From chris at encs.concordia.ca Sat Nov 1 10:29:48 2008
From: chris at encs.concordia.ca (Chris O'Regan)
Date: Sat, 01 Nov 2008 10:29:48 -0400
Subject: [sudo-users] sudo can't find an executable in my $PATH!
In-Reply-To: <200810311747.03824.repsons@gmail.com>
References: <200810311747.03824.repsons@gmail.com>
Message-ID: <490C67DC.6040004@encs.concordia.ca>

> Simply, I have a script "doit" in /opt/scripts and I want to execute it as root
> by typing "sudo doit". /opt/scripts is in $PATH both for root and for my user.
> It doesn't work! A thing this simple has nearly turned into a nightmare just
> in trying to make it work and looking for what is wrong :(
> Please answer.

Can you send the output of "sudo doit" as well as "sudo -l"? Also, what are
the file permissions of "doit"?

Chris

From chris at encs.concordia.ca Sat Nov 1 14:16:15 2008
From: chris at encs.concordia.ca (Chris O'Regan)
Date: Sat, 01 Nov 2008 14:16:15 -0400
Subject: [sudo-users] sudo can't find an executable in my $PATH!
In-Reply-To: <200811011843.16809.repsons@gmail.com>
References: <200810311747.03824.repsons@gmail.com> <490C67DC.6040004@encs.concordia.ca> <200811011843.16809.repsons@gmail.com>
Message-ID: <490C9CEF.6040108@encs.concordia.ca>

> Oh, good to see someone saw this. I was doing more "research" on the
> problem, and the fact is that the $PATH variable gets modified by
> sudo! I set sudoers to preserve PATH, but no good.
>
> env and "sudo env" give me different things! Why is that?

It's hard to say exactly what is happening in your case because you have
not forwarded the output of "sudo doit" and "sudo -l". It could be
something as simple as not setting the PATH in the right place.

Sudo does clean up the environment before running the command. How much
depends on how it is configured. Suffice it to say this is a good thing,
because sudo can be a dangerous command.

Chris

From repsons at gmail.com Sat Nov 1 12:43:16 2008
From: repsons at gmail.com (Kārlis Repsons)
Date: Sat, 1 Nov 2008 19:43:16 +0300
Subject: [sudo-users] sudo can't find an executable in my $PATH!
In-Reply-To: <490C67DC.6040004@encs.concordia.ca>
References: <200810311747.03824.repsons@gmail.com> <490C67DC.6040004@encs.concordia.ca>
Message-ID: <200811011843.16809.repsons@gmail.com>

On Saturday 01 November 2008 16:29:48 Chris O'Regan wrote:
> > Simply, I have a script "doit" in /opt/scripts and I want to execute it as
> > root by typing "sudo doit". /opt/scripts is in $PATH both for root and for my
> > user. It doesn't work! A thing this simple has nearly turned into a
> > nightmare just in trying to make it work and looking for what is wrong :(
> > Please answer.
>
> Can you send the output of "sudo doit" as well as "sudo -l"? Also, what
> are the file permissions of "doit"?
>
> Chris

Oh, good to see someone saw this. I was doing more "research" on the
problem, and the fact is that the $PATH variable gets modified by sudo!
I set sudoers to preserve PATH, but no good.

env and "sudo env" give me different things! Why is that?

-- 
Kārlis Repsons

From Todd.Miller at courtesan.com Sun Nov 2 12:59:40 2008
From: Todd.Miller at courtesan.com (Todd C. Miller)
Date: Sun, 02 Nov 2008 12:59:40 -0500
Subject: [sudo-users] sudo can't find an executable in my $PATH!
In-Reply-To: Your message of "Sat, 01 Nov 2008 19:43:16 +0300." <200811011843.16809.repsons@gmail.com>
References: <200810311747.03824.repsons@gmail.com> <490C67DC.6040004@encs.concordia.ca> <200811011843.16809.repsons@gmail.com>
Message-ID: <200811021759.mA2HxehK001090@core.courtesan.com>

In message <200811011843.16809.repsons at gmail.com>
so spake Kārlis Repsons (repsons):

> I was doing more "research" on the problem, and the fact is
> that the $PATH variable gets modified by sudo! I set sudoers to preserve
> PATH, but no good.
>
> env and "sudo env" give me different things! Why is that?

Sudo will remove some potentially dangerous variables from the
environment, as described in the manual. However, it does not
modify PATH unless configured to do so at compile time via the
--with-ignore-dot and/or --with-secure-path configure options.

It is possible that your vendor has enabled the secure path option,
in which case sudo will only look for commands in a hard-coded path.
You can run "sudo sudo -V | grep PATH" and see if there is a line
in the output similar to:

    Value to override user's $PATH with: /usr/bin:/usr/sbin

If so, the mystery is solved. Unfortunately, there is no way
to override this value at runtime, though you can certainly
rebuild sudo without secure path enabled.

 - todd

From Marylou.Kohlmeier at canyons.edu Mon Nov 3 16:52:36 2008
From: Marylou.Kohlmeier at canyons.edu (Kohlmeier, Marylou)
Date: Mon, 3 Nov 2008 13:52:36 -0800
Subject: [sudo-users] sudo can't find an executable in my $PATH!
In-Reply-To: <200811021759.mA2HxehK001090@core.courtesan.com>
References: <200810311747.03824.repsons@gmail.com> <490C67DC.6040004@encs.concordia.ca> <200811011843.16809.repsons@gmail.com> <200811021759.mA2HxehK001090@core.courtesan.com>
Message-ID: <3CF163158B00244D8E1581BF5F5C05B306190B9D@exchange1.Staff.Canyons.edu>

Does anybody have a "sudoers file" sample that I can look at? I'm trying
to set up our sudoers and would like to have a sample, if possible.

Any help provided will be appreciated.

Thank you.

Marylou Kohlmeier
MIS Department
(661-362-3707) Voice
(661-362-5157) Fax
Email: marylou.kohlmeier at canyons.edu
"I cannot teach anybody anything, I can only make them think" - Socrates

-----Original Message-----
From: sudo-users-bounces at courtesan.com [mailto:sudo-users-bounces at courtesan.com] On Behalf Of Todd C. Miller
Sent: Sunday, November 02, 2008 10:00 AM
To: Kārlis Repsons
Cc: sudo-users at sudo.ws
Subject: Re: [sudo-users] sudo can't find an executable in my $PATH!

[...]

____________________________________________________________
sudo-users mailing list
For list information, options, or to unsubscribe, visit:
  http://www.sudo.ws/mailman/listinfo/sudo-users

From repsons at gmail.com Mon Nov 3 09:12:09 2008
From: repsons at gmail.com (Kārlis Repsons)
Date: Mon, 3 Nov 2008 17:12:09 +0300
Subject: [sudo-users] sudo can't find an executable in my $PATH!
In-Reply-To: <200811021759.mA2HxehK001090@core.courtesan.com>
References: <200810311747.03824.repsons@gmail.com> <200811011843.16809.repsons@gmail.com> <200811021759.mA2HxehK001090@core.courtesan.com>
Message-ID: <200811031612.10057.repsons@gmail.com>

On Sunday 02 November 2008 19:59:40 you wrote:
> In message <200811011843.16809.repsons at gmail.com>
> so spake Kārlis Repsons (repsons):
> > I was doing more "research" on the problem, and the fact is
> > that the $PATH variable gets modified by sudo! I set sudoers to preserve
> > PATH, but no good.
> >
> > env and "sudo env" give me different things! Why is that?
>
> Sudo will remove some potentially dangerous variables from the
> environment, as described in the manual. However, it does not
> modify PATH unless configured to do so at compile time via the
> --with-ignore-dot and/or --with-secure-path configure options.
>
> It is possible that your vendor has enabled the secure path option,
> in which case sudo will only look for commands in a hard-coded path.
> You can run "sudo sudo -V | grep PATH" and see if there is a line
> in the output similar to:
>
>     Value to override user's $PATH with: /usr/bin:/usr/sbin
>
> If so, the mystery is solved. Unfortunately, there is no way
> to override this value at runtime, though you can certainly
> rebuild sudo without secure path enabled.
>
> - todd

Thank you, man! You were right, gentoo has --with-secure-path! Grrr...
Bugzilla is my next bus stop (there should be a USE flag for that).

-- 
Kārlis Repsons

From Marylou.Kohlmeier at canyons.edu Tue Nov 4 09:59:47 2008
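Added here as an illustration of Todd's diagnosis (example code, not from the thread or from sudo itself): it parses the "Value to override user's $PATH with:" line quoted above out of `sudo -V` output and simulates sudo's PATH search, so the reader can see why "sudo doit" fails under a compiled-in secure path while the same command by full path, or a plain build, succeeds. The `sudo -V` texts and the directory map are constructed samples.

```python
import re
from typing import Dict, List, Optional, Set

# Label printed by `sudo -V` (run as root) when sudo was built with --with-secure-path;
# the wording is the one Todd quotes in his message.
SECURE_PATH_RE = re.compile(r"^Value to override user's \$PATH with:\s*(\S+)", re.MULTILINE)

# Constructed sample of `sudo sudo -V` output from a build with a compiled-in secure path.
SUDO_V_SECURE = """\
Sudo version 1.6.9p17
Sudoers path: /etc/sudoers
Value to override user's $PATH with: /usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin
"""

# Constructed sample from a build without --with-secure-path: the line is simply absent.
SUDO_V_PLAIN = """\
Sudo version 1.6.9p17
Sudoers path: /etc/sudoers
"""

# Constructed directory -> executable map standing in for the filesystem.
FILES: Dict[str, Set[str]] = {"/opt/scripts": {"doit"}, "/usr/bin": {"env", "sudo"}}


def secure_path(sudo_v_output: str) -> Optional[List[str]]:
    """Directories of the compiled-in secure path, or None when sudo leaves PATH alone."""
    m = SECURE_PATH_RE.search(sudo_v_output)
    return m.group(1).split(":") if m else None


def search_path(user_path: str, sudo_v_output: str) -> List[str]:
    """The PATH sudo will actually search: the secure path if present, else the caller's."""
    sp = secure_path(sudo_v_output)
    return sp if sp is not None else user_path.split(":")


def resolve(command: str, dirs: List[str], files: Dict[str, Set[str]] = FILES) -> Optional[str]:
    """PATH-style lookup over the constructed map; a command containing '/' is taken as given."""
    if "/" in command:
        return command
    for d in dirs:
        if command in files.get(d, set()):
            return f"{d}/{command}"
    return None


def explain(command: str, user_path: str, sudo_v_output: str) -> str:
    """One-line verdict on why `sudo <command>` finds or does not find the executable."""
    sp = secure_path(sudo_v_output)
    found = resolve(command, search_path(user_path, sudo_v_output))
    if found:
        return f"sudo runs {found}"
    if sp is not None:
        return (f"secure path in effect ({':'.join(sp)}); {command!r} is not in it, "
                f"so give the full path or rebuild sudo without --with-secure-path")
    return f"{command!r} is not in your PATH ({user_path})"
```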
From: Marylou.Kohlmeier at canyons.edu (Kohlmeier, Marylou)
Date: Tue, 4 Nov 2008 06:59:47 -0800
Subject: [sudo-users] sudoers set-up
Message-ID: <3CF163158B00244D8E1581BF5F5C05B306190BA5@exchange1.Staff.Canyons.edu>

Hi,

Do you think somebody can provide assistance in setting up my sudoers?
I'm a new user and would like to set up my sudoers file.

Thank you,

Marylou Kohlmeier
Please think before you print.
MIS Department
(661-362-3707) Voice
(661-362-5157) Fax
Email: marylou.kohlmeier at canyons.edu
"I cannot teach anybody anything, I can only make them think" - Socrates

From edwardspl at ita.org.mo Tue Nov 4 11:28:46 2008
From: edwardspl at ita.org.mo (edwardspl at ita.org.mo)
Date: Wed, 05 Nov 2008 00:28:46 +0800
Subject: [sudo-users] Quota function
Message-ID: <4910783E.9080103@ita.org.mo>

Dear All,

Is there a config sample for using the Quota function (cmd of quota and edquota)?

For the user's bash_profile:

    PATH=$PATH:/sbin:/usr/sbin:/usr/local/bin

For running with visudo:

    HOST = NOPASSWD: /usr/sbin/edquota, /usr/bin/quota

For the home directory:

    [manager at xxx ~]$ ls -l -h /home/aquota.*
    -rw-r--r-- 1 root root 10K Nov  4 23:32 /home/aquota.group
    -rw-r--r-- 1 root root 10K Nov  4 23:32 /home/aquota.user
    [manager at xxx ~]$

BUT the result:

    [manager at xxxx ~]$ sudo quota -v edward
    Password:

    [manager at xxxx ~]$ sudo edquota -p qwe -u zxc
    Password:

NEED password ???

So, what mistake have I made?

Many thanks for your help!

Edward.

From russell+sudo-users at loosenut.com Tue Nov 4 14:23:25 2008
From: russell+sudo-users at loosenut.com (Russell Van Tassell)
Date: Tue, 4 Nov 2008 11:23:25 -0800
Subject: [sudo-users] sudoers set-up
In-Reply-To: <3CF163158B00244D8E1581BF5F5C05B306190BA5@exchange1.Staff.Canyons.edu>
References: <3CF163158B00244D8E1581BF5F5C05B306190BA5@exchange1.Staff.Canyons.edu>
Message-ID: <20081104192325.GW20652@fubar.loosenut.com>

On Tue, Nov 04, 2008 at 06:59:47AM -0800, Kohlmeier, Marylou wrote:
> Do you think somebody can provide assistance in setting up my sudoers?
> I'm a new user and would like to set up my sudoers file.

It would probably help to have a slight bit more info about your
environment, such as platform and uses/intentions for sudo (i.e. how are
you planning on using it?). On most UN*X platforms, "man sudoers" should
give you a lot of ideas and a few examples... the sudo distribution also
tends to come with a file called "sample.sudoers" or "sudoers.example" or
similar (been a while since I've looked at it, sorry).

-- 
Russell M. Van Tassell
russell at loosenut.com

"You know, Crystal Meth... you have to be a special kind of 'stupid' to do
that drug. I would never do a drug that involves rednecks and science."
 - Kathleen Madigan (Last Comic Standing - 2007)

From Marylou.Kohlmeier at canyons.edu Tue Nov 4 14:26:52 2008
From: Marylou.Kohlmeier at canyons.edu (Kohlmeier, Marylou)
Date: Tue, 4 Nov 2008 11:26:52 -0800
Subject: [sudo-users] sudoers set-up
In-Reply-To: <20081104192325.GW20652@fubar.loosenut.com>
References: <3CF163158B00244D8E1581BF5F5C05B306190BA5@exchange1.Staff.Canyons.edu> <20081104192325.GW20652@fubar.loosenut.com>
Message-ID: <3CF163158B00244D8E1581BF5F5C05B306190BB2@exchange1.Staff.Canyons.edu>

We would like to use "sudo" so we don't have to give out our root password
to our staff. We are on HP-UX 11.23 Itanium.

I've been trying to configure our "sudoers" and am still having problems.
When I try to use the command "sudo -l", I get the error:

    sudo - must be setuid root

Marylou

-----Original Message-----
From: Russell Van Tassell [mailto:russell+sudo-users at loosenut.com]
Sent: Tuesday, November 04, 2008 11:23 AM
To: Kohlmeier, Marylou
Cc: sudo-users at sudo.ws
Subject: Re: [sudo-users] sudoers set-up

[...]

From russell+sudo-users at loosenut.com Tue Nov 4 14:43:52 2008
From: russell+sudo-users at loosenut.com (Russell Van Tassell)
Date: Tue, 4 Nov 2008 11:43:52 -0800
Subject: [sudo-users] sudoers set-up
In-Reply-To: <3CF163158B00244D8E1581BF5F5C05B306190BB2@exchange1.Staff.Canyons.edu>
References: <3CF163158B00244D8E1581BF5F5C05B306190BA5@exchange1.Staff.Canyons.edu> <20081104192325.GW20652@fubar.loosenut.com> <3CF163158B00244D8E1581BF5F5C05B306190BB2@exchange1.Staff.Canyons.edu>
Message-ID: <20081104194352.GY20652@fubar.loosenut.com>

On Tue, Nov 04, 2008 at 11:26:52AM -0800, Kohlmeier, Marylou wrote:
> We would like to use "sudo" so we don't have to give out our root password to
> our staff. We are on HP-UX 11.23 Itanium.
>
> I've been trying to configure our "sudoers" and am still having problems.
> When I try to use the command "sudo -l", I get the error: sudo - must be
> setuid root

Well, one thing to think about "as a direct substitute for su" is the
following:

    sudo su
    passwd root

...or simply "sudo passwd -u root"

...so, it's not quite just a drop-in replacement for not distributing the
root password, in my honest opinion (though I understand many folks seem
to use it this way -- at least you get logging, even if that logging only
really contains a list of every time someone got a root shell).

As far as the setuid problem, you'll just need to add the setuid bit to
the binary ("chmod 4111 /path/to/sudo"). You might find this link handy,
too:

    http://sudo.ws/sudo/troubleshooting.html

Regards,
Russell

-- 
Russell M. Van Tassell
russell at loosenut.com

Did you ever notice that when you blow in a dog's face, he gets mad at
you, but when you take him on a car ride, he sticks his head out the
window?

From ccx110 at coventry.ac.uk Thu Nov 6 09:46:51 2008
From: ccx110 at coventry.ac.uk (Rachael Brown)
Date: Thu, 6 Nov 2008 14:46:51 -0000
Subject: [sudo-users] Compiling sudo-1-7
Message-ID: <881F54DCA3F26C4696683605F62B4022081E9F68@VSEXMS-03.coventry.ac.uk>

I am trying to compile sudo and getting the following error:

    configure: error: no acceptable C compiler found in $PATH
    See `config.log' for more details.

I have attached the config.log.

From mdione at except.com.ar Thu Nov 6 17:12:30 2008
From: mdione at except.com.ar (Marcos Dione)
Date: Thu, 6 Nov 2008 20:12:30 -0200
Subject: [sudo-users] bug? sudo -l output
Message-ID: <20081106221230.GB17439@except.com.ar>

First of all, I'm not subscribed to the list, so please CC: me the answers.

Today I spent some time figuring out why a user could invoke sudo without
it asking him for any password. I (wrongly) used sudo -l to see what
things he could do, and the output was as follows:

    User javier may run the following commands on this host:
        (ALL) ALL
        (root) NOPASSWD: /sbin/halt
        ...

which is what I already knew from peeking into the sudoers file. Now, the
user was in the default exempt group (which, by the way, is not mentioned
at all in the manpage, and I completely forgot about it). So, could it be
that the -l option or any other one could tell about this?

-- 
Marcos Dione
mdione at except.com.ar | http://except.com.ar/

From Todd.Miller at courtesan.com Fri Nov 7 09:15:42 2008
From: Todd.Miller at courtesan.com (Todd C. Miller)
Date: Fri, 07 Nov 2008 09:15:42 -0500
Subject: [sudo-users] Compiling sudo-1-7
In-Reply-To: Your message of "Thu, 06 Nov 2008 14:46:51 GMT." <881F54DCA3F26C4696683605F62B4022081E9F68@VSEXMS-03.coventry.ac.uk>
References: <881F54DCA3F26C4696683605F62B4022081E9F68@VSEXMS-03.coventry.ac.uk>
Message-ID: <200811071415.mA7EFgj2031393@core.courtesan.com>

It looks like configure was unable to find gcc or cc in your path.
Do you have a C compiler installed? If so, where is it located?

 - todd

From chris at encs.concordia.ca Fri Nov 7 12:02:04 2008
From: chris at encs.concordia.ca (Chris O'Regan)
Date: Fri, 07 Nov 2008 12:02:04 -0500
Subject: [sudo-users] segfault with v1.7r3
Message-ID: <4914748C.5040202@encs.concordia.ca>

I am experiencing a problem with sudo v1.7rc3. When I run sudo the first
time, it works, but it segfaults if I run it again. I can work around the
problem by running "sudo -k" or waiting until my timestamp expires.

What's strange is that I can reproduce the problem on some systems, but
not on others (all are pretty much identical, running RHEL3 with the same
patches and configuration). I do not experience the problem if I have
logged into my account from root via "su" ("su chris", no "-"; it does
not work with "su - chris"). I've also tested with the v1.7rc2 binary
and it is fine, too.

Any ideas?

Chris

From Todd.Miller at courtesan.com Fri Nov 7 12:21:16 2008
From: Todd.Miller at courtesan.com (Todd C. Miller)
Date: Fri, 07 Nov 2008 12:21:16 -0500
Subject: [sudo-users] segfault with v1.7r3
In-Reply-To: Your message of "Fri, 07 Nov 2008 12:02:04 EST." <4914748C.5040202@encs.concordia.ca>
References: <4914748C.5040202@encs.concordia.ca>
Message-ID: <200811071721.mA7HLGau020618@core.courtesan.com>

If you run configure with the --disable-pam-session flag does that
change the behavior?

 - todd

From chris at encs.concordia.ca Fri Nov 7 12:44:04 2008
From: chris at encs.concordia.ca (Chris O'Regan)
Date: Fri, 07 Nov 2008 12:44:04 -0500
Subject: [sudo-users] segfault with v1.7r3
In-Reply-To: <200811071721.mA7HLGau020618@core.courtesan.com>
References: <4914748C.5040202@encs.concordia.ca> <200811071721.mA7HLGau020618@core.courtesan.com>
Message-ID: <49147E64.1070305@encs.concordia.ca>

Todd C. Miller wrote:
> If you run configure with the --disable-pam-session flag does that
> change the behavior?
>
> - todd

No, still segfaulting. However, after setting --with-tty-tickets, it
segfaults immediately after prompting me for my password. That is, sudo
does not work at all. But it is creating the ticket; running sudo
subsequently segfaults without prompting for a password.

Hope this helps narrow down where the problem may be occurring.

Thanks,
Chris

From christian.peper at kpn.com Mon Nov 10 05:39:01 2008
From: christian.peper at kpn.com (christian.peper at kpn.com)
Date: Mon, 10 Nov 2008 11:39:01 +0100
Subject: [sudo-users] Compiling sudo-1-7
In-Reply-To: <200811071415.mA7EFgj2031393@core.courtesan.com>
References: <881F54DCA3F26C4696683605F62B4022081E9F68@VSEXMS-03.coventry.ac.uk> <200811071415.mA7EFgj2031393@core.courtesan.com>
Message-ID: <459520CEEC42F041A8B0CFBCEE958A1101B6AD2E@KKWNLEX182.kpnnl.local>

Rachel,

Check if you do have a compiler installed. Not all systems come with one
by default. Try 'which cc' or 'which gcc' to check. If it's in a weird
directory, the configure script may not be able to find it, but you can
tell it where to look. Using 'yum install gcc' or 'up2date -i gcc' you
should be able to install it, if missing.

Chris.

> -----Original Message-----
> From: sudo-users-bounces at courtesan.com
> [mailto:sudo-users-bounces at courtesan.com] On Behalf Of Todd C. Miller
> Sent: Friday, November 07, 2008 3:16 PM
> To: Rachael Brown
> Cc: sudo-users at sudo.ws
> Subject: Re: [sudo-users] Compiling sudo-1-7
>
> It looks like configure was unable to find gcc or cc in your path.
> Do you have a C compiler installed? If so, where is it located?
>
> - todd

From joel.heenan at gmail.com Sun Nov 9 22:37:36 2008
From: joel.heenan at gmail.com (Joel Heenan)
Date: Mon, 10 Nov 2008 14:37:36 +1100
Subject: [sudo-users] test-sudoers.py - Python script to test a sudoers file
Message-ID: <843700460811091937v1c130852kf5a4c2647cbed184@mail.gmail.com>

I wrote a script that parses a sudoers file and can print out who can run
what commands on which hosts. It can also test whether a particular user
can run a particular command and return a status code indicating as much.

You can find it here:

http://www.planetjoel.com/viewarticle/626/test-sudoers.py+-+Test+a+sudoers+file+through+python

Joel

From russell+sudo-users at loosenut.com Mon Nov 10 14:53:22 2008
From: russell+sudo-users at loosenut.com (Russell Van Tassell)
Date: Mon, 10 Nov 2008 11:53:22 -0800
Subject: [sudo-users] Compiling sudo-1-7
In-Reply-To: <459520CEEC42F041A8B0CFBCEE958A1101B6AD2E@KKWNLEX182.kpnnl.local>
References: <881F54DCA3F26C4696683605F62B4022081E9F68@VSEXMS-03.coventry.ac.uk> <200811071415.mA7EFgj2031393@core.courtesan.com> <459520CEEC42F041A8B0CFBCEE958A1101B6AD2E@KKWNLEX182.kpnnl.local>
Message-ID: <20081110195321.GY20652@fubar.loosenut.com>

On Mon, Nov 10, 2008 at 11:39:01AM +0100, christian.peper at kpn.com wrote:
> Rachel,
>
> Check if you do have a compiler installed. Not all systems come with one
> by default.

Being a Sun box, too... unless you have actually purchased their compiler
product and installed it, or bootstrapped gcc or similar, they tend to
nicely include a "cc" script that will tell you that cc's not installed
(which is *great* for confusing unsuspecting configure scripts).

> Try 'which cc' or 'which gcc' to check.
> If it's in a weird directory, the configure script may not be able to
> find it, but you can tell it where to look.

That might only work if the compiler's already in the path (which,
apparently, it's not). Solaris 9, if you installed the optional software,
might be in /usr/sfw/bin or similar (of all places), which tends to escape
most folks... I think they likely decided on that out-of-the-way place
so as to avoid overwriting /usr/local or /opt or the like, now...

> Using 'yum install gcc' or 'up2date -i gcc' you should be able to
> install it, if missing.

...that's a redhat/linux thing, AFAIK. Rachael's configure script seems
to think it's a Solaris 9 box...

    /usr/bin/uname -p = sparc
    /bin/uname -X     = System = SunOS
    Node = webct4
    Release = 5.9
    KernelID = Generic_118558-14
    Machine = sun4u

So... many people like sunfreeware.com (I'll admit it's not my favorite).
But you're probably just as well off grabbing the software supplement
that came with Solaris 9 and making sure you install GCC and all the
compiler tools from there (unless, of course, it's already on the box in
the aforementioned out-of-the-way location).

Russell

-- 
Russell M. Van Tassell
russell at loosenut.com

This login session: $13.99, but for you $11.88

From russell+sudo-users at loosenut.com Mon Nov 10 14:56:22 2008
From: russell+sudo-users at loosenut.com (Russell Van Tassell)
Date: Mon, 10 Nov 2008 11:56:22 -0800
Subject: [sudo-users] segfault with v1.7r3
In-Reply-To: <4914748C.5040202@encs.concordia.ca>
References: <4914748C.5040202@encs.concordia.ca>
Message-ID: <20081110195622.GZ20652@fubar.loosenut.com>

On Fri, Nov 07, 2008 at 12:02:04PM -0500, Chris O'Regan wrote:
> I am experiencing a problem with sudo v1.7rc3. When I run sudo the first
> time, it works, but it segfaults if I run it again. I can work around the
> problem by running "sudo -k" or waiting until my timestamp expires.
>
> What's strange is that I can reproduce the problem on some systems, but
> not on others (all are pretty much identical, running RHEL3 with the
> same patches and configuration). I do not experience the problem if I
> have logged into my account from root via "su" ("su chris", no "-"; it does
> not work with "su - chris"). I've also tested with the v1.7rc2 binary
> and it is fine, too.
>
> Any ideas?

It would *sound* like there's something in your startup scripts under the
"chris" account (but not under root) that's causing the issue... what
happens if you move them out of the way?

Of course, it shouldn't segfault, period... but that might give you
something to go on... Todd (or someone else) might have more ideas, too...

-- 
Russell M. Van Tassell
russell at loosenut.com

"He has no enemies, but is intensely disliked by his friends." - Oscar Wilde

From Todd.Miller at courtesan.com Mon Nov 10 15:01:39 2008
From: Todd.Miller at courtesan.com (Todd C. Miller)
Date: Mon, 10 Nov 2008 15:01:39 -0500
Subject: [sudo-users] segfault with v1.7r3
In-Reply-To: Your message of "Mon, 10 Nov 2008 11:56:22 PST." <20081110195622.GZ20652@fubar.loosenut.com>
References: <4914748C.5040202@encs.concordia.ca> <20081110195622.GZ20652@fubar.loosenut.com>
Message-ID: <200811102001.mAAK1dOr031462@core.courtesan.com>

In message <20081110195622.GZ20652 at fubar.loosenut.com>
so spake Russell Van Tassell (russell+sudo-users):

> Of course, it shouldn't segfault, period... but that might give you
> something to go on... Todd (or someone else) might have more ideas,
> too...

It was an off-by-one error introduced in rc3. I'll have an rc4 tarball
out soon.

 - todd

From joel.heenan at gmail.com Tue Nov 11 23:23:01 2008
From: joel.heenan at gmail.com (Joel Heenan)
Date: Wed, 12 Nov 2008 15:23:01 +1100
Subject: [sudo-users] test-sudoers.py - Python script to test a sudoers file
In-Reply-To: <843700460811091937v1c130852kf5a4c2647cbed184@mail.gmail.com>
References: <843700460811091937v1c130852kf5a4c2647cbed184@mail.gmail.com>
Message-ID: <843700460811112023m7bf3b277pd2dec324997ea3ee@mail.gmail.com>

sudo-users list,

I wrote a script that parses a sudoers file and can print out who can run
what commands on which hosts. It can also test whether a particular user
can run a particular command and return a status code indicating as much.

You can find it here:

http://www.planetjoel.com/viewarticle/626/test-sudoers.py+-+Test+a+sudoers+file+through+python

Joel

From jakrainer at yahoo.com Wed Nov 12 11:22:37 2008
From: jakrainer at yahoo.com (Jackson Afonso Krainer)
Date: Wed, 12 Nov 2008 08:22:37 -0800 (PST)
Subject: [sudo-users] sudo-1.6.9p17 - problem with wildcards
Message-ID: <380839.43825.qm@web52110.mail.re2.yahoo.com>

Hello there,

I'm using sudo 1.6.9p17 on AIX 5.3 and the wildcards seem not to be
working on this version. For example, I have a user a0badm that has in
his profile the command:

    a0badm> sudo -l
    User a0badm may run the following commands on this host:
        (root) NOPASSWD: !ALL
        (root) NOPASSWD: /sapmnt/???/exe/saproot.sh, ...

Now, let's try to execute the command:

    a0badm> sudo /sapmnt/J0Y/exe/saproot.sh A0B
    Sorry, user a0badm is not allowed to execute '/sapmnt/J0Y/exe/saproot.sh A0B' as root on server_name.

I have tried replacing the "???" with "*" but it didn't work either. It
only works if I define the full path with no wildcards.

Does anyone know what can cause this problem on version sudo-1.6.9p17?
Any ideas how to fix it?

Thank you very much in advance,

Jackson

From edwardspl at ita.org.mo Fri Nov 14 08:40:26 2008
From: edwardspl at ita.org.mo (edwardspl at ita.org.mo)
Date: Fri, 14 Nov 2008 21:40:26 +0800
Subject: [sudo-users] [Fwd: Quota function]
Message-ID: <491D7FCA.2080306@ita.org.mo>

Dear All,

Would you mind helping with this problem?

Thanks!

Edward.

-------- Original Message --------
Subject: Quota function
Date: Wed, 05 Nov 2008 00:28:46 +0800
From: edwardspl at ita.org.mo
To: sudo-users at sudo.ws

Dear All,

Is there a config sample for using the Quota function (cmd of quota and edquota)?

For the user's bash_profile:

    PATH=$PATH:/sbin:/usr/sbin:/usr/local/bin

For running with visudo:

    HOST = NOPASSWD: /usr/sbin/edquota, /usr/bin/quota

For the home directory:

    [manager at xxx ~]$ ls -l -h /home/aquota.*
    -rw-r--r-- 1 root root 10K Nov  4 23:32 /home/aquota.group
    -rw-r--r-- 1 root root 10K Nov  4 23:32 /home/aquota.user
    [manager at xxx ~]$

BUT the result:

    [manager at xxxx ~]$ sudo quota -v edward
    Password:

    [manager at xxxx ~]$ sudo edquota -p qwe -u zxc
    Password:

NEED password ???

So, what mistake have I made?

Many thanks for your help!

Edward.

From russell+sudo-users at loosenut.com Fri Nov 14 13:25:04 2008
From: russell+sudo-users at loosenut.com (Russell Van Tassell)
Date: Fri, 14 Nov 2008 10:25:04 -0800
Subject: [sudo-users] [Fwd: Quota function]
In-Reply-To: <491D7FCA.2080306@ita.org.mo>
References: <491D7FCA.2080306@ita.org.mo>
Message-ID: <20081114182504.GA27588@fubar.loosenut.com>

On Fri, Nov 14, 2008 at 09:40:26PM +0800, edwardspl at ita.org.mo wrote:
> For running with visudo:
>
> HOST = NOPASSWD: /usr/sbin/edquota, /usr/bin/quota

This looks wrong... remember the format is something more like:

    USER_NAMES HOSTS_LIST = (RUN_AS_LIST) COMMAND_LIST

So I suspect you want something closer to:

    manager ALL = (ALL) /usr/sbin/edquota, /usr/bin/quota

...and after that, it's a simple matter of throwing the NOPASSWD in
there, if you really want it (I always recommend against using it,
myself).

> BUT the result:
>
> [manager at xxxx ~]$ sudo quota -v edward
> Password:
>
> [manager at xxxx ~]$ sudo edquota -p qwe -u zxc
> Password:

ALWAYS check this with "sudo -l" ... it'll save you a lot of grief.

-- 
Russell M. Van Tassell
russell at loosenut.com

The more things change, the more they stay insane.

From edwardspl at ita.org.mo Fri Nov 14 22:07:25 2008
From: edwardspl at ita.org.mo (edwardspl at ita.org.mo)
Date: Sat, 15 Nov 2008 11:07:25 +0800
Subject: [sudo-users] [Fwd: Quota function]
In-Reply-To: <20081114182504.GA27588@fubar.loosenut.com>
References: <491D7FCA.2080306@ita.org.mo> <20081114182504.GA27588@fubar.loosenut.com>
Message-ID: <491E3CED.7050802@ita.org.mo>

Russell Van Tassell wrote:
> On Fri, Nov 14, 2008 at 09:40:26PM +0800, edwardspl at ita.org.mo wrote:
> > For running with visudo:
> >
> > HOST = NOPASSWD: /usr/sbin/edquota, /usr/bin/quota
>
> This looks wrong... remember the format is something more like:
>
> USER_NAMES HOSTS_LIST = (RUN_AS_LIST) COMMAND_LIST
>
> So I suspect you want something closer to:
>
> manager ALL = (ALL) /usr/sbin/edquota, /usr/bin/quota

Hello to you,

Sorry, what does "ALL" mean?

Thanks!

Edward.

From russell+sudo-users at loosenut.com Fri Nov 14 23:00:39 2008
From: russell+sudo-users at loosenut.com (Russell Van Tassell)
Date: Fri, 14 Nov 2008 20:00:39 -0800
Subject: [sudo-users] [Fwd: Quota function]
In-Reply-To: <491E3CED.7050802@ita.org.mo>
References: <491D7FCA.2080306@ita.org.mo> <20081114182504.GA27588@fubar.loosenut.com> <491E3CED.7050802@ita.org.mo>
Message-ID: <20081115040039.GH27588@fubar.loosenut.com>

On Sat, Nov 15, 2008 at 11:07:25AM +0800, edwardspl at ita.org.mo wrote:
> Russell Van Tassell wrote:
> > On Fri, Nov 14, 2008 at 09:40:26PM +0800, edwardspl at ita.org.mo wrote:
> > > For running with visudo:
> > >
> > > HOST = NOPASSWD: /usr/sbin/edquota, /usr/bin/quota
> >
> > This looks wrong... remember the format is something more like:
> >
> > USER_NAMES HOSTS_LIST = (RUN_AS_LIST) COMMAND_LIST
> >
> > So I suspect you want something closer to:
> >
> > manager ALL = (ALL) /usr/sbin/edquota, /usr/bin/quota
>
> Hello to you,
>
> Sorry, what does "ALL" mean?

Edward... simply substitute the parameters vertically...

    USER_NAMES HOSTS_LIST = (RUN_AS_LIST) COMMAND_LIST
    manager    ALL        = (ALL)         /usr/sbin/edquota, /usr/bin/quota

There's more detail here:

    http://www.sudo.ws/sudo/man/sudoers.html

-- 
Russell M. Van Tassell
russell at loosenut.com

"He hoped and prayed that there wasn't an afterlife. Then he realised
there was a contradiction involved here and merely hoped that there
wasn't an afterlife." - Douglas Adams

From edwardspl at ita.org.mo Sat Nov 15 03:16:27 2008
From: edwardspl at ita.org.mo (edwardspl at ita.org.mo)
Date: Sat, 15 Nov 2008 16:16:27 +0800
Subject: [sudo-users] [Fwd: Quota function]
In-Reply-To: <20081115040039.GH27588@fubar.loosenut.com>
References: <491D7FCA.2080306@ita.org.mo> <20081114182504.GA27588@fubar.loosenut.com> <491E3CED.7050802@ita.org.mo> <20081115040039.GH27588@fubar.loosenut.com>
Message-ID: <491E855B.1000709@ita.org.mo>

Dear to you,

Sorry again...
I don't quite understand what the difference is between "NOPASSWD:" and "(ALL)"...
So, would you mind giving me some hints?

Thanks!

Edward.

Russell Van Tassell wrote:
> On Sat, Nov 15, 2008 at 11:07:25AM +0800, edwardspl at ita.org.mo wrote:
>> Russell Van Tassell wrote:
>>> On Fri, Nov 14, 2008 at 09:40:26PM +0800, edwardspl at ita.org.mo wrote:
>>>> For running with visudo :
>>>>
>>>> HOST = NOPASSWD: /usr/sbin/edquota, /usr/bin/quota
>>>
>>> This looks wrong... remember the format is something more like:
>>>
>>> USER_NAMES HOSTS_LIST = (RUN_AS_LIST) COMMAND_LIST
>>>
>>> So I suspect you want something closer to:
>>>
>>> manager ALL = (ALL) /usr/sbin/edquota, /usr/bin/quota
>>
>> Hello to you,
>>
>> Sorry, what does "ALL" mean?
>
> Edward... simply substitute the parameters vertically...
>
> USER_NAMES HOSTS_LIST = (RUN_AS_LIST) COMMAND_LIST
> manager    ALL        = (ALL)         /usr/sbin/edquota, /usr/bin/quota
>
> There's more detail here:
>
>   http://www.sudo.ws/sudo/man/sudoers.html

From russell+sudo-users at loosenut.com Sat Nov 15 03:46:53 2008
From: russell+sudo-users at loosenut.com (Russell Van Tassell)
Date: Sat, 15 Nov 2008 00:46:53 -0800
Subject: [sudo-users] [Fwd: Quota function]
In-Reply-To: <491E855B.1000709@ita.org.mo>
References: <491D7FCA.2080306@ita.org.mo> <20081114182504.GA27588@fubar.loosenut.com> <491E3CED.7050802@ita.org.mo> <20081115040039.GH27588@fubar.loosenut.com> <491E855B.1000709@ita.org.mo>
Message-ID: <20081115084653.GJ27588@fubar.loosenut.com>

On Sat, Nov 15, 2008 at 04:16:27PM +0800, edwardspl at ita.org.mo wrote:
> Dear to you,
>
> Sorry again...
> I don't quite understand what the difference is between "NOPASSWD:" and
> "(ALL)"...
> So, would you mind giving me some hints?

NOPASSWD - User does not have to enter password
ALL      - "ALL" for which this argument applies.

These two arguments are separate... I just removed "NOPASSWD" as my own
personal opinion is that you "avoid at all costs."

To be clear... in my previous example, "ALL" meant "all hosts" and
"run-as all users." Not to confuse you, but "ALL" can just-as-well mean
"ANY" or, in shell terms, "*"

>> USER_NAMES HOSTS_LIST = (RUN_AS_LIST) COMMAND_LIST
>> manager    ALL        = (ALL)         /usr/sbin/edquota, /usr/bin/quota

-- 
Russell M. Van Tassell
russell at loosenut.com

"The man pages contain a lot of such material, which reads like the terse
mutterings of pilots wrestling with the controls of damaged airplanes"
- Neal Stephenson, "In the Beginning was the Command Line"

From edwardspl at ita.org.mo Sat Nov 15 09:49:56 2008
From: edwardspl at ita.org.mo (edwardspl at ita.org.mo)
Date: Sat, 15 Nov 2008 22:49:56 +0800
Subject: [sudo-users] [Fwd: Quota function]
In-Reply-To: <20081115084653.GJ27588@fubar.loosenut.com>
References: <491D7FCA.2080306@ita.org.mo> <20081114182504.GA27588@fubar.loosenut.com> <491E3CED.7050802@ita.org.mo> <20081115040039.GH27588@fubar.loosenut.com> <491E855B.1000709@ita.org.mo> <20081115084653.GJ27588@fubar.loosenut.com>
Message-ID: <491EE194.4070707@ita.org.mo>

Russell Van Tassell wrote:
> On Sat, Nov 15, 2008 at 04:16:27PM +0800, edwardspl at ita.org.mo wrote:
>> Dear to you,
>>
>> Sorry again...
>> I don't quite understand what the difference is between "NOPASSWD:" and
>> "(ALL)"...
>> So, would you mind giving me some hints?
>
> NOPASSWD - User does not have to enter password
> ALL      - "ALL" for which this argument applies.
>
> These two arguments are separate... I just removed "NOPASSWD" as my own
> personal opinion is that you "avoid at all costs."
>
> To be clear... in my previous example, "ALL" meant "all hosts" and
> "run-as all users." Not to confuse you, but "ALL" can just-as-well mean
> "ANY" or, in shell terms, "*"
>
>>> USER_NAMES HOSTS_LIST = (RUN_AS_LIST) COMMAND_LIST
>>> manager    ALL        = (ALL)         /usr/sbin/edquota, /usr/bin/quota

Hello to you,

If I want to disable entering a password:

manager ALL = (ALL) NOPASSWD: /usr/sbin/edquota, /usr/bin/quota

Is it the right format?

Thanks!

Edward.

From edwardspl at ita.org.mo Mon Nov 17 03:49:05 2008
From: edwardspl at ita.org.mo (edwardspl at ita.org.mo)
Date: Mon, 17 Nov 2008 16:49:05 +0800
Subject: [sudo-users] How to disable ( deny ) user to change the password of root
Message-ID: <49213001.5030003@ita.org.mo>

Dear All,

For the sudo setting ( visudo ) :

User_Alias SYSADM = manager

Cmnd_Alias NOROOT = !/usr/bin/passwd root
Cmnd_Alias USER = /usr/sbin/adduser, /usr/bin/passwd, /bin/chown, /usr/sbin/userdel

SYSADM MH = (ALL) NOROOT,USER

BUT the test result is the following:

[manager at xxx ~]$ sudo passwd root
Changing password for user root.
New UNIX password:

So, what is wrong with the config?

Many thanks for your hints...

Edward.

From edwardspl at ita.org.mo Mon Nov 17 04:25:00 2008
From: edwardspl at ita.org.mo (edwardspl at ita.org.mo)
Date: Mon, 17 Nov 2008 17:25:00 +0800
Subject: [sudo-users] [Fwd: How to disable ( deny ) user to change the password of root]
Message-ID: <4921386C.1000605@ita.org.mo>

Dear All,

Just previewed the sudo manual:

http://www.sudo.ws/sudo/man/sudoers.html

  pete HPPA = /usr/bin/passwd [A-z]*, !/usr/bin/passwd root

  The user pete is allowed to change anyone's password except for root on
  the HPPA machines. Note that this assumes passwd(1) does not take
  multiple usernames on the command line.

If the Linux system is a FC system, what is the format for it?

Many thanks!

Edward.

-------- Original Message --------
Subject: [sudo-users] How to disable ( deny ) user to change the password of root
Date: Mon, 17 Nov 2008 16:49:05 +0800
From: edwardspl at ita.org.mo
To: sudo-users at sudo.ws
CC: fedora-list at redhat.com

Dear All,

For the sudo setting ( visudo ) :

User_Alias SYSADM = manager

Cmnd_Alias NOROOT = !/usr/bin/passwd root
Cmnd_Alias USER = /usr/sbin/adduser, /usr/bin/passwd, /bin/chown, /usr/sbin/userdel

SYSADM MH = (ALL) NOROOT,USER

BUT the test result is the following:

[manager at xxx ~]$ sudo passwd root
Changing password for user root.
New UNIX password:

So, what is wrong with the config?

Many thanks for your hints...

Edward.

From russell+sudo-users at loosenut.com Mon Nov 17 04:53:44 2008
From: russell+sudo-users at loosenut.com (Russell Van Tassell)
Date: Mon, 17 Nov 2008 01:53:44 -0800
Subject: [sudo-users] [Fwd: How to disable ( deny ) user to change the password of root]
In-Reply-To: <4921386C.1000605@ita.org.mo>
References: <4921386C.1000605@ita.org.mo>
Message-ID: <20081117095343.GU27588@fubar.loosenut.com>

Edward -

The format should basically be the same... the "HPPA" piece is an example
pertaining to the Host_Alias piece of the configuration.

[BTW, copying the fedora users list on these sudo-related threads probably
isn't winning you any friends over there... not that I'm sub'd to that
list, though]

However, in my own opinion, this is just one of many instances where
you're really better off with a wrapper script or good monitoring/alerting
(and it is a good case for a secure log host so as to maintain log
integrity). (So perhaps this IS a decent fedora/un*x discussion)

If you are securing down "passwd," I trust you have already gone through
the pain and trouble of limiting commands fairly strictly across your
ENTIRE network? Put bluntly, there are *many* ways to circumvent typical
system password mechanisms for the determined intruder; here you are only
really protecting against someone that's either made an error or is going
to be nice enough to "give up" after "passwd root" fails...

Your best bet is a solution other than simply trying to patch shell holes
in your O/S... something such as a decent OTP (One Time Password)
solution, for example.

On Mon, Nov 17, 2008 at 05:25:00PM +0800, edwardspl at ita.org.mo wrote:
> Dear All,
>
> Just previewed the sudo manual:
>
> http://www.sudo.ws/sudo/man/sudoers.html
>
>   pete HPPA = /usr/bin/passwd [A-z]*, !/usr/bin/passwd root
>
>   The user pete is allowed to change anyone's password except for root on
>   the HPPA machines. Note that this assumes passwd(1) does not take
>   multiple usernames on the command line.
>
> If the Linux system is a FC system, what is the format for it?
>
> Many thanks!
>
> Edward.
>
> -------- Original Message --------
> Subject: [sudo-users] How to disable ( deny ) user to change the
> password of root
> Date: Mon, 17 Nov 2008 16:49:05 +0800
> From: edwardspl at ita.org.mo
> To: sudo-users at sudo.ws
> CC: fedora-list at redhat.com
>
> Dear All,
>
> For the sudo setting ( visudo ) :
>
> User_Alias SYSADM = manager
>
> Cmnd_Alias NOROOT = !/usr/bin/passwd root
> Cmnd_Alias USER = /usr/sbin/adduser, /usr/bin/passwd, /bin/chown,
> /usr/sbin/userdel
>
> SYSADM MH = (ALL) NOROOT,USER
>
> BUT the test result is the following:
>
> [manager at xxx ~]$ sudo passwd root
> Changing password for user root.
> New UNIX password:
>
> So, what is wrong with the config?
>
> Many thanks for your hints...
>
> Edward.

-- 
Russell M. Van Tassell
russell at loosenut.com

From scarville at landam.com Mon Nov 17 13:59:11 2008
From: scarville at landam.com (Stephen Carville)
Date: Mon, 17 Nov 2008 10:59:11 -0800
Subject: [sudo-users] How to disable ( deny ) user to change the password of root
In-Reply-To: <49213001.5030003@ita.org.mo>
References: <49213001.5030003@ita.org.mo>
Message-ID: <200811171059.11486.scarville@landam.com>

On Monday 17 November 2008 00:49, edwardspl at ita.org.mo wrote:
> Dear All,
>
> For the sudo setting ( visudo ) :
>
> User_Alias SYSADM = manager
>
> Cmnd_Alias NOROOT = !/usr/bin/passwd root
> Cmnd_Alias USER = /usr/sbin/adduser, /usr/bin/passwd, /bin/chown,
> /usr/sbin/userdel
>
> SYSADM MH = (ALL) NOROOT,USER
>
> BUT the test result is the following:
>
> [manager at xxx ~]$ sudo passwd root
> Changing password for user root.
> New UNIX password:
>
> So, what is wrong with the config?

I think the exception has to be after the allowed rule:

SYSADM MH = (ALL) USER,NOROOT

It's been a while since I checked that part of the code...

-- 
Stephen Carville
Systems Engineer
Land America
1.626.667.1450 X1326
============================================================
Any security software design that doesn't assume the enemy
possesses the source code is already untrustworthy.
-- Eric Raymond

From edwardspl at ita.org.mo Mon Nov 17 23:30:15 2008
From: edwardspl at ita.org.mo (edwardspl at ita.org.mo)
Date: Tue, 18 Nov 2008 12:30:15 +0800
Subject: [sudo-users] How to disable ( deny ) user to change the password of root
In-Reply-To: <200811171059.11486.scarville@landam.com>
References: <49213001.5030003@ita.org.mo> <200811171059.11486.scarville@landam.com>
Message-ID: <492244D7.2060204@ita.org.mo>

Stephen Carville wrote:
> On Monday 17 November 2008 00:49, edwardspl at ita.org.mo wrote:
>> Dear All,
>>
>> For the sudo setting ( visudo ) :
>>
>> User_Alias SYSADM = manager
>>
>> Cmnd_Alias NOROOT = !/usr/bin/passwd root
>> Cmnd_Alias USER = /usr/sbin/adduser, /usr/bin/passwd, /bin/chown,
>> /usr/sbin/userdel
>>
>> SYSADM MH = (ALL) NOROOT,USER
>>
>> BUT the test result is the following:
>>
>> [manager at xxx ~]$ sudo passwd root
>> Changing password for user root.
>> New UNIX password:
>>
>> So, what is wrong with the config?
>
> I think the exception has to be after the allowed rule:
>
> SYSADM MH = (ALL) USER,NOROOT
>
> It's been a while since I checked that part of the code...

Hello to you,

Just tested; the following rule is successful:

SYSADM MH = (ALL) USER,NOROOT

BUT there is another problem with it ( I think it is a bug of sudo ).....

When you enter "sudo passwd" without the option (eg: userid):

[manager at xxx ~]$ sudo passwd
Changing password for user root.
New UNIX password:

OH... the user manager can change the root password?

So, is there any solution for this problem?

Thanks!

Edward.

From jakrainer at yahoo.com Tue Nov 18 12:25:49 2008
From: jakrainer at yahoo.com (Jackson Afonso Krainer)
Date: Tue, 18 Nov 2008 09:25:49 -0800 (PST)
Subject: [sudo-users] sudo 1.6.9.18 on AIX 5.3
Message-ID: <704571.80001.qm@web52105.mail.re2.yahoo.com>

Hello sudo list!

I'm compiling the new stable version of sudo (1.6.9.18) on AIX using the
following parameters:

sudo ./configure --with-noexec --without-passwd --with-ignore-dot --with-mailto=email at host.com --with-mail-if-no-host --with-mail-if-noperms --disable-root-sudo --enable-log-host

This command finishes ok. When I issue the command "make install" I get
the following error:

gcc -c -I. -I. -O2 -D_XOPEN_EXTENDED_SOURCE -D_ALL_SOURCE -D_PATH_SUDOERS=\"/etc/sudoers\" -D_PATH_SUDOERS_TMP=\"/etc/sudoers.tmp\" -DSUDOERS_UID=0 -DSUDOERS_GID=0 -DSUDOERS_MODE=0440 ./auth/sudo_auth.c
./auth/sudo_auth.c:61: error: 'aixauth_cleanup' undeclared here (not in a function)
make: 1254-004 The error code from the last command is 1.

Can someone help me with the compilation problem? I have compiled the
version 1.6.9.17 exactly the same way and everything worked fine.

Thank you very much in advance for your help!

Jackson

From Todd.Miller at courtesan.com Tue Nov 18 13:52:15 2008
From: Todd.Miller at courtesan.com (Todd C. Miller)
Date: Tue, 18 Nov 2008 13:52:15 -0500
Subject: [sudo-users] sudo 1.6.9.18 on AIX 5.3
In-Reply-To: Your message of "Tue, 18 Nov 2008 09:25:49 PST." <704571.80001.qm@web52105.mail.re2.yahoo.com>
References: <704571.80001.qm@web52105.mail.re2.yahoo.com>
Message-ID: <200811181852.mAIIqFWI004172@core.courtesan.com>

You probably need the following patch.

 - todd

Index: auth/sudo_auth.h =================================================================== RCS file: /home/cvs/courtesan/sudo/auth/sudo_auth.h,v retrieving revision 1.20.2.3 retrieving revision 1.20.2.4 diff -u -r1.20.2.3 -r1.20.2.4 --- auth/sudo_auth.h 6 Nov 2008 00:14:58 -0000 1.20.2.3 +++ auth/sudo_auth.h 18 Nov 2008 12:54:56 -0000 1.20.2.4 @@ -57,6 +57,7 @@ int sia_verify __P((struct passwd *pw, char *prompt, sudo_auth *auth)); int sia_cleanup __P((struct passwd *pw, sudo_auth *auth)); int aixauth_verify __P((struct passwd *pw, char *pass, sudo_auth *auth)); +int aixauth_cleanup __P((struct passwd *pw, sudo_auth *auth)); int bsdauth_init __P((struct passwd *pw, char **prompt, sudo_auth *auth)); int bsdauth_verify __P((struct passwd *pw, char *prompt, sudo_auth *auth)); int bsdauth_cleanup __P((struct passwd *pw, sudo_auth *auth));

From scarville at landam.com Tue Nov 18 14:21:26 2008
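Review bot: the added prototype `int aixauth_cleanup __P((struct passwd *pw, sudo_auth *auth));` only cures the "'aixauth_cleanup' undeclared" error at ./auth/sudo_auth.c:61 if a function of that name and signature is actually defined in the AIX authentication module; the patch touches the header alone, so after applying it check that `make` links as well as compiles, otherwise the undeclared-symbol error will simply move from the compiler to the linker. The signature does match the neighbouring `sia_cleanup` and `bsdauth_cleanup` prototypes, which is the shape the other cleanup entries use, so the declaration itself looks right.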
From: scarville at landam.com (Stephen Carville)
Date: Tue, 18 Nov 2008 11:21:26 -0800
Subject: [sudo-users] How to disable ( deny ) user to change the password of root
In-Reply-To: <492244D7.2060204@ita.org.mo>
References: <49213001.5030003@ita.org.mo> <200811171059.11486.scarville@landam.com> <492244D7.2060204@ita.org.mo>
Message-ID: <200811181121.26864.scarville@landam.com>

On Monday 17 November 2008 20:30, edwardspl at ita.org.mo wrote:

[snip]

> Just tested; the following rule is successful:
>
> SYSADM MH = (ALL) USER,NOROOT
> BUT there is another problem with it ( I think it is a bug of sudo ).....
>
> When you enter "sudo passwd" without the option (eg: userid):
>
> [manager at xxx ~]$ sudo passwd
> Changing password for user root.
> New UNIX password:
>
> OH... the user manager can change the root password?
>
> So, is there any solution for this problem?

Require that a username be entered for passwd.

USER /usr/bin/passwd [A-z0-1]
NOROOT !/usr/bin/passwd root

SYSADM MH=(ALL) USER,NOROOT

-- 
Stephen Carville
Systems Engineer
Land America
1.626.667.1450 X1326
============================================================
Any security software design that doesn't assume the enemy
possesses the source code is already untrustworthy.
-- Eric Raymond

From edwardspl at ita.org.mo Tue Nov 18 19:41:16 2008
From: edwardspl at ita.org.mo (edwardspl at ita.org.mo)
Date: Wed, 19 Nov 2008 08:41:16 +0800
Subject: [sudo-users] How to disable ( deny ) user to change the password of root
In-Reply-To: <200811181121.26864.scarville@landam.com>
References: <49213001.5030003@ita.org.mo> <200811171059.11486.scarville@landam.com> <492244D7.2060204@ita.org.mo> <200811181121.26864.scarville@landam.com>
Message-ID: <492360AC.7020408@ita.org.mo>

Stephen Carville wrote:
> On Monday 17 November 2008 20:30, edwardspl at ita.org.mo wrote:
>
> [snip]
>
>> Just tested; the following rule is successful:
>>
>> SYSADM MH = (ALL) USER,NOROOT
>> BUT there is another problem with it ( I think it is a bug of sudo ).....
>>
>> When you enter "sudo passwd" without the option (eg: userid):
>>
>> [manager at xxx ~]$ sudo passwd
>> Changing password for user root.
>> New UNIX password:
>>
>> OH... the user manager can change the root password?
>>
>> So, is there any solution for this problem?
>
> Require that a username be entered for passwd.
>
> USER /usr/bin/passwd [A-z0-1]
> NOROOT !/usr/bin/passwd root
>
> SYSADM MH=(ALL) USER,NOROOT

Hello,

Just tested the rules, BUT the result is a failure:

[manager at xxx ~]$ sudo passwd
[sudo] password for manager:
Sorry, user manager is not allowed to execute '/usr/bin/passwd' as root on edsvr.
[manager at xxx ~]$ sudo passwd root
[sudo] password for manager:
Sorry, user manager is not allowed to execute '/usr/bin/passwd root' as root on edsvr.
[manager at xxx ~]$ sudo passwd edward
[sudo] password for manager:
Sorry, user manager is not allowed to execute '/usr/bin/passwd edward' as root on edsvr.

So, how can we stop any user from changing the root password?

Thanks!

Edward.

From edwardspl at ita.org.mo Tue Nov 18 19:55:53 2008
From: edwardspl at ita.org.mo (edwardspl at ita.org.mo)
Date: Wed, 19 Nov 2008 08:55:53 +0800
Subject: [sudo-users] How to disable ( deny ) user to change the password of root
In-Reply-To: <4922EF28.1020304@eburg.com>
References: <49213001.5030003@ita.org.mo> <200811171059.11486.scarville@landam.com> <492244D7.2060204@ita.org.mo> <4922EF28.1020304@eburg.com>
Message-ID: <49236419.6020509@ita.org.mo>

Gordon Messmer wrote:
> edwardspl at ita.org.mo wrote:
>
>> BUT there is another problem with it ( I think it is a bug of sudo ).....
>>
>> When you enter "sudo passwd" without the option (eg: userid):
>>
>> [manager at xxx ~]$ sudo passwd
>> Changing password for user root.
>> New UNIX password:
>
> That's not a bug. "sudo" doesn't know what you're trying to do, only
> whether or not your commands match the patterns in its configuration
> files. They do, so sudo allows the access.
>
>> OH... the user manager can change the root password?
>>
>> So, is there any solution for this problem?
>
> Yes, there is. Don't let users execute any of those commands directly.
> Write shell scripts that validate the commands that you want them to
> execute, and only allow users to execute those with sudo. For example:
>
> passwd-wrapper:
> #!/bin/sh
>
> # Validate that a username was given as an argument
> [ -n "$1" ] || {
>     echo "Use: passwd-wrapper " >&2
>     exit 64
> }
>
> # Validate that the username wasn't "root"
> [ "$1" != "root" ] || {
>     echo "Can't set the root user's password" >&2
>     exit 77
> }
>
> # Use -- to make sure that the "username" given wasn't just
> # a switch that passwd would interpret.
> # THIS ONLY WORKS ON GNU SYSTEMS.
> passwd -- "$1"

Hello,

Sorry... After creating the shell script, how do I use it with sudo?

Thanks!

Edward.

From scarville at landam.com Tue Nov 18 20:18:10 2008
From: scarville at landam.com (Stephen Carville)
Date: Tue, 18 Nov 2008 17:18:10 -0800
Subject: [sudo-users] How to disable ( deny ) user to change the password of root
In-Reply-To: <492360AC.7020408@ita.org.mo>
References: <49213001.5030003@ita.org.mo> <200811181121.26864.scarville@landam.com> <492360AC.7020408@ita.org.mo>
Message-ID: <200811181718.10849.scarville@landam.com>

On Tuesday 18 November 2008 16:41, edwardspl at ita.org.mo wrote:
>> USER /usr/bin/passwd [A-z0-1]
>> NOROOT !/usr/bin/passwd root

Oops. I forgot the '*'. That should be:

USER /usr/bin/passwd [A-z0-1]*

In truth, Gordon Messmer's suggestion is probably more secure. The only
change I'd make would be to embed the sudo command in the script.
Something like:

#!/bin/bash
# echo is a bash builtin so
export PATH=""

# Validate that a username was given as an argument
[ -n "$1" ] || {
    echo "Use: $0 " >&2
    exit 64
}

# Validate that the username wasn't "root"
[ "$1" != "root" ] || {
    echo "Can't set the root user's password" >&2
    exit 77
}

/usr/bin/sudo /usr/bin/passwd -- "$1"

Then give sudo permissions something like:

SYSADM MH = (ALL) /usr/bin/passwd -- [A-z0-1]*

Of course the script permissions have to be set to something like 0444

>> SYSADM MH=(ALL) USER,NOROOT
>
> Hello,
>
> Just tested the rules, BUT the result is a failure:
>
> [manager at xxx ~]$ sudo passwd
> [sudo] password for manager:
> Sorry, user manager is not allowed to execute '/usr/bin/passwd' as root on
> edsvr.
> [manager at xxx ~]$ sudo passwd root
> [sudo] password for manager:
> Sorry, user manager is not allowed to execute '/usr/bin/passwd root' as
> root on edsvr.
> [manager at xxx ~]$ sudo passwd edward
> [sudo] password for manager:
> Sorry, user manager is not allowed to execute '/usr/bin/passwd edward' as
> root on edsvr.
>
> So, how can we stop any user from changing the root password?
>
> Thanks!
>
> Edward.

-- 
Stephen Carville
Systems Engineer
Land America
1.626.667.1450 X1326
============================================================
Any security software design that doesn't assume the enemy
possesses the source code is already untrustworthy.
-- Eric Raymond

From russell+sudo-users at loosenut.com Tue Nov 18 21:14:11 2008
From: russell+sudo-users at loosenut.com (Russell Van Tassell)
Date: Tue, 18 Nov 2008 18:14:11 -0800
Subject: [sudo-users] How to disable ( deny ) user to change the password of root
In-Reply-To: <200811181718.10849.scarville@landam.com>
References: <49213001.5030003@ita.org.mo> <200811181121.26864.scarville@landam.com> <492360AC.7020408@ita.org.mo> <200811181718.10849.scarville@landam.com>
Message-ID: <20081119021411.GG1169@fubar.loosenut.com>

On Tue, Nov 18, 2008 at 05:18:10PM -0800, Stephen Carville wrote:
>
> [Preventing root passwd change using sudo]
>
> In truth, Gordon Messmer's suggestion is probably more secure. The only
> change I'd make would be to embed the sudo command in the script.
> Something like:
>
> [...]
>
> Then give sudo permissions something like:
>
> SYSADM MH = (ALL) /usr/bin/passwd -- [A-z0-1]*

Just "devil's advocate," caveat emptor, buyer beware and all that jazz...

This still doesn't prevent people from doing things such as:

/usr/bin/sudo /usr/bin/sh /usr/bin/passwd

...or other similar "nasty" things (the list is quite huge). This also
presumes, of course, that the "typical" sudoers file allows more than it
prevents/excludes.

-- 
Russell M. Van Tassell
russell at loosenut.com

"I have always felt that a politician is to be judged by the animosities
he excites among his opponents." - Sir Winston Churchill

From edwardspl at ita.org.mo Tue Nov 18 23:52:30 2008
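The four sudoers variants this thread went through (NOROOT before USER, USER before NOROOT, the `[A-z0-1]` pattern without and with `*`) all behave the way they do because of three matching rules in sudoers(5): a command listed without arguments matches any argument list, argument patterns are globs matched with fnmatch(3) against the space-joined arguments, and when several entries match, the last one wins. The script below is an added illustration written for this page, not sudo's own code and not anything a list member posted: it is a deliberately small model of those three rules (the "allow|cmd|args" line format and the rule-set names are the model's own notation), and it replays the commands Edward tried so the verdicts the thread reports can be seen coming out of the ordering and pattern rather than from a bug.

```shell
#!/bin/sh
# Added example, not part of sudo and not from any message in this thread: a
# small model of how sudoers picks an entry for a command. Assumptions:
#   * RULES is a newline-separated list, in sudoers order, of lines
#         allow|/path/to/cmd|ARGS     or     deny|/path/to/cmd|ARGS
#     where "deny" stands for a "!" entry (e.g. the NOROOT Cmnd_Alias);
#   * an empty ARGS field means the command was listed without arguments,
#     which in sudoers matches ANY argument list;
#   * ARGS of "" (two double quotes) matches only an empty argument list;
#   * any other ARGS is a glob matched against the space-joined arguments,
#     as sudoers does with fnmatch(3); the shell's "case" does the same job;
#   * when several entries match, the LAST one wins, exactly as in sudoers.

# sudoers_decide RULES CMD [ARG...]  -> prints "allow" or "deny"
sudoers_decide() {
    rules=$1; cmd=$2; shift 2
    args=$*                 # what sudo compares: arguments joined by spaces
    verdict=deny            # no matching entry at all -> "Sorry, user ... is not allowed"
    old_ifs=$IFS; IFS='
'
    set -f                  # no pathname expansion while splitting rule lines
    set -- $rules
    set +f
    IFS=$old_ifs
    for rule in "$@"; do
        action=${rule%%|*}
        rest=${rule#*|}
        rcmd=${rest%%|*}
        case $rest in *'|'*) rargs=${rest#*|} ;; *) rargs='' ;; esac
        [ "$rcmd" = "$cmd" ] || continue
        if [ -z "$rargs" ]; then
            :                                   # bare command: any arguments match
        elif [ "$rargs" = '""' ]; then
            [ -z "$args" ] || continue          # "" : only no arguments match
        else
            case "$args" in $rargs) ;; *) continue ;; esac
        fi
        verdict=$action                         # a later match overrides an earlier one
    done
    printf '%s\n' "$verdict"
}

# The thread's rule sets in the model's notation.
# 1. SYSADM MH = (ALL) NOROOT,USER : the deny comes first, the bare passwd entry last
RULES_NOROOT_FIRST='deny|/usr/bin/passwd|root
allow|/usr/sbin/adduser|
allow|/usr/bin/passwd|
allow|/bin/chown|
allow|/usr/sbin/userdel|'
# 2. SYSADM MH = (ALL) USER,NOROOT : deny last, but the bare entry still matches "sudo passwd"
RULES_USER_FIRST='allow|/usr/sbin/adduser|
allow|/usr/bin/passwd|
allow|/bin/chown|
allow|/usr/sbin/userdel|
deny|/usr/bin/passwd|root'
# 3. USER = /usr/bin/passwd [A-z0-1] : a one-character pattern, so no real name matches
RULES_ONE_CHAR='allow|/usr/bin/passwd|[A-z0-1]
deny|/usr/bin/passwd|root'
# 4. USER = /usr/bin/passwd [A-z0-1]* : the corrected pattern
RULES_STARRED='allow|/usr/bin/passwd|[A-z0-1]*
deny|/usr/bin/passwd|root'

noroot_first() { sudoers_decide "$RULES_NOROOT_FIRST" "$@"; }
user_first()   { sudoers_decide "$RULES_USER_FIRST" "$@"; }
one_char()     { sudoers_decide "$RULES_ONE_CHAR" "$@"; }
starred()      { sudoers_decide "$RULES_STARRED" "$@"; }

# Replay the commands Edward tried against each rule set.
demo() {
    for rs in noroot_first user_first one_char starred; do
        printf '%-13s sudo passwd root   -> %s\n' "$rs" "$($rs /usr/bin/passwd root)"
        printf '%-13s sudo passwd        -> %s\n' "$rs" "$($rs /usr/bin/passwd)"
        printf '%-13s sudo passwd edward -> %s\n' "$rs" "$($rs /usr/bin/passwd edward)"
    done
}
demo
```

Running it reproduces the thread: with NOROOT first, `passwd root` is allowed because the bare `/usr/bin/passwd` entry matches last; with USER first, `passwd root` is denied but a bare `passwd` is still allowed, which is the behaviour Gordon Messmer explains is not a bug; `[A-z0-1]` without `*` denies everything Edward tried; `[A-z0-1]*` allows `passwd edward` and denies both `passwd root` and the argument-less call. The model ignores host, user and run-as matching and sudoers' exact fnmatch flags; it is only meant to make the ordering and pattern rules visible.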
From: edwardspl at ita.org.mo (edwardspl at ita.org.mo)
Date: Wed, 19 Nov 2008 12:52:30 +0800
Subject: [sudo-users] How to disable ( deny ) user to change the password of root
In-Reply-To: <20081119021411.GG1169@fubar.loosenut.com>
References: <49213001.5030003@ita.org.mo> <200811181121.26864.scarville@landam.com> <492360AC.7020408@ita.org.mo> <200811181718.10849.scarville@landam.com> <20081119021411.GG1169@fubar.loosenut.com>
Message-ID: <49239B8E.9060902@ita.org.mo>

Dear All,

For /usr/bin/upasswd :

#!/bin/sh

# Validate that a username was given as an argument
[ -n "$1" ] || {
    echo "Use: upasswd " >&2
    exit 64
}

# Validate that the username wasn't "root"
[ "$1" != "root" ] || {
    echo "Can't set the root user's password" >&2
    exit 77
}

# Use -- to make sure that the "username" given wasn't just
# a switch that passwd would interpret.
# THIS ONLY WORKS ON GNU SYSTEMS.
passwd -- "$1"

For visudo :

SYSADM MH = (ALL) /usr/bin/upasswd

Notice: * without any option after "/usr/bin/upasswd"...

So, the test result is okay now:

[manager at xxx bin]$ sudo upasswd
Use: upasswd
[manager at xxx bin]$ sudo upasswd root
Can't set the root user's password
[manager at xxx bin]$ sudo upasswd edward
Changing password for user edward.
New UNIX password:

Many thanks for your help!

* This procedure works on FC9...

Edward.

Russell Van Tassell wrote:
> On Tue, Nov 18, 2008 at 05:18:10PM -0800, Stephen Carville wrote:
>>> [Preventing root passwd change using sudo]
>>
>> In truth, Gordon Messmer's suggestion is probably more secure. The only
>> change I'd make would be to embed the sudo command in the script.
>> Something like:
>>
>> [...]
>>
>> Then give sudo permissions something like:
>>
>> SYSADM MH = (ALL) /usr/bin/passwd -- [A-z0-1]*
>
> Just "devil's advocate," caveat emptor, buyer beware and all that jazz...
>
> This still doesn't prevent people from doing things such as:
>
> /usr/bin/sudo /usr/bin/sh /usr/bin/passwd
>
> ...or other similar "nasty" things (the list is quite huge). This also
> presumes, of course, that the "typical" sudoers file allows more than it
> prevents/excludes.

From yinyang at eburg.com Tue Nov 18 11:36:56 2008
From: yinyang at eburg.com (Gordon Messmer)
Date: Tue, 18 Nov 2008 08:36:56 -0800
Subject: [sudo-users] How to disable ( deny ) user to change the password of root
In-Reply-To: <492244D7.2060204@ita.org.mo>
References: <49213001.5030003@ita.org.mo> <200811171059.11486.scarville@landam.com> <492244D7.2060204@ita.org.mo>
Message-ID: <4922EF28.1020304@eburg.com>

edwardspl at ita.org.mo wrote:
> BUT there is another problem with it ( I think it is a bug of sudo ).....
>
> When you enter "sudo passwd" without the option (eg: userid):
>
> [manager at xxx ~]$ sudo passwd
> Changing password for user root.
> New UNIX password:

That's not a bug. "sudo" doesn't know what you're trying to do, only
whether or not your commands match the patterns in its configuration
files. They do, so sudo allows the access.

> OH... the user manager can change the root password?
>
> So, is there any solution for this problem?

Yes, there is. Don't let users execute any of those commands directly.
Write shell scripts that validate the commands that you want them to
execute, and only allow users to execute those with sudo. For example:

passwd-wrapper:
#!/bin/sh

# Validate that a username was given as an argument
[ -n "$1" ] || {
    echo "Use: passwd-wrapper " >&2
    exit 64
}

# Validate that the username wasn't "root"
[ "$1" != "root" ] || {
    echo "Can't set the root user's password" >&2
    exit 77
}

# Use -- to make sure that the "username" given wasn't just
# a switch that passwd would interpret.
# THIS ONLY WORKS ON GNU SYSTEMS.
passwd -- "$1"

From stevetucknott at yahoo.co.uk Thu Nov 20 07:50:21 2008
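Gordon Messmer's wrapper checks two things: that an argument was given and that it is not spelled "root". A defender deploying this pattern usually wants a little more, and the following is an added example written for this page, not Gordon's script, not Edward's /usr/bin/upasswd and not part of sudo. It tightens the same idea in three ways: the argument must look like an account name (lowercase letter or underscore, then letters, digits, underscore or dash), so options, whitespace and shell metacharacters never reach passwd and the GNU-only `--` is no longer needed; the target is refused when its UID is 0 rather than only when its name is "root", so any second superuser account is covered; and the account must exist. The install path `/usr/local/sbin/upasswd` and the `PASSWD_FILE` variable are assumptions of this example (the latter exists so the checks can be run against a constructed passwd file; a production copy would query getent(1) so NIS/LDAP accounts are seen too).

```shell
#!/bin/sh
# Added example, not Gordon Messmer's script and not part of sudo: a stricter
# variant of the passwd wrapper discussed in this thread. Install it
# root-owned, mode 0755, e.g. as /usr/local/sbin/upasswd (an assumed name),
# and make it the only passwd-related command in sudoers, e.g.
#     manager ALL = (root) /usr/local/sbin/upasswd
# PASSWD_FILE is an assumption made so that the checks can be exercised
# against a constructed file; in production use getent(1) instead.

PASSWD_FILE=${PASSWD_FILE:-/etc/passwd}

# check_target_user NAME -> returns 0 if NAME may be changed by this wrapper;
# otherwise prints the reason on stderr and returns a sysexits-style code.
check_target_user() {
    name=$1
    # Must look like a login name: options, spaces and metacharacters are
    # rejected here, before passwd ever sees the argument.
    case $name in
        ''|[!a-z_]*|*[!a-z0-9_-]*)
            echo "refusing '$name': not a valid account name" >&2
            return 64 ;;                     # EX_USAGE
    esac
    # Field 1 of the passwd database is the login name, field 3 the UID.
    uid=$(awk -F: -v n="$name" '$1 == n { print $3; exit }' "$PASSWD_FILE")
    if [ -z "$uid" ]; then
        echo "refusing '$name': no such account" >&2
        return 67                            # EX_NOUSER
    fi
    # Refuse every superuser account, not only the one spelled "root".
    if [ "$uid" -eq 0 ]; then
        echo "refusing '$name': account has UID 0" >&2
        return 77                            # EX_NOPERM, as in the thread's wrapper
    fi
    return 0
}

main() {
    [ $# -eq 1 ] || { echo "Use: $0 USERNAME" >&2; exit 64; }
    check_target_user "$1" || exit $?
    # The name cannot start with '-', so no "--" is needed and the call stays
    # portable to non-GNU passwd implementations.
    exec /usr/bin/passwd "$1"
}

# Run the wrapper only when invoked under its installed name, so the function
# above can also be sourced and exercised on its own.
case ${0##*/} in upasswd) main "$@" ;; esac
```

Keeping the validation in a function that returns distinct exit codes makes the wrapper testable without touching a real passwd database, and the codes (64, 67, 77) are the sysexits(3) values the thread's wrapper already used for usage and permission errors. The wrapper is still only a filter in front of passwd; it does nothing about the broader sudoers exposure Russell Van Tassell points out, so the rest of the user's sudoers entry has to stay as narrow as the wrapper itself.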
From: stevetucknott at yahoo.co.uk (Steve T)
Date: Thu, 20 Nov 2008 12:50:21 +0000
Subject: [sudo-users] Fc9 sudo 1.6.9p13 - env_reset and PATH env var
Message-ID: <1227185421.11710.58.camel@localhost.localdomain>

I have been using sudo on FC from fc4 onwards. In FC9 the behaviour seems
slightly different in as much that it now appears that env_reset is the
default. That is fine in itself (it took a while to realise that you had
to use !env_reset to turn this flag off) - but even with !env_reset in the
sudoers file, the PATH is still being reset to 'presumably' a secure path.
I've tried adding PATH to env_keep as well, but that had no effect, and
trying to unset !secure_path causes an error in visudo. How can I keep the
user's PATH intact?

I searched for env_reset in the archives and couldn't see anything
relevant, but looking through the November threads I did see:

  sudo can't find an executable in my $PATH!

That entry seemed to be caused by a compile time setting of secure_path -
but I looked at the sudo -V output for me and can't see that that is the
case here.

The sudo -V output is:

Sudo version 1.6.9p13
Sudoers path: /etc/sudoers
Authentication methods: 'pam'
Syslog facility if syslog is being used for logging: authpriv
Syslog priority to use when user authenticates successfully: notice
Syslog priority to use when user authenticates unsuccessfully: alert
Ignore '.' in $PATH
Send mail if the user is not in sudoers
Use a separate timestamp for each user/tty combo
Lecture user the first time they run sudo
Require users to authenticate by default
Root may run sudo
Allow some information gathering to give useful error messages
Visudo will honor the EDITOR environment variable
Set the LOGNAME and USER environment variables
Length at which to wrap log file lines (0 for no wrap): 80
Authentication timestamp timeout: 5 minutes
Password prompt timeout: 5 minutes
Number of tries to enter a password: 3
Umask to use or 0777 to use user's: 022
Address to send mail to: root
Subject line for mail messages: *** SECURITY information for %h ***
Incorrect password message: Sorry, try again.
Path to authentication timestamp dir: /var/run/sudo
Default password prompt: [sudo] password for %p:
Default user to run commands as: root
Path to the editor for use by visudo: /bin/vi
When to require a password for 'list' pseudocommand: any
When to require a password for 'verify' pseudocommand: all
File containing dummy exec functions: /usr/libexec/sudo_noexec.so
Reset the environment to a default set of variables
Environment variables to check for sanity:
        TERM
        LINGUAS
        LC_*
        LANGUAGE
        LANG
        COLORTERM
Environment variables to remove:
        RUBYOPT
        RUBYLIB
        PYTHONINSPECT
        PYTHONPATH
        PYTHONHOME
        TMPPREFIX
        ZDOTDIR
        READNULLCMD
        NULLCMD
        FPATH
        PERL5DB
        PERL5OPT
        PERL5LIB
        PERLLIB
        PERLIO_DEBUG
        JAVA_TOOL_OPTIONS
        SHELLOPTS
        GLOBIGNORE
        PS4
        BASH_ENV
        ENV
        TERMCAP
        TERMPATH
        TERMINFO_DIRS
        TERMINFO
        _RLD*
        LD_*
        PATH_LOCALE
        NLSPATH
        HOSTALIASES
        RES_OPTIONS
        LOCALDOMAIN
        CDPATH
        IFS
Environment variables to preserve:
        XAUTHORIZATION
        XAUTHORITY
        TZ
        PS2
        PS1
        PATH
        MAIL
        LS_COLORS
        KRB5CCNAME
        HOSTNAME
        DISPLAY
        COLORS

....so PATH appears to be in the list to be preserved, but gets reset.

The sudoers file is:

## Sudoers allows particular users to run various commands as
## the root user, without needing the root password.
##
## Examples are provided at the bottom of the file for collections
## of related commands, which can then be delegated out to particular
## users or groups.
##
## This file must be edited with the 'visudo' command.

## Host Aliases
## Groups of machines. You may prefer to use hostnames (perhaps using
## wildcards for entire domains) or IP addresses instead.
# Host_Alias     FILESERVERS = fs1, fs2
# Host_Alias     MAILSERVERS = smtp, smtp2

## User Aliases
## These aren't often necessary, as you can use regular groups
## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname
## rather than USERALIAS
# User_Alias ADMINS = jsmith, mikem

## Command Aliases
## These are groups of related commands...

## Networking
Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool

## Installation and management of software
Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum

## Services
Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig

## Updating the locate database
Cmnd_Alias LOCATE = /usr/sbin/updatedb

## Storage
Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount

## Delegating permissions
Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp

## Processes
Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall

## Drivers
Cmnd_Alias DRIVERS = /sbin/modprobe

# Defaults specification

#
# Disable "ssh hostname sudo ", because it will show the password in clear.
# You have to run "ssh -t hostname sudo ".
#
# Defaults    requiretty

#Defaults env_reset
Defaults !env_reset
#Defaults    env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS"
#Defaults    env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
#Defaults    env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
#Defaults    env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
#Defaults    env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"
Defaults    env_keep += "PATH"

## Next comes the main part: which users can run what software on
## which machines (the sudoers file can be shared between multiple
## systems).
## Syntax:
##
##      user    MACHINE=COMMANDS
##
## The COMMANDS section may have other options added to it.
##
## Allow root to run any commands anywhere
root    ALL=(ALL)       ALL

## Allows members of the 'sys' group to run networking, software,
## service management apps and more.
# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS

## Allows people in group wheel to run all commands
# %wheel        ALL=(ALL)       ALL

## Same thing without a password
# %wheel        ALL=(ALL)       NOPASSWD: ALL

## Allows members of the users group to mount and unmount the
## cdrom as root
# %users  ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom

## Allows members of the users group to shutdown this system
# %users  localhost=/sbin/shutdown -h now

stevet ALL=(ALL) ALL

From stevetucknott at yahoo.co.uk Thu Nov 20 07:30:23 2008
From: stevetucknott at yahoo.co.uk (Steve T)
Date: Thu, 20 Nov 2008 12:30:23 +0000
Subject: [sudo-users] Fc9 sudo 1.6.9p13 - env_reset and PATH env var
In-Reply-To: <1227183970.11710.49.camel@localhost.localdomain>
References: <1227170898.11710.20.camel@localhost.localdomain>
	<1227183970.11710.49.camel@localhost.localdomain>
Message-ID: <1227184223.11710.53.camel@localhost.localdomain>

I have been using sudo on FC from fc4 onwards.
In FC9 the behaviour seems slightly different in as much that it now appears that env_reset is the default. That is fine in itself (it took a while to realise that you had to use !env_reset to turn this flag off) - but even with !env_reset in the sudoers file, the PATH is still being reset to 'presumably' a secure path. I've tried adding PATH to env_keep as well, but that had no effect, and trying to unset !secure_path causes an error in visudo. How can I keep the user's PATH intact?

I searched for env_reset in the archives and couldn't see anything relevant, but looking through the November threads I did see:
sudo can't find an executable in my $PATH!

That entry seemed to be caused by a compile time setting of secure_path - but I looked at the sudo -V output for me and can't see that that is the case here.

The sudo -V output is:
Sudo version 1.6.9p13

Sudoers path: /etc/sudoers
Authentication methods: 'pam'
Syslog facility if syslog is being used for logging: authpriv
Syslog priority to use when user authenticates successfully: notice
Syslog priority to use when user authenticates unsuccessfully: alert
Ignore '.' in $PATH
Send mail if the user is not in sudoers
Use a separate timestamp for each user/tty combo
Lecture user the first time they run sudo
Require users to authenticate by default
Root may run sudo
Allow some information gathering to give useful error messages
Visudo will honor the EDITOR environment variable
Set the LOGNAME and USER environment variables
Length at which to wrap log file lines (0 for no wrap): 80
Authentication timestamp timeout: 5 minutes
Password prompt timeout: 5 minutes
Number of tries to enter a password: 3
Umask to use or 0777 to use user's: 022
Address to send mail to: root
Subject line for mail messages: *** SECURITY information for %h ***
Incorrect password message: Sorry, try again.
Path to authentication timestamp dir: /var/run/sudo
Default password prompt: [sudo] password for %p:
Default user to run commands as: root
Path to the editor for use by visudo: /bin/vi
When to require a password for 'list' pseudocommand: any
When to require a password for 'verify' pseudocommand: all
File containing dummy exec functions: /usr/libexec/sudo_noexec.so
Reset the environment to a default set of variables
Environment variables to check for sanity:
    TERM LINGUAS LC_* LANGUAGE LANG COLORTERM
Environment variables to remove:
    RUBYOPT RUBYLIB PYTHONINSPECT PYTHONPATH PYTHONHOME TMPPREFIX ZDOTDIR
    READNULLCMD NULLCMD FPATH PERL5DB PERL5OPT PERL5LIB PERLLIB PERLIO_DEBUG
    JAVA_TOOL_OPTIONS SHELLOPTS GLOBIGNORE PS4 BASH_ENV ENV TERMCAP TERMPATH
    TERMINFO_DIRS TERMINFO _RLD* LD_* PATH_LOCALE NLSPATH HOSTALIASES
    RES_OPTIONS LOCALDOMAIN CDPATH IFS
Environment variables to preserve:
    XAUTHORIZATION XAUTHORITY TZ PS2 PS1 PATH MAIL LS_COLORS KRB5CCNAME
    HOSTNAME DISPLAY COLORS

....so PATH appears to be in the list to be preserved, but gets reset.

The sudoers file is:
## Sudoers allows particular users to run various commands as
## the root user, without needing the root password.
##
## Examples are provided at the bottom of the file for collections
## of related commands, which can then be delegated out to particular
## users or groups.
##
## This file must be edited with the 'visudo' command.

## Host Aliases
## Groups of machines. You may prefer to use hostnames (perhaps using
## wildcards for entire domains) or IP addresses instead.
# Host_Alias     FILESERVERS = fs1, fs2
# Host_Alias     MAILSERVERS = smtp, smtp2

## User Aliases
## These aren't often necessary, as you can use regular groups
## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname
## rather than USERALIAS
# User_Alias ADMINS = jsmith, mikem

## Command Aliases
## These are groups of related commands...

## Networking
Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool

## Installation and management of software
Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum

## Services
Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig

## Updating the locate database
Cmnd_Alias LOCATE = /usr/sbin/updatedb

## Storage
Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount

## Delegating permissions
Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp

## Processes
Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall

## Drivers
Cmnd_Alias DRIVERS = /sbin/modprobe

# Defaults specification

#
# Disable "ssh hostname sudo ", because it will show the password in clear.
# You have to run "ssh -t hostname sudo ".
#
Defaults    requiretty

#Defaults    env_reset
Defaults    !env_reset
#Defaults    env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS"
#Defaults    env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
#Defaults    env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
#Defaults    env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
#Defaults    env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"
Defaults    env_keep += "PATH"

## Next comes the main part: which users can run what software on
## which machines (the sudoers file can be shared between multiple
## systems).
## Syntax:
##
##      user    MACHINE=COMMANDS
##
## The COMMANDS section may have other options added to it.
##
## Allow root to run any commands anywhere
root    ALL=(ALL)       ALL

## Allows members of the 'sys' group to run networking, software,
## service management apps and more.
# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS

## Allows people in group wheel to run all commands
# %wheel        ALL=(ALL)       ALL

## Same thing without a password
# %wheel        ALL=(ALL)       NOPASSWD: ALL

## Allows members of the users group to mount and unmount the
## cdrom as root
# %users  ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom

## Allows members of the users group to shutdown this system
# %users  localhost=/sbin/shutdown -h now

stevet  ALL=(ALL)       ALL

From scarville at landam.com Fri Nov 21 12:50:19 2008
From: scarville at landam.com (Stephen Carville)
Date: Fri, 21 Nov 2008 09:50:19 -0800
Subject: [sudo-users] How to disable ( deny ) user to change the password of root
In-Reply-To: <20081119021411.GG1169@fubar.loosenut.com>
References: <49213001.5030003@ita.org.mo>
	<200811181718.10849.scarville@landam.com>
	<20081119021411.GG1169@fubar.loosenut.com>
Message-ID: <200811210950.19934.scarville@landam.com>

On Tuesday 18 November 2008 18:14, Russell Van Tassell wrote:
> On Tue, Nov 18, 2008 at 05:18:10PM -0800, Stephen Carville wrote:
> > [Preventing root passwd change using sudo]
> >
> > In truth, Gordon Messmer's suggestion is probably more secure. The only
> > change I'd make would be to embed the sudo command in the script.
> > Something like.
> >
> > [...]
> >
> > Then give sudo permissions something like:
> >
> > SYSADM MH = (ALL) /usr/bin/passwd -- [A-z0-1]*
>
> Just "devil's advocate," caveat emptor, buyer beware and all that jazz...
>
> This still doesn't prevent people from doing things such as:
>
> /usr/bin/sudo /usr/bin/sh /usr/bin/passwd
>
> ...or other similar "nasty" things (the list is quite huge). This also
> presumes, of course, that the "typical" sudoers file allows more than it
> prevents/excludes.

Absolutely and, personally, I only use sudo where the access control needed is either ALL or nothing plus a few commands. Outside that I will use the consolehelper program found in Redhat, CentOS and Fedora.

-- 
Stephen Carville
Systems Engineer
Land America
1.626.667.1450 X1326
============================================================
Any security software design that doesn't assume the enemy possesses the source code is already untrustworthy.
-- Eric Raymond

From stevetucknott at yahoo.co.uk Sat Nov 22 04:46:28 2008
From: stevetucknott at yahoo.co.uk (Steve T)
Date: Sat, 22 Nov 2008 09:46:28 +0000
Subject: [sudo-users] Fc9 sudo 1.6.9p13 - env_reset and PATH env var
In-Reply-To: <1227185421.11710.58.camel@localhost.localdomain>
References: <1227185421.11710.58.camel@localhost.localdomain>
Message-ID: <1227347188.11710.124.camel@localhost.localdomain>

Apologies for chasing this, but I have tried various forums and got no reply and I need to get sudo working as it was.
I can see that I can build sudo from source, but I need to know whether the problem I'm getting is simply fixable via the sudoers settings or if it is a bug in the FC9 version (I say that because if what I'm experiencing is a bug, then compiling from source will have no effect).
Does anyone have any ideas how I can keep PATH and stop it from being reset?

On Thu, 2008-11-20 at 12:50 +0000, Steve T wrote:
> I have been using sudo on FC from fc4 onwards.
> In FC9 the behaviour seems slightly different in as much that it now
> appears that env_reset is the default. That is fine in itself (it took a
> while to realise that you had to use !env_reset to turn this flag off) -
> but even with !env_reset in the sudoers file, the PATH is still being
> reset to 'presumably' a secure path. I've tried adding PATH to env_keep
> as well, but that had no effect, and trying to unset !secure_path causes
> an error in visudo. How can I keep the user's PATH intact?
>
> I searched for env_reset in the archives and couldn't see anything
> relevant, but looking through the November threads I did see:
> sudo can't find an executable in my $PATH!
>
> That entry seemed to be caused by a compile time setting of secure_path
> - but I looked at the sudo -V output for me and can't see that that is
> the case here.
>
> The sudo -V output is:
> Sudo version 1.6.9p13
>
> Sudoers path: /etc/sudoers
> Authentication methods: 'pam'
> Syslog facility if syslog is being used for logging: authpriv
> Syslog priority to use when user authenticates successfully: notice
> Syslog priority to use when user authenticates unsuccessfully: alert
> Ignore '.' in $PATH
> Send mail if the user is not in sudoers
> Use a separate timestamp for each user/tty combo
> Lecture user the first time they run sudo
> Require users to authenticate by default
> Root may run sudo
> Allow some information gathering to give useful error messages
> Visudo will honor the EDITOR environment variable
> Set the LOGNAME and USER environment variables
> Length at which to wrap log file lines (0 for no wrap): 80
> Authentication timestamp timeout: 5 minutes
> Password prompt timeout: 5 minutes
> Number of tries to enter a password: 3
> Umask to use or 0777 to use user's: 022
> Address to send mail to: root
> Subject line for mail messages: *** SECURITY information for %h ***
> Incorrect password message: Sorry, try again.
> Path to authentication timestamp dir: /var/run/sudo
> Default password prompt: [sudo] password for %p:
> Default user to run commands as: root
> Path to the editor for use by visudo: /bin/vi
> When to require a password for 'list' pseudocommand: any
> When to require a password for 'verify' pseudocommand: all
> File containing dummy exec functions: /usr/libexec/sudo_noexec.so
> Reset the environment to a default set of variables
> Environment variables to check for sanity:
>     TERM LINGUAS LC_* LANGUAGE LANG COLORTERM
> Environment variables to remove:
>     RUBYOPT RUBYLIB PYTHONINSPECT PYTHONPATH PYTHONHOME TMPPREFIX ZDOTDIR
>     READNULLCMD NULLCMD FPATH PERL5DB PERL5OPT PERL5LIB PERLLIB PERLIO_DEBUG
>     JAVA_TOOL_OPTIONS SHELLOPTS GLOBIGNORE PS4 BASH_ENV ENV TERMCAP TERMPATH
>     TERMINFO_DIRS TERMINFO _RLD* LD_* PATH_LOCALE NLSPATH HOSTALIASES
>     RES_OPTIONS LOCALDOMAIN CDPATH IFS
> Environment variables to preserve:
>     XAUTHORIZATION XAUTHORITY TZ PS2 PS1 PATH MAIL LS_COLORS KRB5CCNAME
>     HOSTNAME DISPLAY COLORS
>
> ....so PATH appears to be in the list to be preserved, but gets reset.
>
> The sudoers file is:
> ## Sudoers allows particular users to run various commands as
> ## the root user, without needing the root password.
> ##
> ## Examples are provided at the bottom of the file for collections
> ## of related commands, which can then be delegated out to particular
> ## users or groups.
> ##
> ## This file must be edited with the 'visudo' command.
>
> ## Host Aliases
> ## Groups of machines. You may prefer to use hostnames (perhaps using
> ## wildcards for entire domains) or IP addresses instead.
> # Host_Alias     FILESERVERS = fs1, fs2
> # Host_Alias     MAILSERVERS = smtp, smtp2
>
> ## User Aliases
> ## These aren't often necessary, as you can use regular groups
> ## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname
> ## rather than USERALIAS
> # User_Alias ADMINS = jsmith, mikem
>
>
> ## Command Aliases
> ## These are groups of related commands...
>
> ## Networking
> Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool
>
> ## Installation and management of software
> Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum
>
> ## Services
> Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig
>
> ## Updating the locate database
> Cmnd_Alias LOCATE = /usr/sbin/updatedb
>
> ## Storage
> Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount
>
> ## Delegating permissions
> Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp
>
> ## Processes
> Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall
>
> ## Drivers
> Cmnd_Alias DRIVERS = /sbin/modprobe
>
> # Defaults specification
>
> #
> # Disable "ssh hostname sudo ", because it will show the password in clear.
> # You have to run "ssh -t hostname sudo ".
> #
> Defaults    requiretty
>
> #Defaults    env_reset
> Defaults    !env_reset
> #Defaults    env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS"
> #Defaults    env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
> #Defaults    env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
> #Defaults    env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
> #Defaults    env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"
> Defaults    env_keep += "PATH"
>
> ## Next comes the main part: which users can run what software on
> ## which machines (the sudoers file can be shared between multiple
> ## systems).
> ## Syntax:
> ##
> ##      user    MACHINE=COMMANDS
> ##
> ## The COMMANDS section may have other options added to it.
> ##
> ## Allow root to run any commands anywhere
> root    ALL=(ALL)       ALL
>
> ## Allows members of the 'sys' group to run networking, software,
> ## service management apps and more.
> # %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS
>
> ## Allows people in group wheel to run all commands
> # %wheel        ALL=(ALL)       ALL
>
> ## Same thing without a password
> # %wheel        ALL=(ALL)       NOPASSWD: ALL
>
> ## Allows members of the users group to mount and unmount the
> ## cdrom as root
> # %users  ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom
>
> ## Allows members of the users group to shutdown this system
> # %users  localhost=/sbin/shutdown -h now
>
> stevet  ALL=(ALL)       ALL
>
>
>
> ____________________________________________________________
> sudo-users mailing list
> For list information, options, or to unsubscribe, visit:
> http://www.sudo.ws/mailman/listinfo/sudo-users

From valdemirs at gmail.com Mon Nov 24 06:01:58 2008
From: valdemirs at gmail.com (Valdemir Santos)
Date: Mon, 24 Nov 2008 09:01:58 -0200
Subject: [sudo-users] Disabling root to execute vi
Message-ID:

Hi:
Can you tell me how to disable root to execute vi ?
I put this line with no success...

Cmnd_Alias ADMCMD = !/usr/bin/vi,!/usr/xpg4/bin/vi,!/usr/ucb/vi,!/bin/vi, ALL

From mgdpz1 at gmail.com Mon Nov 24 06:18:01 2008
From: mgdpz1 at gmail.com (Manuel Gomez)
Date: Mon, 24 Nov 2008 12:18:01 +0100
Subject: [sudo-users] Help - I need to allow my normal user for use Shorewall, how?
Message-ID: <1227525481.18989.5.camel@vrp>

Hi, i would like to use my frontend netfilter (iptables) shorewall commands with sudo, but i don't know how to change /etc/sudoers/ to allow it. What could i change?

Thank you very much, I appreciate your help.

From spinler.patrick at mayo.edu Mon Nov 24 12:05:25 2008
From: spinler.patrick at mayo.edu (Patrick Spinler)
Date: Mon, 24 Nov 2008 11:05:25 -0600
Subject: [sudo-users] Sudo and x11 with root-squash NFS home dirs
Message-ID: <492ADED5.4010608@mayo.edu>

I suspect my answer is that I'm S.O.L., but I'd like to ask nevertheless:

We run NFS home directories on our servers, with root-squash set on the NFS server. That means that e.g. the .Xauthority file in my $HOME looks (correctly) like this:

-rw------- 1 ap00375 ap00375 3938 Nov 24 10:35 .Xauthority

My use case is to ssh -X some-server, then run "sudo some-X11-command". However, with root-squash on the NFS server, when I do a "sudo some-X11-command", the command running with EUID 0 tries to read my .XAuthority. Of course it's denied and some-X11-command can't access my ssh forwarded localhost:10 $DISPLAY.

As I mentioned I think I'm pretty much out of luck here, but just to be sure, does anyone have any ideas on how to combine ssh X11 forwarding, sudo X11-commands, and root-squashed NFS home dirs?

Thanks!
-- Pat

From valdemirs at gmail.com Mon Nov 24 13:58:27 2008
From: valdemirs at gmail.com (Valdemir Santos)
Date: Mon, 24 Nov 2008 16:58:27 -0200
Subject: [sudo-users] Sudo + NIS
Message-ID:

Is there any way to put a sudoers file in a NIS server ?

From mlh at zip.com.au Mon Nov 24 18:36:03 2008
From: mlh at zip.com.au (Matthew Hannigan)
Date: Tue, 25 Nov 2008 10:36:03 +1100
Subject: [sudo-users] Disabling root to execute vi
In-Reply-To:
References:
Message-ID: <20081124233603.GA8191@evofed.localdomain>

On Mon, Nov 24, 2008 at 09:01:58AM -0200, Valdemir Santos wrote:
> Hi:
> Can you tell me how disable root to execute vi ?
> I put this line with no success...
>
>
> Cmnd_Alias ADMCMD = !/usr/bin/vi,!/usr/xpg4/bin/vi,!/usr/ucb/vi,!/bin/vi, ALL

Two points.

1. There should be a big sign on the front of sudo saying:
   DO NOT USE THE EXCLUDE FEATURE (ie. !)
   It's just too hairy and prone to misconfiguration and misunderstanding.

Relatedly:

2. sudo is for ALLOWING extra access not restricting.
   Just don't give access to vi in the first place, i.e.
   DO NOT USE 'ALL' unless you mean ALL

Apart from that, what do you mean 'disable root'? Do you mean disable normal users to run vi as root? Or do you really mean disable root?

From dave.parson at daimler.com Mon Nov 24 18:45:59 2008
From: dave.parson at daimler.com (dave.parson at daimler.com)
Date: Mon, 24 Nov 2008 15:45:59 -0800
Subject: [sudo-users] Disabling root to execute vi
In-Reply-To: <20081124233603.GA8191@evofed.localdomain>
Message-ID:

Replace your line with this:

Cmnd_Alias ADMCMD = (ALL) ALL, !/usr/bin/vi,!/usr/xpg4/bin/vi,!/usr/ucb/vi,!/bin/vi

or

Cmnd_Alias ADMCMD = (someuser or aliases) ALL, !/usr/bin/vi,!/usr/xpg4/bin/vi,!/usr/ucb/vi,!/bin/vi

Or what I like to do is list the common "can't do the following" into a CMD alias and to

xxx = ALL, !NOROOTSUFF

mlh at zip.com.au
Sent by: sudo-users-bounces at courtesan.com
11/24/2008 03:36 PM

To: valdemirs at gmail.com
cc: sudo-users at sudo.ws
Subject: Re: [sudo-users] Disabling root to execute vi

On Mon, Nov 24, 2008 at 09:01:58AM -0200, Valdemir Santos wrote:
> Hi:
> Can you tell me how disable root to execute vi ?
> I put this line with no success...
>
>
> Cmnd_Alias ADMCMD = !/usr/bin/vi,!/usr/xpg4/bin/vi,!/usr/ucb/vi,!/bin/vi, ALL

Two points.

1. There should be a big sign on the front of sudo saying:
   DO NOT USE THE EXCLUDE FEATURE (ie. !)
   It's just too hairy and prone to misconfiguration and misunderstanding.

Relatedly:

2. sudo is for ALLOWING extra access not restricting.
   Just don't give access to vi in the first place, i.e.
   DO NOT USE 'ALL' unless you mean ALL

Apart from that, what do you mean 'disable root'? Do you mean disable normal users to run vi as root? Or do you really mean disable root?

From mgdpz1 at gmail.com Tue Nov 25 09:45:16 2008
From: mgdpz1 at gmail.com (Manuel Gomez)
Date: Tue, 25 Nov 2008 15:45:16 +0100
Subject: [sudo-users] I want to limit root
Message-ID: <1227624316.4674.24.camel@vrp>

Hi, i am constantly using gksu and it's impossible for me to be secure in that way, so i am searching for the basic commands necessary for administrative matters.

For example: sh (sh scripts), cd, rm, cp, chmod, apt-get, bin and sbin (software), and gksu.

How could I write this in sudoers? Could somebody help me?

Thank you very much, I appreciate your help.

From christian.peper at kpn.com Tue Nov 25 10:27:09 2008
From: christian.peper at kpn.com (christian.peper at kpn.com)
Date: Tue, 25 Nov 2008 16:27:09 +0100
Subject: [sudo-users] I want to limit root
In-Reply-To: <1227624316.4674.24.camel@vrp>
References: <1227624316.4674.24.camel@vrp>
Message-ID: <459520CEEC42F041A8B0CFBCEE958A1101C0D6F4@KKWNLEX182.kpnnl.local>

Manuel,

I'm assuming you're using Redhat/CentOS/Fedora, you don't say.
If so, someone else mentioned the system utility consolehelper the other day.
Consolehelper will lead any system command through PAM authorization. Here is an example to get you started:
http://beranger.org/index.php?article=1958&page=3k

This way, you can allow or deny using sudoers and use PAM to permit certain users to run certain commands. Haven't worked on this yet, but I'm thinking of redoing system security this way too. You'll have to config consolehelper *for every command* you'd like to run as root.

Sudo will also let a user run commands as another user, AFAIK consolehelper can't do that.

If you do not use a redhat-flavor, I'm afraid it is a lot more complex.
Generally, you use sudo to ALLOW things, not for denying things.
And generally it is considered bad design to make a list of commands that are denied because there always is a way around that using input buffer overflow, sym links and the like.

Chris.

> -----Original Message-----
> From: sudo-users-bounces at courtesan.com
> [mailto:sudo-users-bounces at courtesan.com] On Behalf Of Manuel Gomez
> Sent: Tuesday, November 25, 2008 3:45 PM
> To: sudo-users
> Subject: [sudo-users] I want to limit root
>
> Hi, i am constantly using gksu and it's impossible for me
> being secure in that way, so i am searching basics commands
> necessary for administrative matters.
>
> For example: sh (sh scripts), cd, rm, cp, chmod, apt-get, bin
> and sbin (software), and gksu.
>
> How could I write this in sudoers? Somebody could help me?
>
> Thank you very much, I appreciate your help.
>

From mgdpz1 at gmail.com Tue Nov 25 12:56:17 2008
From: mgdpz1 at gmail.com (Manuel Gomez)
Date: Tue, 25 Nov 2008 18:56:17 +0100
Subject: [sudo-users] I want to limit root
In-Reply-To: <459520CEEC42F041A8B0CFBCEE958A1101C0D6F4@KKWNLEX182.kpnnl.local>
References: <1227624316.4674.24.camel@vrp>
	<459520CEEC42F041A8B0CFBCEE958A1101C0D6F4@KKWNLEX182.kpnnl.local>
Message-ID: <1227635777.4674.42.camel@vrp>

I am on Debian Etch, does consolehelper work for Debian? If I deny commands, i would be safer than allowing all, isn't it?

I can't use sudo because shorewall (my frontend iptables netfilter) is only usable as root, and i don't know how to accept a normal user (i have posted in the shorewall-users mailing list and nobody knew the answer, they say that i would have to ask here...).

Thank you very much for your help.

El mar, 25-11-2008 a las 16:27 +0100, christian.peper at kpn.com escribió:
> Manuel,
>
> I'm assuming you're using Redhat/CentOS/Fedora, you don't say.
> If so, someone else mentioned the system utility consolehelper the other
> day.
> Consolehelper will lead any system command thru PAM authorization. Here
> is an example to get you started:
> http://beranger.org/index.php?article=1958&page=3k
>
> This way, you can allow or deny using sudoers and use PAM to permit
> certain users to run certain commands. Haven't worked on this yet, but
> I'm thinking of redoing system security this way too. You'll have to
> config consolehelper *for every command* you'd like to run as root.
>
> Sudo will also let a user run commands as another user, AFAIK
> consolehelper can't do that.
>
> If you do not use a redhat-flavor, I'm afraid it is a lot more complex.
> Generally, you use sudo to ALLOW things, not for denying things.
> And generally it is considered bad design to make a list of commands
> that are denied because there always is a way around that using input
> buffer overflow, sym links and the like.
>
> Chris.
>
> > -----Original Message-----
> > From: sudo-users-bounces at courtesan.com
> > [mailto:sudo-users-bounces at courtesan.com] On Behalf Of Manuel Gomez
> > Sent: Tuesday, November 25, 2008 3:45 PM
> > To: sudo-users
> > Subject: [sudo-users] I want to limit root
> >
> > Hi, i am constantly using gksu and it's impossible for me
> > being secure in that way, so i am searching basics commands
> > neccesary for administrative matters.
> >
> > For example: sh (sh scripts), cd, rm, cp, chmod, apt-get, bin
> > and sbin (software), and gksu.
> >
> > How could I write this in sudoers? Somebody could help me?
> >
> > Thank you very much, I appreciate your help.
> >

From christian.peper at kpn.com Wed Nov 26 03:23:58 2008
From: christian.peper at kpn.com (christian.peper at kpn.com)
Date: Wed, 26 Nov 2008 09:23:58 +0100
Subject: [sudo-users] I want to limit root
In-Reply-To: <1227635777.4674.42.camel@vrp>
References: <1227624316.4674.24.camel@vrp>
	<459520CEEC42F041A8B0CFBCEE958A1101C0D6F4@KKWNLEX182.kpnnl.local>
	<1227635777.4674.42.camel@vrp>
Message-ID: <459520CEEC42F041A8B0CFBCEE958A1101C0D881@KKWNLEX182.kpnnl.local>

Manuel,

I think the first question is:
- what do you want to do?
Then comes the "how can I do that?".

If you want to enable users to safely set the firewall without harming anything else, maybe you can also use a jail or utilize the suid bit.
That's a bit off topic for this list, so I'll continue off list on this. :P)

Christian.

> -----Original Message-----
> From: Manuel Gomez [mailto:mgdpz1 at gmail.com]
> Sent: Tuesday, November 25, 2008 6:56 PM
> To: Peper, J.C.A. (Christian) (IT I&O System Engineering)
> Cc: sudo-users at sudo.ws
> Subject: Re: [sudo-users] I want to limit root
>
> I am on Debian Etch, console helper works for Debian? If I
> deny commands, i would be safer than allowing all, isn't it?
>
> I can't use sudo because shorewall (my frontend iptables
> netfilter) it's only usable with root, and i don't know how
> accept a normal user (i have posted in shorewall-users
> mailing list and nobody known the response, they say that i
> would have to ask here...).
>
> Thank you very much for your help.
>
> El mar, 25-11-2008 a las 16:27 +0100, christian.peper at kpn.com
> escribió:
> > Manuel,
> >
> > I'm assuming you're using Redhat/CentOS/Fedora, you don't say.
> > If so, someone else mentioned the system utility consolehelper the
> > other day.
> > Consolehelper will lead any system command thru PAM authorization.
> > Here is an example to get you started:
> > http://beranger.org/index.php?article=1958&page=3k
> >
> > This way, you can allow or deny using sudoers and use PAM to permit
> > certain users to run certain commands. Haven't worked on this yet, but
> > I'm thinking of redoing system security this way too. You'll have to
> > config consolehelper *for every command* you'ld like to run as root.
> >
> > Sudo will also let a user run commands as another user, AFAIK
> > consolehelper can't do that.
> >
> > If you do not use a redhat-flavor, I'm afraid it is a lot more complex.
> > Generally, you use sudo to ALLOW things, not for denying things.
> > And generally it is considered bad design to make a list of commands
> > that are denied because there always is a way around that using input
> > buffer overflow, sym links and the like.
> >
> > Chris.
> >
> > > -----Original Message-----
> > > From: sudo-users-bounces at courtesan.com
> > > [mailto:sudo-users-bounces at courtesan.com] On Behalf Of Manuel Gomez
> > > Sent: Tuesday, November 25, 2008 3:45 PM
> > > To: sudo-users
> > > Subject: [sudo-users] I want to limit root
> > >
> > > Hi, i am constantly using gksu and it's impossible for me being
> > > secure in that way, so i am searching basics commands neccesary for
> > > administrative matters.
> > >
> > > For example: sh (sh scripts), cd, rm, cp, chmod, apt-get, bin and
> > > sbin (software), and gksu.
> > >
> > > How could I write this in sudoers? Somebody could help me?
> > >
> > > Thank you very much, I appreciate your help.
> > >
>

From valdemirs at gmail.com Fri Nov 28 12:51:49 2008
From: valdemirs at gmail.com (Valdemir Santos)
Date: Fri, 28 Nov 2008 15:51:49 -0200
Subject: [sudo-users] Sudo in Linux
Message-ID:

How could I prevent linux users escape to the shell using vi ?
I made this:

Cmnd_Alias PRODCMD = !/usr/bin/vi,!/usr/xpg4/bin/vi,!/usr/ucb/vi,!/bin/vi

but I need set any editor to the users !

From stevetucknott at yahoo.co.uk Fri Nov 28 13:09:42 2008
From: stevetucknott at yahoo.co.uk (Steve T)
Date: Fri, 28 Nov 2008 18:09:42 +0000
Subject: [sudo-users] Sudo in Linux
In-Reply-To: 
References: 
Message-ID: <1227895782.3468.78.camel@localhost.localdomain>

In the man sudoers, there's this:

PREVENTING SHELL ESCAPES
    Once sudo executes a program, that program is free to do whatever it
    pleases, including run other programs. This can be a security issue
    since it is not uncommon for a program to allow shell escapes, which
    lets a user bypass sudo's restrictions. Common programs that permit
    shell escapes include shells (obviously), editors, paginators, mail
    and terminal programs.

    Many systems that support shared libraries have the ability to
    override default library functions by pointing an environment
    variable (usually LD_PRELOAD) to an alternate shared library. On
    such systems, sudo's noexec functionality can be used to prevent a
    program run by sudo from executing any other programs. Note,
    however, that this applies only to native dynamically-linked
    executables. Statically-linked executables and foreign executables
    running under binary emulation are not affected.

    To tell whether or not sudo supports noexec, you can run the
    following as root:

        sudo -V | grep "dummy exec"

    If the resulting output contains a line that begins with:

        File containing dummy exec functions:

    then sudo may be able to replace the exec family of functions in the
    standard library with its own that simply return an error.
    Unfortunately, there is no foolproof way to know whether or not
    noexec will work at compile-time. Noexec should work on SunOS,
    Solaris, *BSD, Linux, IRIX, Tru64 UNIX, MacOS X, and HP-UX 11.x. It
    is known not to work on AIX and UnixWare. Noexec is expected to work
    on most operating systems that support the LD_PRELOAD environment
    variable. Check your operating system's manual pages for the dynamic
    linker (usually ld.so, ld.so.1, dyld, dld.sl, rld, or loader) to see
    if LD_PRELOAD is supported.
    To enable noexec for a command, use the NOEXEC tag as documented in
    the User Specification section above. Here is that example again:

        aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi

Does that help?

On Fri, 2008-11-28 at 15:51 -0200, Valdemir Santos wrote:
> How could I prevent Linux users from escaping to the shell
> using vi?
> I made this:
> Cmnd_Alias PRODCMD = !/usr/bin/vi,!/usr/xpg4/bin/vi,!/usr/ucb/vi,!/bin/vi
> but I need to set an editor for the users!

From pdalec at gmail.com  Fri Nov 28 15:46:53 2008
From: pdalec at gmail.com (pDale)
Date: Fri, 28 Nov 2008 15:46:53 -0500
Subject: [sudo-users] Sudo in Linux
In-Reply-To: 
References: 
Message-ID: <5494c3ae0811281246s3549fb07laae5042d5cf55a16@mail.gmail.com>

On Fri, Nov 28, 2008 at 12:51 PM, Valdemir Santos wrote:
> How could I prevent Linux users from escaping to the shell using vi?

You might find this useful:
http://linuxshellaccount.blogspot.com/2008/05/restricted-accounts-and-vim-tricks-in.html

-- 
pDale Campbell
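An added sudoers fragment (not from any message in this thread) that puts the deny-list alias Valdemir posted next to the NOEXEC form the manual quoted above recommends; the user name "valdemir", host "prodhost" and the editor paths are assumptions.

```sudoers
# Added example, not from the thread. Assumed: user "valdemir", host
# "prodhost", and the editor paths below exist on this system.

# Weak form: a deny list. A negated (!) command entry never grants
# anything on its own; it only subtracts from a positive entry such as
# ALL, and it matches by path, so a copy or symlink of the editor under
# another name is not covered. This is the "list of commands that are
# denied" design the replies above advise against.
Cmnd_Alias PRODCMD = !/usr/bin/vi, !/usr/xpg4/bin/vi, !/usr/ucb/vi, !/bin/vi
valdemir prodhost = ALL, PRODCMD

# Corrected form: allow the editors explicitly and run them under
# NOEXEC, so the exec family of functions inside the editor simply
# returns an error. This covers native dynamically-linked binaries
# only, and only where "sudo -V | grep 'dummy exec'" reports a dummy
# exec library; a statically-linked editor would not be restrained.
Cmnd_Alias EDITORS = /usr/bin/vi, /usr/bin/vim, /usr/bin/more
valdemir prodhost = NOEXEC: EDITORS
```

Check the file with visudo before installing it, and confirm with "sudo -l" as the user that only the EDITORS entries are listed.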
