local/lib -lpam -ldl -lintl -lsocket -lnsl
Undefined                       first referenced
 symbol                             in file
libintl_dgettext                    pam.o
ld: fatal: Symbol referencing errors. No output written to sudo
collect2: ld returned 1 exit status
*** Error code 1
make: Fatal error: Command failed for target `sudo'

I see that -lintl is added to the build.

I installed SMCexpat, SMCgettxt, SMCliconv and SMClintl.

I pointed my configure script to /usr/local/lib with...

configure \
  --with-editor=vi \
  --enable-static \
  --with-libpath=/usr/local/lib \
  --with-incpath=/usr/local/include

Contents of /usr/local/lib.

gettext/ libasprintf.a libasprintf.la* libasprintf.so@ libasprintf.so.0@
libasprintf.so.0.0.0* libcharset.a libcharset.la libcharset.so@
libcharset.so.1@ libcharset.so.1.0.0* libexpat.a libexpat.la* libexpat.so@
libexpat.so.0@ libexpat.so.0.4.0* libexpat.so.1@ libexpat.so.1.5.2*
libgettextlib-0.14.1.so* libgettextlib.la* libgettextlib.so@ libgettextpo.a
libgettextpo.la* libgettextpo.so@ libgettextpo.so.0@ libgettextpo.so.0.1.0*
libgettextsrc-0.14.1.so* libgettextsrc.la* libgettextsrc.so@ libiconv.la
libiconv.so@ libiconv.so.2@ libiconv.so.2.4.0* libintl.a libintl.la
libintl.so@ libintl.so.8@ libintl.so.8.0.2* preloadable_libiconv.so
preloadable_libintl.so

What am I missing? Tips?

--
Regs
Tiz

From Todd.Miller at courtesan.com Wed Dec 17 09:35:29 2008
From: Todd.Miller at courtesan.com (Todd C. Miller)
Date: Wed, 17 Dec 2008 09:35:29 -0500
Subject: [sudo-users] Error trying "make" in Sudo
In-Reply-To: Your message of "Tue, 16 Dec 2008 12:29:48 PST." <49480FBC.9080302@tizatron.com>
References: <49480FBC.9080302@tizatron.com>
Message-ID: <200812171435.mBHEZTnm011470@core.courtesan.com>

You may be linking against the wrong libintl. You should be
able to find which one defines libintl_dgettext by doing something
like:

You could try running configure with

--with-libpath=/usr/lib --with-incpath=/usr/include

to try and get gcc to use the system libintl. By default, gcc will
prefer includes in /usr/local/include over those in /usr/include
and libraries in /usr/local/lib over /usr/lib. This is probably
what is giving you problems. If you have the Sun C compiler, you
could use that instead which doesn't have this brain damaged behavior.

If that doesn't help, try to find which lib libintl_dgettext
is in. E.g.

/usr/ccs/bin/nm /usr/lib/libintl.so | grep libintl_dgettext

and

/usr/ccs/bin/nm /usr/local/lib/libintl.so | grep libintl_dgettext

I would expect it to be in /usr/local/lib/libintl.so.

 - todd

From sudo at tizatron.com Wed Dec 17 14:05:53 2008
From: sudo at tizatron.com (Tiz)
Date: Wed, 17 Dec 2008 11:05:53 -0800
Subject: [sudo-users] Error trying "make" in Sudo
In-Reply-To: <200812171435.mBHEZTnm011470@core.courtesan.com>
References: <49480FBC.9080302@tizatron.com> <200812171435.mBHEZTnm011470@core.courtesan.com>
Message-ID: <49494D91.4090606@tizatron.com>

Todd C. Miller wrote:
> You may be linking against the wrong libintl. You should be
> able to find which one defines libintl_dgettext by doing something
> like:
>
> You could try running configure with
>
> --with-libpath=/usr/lib --with-incpath=/usr/include
>
> to try and get gcc to use the system libintl. By default, gcc will
> prefer includes in /usr/local/include over those in /usr/include
> and libraries in /usr/local/lib over /usr/lib. This is probably
> what is giving you problems. If you have the Sun C compiler, you
> could use that instead which doesn't have this brain damaged behavior.
>
> If that doesn't help, try to find which lib libintl_dgettext
> is in. E.g.
>
> /usr/ccs/bin/nm /usr/lib/libintl.so | grep libintl_dgettext
>
> and
>
> /usr/ccs/bin/nm /usr/local/lib/libintl.so | grep libintl_dgettext
>
> I would expect it to be in /usr/local/lib/libintl.so.
>
> - todd

Todd,

Thanks for the information.

Why I did not try my studio12 compiler I do not know. *sigh*

I was able to get a clean build using...

configure \
  --with-editor=vi \
  --enable-static \
  --with-CC=/opt/studio12/SUNWspro/bin/cc

I tried...

/usr/ccs/bin/nm /usr/lib/libintl.so | grep libintl_dgettext

Nothing.

I then tried looking at the lib in /usr/local/lib. I realized that I
mistakenly installed the X86 version of the lib. Bummer.

I removed all the SMC packages and installed only
libintl-3.4.0-sol10-sparc-local

/usr/ccs/bin/nm /usr/local/lib/libintl.so | grep libintl_dgettext
[276] | 9764| 20|FUNC |GLOB |0 |11 |libintl_dgettext

Helps if you install the correct library. :}

I then got a clean build with...

configure \
  --with-editor=vi \
  --enable-static \
  --with-libpath=/usr/local/lib

Worth noting that I pull my gcc compiler out of an NFS shared
/opt/csw/gcc4/bin/gcc. Long story - another time, but points to why I
need '--with-libpath' since I don't like using LD_LIBRARY_PATH.

Trying...

/usr/ccs/bin/nm /opt/csw/lib/libintl.so | grep libintl_dgettext

Produces no output.

Also - a note to Russel:

I agree with your take on SMC packages. I have since removed all the SMC
packages expat, gettext, etc. Recompiled with studio12 - no issues.

Sticking with the studio12 compiler.

I also had clean builds on studio11, forte10, forte8 and forte62 with
sudo.1.6.9p19. The compile time is short, the compilers were available
so I thought I would give them a spin...yada yada yada.

Thanks for the help.

--
Regs
-Tiz

From russell+sudo-users at loosenut.com Thu Dec 18 14:22:04 2008
From: russell+sudo-users at loosenut.com (Russell Van Tassell)
Date: Thu, 18 Dec 2008 11:22:04 -0800
Subject: [sudo-users] Error trying "make" in Sudo
In-Reply-To: <49494D91.4090606@tizatron.com>
References: <49480FBC.9080302@tizatron.com> <200812171435.mBHEZTnm011470@core.courtesan.com> <49494D91.4090606@tizatron.com>
Message-ID: <20081218192203.GW13956@fubar.loosenut.com>

On Wed, Dec 17, 2008 at 11:05:53AM -0800, Tiz wrote:
> Why I did not try my studio12 compiler I do not know. *sigh*
>
> I was able to get a clean build using...

Very nice! Great to know it's not broken in some other weird way... ;-)

> Also - a note to Russel:
>
> I agree with your take on SMC packages. I have since removed all the SMC
> packages expat, gettext, etc. Recompiled with studio12 - no issues.
>
> Sticking with the studio12 compiler.

Ha! I don't blame you in the least... I would, too. ;-)

Glad to know it all worked out for you!

--
Russell M. Van Tassell
russell at loosenut.com

Ask not for whom the tolls.

From ayubmaj002 at yahoo.com Fri Dec 19 10:03:36 2008
From: ayubmaj002 at yahoo.com (Ayub Abdullah)
Date: Fri, 19 Dec 2008 07:03:36 -0800 (PST)
Subject: [sudo-users] Executing and Runnning Commands Recursively
Message-ID: <284907.78206.qm@web59903.mail.ac4.yahoo.com>

Hello,

I would like to give a specific user the ability to run and execute
commands recursively for a given directory and its subdirectory but only
specify the top level directory in the sudoers file. Below is an example
of my sudoers file.
I would like to run and execute commands below /usr/openwin/* but at
this time I am unable to:

User    ALL=/usr/opoenwin/*

Thanks,
Ayub

From ayubmaj002 at yahoo.com Fri Dec 19 15:25:24 2008
From: ayubmaj002 at yahoo.com (Ayub Abdullah)
Date: Fri, 19 Dec 2008 12:25:24 -0800 (PST)
Subject: [sudo-users] Executing and Runnning Commands Recursively
References: <284907.78206.qm@web59903.mail.ac4.yahoo.com>
Message-ID: <316523.87755.qm@web59909.mail.ac4.yahoo.com>

Hello,

Per my request below, any updates?

Ayub

________________________________
From: Ayub Abdullah
To: sudo-users at sudo.ws
Sent: Friday, December 19, 2008 10:03:36 AM
Subject: [sudo-users] Executing and Runnning Commands Recursively

Hello,

I would like to give a specific user the ability to run and execute
commands recursively for a given directory and its subdirectory but only
specify the top level directory in the sudoers file. Below is an example
of my sudoers file. I would like to run and execute commands below
/usr/openwin/* but at this time I am unable to:

User    ALL=/usr/opoenwin/*

Thanks,
Ayub

From Todd.Miller at courtesan.com Fri Dec 19 16:36:57 2008
From: Todd.Miller at courtesan.com (Todd C. Miller)
Date: Fri, 19 Dec 2008 16:36:57 -0500
Subject: [sudo-users] Executing and Runnning Commands Recursively
In-Reply-To: Your message of "Fri, 19 Dec 2008 07:03:36 PST."
 <284907.78206.qm@web59903.mail.ac4.yahoo.com>
References: <284907.78206.qm@web59903.mail.ac4.yahoo.com>
Message-ID: <200812192136.mBJLawFe031001@core.courtesan.com>

In message <284907.78206.qm at web59903.mail.ac4.yahoo.com>
so spake Ayub Abdullah (ayubmaj002):

> I would like to give a specific user the ability to run and execute
> commands recursively for a given directory and its subdirectory but
> only specify the top level directory in the sudoers file. Below
> is an example of my sudoers file. I would like to run and execute
> commands below /usr/openwin/* but at this time I am unable to:
>
> User    ALL=/usr/openwin/*

The '*' in a pathname will not match a '/' so you cannot do this
with the existing globbing support in sudo. Depending on how deep
the directory structure is, something like this might work:

User    ALL=/usr/openwin/*/*

However, do you really need to give access to anything other than
this?

User    ALL=/usr/openwin/bin, /usr/openwin/demo

 - todd
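
The wildcard rule from the reply above ('*' in a pathname does not match '/'), modelled here with POSIX fnmatch(3) and FNM_PATHNAME as an added example; it is not part of the thread and not sudo's own matching code. The function names and the command paths under /usr/openwin are constructed for the illustration.

```c
#include <fnmatch.h>
#include <stddef.h>
#include <stdio.h>

/* Pathname-style match: '*' and '?' never match '/'.  This models the
 * rule stated in the reply; it is not taken from the sudo sources. */
int path_glob_match(const char *pattern, const char *path)
{
    return fnmatch(pattern, path, FNM_PATHNAME) == 0;
}

/* String-style match, where '*' also crosses '/'.  This is the recursive
 * behaviour the original sudoers entry was hoping for. */
int string_glob_match(const char *pattern, const char *path)
{
    return fnmatch(pattern, path, 0) == 0;
}

/* Returns 1 if any of the n patterns matches path under the pathname rule. */
int allowed(const char *const patterns[], size_t n, const char *path)
{
    size_t i;

    for (i = 0; i < n; i++)
        if (path_glob_match(patterns[i], path))
            return 1;
    return 0;
}

/* Constructed sample data: rule sets and command paths made up for the demo. */
static const char *const one_level[]  = { "/usr/openwin/*" };
static const char *const two_levels[] = { "/usr/openwin/*", "/usr/openwin/*/*" };
static const char *const samples[] = {
    "/usr/openwin/prog",
    "/usr/openwin/bin/prog",
    "/usr/openwin/demo/sub/prog",
};

int main(void)
{
    size_t i;

    printf("%-28s %-10s %-11s %s\n",
           "command", "one-level", "two-levels", "string-style '*'");
    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%-28s %-10s %-11s %s\n", samples[i],
               allowed(one_level, 1, samples[i]) ? "match" : "no",
               allowed(two_levels, 2, samples[i]) ? "match" : "no",
               string_glob_match(one_level[0], samples[i]) ? "match" : "no");
    return 0;
}
```

Each extra directory level needs its own pattern, so a rule set written this way covers a fixed depth and nothing below it.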