From tj_yang at hotmail.com Wed Oct 1 12:45:25 2008
From: tj_yang at hotmail.com (T.J. Yang)
Date: Wed, 1 Oct 2008 11:45:25 -0500
Subject: [sudo-users] how to get rid of log about TTY=unknown ?
Message-ID:

I have a program on a server using sudo to call up fping for a ping connection test. It generates lots of messages in the log file:

    sudo: hobbits : TTY=unknown ; PWD=/opt/hobbitserver42 ; USER=root ; COMMAND=/opt/fping24/sbin/fping -Ae

Anyone know how to configure sudo to avoid this kind of message?

T.J. Yang

From Todd.Miller at courtesan.com Wed Oct 1 14:05:52 2008
From: Todd.Miller at courtesan.com (Todd C. Miller)
Date: Wed, 01 Oct 2008 14:05:52 -0400
Subject: [sudo-users] how to get rid of log about TTY=unknown ?
In-Reply-To: Your message of "Wed, 01 Oct 2008 11:45:25 CDT."
References:
Message-ID: <200810011805.m91I5qDc015965@core.courtesan.com>

In message so spake "T.J. Yang" (tj_yang):

> I have a program on a server using sudo to call up fping for a ping connection
> test.
> It generates lots of messages in the log file.
>
> sudo: hobbits : TTY=unknown ; PWD=/opt/hobbitserver42 ; USER=root ;
> COMMAND=/opt/fping24/sbin/fping -Ae
>
> Anyone know how to configure sudo to avoid this kind of message ?

Sudo normally logs the tty along with the command. When there is no tty present, it logs the string "unknown" instead.

If you wish to avoid having the commands logged at all, you can either adjust your syslog.conf not to log them or change syslog_goodpri in /etc/sudoers such that your existing syslog.conf will not log the message. For example,

    Defaults syslog_goodpri=debug

would change the syslog priority for successful commands from info to debug. Assuming your syslog.conf doesn't log things at the debug level, that should prevent the messages from being logged.

 - todd

From jm91 at alpinenetworks.com Tue Oct 7 02:20:10 2008
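A note on Todd's reply above, with an added example that is not part of the thread or of the sudo project. TTY=unknown is sudo's way of saying the caller had no controlling terminal, which is exactly what a cron job, a monitoring daemon, or an attacker's non-interactive session looks like in the log. Dropping successful commands to the debug priority silences all of that user's successful sudo calls, not only fping (the Defaults:hobbits form narrows it to one user, where your sudo supports it), so the detection-minded alternative is to keep the records and classify them downstream. The script below parses sudo's syslog record layout as shown in T.J.'s message, plus the "reason ;" field sudo prefixes on denials such as "command not allowed" and "N incorrect password attempts", over constructed sample lines, and splits them into non-interactive noise, denials, and interactive use. Host names, user names and the sample lines are made up for the example.

```python
"""Classify sudo's syslog records by tty and outcome.

Added example, not from the thread or the sudo project.  Sample log lines
are constructed to look like sudo's syslog output.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# sudo's syslog record, after the syslog timestamp/host prefix:
#   sudo: <user> : [<reason> ; ]TTY=<tty> ; PWD=<dir> ; USER=<runas> ; COMMAND=<cmd>
# The optional "<reason> ;" field is present on denials ("command not allowed",
# "N incorrect password attempts", ...) and absent on allowed commands.
SUDO_RE = re.compile(
    r"sudo:\s+(?P<user>\S+)\s+:\s+"
    r"(?:(?P<reason>[^;]*?)\s+;\s+)?"
    r"TTY=(?P<tty>\S+)\s+;\s+"
    r"PWD=(?P<pwd>[^;]*?)\s+;\s+"
    r"USER=(?P<runas>\S+)\s+;\s+"
    r"COMMAND=(?P<command>.*)$"
)


@dataclass
class SudoEvent:
    user: str
    tty: str
    pwd: str
    runas: str
    command: str
    reason: Optional[str]  # None when sudo allowed and ran the command

    @property
    def allowed(self) -> bool:
        return self.reason is None

    @property
    def interactive(self) -> bool:
        # sudo logs TTY=unknown when the caller has no controlling terminal:
        # cron jobs and monitoring daemons, but also a reverse shell or a
        # non-interactive SSH command look exactly like this.
        return self.tty != "unknown"


def parse_line(line: str) -> Optional[SudoEvent]:
    """Parse one syslog line; return None for lines that are not sudo records."""
    m = SUDO_RE.search(line)
    if m is None:
        return None
    reason = m["reason"].strip() if m["reason"] else None
    return SudoEvent(m["user"], m["tty"], m["pwd"], m["runas"], m["command"].strip(), reason)


def triage(lines) -> Tuple[List[SudoEvent], List[SudoEvent], List[SudoEvent]]:
    """Split sudo records into (non-interactive successes, denials, interactive successes).

    The first bucket is the fping noise from the question; the other two are
    the lines worth keeping even when the first is routed away.
    """
    noise, denials, interactive = [], [], []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if not ev.allowed:
            denials.append(ev)
        elif not ev.interactive:
            noise.append(ev)
        else:
            interactive.append(ev)
    return noise, denials, interactive


# Constructed sample log: the monitoring host from the question plus a few
# human sessions and one unrelated sshd line.
SAMPLE_LOG = """\
Oct  1 11:45:25 hobbit sudo: hobbits : TTY=unknown ; PWD=/opt/hobbitserver42 ; USER=root ; COMMAND=/opt/fping24/sbin/fping -Ae
Oct  1 11:46:25 hobbit sudo: hobbits : TTY=unknown ; PWD=/opt/hobbitserver42 ; USER=root ; COMMAND=/opt/fping24/sbin/fping -Ae
Oct  1 11:50:02 hobbit sudo:     bob : TTY=pts/0 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/su -
Oct  1 11:51:17 hobbit sudo:   alice : command not allowed ; TTY=pts/1 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/sh
Oct  1 11:52:40 hobbit sudo:     bob : 3 incorrect password attempts ; TTY=pts/0 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/passwd
Oct  1 11:53:00 hobbit sshd[1234]: Accepted publickey for bob from 10.0.0.5 port 40000 ssh2
"""


if __name__ == "__main__":
    noise, denials, interactive = triage(SAMPLE_LOG.splitlines())
    print(f"non-interactive successes: {len(noise)}")
    for ev in denials:
        print(f"DENIED  {ev.user} tty={ev.tty} {ev.reason}: {ev.command}")
    for ev in interactive:
        print(f"ALLOWED {ev.user} tty={ev.tty} as {ev.runas}: {ev.command}")
```

Run over a real /var/log/secure or /var/log/auth.log the "noise" bucket is what you would route to a separate file in syslog.conf; the two "bob" lines (a root shell via su, then repeated password failures) are the ones a dropped-priority policy would hide along with the fping calls.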
From: jm91 at alpinenetworks.com (No Name)
Date: Mon, 6 Oct 2008 23:20:10 -0700
Subject: [sudo-users] sudo su terminates the shell immediately after the first keystroke
Message-ID:

Hello all,

I have a bizarre problem with sudo that's been working fine for years. Obviously something changed recently but I don't know what. On our Linux machines when I do "sudo su -" I get the root shell as expected, but as soon as I type any character it terminates the shell immediately.

    [/etc] $ sudo su -
    # i        <--- was trying to type 'id' but as soon as I pressed i it terminated the root shell
    logout
    [/etc] $

I get the same behavior when I do "sudo su -". However, su by itself works fine. Our sudoers file is served over NFS; at first I was suspecting it was related to the NFS exports but it looks OK, and if it wasn't I'm sure sudo would complain that it couldn't read the file etc. So I'm completely lost here, any ideas what might be causing this or if there's a way to debug it? My only thought at this time is perhaps something to do with the way sudo spawns /dev/pts.

Thanks

From edwardspl at ita.org.mo Tue Oct 7 04:49:31 2008
From: edwardspl at ita.org.mo (edwardspl at ita.org.mo)
Date: Tue, 07 Oct 2008 16:49:31 +0800
Subject: [sudo-users] About Sudoers Manual
Message-ID: <48EB229B.9090907@ita.org.mo>

Dear All,

Does the user specification support both userid and groupid?

Thanks!

Edward.

From edwardspl at ita.org.mo Tue Oct 7 04:51:48 2008
From: edwardspl at ita.org.mo (edwardspl at ita.org.mo)
Date: Tue, 07 Oct 2008 16:51:48 +0800
Subject: [sudo-users] [Fwd: About Sudoers Manual]
Message-ID: <48EB2324.1000109@ita.org.mo>

Dear All,

For the "User_Alias" function, thanks!

Edward.

-------- Original Message --------
Subject: About Sudoers Manual
Date: Tue, 07 Oct 2008 16:49:31 +0800
From: edwardspl at ita.org.mo
To: sudo-users at sudo.ws

Dear All,

Does the user specification support both userid and groupid?

Thanks!

Edward.

From Todd.Miller at courtesan.com Tue Oct 7 09:59:16 2008
From: Todd.Miller at courtesan.com (Todd C. Miller)
Date: Tue, 07 Oct 2008 09:59:16 -0400
Subject: [sudo-users] sudo su terminates the shell immediately after the first keystroke
In-Reply-To: Your message of "Mon, 06 Oct 2008 23:20:10 PDT."
References:
Message-ID: <200810071359.m97DxGKj027450@core.courtesan.com>

A bug was filed in bugzilla for this yesterday.

http://www.gratisoft.us/bugzilla/show_bug.cgi?id=304

 - todd

From jakrainer at yahoo.com Tue Oct 7 16:51:56 2008
From: jakrainer at yahoo.com (Jackson Afonso Krainer)
Date: Tue, 7 Oct 2008 13:51:56 -0700 (PDT)
Subject: [sudo-users] sudo configuration
Message-ID: <569187.9597.qm@web52109.mail.re2.yahoo.com>

Hello everyone,

What would be the best way to avoid a user executing the following commands:

    sudo /bin/ln -s /usr/bin/su sap_file
    sudo ./sap_file -

and getting root access on an AIX server?

I'm using sudo 1.6.9.17

Thanks in advance,

Jackson

From russell+sudo-users at loosenut.com Tue Oct 7 19:15:25 2008
From: russell+sudo-users at loosenut.com (Russell Van Tassell)
Date: Tue, 7 Oct 2008 16:15:25 -0700
Subject: [sudo-users] sudo configuration
In-Reply-To: <569187.9597.qm@web52109.mail.re2.yahoo.com>
References: <569187.9597.qm@web52109.mail.re2.yahoo.com>
Message-ID: <20081007231524.GS5253@fubar.loosenut.com>

On Tue, Oct 07, 2008 at 01:51:56PM -0700, Jackson Afonso Krainer wrote:
> Hello everyone,
> What would be the best way to avoid a user executing the following commands:

Start your sudo configuration from the point of enabling rather than disabling... that is, when a command is identified where someone needs sudo, add it to the config. Locking down privileges one by one is almost ALWAYS a tougher way to go...

The toughest one most people will likely be familiar with is preventing users from doing:

    sudo su

And instead doing:

    sudo

There are likely various good starting points/configs out there on the web, too...

-- 
Russell M. Van Tassell
russell at loosenut.com

Slowly and surely the unix crept up on the Nintendo user ...

From dave.parson at daimler.com Tue Oct 7 18:28:23 2008
From: dave.parson at daimler.com (dave.parson at daimler.com)
Date: Tue, 07 Oct 2008 15:28:23 -0700
Subject: [sudo-users] sudo configuration
In-Reply-To: <569187.9597.qm@web52109.mail.re2.yahoo.com>
Message-ID:

Give out 'only' what they need to do. We have a rule: if you can't tell us what you want or need to run as root, then you don't need root (read this as: you don't know what you're doing).

The best model is to give them "only" what they need and go from there - don't start with (all) and try to take it away - that is not very secure and someone is going to have an easier time finding a workaround.

That said, I don't know your situation, but I would think that if they have root (all) this means they are already a system administrator and not a user or app support person.

jakrainer at yahoo.com wrote on 10/07/2008 01:51 PM (sent by sudo-users-bounces at courtesan.com, to sudo-users at sudo.ws, subject "[sudo-users] sudo configuration"):

> Hello everyone,
> What would be the best way to avoid a user executing the following commands:
>
>     sudo /bin/ln -s /usr/bin/su sap_file
>     sudo ./sap_file -
>
> and getting root access on an AIX server?
> I'm using sudo 1.6.9.17
>
> Thanks in advance,
>
> Jackson

____________________________________________________________
sudo-users mailing list
For list information, options, or to unsubscribe, visit:
http://www.sudo.ws/mailman/listinfo/sudo-users

From christian.peper at kpn.com Wed Oct 8 04:05:56 2008
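Jackson's question and the two replies from Russell and Dave above come down to one point: once a rule grants ALL (or ALL minus an exclusion list), sudo cannot know that ./sap_file is su under another name, because it matches the path it is given and the symlink is a perfectly valid path. The only durable fix is the allow list both replies recommend. As an added example, not code from the thread or from sudo, the script below is a small policy reviewer: it reads a sudoers file (one definition per line; it does not handle #include or the ':'-chained alias form), resolves Cmnd_Aliases, and flags the weak patterns discussed here: a bare ALL, ALL with "!" exclusions, direct grants of su or a shell, NOPASSWD on ALL, and a Defaults line that turns off env_reset. The sudoers text it runs on is constructed for the example, and the sqlplus path in it is made up.

```python
"""Flag deny-list patterns in a sudoers policy.

Added example, not from the thread or from sudo.  Handles one definition per
line (no #include, no ':'-chained aliases); the sudoers text is constructed.
"""
import re
from typing import Dict, List, Tuple

# Commands that hand the caller an interactive way to run anything as the target user.
SHELL_LIKE = {"sh", "bash", "ksh", "csh", "tcsh", "zsh", "su", "sudo"}

Finding = Tuple[str, int, str]  # (severity, sudoers line number, message)


def _logical_lines(text: str):
    """Yield (first_line_no, line) with comments dropped and '\\' continuations joined."""
    buf, start = "", 0
    for no, raw in enumerate(text.splitlines(), 1):
        # '#' starts a comment unless it is '#include' or a numeric '#uid'.
        line = re.sub(r"(?:^|(?<=\s))#(?!include|\d).*$", "", raw).rstrip()
        if not buf:
            start = no
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            yield start, buf.strip()
        buf = ""


def _split_list(s: str) -> List[str]:
    return [p.strip() for p in s.split(",") if p.strip()]


def _command_items(spec: str, aliases: Dict[str, List[str]]) -> List[Tuple[bool, str]]:
    """Expand a Cmnd_List into (negated, command) pairs, resolving Cmnd_Aliases."""
    items = []
    for item in _split_list(spec):
        item = re.sub(r"^\([^)]*\)\s*", "", item)      # drop a (runas) prefix
        item = re.sub(r"^(?:[A-Z]+:\s*)+", "", item)    # drop NOPASSWD:, NOEXEC:, ... tags
        negated = False
        while item.startswith("!"):                    # an odd number of '!' negates
            negated, item = not negated, item[1:].lstrip()
        if not item:
            continue
        if item in aliases:
            for inner_neg, cmd in _command_items(", ".join(aliases[item]), aliases):
                items.append((negated ^ inner_neg, cmd))
        else:
            items.append((negated, item))
    return items


def review(text: str) -> List[Finding]:
    aliases: Dict[str, List[str]] = {}
    specs: List[Tuple[int, str, str]] = []
    findings: List[Finding] = []
    for no, line in _logical_lines(text):
        m = re.match(r"^Cmnd_Alias\s+(\w+)\s*=\s*(.*)$", line)
        if m:
            aliases[m.group(1)] = _split_list(m.group(2))
        elif re.match(r"^(User|Host|Runas)_Alias\b", line):
            continue
        elif line.startswith("Defaults"):
            if re.search(r"(?:^|[\s,])!env_reset\b", line):
                findings.append(("MEDIUM", no, "'!env_reset' passes the caller's whole environment to every "
                                 "command; keep env_reset and name the one variable needed in env_keep"))
        else:
            m = re.match(r"^(\S+)\s+(\S+)\s*=\s*(.*)$", line)   # who  host = spec
            if m:
                specs.append((no, m.group(1), m.group(3)))
    for no, who, spec in specs:
        items = _command_items(spec, aliases)
        allowed = [c for neg, c in items if not neg]
        denied = [c for neg, c in items if neg]
        nopasswd = "NOPASSWD:" in spec
        if "ALL" in allowed:
            if denied:
                findings.append(("HIGH", no, f"{who}: 'ALL' minus a deny list ({', '.join(denied)}); a copy, "
                                 "symlink or any other path to su or a shell is still allowed"))
            else:
                findings.append(("HIGH", no, f"{who}: 'ALL' is equivalent to handing out the root password"))
            if nopasswd:
                findings.append(("HIGH", no, f"{who}: NOPASSWD on ALL gives unattended root from any hijacked session"))
            continue
        for cmd in allowed:
            base = cmd.split()[0].rsplit("/", 1)[-1]
            if base in SHELL_LIKE:
                findings.append(("HIGH", no, f"{who}: grants {cmd}, an interactive path to the target user that "
                                 "also ends per-command logging"))
        if nopasswd:
            findings.append(("INFO", no, f"{who}: NOPASSWD on an explicit command list (fine for automation "
                             "when the arguments are pinned)"))
    return sorted(findings, key=lambda f: f[1])


# Constructed policy mixing the patterns from the thread; the sqlplus path is made up.
SAMPLE_SUDOERS = """\
Cmnd_Alias SHELLS  = /bin/sh, /bin/bash, /bin/ksh
Cmnd_Alias SUROOT  = /usr/bin/su, /bin/su
Cmnd_Alias SQLPLUS = /u01/app/oracle/product/11.1/bin/sqlplus
Cmnd_Alias PING    = /opt/fping24/sbin/fping -Ae

# Deny list on top of ALL: what the ln -s trick walks straight through
keith   ALL = (root) NOPASSWD: ALL, !SUROOT, !SHELLS
jackson ALL = (ALL) ALL
# "sudo su - oracle": a shell as oracle, nothing after it is logged
%dba    ALL = (root) /usr/bin/su - oracle
# Allow-list alternative: the exact command, run directly as the intended user
%dba    ALL = (oracle) SQLPLUS
hobbits ALL = (root) NOPASSWD: PING
Defaults !env_reset
"""


if __name__ == "__main__":
    for severity, no, msg in review(SAMPLE_SUDOERS):
        print(f"{severity:6} line {no:2}: {msg}")
```

The only rule in the sample that comes back clean is the allow-list one, %dba running sqlplus directly as oracle; the "keith" line reproduces the !SUROOT/!SHELLS deny-list style and is flagged because the ln -s trick, a copy of bash under another name, or any shell not on the list all still match ALL.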
From: christian.peper at kpn.com (christian.peper at kpn.com)
Date: Wed, 8 Oct 2008 10:05:56 +0200
Subject: [sudo-users] [Fwd: About Sudoers Manual]
In-Reply-To: <48EB2324.1000109@ita.org.mo>
References: <48EB2324.1000109@ita.org.mo>
Message-ID: <459520CEEC42F041A8B0CFBCEE958A1101A1A6D8@KKWNLEX182.kpnnl.local>

Yes you can! Here is mine:

    User_Alias MNGR = %sysop :\
               DBA = %dba, %oinstall :\
               AB = user1 :\
               FB = user2,user3,user4

You can also integrate netgroups if you have Suns and/or use NIS/NIS+. In that case, the groupname is prepended with a + instead of a %.

Example:

    MNGR = %sysop, +sunmgrs

Christian.

> -----Original Message-----
> From: sudo-users-bounces at courtesan.com
> [mailto:sudo-users-bounces at courtesan.com] On Behalf Of edwardspl at ita.org.mo
> Sent: Tuesday, October 07, 2008 10:52 AM
> To: sudo-users at sudo.ws
> Subject: [sudo-users] [Fwd: About Sudoers Manual]
>
> Dear All,
>
> For the "User_Alias" function, thanks!
>
> Edward.
>
> -------- Original Message --------
> Subject: About Sudoers Manual
> Date: Tue, 07 Oct 2008 16:49:31 +0800
> From: edwardspl at ita.org.mo
> To: sudo-users at sudo.ws
>
> Dear All,
>
> Does the user specification support both userid and groupid?
>
> Thanks!
>
> Edward.

From edwardspl at ita.org.mo Wed Oct 8 09:10:20 2008
From: edwardspl at ita.org.mo (edwardspl at ita.org.mo)
Date: Wed, 08 Oct 2008 21:10:20 +0800
Subject: [sudo-users] [Fwd: About Sudoers Manual]
In-Reply-To: <459520CEEC42F041A8B0CFBCEE958A1101A1A6D8@KKWNLEX182.kpnnl.local>
References: <48EB2324.1000109@ita.org.mo> <459520CEEC42F041A8B0CFBCEE958A1101A1A6D8@KKWNLEX182.kpnnl.local>
Message-ID: <48ECB13C.1030203@ita.org.mo>

Hello,

How about the cmd of Unix / Linux?

Thanks!

Edward.

christian.peper at kpn.com wrote:

> Yes you can! Here is mine:
>
>     User_Alias MNGR = %sysop :\
>                DBA = %dba, %oinstall :\
>                AB = user1 :\
>                FB = user2,user3,user4
>
> You can also integrate netgroups if you have Suns and/or use NIS/NIS+.
> In that case, the groupname is prepended with a + instead of a %.
> Example: MNGR = %sysop, +sunmgrs
>
> Christian.
>
>> -----Original Message-----
>> From: sudo-users-bounces at courtesan.com
>> [mailto:sudo-users-bounces at courtesan.com] On Behalf Of edwardspl at ita.org.mo
>> Sent: Tuesday, October 07, 2008 10:52 AM
>> To: sudo-users at sudo.ws
>> Subject: [sudo-users] [Fwd: About Sudoers Manual]
>>
>> Dear All,
>>
>> For the "User_Alias" function, thanks!
>>
>> Edward.
>>
>> -------- Original Message --------
>> Subject: About Sudoers Manual
>> Date: Tue, 07 Oct 2008 16:49:31 +0800
>> From: edwardspl at ita.org.mo
>> To: sudo-users at sudo.ws
>>
>> Dear All,
>>
>> Does the user specification support both userid and groupid?
>>
>> Thanks!
>>
>> Edward.

From Jean.Maguire at ge.com Wed Oct 8 11:56:33 2008
From: Jean.Maguire at ge.com (Maguire, Jean (GE, Corporate))
Date: Wed, 8 Oct 2008 11:56:33 -0400
Subject: [sudo-users] Logging all commands after a user has sudo'ed to another userid
Message-ID: <7660E0EC7C2B954996AF49800DB8B622066CDC02@STAMLVEM04.e2k.ad.ge.com>

Just say I create a special group that allows my users to do a "sudo su - oracle". Is there a way for me to log all commands executed while they were sudo'ed to the oracle id?

Thanks.

Jean

Jean Maguire
Senior Server Engineer
GE Asset Management
3001 Summer Street
Stamford, CT 06904
Phone: 203-326-2408
jean.maguire at ge.com

From russell+sudo-users at loosenut.com Wed Oct 8 14:08:18 2008
From: russell+sudo-users at loosenut.com (Russell Van Tassell)
Date: Wed, 8 Oct 2008 11:08:18 -0700
Subject: [sudo-users] Logging all commands after a user has sudo'ed to another userid
In-Reply-To: <7660E0EC7C2B954996AF49800DB8B622066CDC02@STAMLVEM04.e2k.ad.ge.com>
References: <7660E0EC7C2B954996AF49800DB8B622066CDC02@STAMLVEM04.e2k.ad.ge.com>
Message-ID: <20081008180818.GH5253@fubar.loosenut.com>

On Wed, Oct 08, 2008 at 11:56:33AM -0400, Maguire, Jean (GE, Corporate) wrote:
> Just say I create a special group that allows my users to do a "sudo su
> - oracle". Is there a way for me to log all commands executed while they
> were sudo'ed to the oracle id?

Simple answer: No
Slightly longer answer: Maybe
Longer answer: Why?

There are other tools/utilities out there to do this, such as OSH (a restricted "operator's" shell). Sudo isn't a shell utility, but a simple and secure way to give folks elevated privileges for a list of very specific commands across a wide distribution, all while maintaining an audit trail (log integrity) of what was done (ideally while NOT potentially leaving a root shell open).

Yes, it can be abused by simply allowing "sudo su" -- but really, that's one of the things (IMO) you should strive to shut off and, instead, try to force more of a cultural change within the organization of using sudo in front of *every* command where the elevated privilege is needed... for something like oracle, why not something such as:

    % sudo -u oracle sqlplus

(obviously this list is a lot longer)

As was just said here only a day or so ago... rather than granting broad, all-encompassing privileges you should work to identify individual tools and commands where elevated privilege is necessary, and grant THOSE instead. Really, by allowing things like "su," it's not much better than just distributing the password (since there's nothing really to prevent folks from something like "sudo su - user; passwd" or any of a number of other things).

-- 
Russell M. Van Tassell
russell at loosenut.com

"Never sweat the petty things... and never pet the sweaty things"

From Jean.Maguire at ge.com Thu Oct 9 08:05:49 2008
From: Jean.Maguire at ge.com (Maguire, Jean (GE, Corporate))
Date: Thu, 9 Oct 2008 08:05:49 -0400
Subject: [sudo-users] Logging all commands after a user has sudo'ed to another userid
In-Reply-To: <20081008180818.GH5253@fubar.loosenut.com>
References: <7660E0EC7C2B954996AF49800DB8B622066CDC02@STAMLVEM04.e2k.ad.ge.com> <20081008180818.GH5253@fubar.loosenut.com>
Message-ID: <7660E0EC7C2B954996AF49800DB8B62205A51E91@STAMLVEM04.e2k.ad.ge.com>

Thanks Russell. You're right, it comes down to "cultural change" which, as you know, is hard. I appreciate the feedback.

Thanks again.

Jean

Jean Maguire
Senior Server Engineer
GE Asset Management
3001 Summer Street
Stamford, CT 06904
Phone: 203-326-2408
jean.maguire at ge.com

From christian.peper at kpn.com Thu Oct 9 09:07:38 2008
From: christian.peper at kpn.com (christian.peper at kpn.com)
Date: Thu, 9 Oct 2008 15:07:38 +0200
Subject: [sudo-users] [Fwd: About Sudoers Manual]
In-Reply-To: <48ECB13C.1030203@ita.org.mo>
References: <48EB2324.1000109@ita.org.mo> <459520CEEC42F041A8B0CFBCEE958A1101A1A6D8@KKWNLEX182.kpnnl.local> <48ECB13C.1030203@ita.org.mo>
Message-ID: <459520CEEC42F041A8B0CFBCEE958A1101A1AC88@KKWNLEX182.kpnnl.local>

Dear Edward,

I don't know what you mean and I can't guess across mails. Please be more elaborate in your questions. Tell us what you want to do and what you've tried that didn't work. Give an example...

I want to help you but your style to me (IMHO) is really blunt and ignorant so it puts people off really quickly. It seems to me you haven't read the manual properly or thoroughly, because your questions are right there:

http://www.gratisoft.us/sudo/man/sudoers.html

If there are things unclear or you don't understand a specific example, just let us know. But for general questions, just read the manual. That's what it is for. :)

Sincerely,
Chris.

From edwardspl at ita.org.mo Thu Oct 9 09:56:30 2008
From: edwardspl at ita.org.mo (edwardspl at ita.org.mo)
Date: Thu, 09 Oct 2008 21:56:30 +0800
Subject: [sudo-users] [Fwd: About Sudoers Manual]
In-Reply-To: <459520CEEC42F041A8B0CFBCEE958A1101A1AC88@KKWNLEX182.kpnnl.local>
References: <48EB2324.1000109@ita.org.mo> <459520CEEC42F041A8B0CFBCEE958A1101A1A6D8@KKWNLEX182.kpnnl.local> <48ECB13C.1030203@ita.org.mo> <459520CEEC42F041A8B0CFBCEE958A1101A1AC88@KKWNLEX182.kpnnl.local>
Message-ID: <48EE0D8E.1010604@ita.org.mo>

christian.peper at kpn.com wrote:

> Dear Edward,
>
> I don't know what you mean and I can't guess across mails. Please be
> more elaborate in your questions.
> Tell us what you want to do and what you've tried that didn't work. Give
> an example...
>
> I want to help you but your style to me (IMHO) is really blunt and
> ignorant so it puts people off really quickly.
> It seems to me you haven't read the manual properly or thoroughly,
> because your questions are right there:
> http://www.gratisoft.us/sudo/man/sudoers.html
>
> If there are things unclear or you don't understand a specific example,
> just let us know. But for general questions, just read the manual.
> That's what it is for. :)
>
> Sincerely,
> Chris.

Hello,

Sorry,

Mine is an FC9 system...
Does the user specification (User_Alias) support both userid and groupid (a group named "adgroup" that includes the userids "edward", "peter" and "dick")?
If so, is there any sample for reference?

Thanks!

Edward.

From christian.peper at kpn.com Thu Oct 9 09:58:28 2008
From: christian.peper at kpn.com (christian.peper at kpn.com)
Date: Thu, 9 Oct 2008 15:58:28 +0200
Subject: [sudo-users] [Fwd: About Sudoers Manual]
In-Reply-To: <48EE0D8E.1010604@ita.org.mo>
References: <48EB2324.1000109@ita.org.mo> <459520CEEC42F041A8B0CFBCEE958A1101A1A6D8@KKWNLEX182.kpnnl.local> <48ECB13C.1030203@ita.org.mo> <459520CEEC42F041A8B0CFBCEE958A1101A1AC88@KKWNLEX182.kpnnl.local> <48EE0D8E.1010604@ita.org.mo>
Message-ID: <459520CEEC42F041A8B0CFBCEE958A1101A1ACE9@KKWNLEX182.kpnnl.local>

> -----Original Message-----
> From: edwardspl at ita.org.mo [mailto:edwardspl at ita.org.mo]
> Sent: Thursday, October 09, 2008 3:57 PM
> To: Peper, J.C.A. (Christian) (IT I&O System Engineering)
> Cc: sudo-users at sudo.ws
> Subject: Re: [sudo-users] [Fwd: About Sudoers Manual]
>
> Sorry,
>
> Mine is an FC9 system...
> Does the user specification (User_Alias) support both
> userid and groupid (a group named "adgroup" that includes the userids
> "edward", "peter" and "dick")?
> If so, is there any sample for reference?

That's all right... :) now it makes sense.

Yes you can and yes there is. It's right in the manual! :)

http://www.gratisoft.us/sudo/man/sudoers.html#examples

So again, please, check it. It is a good manual.

Chris.

From edwardspl at ita.org.mo Thu Oct 9 10:12:24 2008
From: edwardspl at ita.org.mo (edwardspl at ita.org.mo)
Date: Thu, 09 Oct 2008 22:12:24 +0800
Subject: [sudo-users] [Fwd: About Sudoers Manual]
In-Reply-To: <459520CEEC42F041A8B0CFBCEE958A1101A1ACE9@KKWNLEX182.kpnnl.local>
References: <48EB2324.1000109@ita.org.mo> <459520CEEC42F041A8B0CFBCEE958A1101A1A6D8@KKWNLEX182.kpnnl.local> <48ECB13C.1030203@ita.org.mo> <459520CEEC42F041A8B0CFBCEE958A1101A1AC88@KKWNLEX182.kpnnl.local> <48EE0D8E.1010604@ita.org.mo> <459520CEEC42F041A8B0CFBCEE958A1101A1ACE9@KKWNLEX182.kpnnl.local>
Message-ID: <48EE1148.4020006@ita.org.mo>

christian.peper at kpn.com wrote:

>> -----Original Message-----
>> From: edwardspl at ita.org.mo [mailto:edwardspl at ita.org.mo]
>> Sent: Thursday, October 09, 2008 3:57 PM
>> To: Peper, J.C.A. (Christian) (IT I&O System Engineering)
>> Cc: sudo-users at sudo.ws
>> Subject: Re: [sudo-users] [Fwd: About Sudoers Manual]
>>
>> Sorry,
>>
>> Mine is an FC9 system...
>> Does the user specification (User_Alias) support both
>> userid and groupid (a group named "adgroup" that includes the userids
>> "edward", "peter" and "dick")?
>> If so, is there any sample for reference?
>
> That's all right... :) now it makes sense.
> Yes you can and yes there is. It's right in the manual! :)
>
> http://www.gratisoft.us/sudo/man/sudoers.html#examples
>
> So again, please, check it. It is a good manual.
> Chris.

Hello,

Sorry,

For the examples: which is userid and which is groupid?

Thanks!

Edward.

From christian.peper at kpn.com Thu Oct 9 10:22:31 2008
From: christian.peper at kpn.com (christian.peper at kpn.com)
Date: Thu, 9 Oct 2008 16:22:31 +0200
Subject: [sudo-users] [Fwd: About Sudoers Manual]
In-Reply-To: <48EE1148.4020006@ita.org.mo>
References: <48EB2324.1000109@ita.org.mo> <459520CEEC42F041A8B0CFBCEE958A1101A1A6D8@KKWNLEX182.kpnnl.local> <48ECB13C.1030203@ita.org.mo> <459520CEEC42F041A8B0CFBCEE958A1101A1AC88@KKWNLEX182.kpnnl.local> <48EE0D8E.1010604@ita.org.mo> <459520CEEC42F041A8B0CFBCEE958A1101A1ACE9@KKWNLEX182.kpnnl.local> <48EE1148.4020006@ita.org.mo>
Message-ID: <459520CEEC42F041A8B0CFBCEE958A1101A1AD17@KKWNLEX182.kpnnl.local>

from http://www.gratisoft.us/sudo/man/sudoers.html#aliases

    The definitions of what constitutes a valid alias member follow

    User_List ::= User |
                  User ',' User_List

    User ::= '!'* username |
             '!'* '%'group |
             '!'* '+'netgroup |
             '!'* User_Alias

    A User_List is made up of one or more usernames, system groups (prefixed with '%'),
    netgroups (prefixed with '+') and other aliases. Each list item may be prefixed with
    one or more '!' operators. An odd number of '!' operators negate the value of the
    item; an even number just cancel each other out.

This means.... a user_list can be a combination of a user and possibly another user_list. A user_list can be a combination of zero or more users, zero or more groups (%), zero or more netgroups (+) and zero or more user_aliases. Using a "!" in front of a username or groupname means they will be excluded.

So

    User_Alias myteam = chris, edward, %sysop, %dba, +sunadmins

is a legal alias, AFAIK.

Chris.

PS: what happens if a user is allowed by username but denied by groupname, and if the order matters, I don't know. However, using sudo -l at the prompt, you can see what is allowed for the current user.

From bluntsimon28 at gmail.com Wed Oct 15 10:14:14 2008
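Edward's question (a group "adgroup" holding edward, peter and dick, used next to plain usernames) and the User_List grammar Christian quotes above can be put into code. The following is an added example, not from the thread or from sudo: it parses User_Alias definitions in the ':'-chained, backslash-continued form Christian posted, and evaluates a User_List against a user with a given set of Unix groups and netgroups using the '%', '+' and odd-number-of-'!' rules from the grammar. One point is an assumption on my part rather than something the thread states: that sudo takes the last item in the list that matches the user as the decision, which is what the NOTSYSOP case below demonstrates for Christian's PS question; as he says, confirm with sudo -l on the real system. The alias names ADGROUP and NOTSYSOP and the sample fragment are constructed for the example.

```python
"""Evaluate a sudoers User_List against a user.

Added example, not from the thread or from sudo.  Implements the User_List
grammar quoted from the sudoers manual: usernames, %group, +netgroup, other
User_Aliases, and an odd number of '!' negating an item.  The tie-break rule
(last matching item decides) is my assumption about sudo's matcher, not
something the thread states; confirm with 'sudo -l' on a real system.
"""
from typing import Dict, List, Optional, Set


def parse_user_aliases(text: str) -> Dict[str, List[str]]:
    """Collect User_Alias definitions.

    Accepts the form from Christian's mail: several 'NAME = list' pairs after
    one User_Alias keyword, separated by ':' and continued with a trailing '\\'.
    Comments start with '#'; the numeric '#uid' form is not handled.
    """
    aliases: Dict[str, List[str]] = {}
    folded = text.replace("\\\n", " ")  # join continuation lines
    for line in folded.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line.startswith("User_Alias"):
            continue
        for pair in line[len("User_Alias"):].split(":"):
            name, _, members = pair.partition("=")
            aliases[name.strip()] = [m.strip() for m in members.split(",") if m.strip()]
    return aliases


def user_list_matches(members: List[str], user: str, groups: Set[str],
                      netgroups: Set[str], aliases: Dict[str, List[str]]) -> Optional[bool]:
    """Return True (allowed), False (explicitly denied) or None (not mentioned).

    Every item is tested; the last one that applies to the user wins, so
    'chris, !%sysop' denies chris when chris is in group sysop (assumption, see above).
    """
    decision: Optional[bool] = None
    for item in members:
        bangs = 0
        while item.startswith("!"):
            bangs, item = bangs + 1, item[1:].lstrip()
        negated = bangs % 2 == 1  # '!!x' is the same as 'x'
        if item in aliases:
            inner = user_list_matches(aliases[item], user, groups, netgroups, aliases)
            if inner is not None:
                decision = (not inner) if negated else inner
            continue
        if item == "ALL":
            hit = True
        elif item.startswith("%"):
            hit = item[1:] in groups
        elif item.startswith("+"):
            hit = item[1:] in netgroups
        else:
            hit = item == user
        if hit:
            decision = not negated
    return decision


# Constructed sudoers fragment: Christian's aliases plus two for Edward's group
# and for the "allowed by name, denied by group" case.
SUDOERS_ALIASES = """\
User_Alias MNGR = %sysop :\\
           DBA = %dba, %oinstall :\\
           AB = user1 :\\
           FB = user2, user3, user4
User_Alias MYTEAM = chris, edward, %sysop, %dba, +sunadmins
User_Alias ADGROUP = %adgroup, !dick
User_Alias NOTSYSOP = MYTEAM, !%sysop
"""


if __name__ == "__main__":
    aliases = parse_user_aliases(SUDOERS_ALIASES)
    for who, grp in [("edward", set()), ("peter", {"adgroup"}), ("dick", {"adgroup"}), ("chris", {"sysop"})]:
        print(who, "ADGROUP:", user_list_matches(aliases["ADGROUP"], who, grp, set(), aliases),
              "NOTSYSOP:", user_list_matches(aliases["NOTSYSOP"], who, grp, set(), aliases))
```

For Edward's case the answer to "which is userid and which is groupid" is the prefix: a bare name is a user, %adgroup is the Unix group from /etc/group (or whatever NSS source FC9 is configured with), and !dick after it carves one member back out of that group.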
From: bluntsimon28 at gmail.com (Simon Blunt)
Date: Wed, 15 Oct 2008 16:14:14 +0200
Subject: [sudo-users] sudo+ldap+netgroups woes
In-Reply-To: <58f6b85c0810150712w3d4c714ek95d832fe45da1d51@mail.gmail.com>
References: <58f6b85c0810150712w3d4c714ek95d832fe45da1d51@mail.gmail.com>
Message-ID: <58f6b85c0810150714g77cc965dlcf2614b0e434a15d@mail.gmail.com>

Hi,

My netgroups setup in ldap seems to work:

    $ getent netgroup SuperUsers
    SuperUsers ( , bob, )

But sudo can't find it:

    $ sudo -l
    ldap_bind() ok
    found:cn=defaults,ou=SUDOers,dc=example,dc=com
    ldap search '(|(sudoUser=bob)(sudoUser=%bob)(sudoUser=%bob)(sudoUser=ALL))'
    ldap search 'sudoUser=+*'
    user_matches=0
    host_matches=0
    sudo_ldap_check(50)=0x44

What's sudo doing looking for users beginning "+"?

Thanks,
Simon

From bluntsimon28 at gmail.com Wed Oct 15 10:30:53 2008
From: bluntsimon28 at gmail.com (Simon Blunt)
Date: Wed, 15 Oct 2008 16:30:53 +0200
Subject: [sudo-users] sudo+ldap+netgroups woes
In-Reply-To: <58f6b85c0810150714g77cc965dlcf2614b0e434a15d@mail.gmail.com>
References: <58f6b85c0810150712w3d4c714ek95d832fe45da1d51@mail.gmail.com> <58f6b85c0810150714g77cc965dlcf2614b0e434a15d@mail.gmail.com>
Message-ID: <58f6b85c0810150730s59038e78qe0517f94073d62e9@mail.gmail.com>

I am a fool. My sudo roles had a leading "@" not "+".

From Robert.Binkley at fnis.com Wed Oct 15 10:34:13 2008
From: Robert.Binkley at fnis.com (Binkley, Robert)
Date: Wed, 15 Oct 2008 09:34:13 -0500
Subject: [sudo-users] Understanding on configuration
Message-ID: <5399DC0DAC1583479B6ED19235754D060416B2@CMBFISLTC09.FNFIS.COM>

Can someone help me understand the configuration below?

    gadm    ALL=(ALL) NOPASSWD: ALL
    %unixsa ALL=(ALL) ALL
    %isadm  ALL=(ALL) ALL
    keith   ALL=(ALL) NOPASSWD: ALL

1. The NOPASSWD keyword provides access without prompting for your password.
2. You can have multiple usernames per line separated by commas.
3. Multiple commands also can be separated by commas.
4. Spaces are considered part of the command.
5. Before moving the sudoers file into production, sanity check the resulting data with "visudo -f tempsudoers -c".
6. The "!" mark denotes "password required" if used an odd number of times. The "!" is used to negate the value of the item: an odd number of "!" in the sudo file negates it, an even number just cancel each other out.
7. The "" indicates that a command can be run without command line arguments.
8. Last entry wins.

User alias specification:

    User_Alias OWNER = keith, nick, daniel, lloyd

The example below will allow users keith, nick, daniel or lloyd and the root user.

    User root may run the following commands on this host:
        (ALL) ALL

If root is allowed to run sudo, one can inspect what commands another user may run. Command to use to check what any user can execute via sudo:

    sudo -u someotheruser sudo -l

    User keith may run the following commands on this host:
        (root) NOPASSWD: ALL
        (root) NOPASSWD: !SUROOT
        (root) NOPASSWD: !VISUDO
        (root) NOPASSWD: !SHELLS
        (ALL) NOPASSWD: ALL
        (ALL) ALL
        (ALL) NOPASSWD: ALL
    = User keith may run the following commands on this host:

    User nick may run the following commands on this host:
        (root) NOPASSWD: ALL
        (root) NOPASSWD: !SUROOT
        (root) NOPASSWD: !VISUDO
        (root) NOPASSWD: !SHELLS

    User daniel may run the following commands on this host:
        (root) NOPASSWD: ALL
        (root) NOPASSWD: !SUROOT
        (root) NOPASSWD: !VISUDO
        (root) NOPASSWD: !SHELLS

    User lloyd may run the following commands on this host:
        (root) NOPASSWD: ALL
        (root) NOPASSWD: !SUROOT
        (root) NOPASSWD: !VISUDO
        (root) NOPASSWD: !SHELLS

Robert Lee Binkley

From jakrainer at yahoo.com Mon Oct 20 14:42:50 2008
From: jakrainer at yahoo.com (Jackson Afonso Krainer)
Date: Mon, 20 Oct 2008 11:42:50 -0700 (PDT)
Subject: [sudo-users] sudo sudo-1.6.9p17 x AIX 5.3
Message-ID: <852080.71995.qm@web52109.mail.re2.yahoo.com>

Hello there,

I have compiled sudo-1.6.9p17 on AIX 5.3 TL 5 and on AIX 5.3 TL 8 and everything seemed to be working just fine when a user reported the following problem to me:

    $ sudo cfgmgr
    cfgmgr: 0514-603 Cannot access the Config_Rules object class in the device configuration database.

I have compiled sudo using the following flags:

    configure --with-noexec --without-passwd --with-ignore-dot --with-mailto=mail at host.com --with-mail-if-no-host --with-mail-if-noperms --disable-root-sudo --enable-log-host

Trying to identify which flag was causing this behavior, I recompiled sudo excluding the last flag until I did it with no flags. It didn't work in any case! I got the same error in all cases.

I have used the gcc compiler with the following versions:

    gcc-4.0.0-1
    gcc-c++-4.0.0-1
    libgcc-4.0.0-1

Did anyone already face this problem?
Did anyone successfully compile sudo on AIX 5.3? Which flags did you use? What version of C compiler?

Any help will be greatly appreciated!

Best Regards,

Jackson

From Mike.Wood at kci1.com Mon Oct 20 15:13:18 2008
From: Mike.Wood at kci1.com (Wood, Mike)
Date: Mon, 20 Oct 2008 14:13:18 -0500
Subject: [sudo-users] FW: sudo sudo-1.6.9p17 x AIX 5.3
Message-ID: <0D2B277DB445634E85FFD372FE7B17562DF20D61A0@AMWPVEX01.kci.com>

Use this directive:

    # Don't clobber the environment (breaks things like cfgmgr)
    Defaults: !env_reset

Mike Wood
UNIX System Administrator
Kinetic Concepts Inc.
5751 NW Parkway
San Antonio, TX, 78249

-----Original Message-----
From: sudo-users-bounces at courtesan.com [mailto:sudo-users-bounces at courtesan.com] On Behalf Of Jackson Afonso Krainer Sent: Monday, October 20, 2008 1:43 PM To: sudo-users at sudo.ws Subject: [sudo-users] sudo sudo-1.6.9p17 x AIX 5.3 Hello there, I have compiled sudo-1.6.9p17 on AIX 5.3 TL 5 and in AIX 5.3 TL 8 and everything seems to be working just fine when I user reported me the following problem: $ sudo cfgmgr cfgmgr: 0514-603 Cannot access the Config_Rules object class in the device configuration database. I have compiled sudo using the following flags: configure --with-noexec --without-passwd --with-ignore-dot --with-mailto=mail at host.com --with-mail-if-no-host --with-mail-if-noperms --disable-root-sudo --enable-log-host Trying to identify which flag was causing this behavior I recompiled sudo excluding the last flag until I did it with no flags. It didn't work in any case! I got the same error on all cases. I have used the gcc compiler with the following versions: gcc-4.0.0-1 gcc-c++-4.0.0-1 libgcc-4.0.0-1 Did anyone already face this problem? Did anyone successfully compiled sudo in AIX 5.3? Which flags did you use? What version of C compiler? Any help will be greatly appreciated! Best Regards, Jackson __________________________________________________ Fale com seus amigos de gra?a com o novo Yahoo! Messenger http://br.messenger.yahoo.com/ ____________________________________________________________ sudo-users mailing list For list information, options, or to unsubscribe, visit: http://www.sudo.ws/mailman/listinfo/sudo-users ***************************************************************************** "CONFIDENTIALITY NOTICE: This transmission (including any accompanying attachments) is confidential, is intended only for the individual or entity named above, and is likely to contain privileged, proprietary and confidential information that is exempt from disclosure requests under applicable law. 
From jakrainer at yahoo.com Mon Oct 20 16:54:49 2008
From: jakrainer at yahoo.com (Jackson Afonso Krainer)
Date: Mon, 20 Oct 2008 13:54:49 -0700 (PDT)
Subject: [sudo-users] FW: sudo sudo-1.6.9p17 x AIX 5.3
In-Reply-To: <0D2B277DB445634E85FFD372FE7B17562DF20D61A0@AMWPVEX01.kci.com>
Message-ID: <821621.27320.qm@web52103.mail.re2.yahoo.com>

Mike,

Thanks for the tip. Instead of preventing all the user's variables from
being reset, I used

Defaults env_keep = "ODMDIR",...

and it also did the trick.

Thank you very much,

Jackson

--- On Mon, 20/10/08, Wood, Mike wrote:

> From: Wood, Mike
> Subject: [sudo-users] FW: sudo sudo-1.6.9p17 x AIX 5.3
> To: "sudo-users at sudo.ws"
> Date: Monday, 20 October 2008, 12:13
> Use this directive:
> # Don't clobber the environment (breaks things like
> cfgmgr)
> Defaults: !env_reset
>
> Mike Wood
> UNIX System Administrator
> Kinetic Concepts Inc.
> 5751 NW Parkway
> San Antonio, TX, 78249
From fafaforza at yahoo.com Tue Oct 21 14:48:10 2008
From: fafaforza at yahoo.com (john bender)
Date: Tue, 21 Oct 2008 11:48:10 -0700 (PDT)
Subject: [sudo-users] sudo, kerb5 and Heimdal on FreeBSD 7.0
Message-ID: <943365.95219.qm@web43134.mail.sp1.yahoo.com>

Hi there,

so I'm trying to install sudo on FreeBSD 7.0-RELEASE. When I try a make
against the kerberos libs that the system comes with under /usr/lib, I
get this error:

undefined reference to 'krb5_get_init_creds_opt_alloc'

So I compile Heimdal from ports and libs are installed under
/usr/local/lib. Running a 'strings' on these I see that the
krb5_get_init_creds_opt_alloc function is there, and not present under
the libs in /usr/lib. I'm not sure whether the /usr/lib libraries are
from the MIT release, but was under the impression that due to crypt
export laws, FBSD came with Heimdal by default. But anyway...

Moving forward, I configure with --with-kerb5, and 'export
LDFLAGS=-L/usr/local/lib', but when running 'make', I get:

../auth/kerb5.c: In function 'kerb5_verify':
../auth/kerb5.c:224: warning: passing argument 1 of 'krb5_get_init_creds_opt_free' from incompatible pointer type
../auth/kerb5.c:224: error: too few arguments to function 'krb5_get_init_creds_opt_free'

In auth/kerb5.c on line 223 I see

#ifdef HAVE_HEIMDAL
    krb5_get_init_creds_opt_free(opts);
#else
    krb5_get_init_creds_opt_free(sudo_context, opts);
#endif

If I remove the defines, and the 1 argument function, IE: only leave
"krb5_get_init_creds_opt_free(sudo_context, opts);" from the above
block, it compiles fine and a sudo command authenticates properly
against my kerberos server.

I looked the function up in the Heimdal source, and all instances
reference two arguments:

krb5_get_init_creds_opt_free(context, options);

Running 'strings' on the /usr/lib libraries did not return a match for
krb5_get_init_creds_opt_free, so it looks to be present only in Heimdal
libraries.

Is this something that needs to be changed in sudo's source?

- Darek

From Tom_Smith at ao.uscourts.gov Wed Oct 22 08:17:46 2008
From: Tom_Smith at ao.uscourts.gov (Tom_Smith at ao.uscourts.gov)
Date: Wed, 22 Oct 2008 08:17:46 -0400
Subject: [sudo-users] Setting PATH
Message-ID:

I would like to set the PATH explicitly within sudo, not simply inherit
or deny what the user's already set. Is there a way to do this?

---------------------------------------------------------------------
tom_smith at ao.uscourts.gov

From tmclaugh at gmail.com Tue Oct 21 21:21:16 2008
From: tmclaugh at gmail.com (Tom McLaughlin)
Date: Tue, 21 Oct 2008 21:21:16 -0400
Subject: [sudo-users] sudo, kerb5 and Heimdal on FreeBSD 7.0
In-Reply-To: <943365.95219.qm@web43134.mail.sp1.yahoo.com>
References: <943365.95219.qm@web43134.mail.sp1.yahoo.com>
Message-ID: <48FE800C.3050704@gmail.com>

john bender wrote:
> Hi there,
>
> so I'm trying to install sudo on FreeBSD 7.0-RELEASE.
> When I try a make against the kerberos libs that the
> system comes with under /usr/lib, I get this error:
>
> undefined reference to 'krb5_get_init_creds_opt_alloc'

The port for sudo in the ports tree builds just fine. What version are
you using? Are you using the ports tree?

> So I compile Heimdal from ports and libs are installed
> under /usr/local/lib. Running a 'strings' on these I
> see that the krb5_get_init_creds_opt_alloc function is
> there, and not present under the libs in /usr/lib.
> I'm not sure whether the /usr/lib libraries are from
> the MIT release, but was under the impression that due
> to crypt export laws, FBSD came with Heimdal by
> default. But anyway...

FreeBSD ships Heimdal 0.6.3 in 7.0. HEAD has 1.1.0. As the port
maintainer for sudo I'll just say this: unless you know you need a
kerberos implementation from ports then don't install it and just use
the base version. I don't bother testing mix-and-matched kerberos setups
because it has a tendency to explode. (This isn't just the case with
sudo but many other applications as well.)

tom

From fafaforza at yahoo.com Wed Oct 22 10:55:55 2008
From: fafaforza at yahoo.com (john bender)
Date: Wed, 22 Oct 2008 07:55:55 -0700 (PDT)
Subject: [sudo-users] sudo, kerb5 and Heimdal on FreeBSD 7.0
In-Reply-To: <48FE800C.3050704@gmail.com>
Message-ID: <922166.46971.qm@web43145.mail.sp1.yahoo.com>

--- Tom McLaughlin wrote:
> john bender wrote:
> > Hi there,
> >
> > so I'm trying to install sudo on FreeBSD 7.0-RELEASE.
> > When I try a make against the kerberos libs that the
> > system comes with under /usr/lib, I get this error:
> >
> > undefined reference to 'krb5_get_init_creds_opt_alloc'
>
> The port for sudo in the ports tree builds just fine. What version are
> you using? Are you using the ports tree?

I am using the latest source from sudo.ws. The FreeBSD 7 port (1.6.9.15
and 1.6.9.17) doesn't appear to come with kerberos support:

/usr/local/bin/sudo:
        libutil.so.7 => /lib/libutil.so.7 (0x800650000)
        libpam.so.4 => /usr/lib/libpam.so.4 (0x80075e000)
        libldap-2.4.so.3 => /usr/local/lib/libldap-2.4.so.3 (0x800866000)
        libc.so.7 => /lib/libc.so.7 (0x8009a2000)
        liblber-2.4.so.3 => /usr/local/lib/liblber-2.4.so.3 (0x800bbf000)
        libssl.so.5 => /usr/lib/libssl.so.5 (0x800ccd000)
        libcrypto.so.5 => /lib/libcrypto.so.5 (0x800e17000)

When I replace --with-pam with --with-kerb5 in the port Makefile, and
without installing the Heimdal port (using whatever 7.0 comes with), I
get

cc -o sudo check.o env.o getspwuid.o gettime.o goodpath.o fileops.o find_path.o interfaces.o logging.o parse.o set_perms.o sudo.o sudo_edit.o tgetpass.o zero_bytes.o ldap.o sudo_auth.o kerb5.o passwd.o sudo.tab.o lex.yy.o alloc.o defaults.o memrchr.o closefrom.o -L/usr/local/lib -lutil -L/usr/lib -lkrb5 -lasn1 -lcrypto -lroken -lcrypt -lcom_err -lcrypt -lldap
kerb5.o(.text+0xb9): In function `kerb5_verify':
: undefined reference to `krb5_get_init_creds_opt_alloc'
kerb5.o(.text+0xfe): In function `kerb5_verify':
: undefined reference to `krb5_get_init_creds_opt_free'
*** Error code 1

So again, looks to me like the /usr/lib libs are missing that function,
which 1.1.0 has.

- Darek

From Todd.Miller at courtesan.com Wed Oct 22 12:56:24 2008
From: Todd.Miller at courtesan.com (Todd C. Miller)
Date: Wed, 22 Oct 2008 12:56:24 -0400
Subject: [sudo-users] sudo, kerb5 and Heimdal on FreeBSD 7.0
In-Reply-To: Your message of "Tue, 21 Oct 2008 11:48:10 PDT." <943365.95219.qm@web43134.mail.sp1.yahoo.com>
References: <943365.95219.qm@web43134.mail.sp1.yahoo.com>
Message-ID: <200810221656.m9MGuOkV016689@core.courtesan.com>

In message <943365.95219.qm at web43134.mail.sp1.yahoo.com>
so spake john bender (fafaforza):

> I looked the function up in the Heimdal source, and
> all instances reference two arguments:
>
> krb5_get_init_creds_opt_free(context, options);
>
> Running 'strings' on the /usr/lib libraries did not
> return a match for krb5_get_init_creds_opt_free, so it
> looks to be present only in Heimdal libraries.
>
> Is this something that needs to be changed in sudo's
> source?

It sounds like a configure check is needed since older versions of
Heimdal have a krb5_get_init_creds_opt_free that takes a single arg.
I'll add it to my sudo TODO list.

- todd

From Todd.Miller at courtesan.com Wed Oct 22 23:16:42 2008
From: Todd.Miller at courtesan.com (Todd C. Miller)
Date: Wed, 22 Oct 2008 23:16:42 -0400
Subject: [sudo-users] Setting PATH
In-Reply-To: Your message of "Wed, 22 Oct 2008 08:17:46 EDT."
References:
Message-ID: <200810230316.m9N3GgZI016942@core.courtesan.com>

In message so spake (Tom_Smith):

> I would like to set the PATH explicitly within sudo, not simply inherit or
> deny what the user's already set. Is there a way to do this?

The only way to do this (unless you are running the sudo 1.7 release
candidate) is to build sudo with the --with-secure-path[=PATH] configure
option.

- todd

From chris at encs.concordia.ca Fri Oct 24 13:12:09 2008
From: chris at encs.concordia.ca (Chris O'Regan)
Date: Fri, 24 Oct 2008 13:12:09 -0400
Subject: [sudo-users] Problem with defaults (v1.7.0rc2)
Message-ID: <490201E9.2020806@encs.concordia.ca>

We've decided to install v1.7.0rc2 because we really want to use the
#include directive. Unfortunately we are encountering a serious problem:

We require that members of the wheel group use the root password when
running sudo and have this near the top of /etc/sudoers:

Defaults:%wheel rootpw

Non-wheel users are given very specific privileges and can use their own
password. This has been working well for years with the v1.6.x line of
sudo. With v1.7.0rc2 (have not tried earlier versions) this is being
applied to *all* users despite it being limited to group wheel. If I use
the same sudoers file with v1.6.x it works as expected. If I comment out
the above line with v1.7.0rc2 then the user is prompted for his own
password.

Here is the output of "sudo -l" (using v1.7.0rc2) for a test user
account that is *not* in the wheel group (I had to type the root
password to authenticate):

Matching Defaults entries for joeuser on this host:
    shell_noargs

Runas and Command-specific defaults for joeuser:
    Defaults>root editor=/usr/bin/vim:/encs/bin/vim:/usr/bin/vi
    Defaults>root always_set_home
    Defaults>root env_reset
    Defaults>root env_keep=SSH_CLIENT SSH_TTY SSH_CONNECTION DISPLAY

User joeuser may run the following commands on this host:
    (fis-card) ALL

As myself (in the wheel group):

Matching Defaults entries for chris on this host:
    shell_noargs, rootpw

Runas and Command-specific defaults for chris:
    Defaults>root editor=/usr/bin/vim:/encs/bin/vim:/usr/bin/vi
    Defaults>root always_set_home
    Defaults>root env_reset
    Defaults>root env_keep=SSH_CLIENT SSH_TTY SSH_CONNECTION DISPLAY

User chris may run the following commands on this host:
    (ALL) ALL

Notice that joeuser does *not* have "rootpw" as its defaults, so why is
sudo expecting root's password?

Thanks,

Chris

From Todd.Miller at courtesan.com Sat Oct 25 09:21:42 2008
From: Todd.Miller at courtesan.com (Todd C. Miller)
Date: Sat, 25 Oct 2008 09:21:42 -0400
Subject: [sudo-users] Problem with defaults (v1.7.0rc2)
In-Reply-To: Your message of "Fri, 24 Oct 2008 13:12:09 EDT." <490201E9.2020806@encs.concordia.ca>
References: <490201E9.2020806@encs.concordia.ca>
Message-ID: <200810251321.m9PDLgWu031519@core.courtesan.com>

The following patch should fix this.

- todd

Index: parse.c
===================================================================
RCS file: /home/cvs/courtesan/sudo/parse.c,v
retrieving revision 1.230
diff -u -r1.230 parse.c
--- parse.c     8 May 2008 21:54:09 -0000       1.230
+++ parse.c     25 Oct 2008 13:20:10 -0000
@@ -146,22 +146,22 @@
                 if (!set_default(def->var, def->val, def->op))
                     return(FALSE);
             case DEFAULTS_USER:
-                if (userlist_matches(sudo_user.pw, &def->binding) &&
+                if (userlist_matches(sudo_user.pw, &def->binding) == ALLOW &&
                     !set_default(def->var, def->val, def->op))
                     return(FALSE);
                 break;
             case DEFAULTS_RUNAS:
-                if (runaslist_matches(&def->binding, NULL) &&
+                if (runaslist_matches(&def->binding, NULL) == ALLOW &&
                     !set_default(def->var, def->val, def->op))
                     return(FALSE);
                 break;
             case DEFAULTS_HOST:
-                if (hostlist_matches(&def->binding) &&
+                if (hostlist_matches(&def->binding) == ALLOW &&
                     !set_default(def->var, def->val, def->op))
                     return(FALSE);
                 break;
             case DEFAULTS_CMND:
-                if (cmndlist_matches(&def->binding) &&
+                if (cmndlist_matches(&def->binding) == ALLOW &&
                     !set_default(def->var, def->val, def->op))
                     return(FALSE);
         }

From chris at encs.concordia.ca Thu Oct 30 16:14:24 2008
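Review bot: The DEFAULTS_RUNAS arm now only applies the binding when `runaslist_matches(&def->binding, NULL) == ALLOW`, and the group-list argument is passed as NULL; it is worth confirming that a runas-user-only binding such as `Defaults>root` yields ALLOW rather than some other value from that call, because anything other than ALLOW now silently skips the default where the old truthiness test applied it (the follow-up in this thread reporting that `Defaults>root always_set_home` and `Defaults>root env_keep` stopped taking effect after the patch points at exactly this arm). The `== ALLOW` change itself is the right direction for the reported bug: the old `if (userlist_matches(...) && ...)` treated any non-zero return as a match, which is how `Defaults:%wheel rootpw` ended up applied to users outside wheel. One smaller point on the context lines at the top of the hunk: `return(FALSE);` is followed directly by `case DEFAULTS_USER:` with no `break;`, so the preceding case falls through into the user-list check; if that is intentional a `/* FALLTHROUGH */` comment would make it explicit, otherwise a `break;` belongs there.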
From: chris at encs.concordia.ca (Chris O'Regan)
Date: Thu, 30 Oct 2008 16:14:24 -0400
Subject: [sudo-users] Problem with defaults (v1.7.0rc2)
In-Reply-To: <200810251321.m9PDLgWu031519@core.courtesan.com>
References: <490201E9.2020806@encs.concordia.ca> <200810251321.m9PDLgWu031519@core.courtesan.com>
Message-ID: <490A15A0.4000404@encs.concordia.ca>

Todd C. Miller wrote:
> The following patch should fix this.

Thanks! I have applied the patch and I am about to test it, however the
first thing I noticed is that "always_set_home" is broken now. That is,
I have the following in my /etc/sudoers file:

Defaults>root always_set_home

But after running sudo, my home is still set to the originating user.
This worked fine prior to applying the patch. Interestingly, "sudo -H"
works as expected.

Chris

From chris at encs.concordia.ca Thu Oct 30 16:21:56 2008
From: chris at encs.concordia.ca (Chris O'Regan)
Date: Thu, 30 Oct 2008 16:21:56 -0400
Subject: [sudo-users] Problem with defaults (v1.7.0rc2)
In-Reply-To: <490A15A0.4000404@encs.concordia.ca>
References: <490201E9.2020806@encs.concordia.ca> <200810251321.m9PDLgWu031519@core.courtesan.com> <490A15A0.4000404@encs.concordia.ca>
Message-ID: <490A1764.9080200@encs.concordia.ca>

Even more weirdness, I have defined the following:

Defaults>root env_reset
Defaults>root env_keep="SSH_CLIENT SSH_TTY SSH_CONNECTION"

...but my SSH* variables are missing and many other variables like
"DISPLAY" are now set.

$ sudo -l
Matching Defaults entries for chris on this host:
    shell_noargs, rootpw

Runas and Command-specific defaults for chris:
    Defaults>root editor=/usr/bin/vim:/encs/bin/vim:/usr/bin/vi
    Defaults>root always_set_home
    Defaults>root env_reset
    Defaults>root env_keep=SSH_CLIENT SSH_TTY SSH_CONNECTION

User chris may run the following commands on this host:
    [...]

From chris at encs.concordia.ca Fri Oct 31 14:54:51 2008
From: chris at encs.concordia.ca (Chris O'Regan)
Date: Fri, 31 Oct 2008 14:54:51 -0400
Subject: [sudo-users] Problem with defaults (v1.7.0rc2)
In-Reply-To: <490A1764.9080200@encs.concordia.ca>
References: <490201E9.2020806@encs.concordia.ca> <200810251321.m9PDLgWu031519@core.courtesan.com> <490A15A0.4000404@encs.concordia.ca> <490A1764.9080200@encs.concordia.ca>
Message-ID: <490B547B.20108@encs.concordia.ca>

> Even more weirdness, I have defined the following:

I have double checked my work. I have recompiled sudo with and without
the patch. Without the patch, "Defaults:%wheel rootpw" prompts all users
for the root password but otherwise seems okay. With the patch, that bug
is fixed, but a new bug is introduced, namely it seems that all the
target root defaults are ignored, in my case:

Defaults>root always_set_home
Defaults>root env_reset
Defaults>root env_keep="SSH_CLIENT SSH_TTY SSH_CONNECTION"

Interestingly, setting -H from the command line does what it should.

If you need any more information, please let me know.

Chris

From repsons at gmail.com Fri Oct 31 11:47:03 2008
From: repsons at gmail.com (Kārlis Repsons)
Date: Fri, 31 Oct 2008 18:47:03 +0300
Subject: [sudo-users] sudo can't find an executable in my $PATH!
Message-ID: <200810311747.03824.repsons@gmail.com>

Hello in this list.

Simply, I have a script "doit" in /opt/scripts and I want to execute it
as root by typing "sudo doit". /opt/scripts is in $PATH for both root
and my user. It doesn't work! Something this simple has nearly turned
into a nightmare just in trying to make it work and looking for what is
wrong :( Please answer.

-- 
Kārlis Repsons