[sudo-users] FW: sudoers anomaly

Wood, Mike Mike.Wood at kci1.com
Wed Jul 16 14:45:47 EDT 2008


In my case, it prompts for a password.  The user enters his password,
and it fails.

Mike Wood
UNIX System Administrator
Kinetic Concepts Inc.
5751 NW Parkway
San Antonio, TX, 78249
 
E-mail:  mike.wood at kci1.com
Office:  (210) 255-6382
Mobile:  (210) 825-5134
 

> -----Original Message-----
> From: Seul, Jeffrey [mailto:JeffreySeul at officemax.com]
> Sent: Wednesday, July 16, 2008 1:46 PM
> To: Wood, Mike; sudo-users at sudo.ws
> Subject: RE: [sudo-users] FW: sudoers anomaly
> 
> If your situation is like mine, even though the user is lectured, the
> command still works.
> 
> If I remove all but the particular rule that I'm trying to test at the
> moment and clear my cache dir, the sudo -u <user>
> expected_nopasswd_command, works like a charm with no password required
> 
> 
> our sudo version is behind the times, 1.6.8.p9
> 
> 
> -----Original Message-----
> From: sudo-users-bounces at courtesan.com
> [mailto:sudo-users-bounces at courtesan.com] On Behalf Of Wood, Mike
> Sent: Wednesday, July 16, 2008 1:09 PM
> To: sudo-users at sudo.ws
> Subject: [sudo-users] FW: sudoers anomaly
> 
> I have a similar problem (Sudo version 1.6.9p13).
> -
> A user complained that he couldn't execute a certain command.  Sudo -l
> shows he should be able to.  Specifically from sudo -l:
> (root) NOPASSWD: /usr/tivoli/tsm/client/ba/*/start_dsmc,
> /usr/tivoli/tsm/client/ba/bin/dsmc
> 
> Unfortunately, he gets "lectured".
> 
> Now if I delete a Host_Alias that is COMPLETELY UNRELATED, it then works
> fine.
> 
> Additionally, if I su - to the account from root, it works fine (whether
> I edit Host_aliases or not).
> 
> I'm completely baffled.
> 
> Mike Wood
> UNIX System Administrator
> Kinetic Concepts Inc.
> 5751 NW Parkway
> San Antonio, TX, 78249
> 
> E-mail:  mike.wood at kci1.com
> Office:  (210) 255-6382
> Mobile:  (210) 825-5134
> 
> > -----Original Message-----
> > From: sudo-users-bounces at courtesan.com [mailto:sudo-users-
> > bounces at courtesan.com] On Behalf Of Jeffrey Seul
> > Sent: Tuesday, July 15, 2008 10:08 AM
> > To: sudo-users at sudo.ws
> > Subject: [sudo-users] sudoers anomaly
> >
> > I've just gone through and created a nice unified sudoers file (that will
> > work for us until we can get to 1.7 and use the local includes instead) -
> > however I'm noticing some issues and I believe it's to do with the
> > runas_aliases and hoping you can help me -
> >
> > If I set up a user with something like this -
> >
> > # Oracle Administrators
> > %dba ALL=(ORACLE_USERS) NOPASSWD: !SHELLS, !BAD_CMDS, ALL
> >
> > and then define a large (more than 30 objects) Runas_Alias (obviously it
> > comes before the group permission) -
> >
> > Runas_Alias ORACLE_USERS=orabp2, orabwd, orabwq, orabwx, oraep2, oraepd,
> > oraepq, oraev1, oraevd, oramdd, oramdt, orapr2, orapt2, oraptd, oraptq,
> > orartd, orartq, orarts, orartt, orasb1, orasm2, orawm1, orawm2, orawm3,
> > orawmd, orawmq, orawms, orawmt, patrol, precise, orabix, orasrx, orasmx,
> > oraxix
> >
> >
> > the user, even if they're in the dba group, will be prompted for password
> > and they'll yet be allowed to execute the command
> >
> > If I shorten the list of users in the Runas_Alias, and wait the cursory
> > amount of time or clear my cache directory entry, it will no longer prompt
> > me for password
> >
> > Any thoughts?
> > ____________________________________________________________
> > sudo-users mailing list <sudo-users at sudo.ws>
> > For list information, options, or to unsubscribe, visit:
> > http://www.sudo.ws/mailman/listinfo/sudo-users
*****************************************************************************
"CONFIDENTIALITY NOTICE:  This transmission (including any
accompanying attachments) is confidential, is intended only for the
individual or entity named above, and is likely to contain privileged, 
proprietary and confidential information that is exempt from disclosure 
requests under applicable law.  If you are not the intended recipient, 
you are hereby notified that any disclosure, copying, distribution, use 
of or reliance upon any of the information contained in this transmission
is strictly prohibited.  Any inadvertent or unauthorized disclosure shall 
not compromise or waive the confidentiality of this transmission or any 
applicable attorney-client privilege. 

If you have received this transmission in error, please immediately 
notify us at postmaster at kci1.com."


Kinetic Concepts, Inc.

******************************************************************************



