[sudo-users] FW: sudoers anomaly

Wood, Mike Mike.Wood at kci1.com
Wed Jul 16 14:08:50 EDT 2008


I have a similar problem (Sudo version 1.6.9p13).
A user complained that he couldn't execute a certain command.  Sudo -l
shows he should be able to.  Specifically from sudo -l:
(root) NOPASSWD: /usr/tivoli/tsm/client/ba/*/start_dsmc,
/usr/tivoli/tsm/client/ba/bin/dsmc

Unfortunately, he gets "lectured".

Now if I delete a Host_Alias that is COMPLETELY UNRELATED, it then works
fine.

Additionally, if I su - to the account from root, it works fine (whether
I edit Host_aliases or not).

I'm completely baffled.

Mike Wood
UNIX System Administrator
Kinetic Concepts Inc.
5751 NW Parkway
San Antonio, TX, 78249
 
E-mail:  mike.wood at kci1.com
Office:  (210) 255-6382
Mobile:  (210) 825-5134
 
> -----Original Message-----
> From: sudo-users-bounces at courtesan.com [mailto:sudo-users-
> bounces at courtesan.com] On Behalf Of Jeffrey Seul
> Sent: Tuesday, July 15, 2008 10:08 AM
> To: sudo-users at sudo.ws
> Subject: [sudo-users] sudoers anomaly
> 
> I've just gone through and created a nice unified sudoers file (that
> will work for us until we can get to 1.7 and use the local includes
> instead) - however I'm noticing some issues and I believe it's to do
> with the runas_aliases and hoping you can help me -
> 
> If I set up a user with something like this -
> 
> # Oracle Administrators
> %dba ALL=(ORACLE_USERS) NOPASSWD: !SHELLS, !BAD_CMDS, ALL
> 
> and then define a large (more than 30 objects) Runas_Alias (obviously
> it comes before the group permission) -
> 
> Runas_Alias ORACLE_USERS=orabp2, orabwd, orabwq, orabwx, oraep2,
> oraepd, oraepq, oraev1, oraevd, oramdd, oramdt, orapr2, orapt2, oraptd,
> oraptq, orartd, orartq, orarts, orartt, orasb1, orasm2, orawm1, orawm2,
> orawm3, orawmd, orawmq, orawms, orawmt, patrol, precise, orabix, orasrx,
> orasmx, oraxix
> 
> the user, even if they're in the dba group, will be prompted for
> password and they'll yet be allowed to execute the command
> 
> If I shorten the list of users in the Runas_Alias, and wait the
> cursory amount of time or clear my cache directory entry, it will no
> longer prompt me for password
> 
> Any thoughts?
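To check offline what a rule like the one quoted above actually expands to, here is a small added parser (my own code, not anything from the thread or from sudo itself); the sudoers excerpt is reconstructed from the message, and the helper names are mine.

```python
import re

# Constructed sudoers excerpt rebuilt from the quoted message (not a real file).
SUDOERS = """\
# Oracle Administrators
Runas_Alias ORACLE_USERS = orabp2, orabwd, orabwq, orabwx, oraep2, oraepd, \\
    oraepq, oraev1, oraevd, oramdd, oramdt, orapr2, orapt2, oraptd, oraptq, \\
    orartd, orartq, orarts, orartt, orasb1, orasm2, orawm1, orawm2, orawm3, \\
    orawmd, orawmq, orawms, orawmt, patrol, precise, orabix, orasrx, orasmx, \\
    oraxix
%dba ALL=(ORACLE_USERS) NOPASSWD: !SHELLS, !BAD_CMDS, ALL
"""

def _logical_lines(text):
    """Join backslash-continued lines and drop comments and blank lines."""
    out, buf = [], ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):          # sudoers continuation marker
            buf += line[:-1] + " "
            continue
        buf += line
        stripped, buf = buf.strip(), ""
        if stripped and not stripped.startswith("#"):
            out.append(stripped)
    return out

def parse_runas_aliases(text):
    """Return {alias_name: [members]} for every Runas_Alias definition."""
    aliases = {}
    for line in _logical_lines(text):
        m = re.match(r"Runas_Alias\s+(\w+)\s*=\s*(.+)$", line)
        if m:
            aliases[m.group(1)] = [u.strip() for u in m.group(2).split(",")]
    return aliases

def effective_runas(text, who):
    """Expand the (runas) list of the first user spec for `who`, e.g. '%dba'."""
    aliases = parse_runas_aliases(text)
    spec = re.escape(who) + r"\s+\S+\s*=\s*\(([^)]*)\)\s*(NOPASSWD:)?\s*(.*)$"
    for line in _logical_lines(text):
        m = re.match(spec, line)
        if not m:
            continue
        runas = []
        for name in (x.strip() for x in m.group(1).split(",")):
            runas.extend(aliases.get(name, [name]))   # unknown name = literal user
        cmds = [c.strip() for c in m.group(3).split(",")]
        # sudoers(5) warns that subtracting commands from ALL with '!' is
        # generally not effective; flag that pattern for the reviewer.
        negated_all = "ALL" in cmds and any(c.startswith("!") for c in cmds)
        return {"runas": runas, "nopasswd": bool(m.group(2)),
                "cmds": cmds, "negated_all": negated_all}
    return None
```

Running `effective_runas(SUDOERS, "%dba")` reports 34 runas targets, NOPASSWD set, and the `!... ALL` pattern flagged, which is the expected reading of the rule; what sudo 1.6.9 does with it at runtime is the question left open in the thread.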