[sudo-users] FW: sudoers anomaly

Seul, Jeffrey JeffreySeul at officemax.com
Wed Jul 16 14:45:55 EDT 2008


If your situation is like mine, even though the user is lectured, the
command still works.

If I remove all but the particular rule that I'm trying to test at the
moment and clear my cache dir, the sudo -u <user> expected_nopasswd_command
works like a charm with no password required.


Our sudo version is behind the times, 1.6.8.p9.


-----Original Message-----
From: sudo-users-bounces at courtesan.com
[mailto:sudo-users-bounces at courtesan.com] On Behalf Of Wood, Mike
Sent: Wednesday, July 16, 2008 1:09 PM
To: sudo-users at sudo.ws
Subject: [sudo-users] FW: sudoers anomaly

I have a similar problem (Sudo version 1.6.9p13).

A user complained that he couldn't execute a certain command.  sudo -l
shows he should be able to.  Specifically from sudo -l:
(root) NOPASSWD: /usr/tivoli/tsm/client/ba/*/start_dsmc,
/usr/tivoli/tsm/client/ba/bin/dsmc

Unfortunately, he gets "lectured".

Now if I delete a Host_Alias that is COMPLETELY UNRELATED, it then works
fine.

Additionally, if I su - to the account from root, it works fine (whether
I edit Host_aliases or not).

I'm completely baffled.

Mike Wood
UNIX System Administrator
Kinetic Concepts Inc.
5751 NW Parkway
San Antonio, TX, 78249
 
E-mail:  mike.wood at kci1.com
Office:  (210) 255-6382
Mobile:  (210) 825-5134
 
> -----Original Message-----
> From: sudo-users-bounces at courtesan.com [mailto:sudo-users-bounces at courtesan.com] On Behalf Of Jeffrey Seul
> Sent: Tuesday, July 15, 2008 10:08 AM
> To: sudo-users at sudo.ws
> Subject: [sudo-users] sudoers anomaly
> 
> I've just gone through and created a nice unified sudoers file (that will
> work for us until we can get to 1.7 and use the local includes instead) -
> however I'm noticing some issues and I believe it's to do with the
> runas_aliases and hoping you can help me -
> 
> If I set up a user with something like this -
> 
> # Oracle Administrators
> %dba ALL=(ORACLE_USERS) NOPASSWD: !SHELLS, !BAD_CMDS, ALL
> 
> and then define a large (more than 30 objects) Runas_Alias (obviously it
> comes before the group permission) -
> 
> Runas_Alias ORACLE_USERS=orabp2, orabwd, orabwq, orabwx, oraep2, oraepd,
> oraepq, oraev1, oraevd, oramdd, oramdt, orapr2, orapt2, oraptd, oraptq,
> orartd, orartq, orarts, orartt, orasb1, orasm2, orawm1, orawm2, orawm3,
> orawmd, orawmq, orawms, orawmt, patrol, precise, orabix, orasrx, orasmx,
> oraxix
> 
> the user, even if they're in the dba group, will be prompted for password
> and they'll yet be allowed to execute the command.
> 
> If I shorten the list of users in the Runas_Alias, and wait the cursory
> amount of time or clear my cache directory entry, it will no longer prompt
> me for password.
> 
> Any thoughts?
> ____________________________________________________________
> sudo-users mailing list <sudo-users at sudo.ws>
> For list information, options, or to unsubscribe, visit:
> http://www.sudo.ws/mailman/listinfo/sudo-users

____________________________________________________________ 
sudo-users mailing list <sudo-users at sudo.ws>
For list information, options, or to unsubscribe, visit:
http://www.sudo.ws/mailman/listinfo/sudo-users
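A minimal model of how sudo evaluates the user spec quoted in Jeffrey's original mail, added here as an example; it is not code from the thread or from sudo itself. It assumes constructed bodies for the SHELLS and BAD_CMDS aliases, which the mails reference but never define, and a shortened ORACLE_USERS list; host matching and command wildcards are not modelled.

```python
import re

# Sudoers fragment reconstructed from the thread, with a shortened Runas_Alias.
# SHELLS and BAD_CMDS are never defined in the mails, so those two Cmnd_Alias
# bodies are constructed for this demonstration.
SUDOERS = """
Cmnd_Alias SHELLS = /bin/sh, /bin/bash, /bin/ksh
Cmnd_Alias BAD_CMDS = /usr/bin/su, /usr/bin/passwd
Runas_Alias ORACLE_USERS = orabp2, orabwd, orabwq, orabwx, oraep2, \\
    oraepd, oraepq, patrol, precise
# Oracle Administrators
%dba ALL=(ORACLE_USERS) NOPASSWD: !SHELLS, !BAD_CMDS, ALL
"""
ALIAS_RE = re.compile(r"(?:Cmnd|Runas)_Alias\s+(\w+)\s*=\s*(.*)")
# user-or-%group  host = (runas) [NOPASSWD:] cmnd, cmnd, ...
SPEC_RE = re.compile(r"(\S+)\s+\S+\s*=\s*\((\w+)\)\s*(NOPASSWD:)?\s*(.*)")

def parse(text):
    """Return (aliases, specs); joins backslash continuations, skips comments."""
    text = re.sub(r"\\\n\s*", " ", text)
    aliases, specs = {}, []
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if m := ALIAS_RE.match(line):
            aliases[m.group(1)] = [x.strip() for x in m.group(2).split(",")]
        elif m := SPEC_RE.match(line):  # host field ignored; the thread uses ALL
            specs.append((m.group(1), m.group(2), bool(m.group(3)),
                          [c.strip() for c in m.group(4).split(",")]))
    return aliases, specs

def evaluate(user, groups, runas, command, text=SUDOERS):
    """Return 'nopasswd', 'passwd' or 'denied' for running command as runas.
    As in sudoers(5), entries are applied in order and the LAST match wins,
    so a negated entry only holds if nothing after it matches the command.
    """
    aliases, specs = parse(text)
    expand = lambda name: aliases.get(name, [name])
    verdict = "denied"
    for who, runas_spec, nopasswd, cmnds in specs:
        user_ok = who[1:] in groups if who.startswith("%") else who in (user, "ALL")
        if not user_ok or not {runas, "ALL"} & set(expand(runas_spec)):
            continue
        for entry in cmnds:
            names = expand(entry.lstrip("!"))
            if command in names or "ALL" in names:
                verdict = ("denied" if entry.startswith("!")
                           else "nopasswd" if nopasswd else "passwd")
    return verdict
```

For the rule as written, evaluate("alice", {"dba"}, "orabp2", "/bin/sh") returns 'nopasswd', because the trailing ALL is the last matching entry and overrides the earlier !SHELLS; with the list reordered to ALL, !SHELLS, !BAD_CMDS the same call returns 'denied'.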
