From tusharm at cdac.in  Tue Sep  2 00:59:13 2008
From: tusharm at cdac.in (Tushar Abraham Mathew तुशार एब्रहाम माथ्यू)
Date: Tue, 02 Sep 2008 10:29:13 +0530
Subject: [sudo-users] Regarding permissions
Message-ID: <1220331554.7898.15.camel@boss>

Hi all,

I have been trying to edit my sudoers file for the first time for allowing access to my machine to some people. This is what my file looks like -

# sudoers file.
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the sudoers man page for the details on how to write a sudoers file.
#

# Host alias specification

# User alias specification
User_Alias ADMIN = amol,nimmi

# Cmnd alias specification
Cmnd_Alias SHELLS = usr/local/bin/bash,/bin/csh,/bin/tcsh
Cmnd_Alias COMMANDS = /bin/rm,/usr/sbin/adduser,/usr/sbin/rmuser,/usr/local/sbin/visudo

# Defaults specification

# Runas alias specification
Runas_Alias SYSADMIN = amol, nimmi

# User privilege specification
root ALL=(ALL) ALL
john ALL=(ALL) ALL
#
#
#
#

ADMIN ALL = (SYSADMIN) ALL, !SHELLS, !COMMANDS

# Uncomment to allow people in group wheel to run all commands

Could anyone advise if there is any way users (except for john) can do harm to my machine ??

I also haven't understood the exact difference between the statements

root ALL = (ALL) ALL and john ALL = (ALL) ALL

Having read through the general sudo documentation available, I understand john will be able to on ALL hosts as ANY USER (sudo -u) run ALL commands.

So the root statement would most likely mean if the root user did sudo foo, he will be able to do so. But since the root user has full privileges, why use sudo in the first place ?
Another version I read was that giving root ALL = (ALL) ALL means once a user like john (john ALL = (ALL) ALL) gets access to commands, he is again restricted if the commands for root become something like

root ALL = (ALL) /bin/

Could you enlighten me on this please ?

Best Wishes,
Tushar.

From tusharm at cdac.in  Thu Sep  4 01:32:54 2008
From: tusharm at cdac.in (Tushar Abraham Mathew तुशार एब्रहाम माथ्यू)
Date: Thu, 04 Sep 2008 11:02:54 +0530
Subject: [sudo-users] Regarding permissions
In-Reply-To: <48BD2656.5070204@us.fujitsu.com>
References: <1220331554.7898.15.camel@boss> <48BD2656.5070204@us.fujitsu.com>
Message-ID: <1220506374.9216.13.camel@boss>

Hi Mathew,

On Tue, 2008-09-02 at 07:41 -0400, Matthew Stier wrote:
> Tushar Abraham Mathew तुशार एब्रहाम माथ्यू wrote:
> > Hi all,
> > I have been trying to edit my sudoers file for the first time
> > for allowing access to my machine to some people. This is what my file
> > looks like -
> >
> > # sudoers file.
> > #
> > # This file MUST be edited with the 'visudo' command as root.
> > #
> > # See the sudoers man page for the details on how to write a sudoers file.
> > #
> >
> > # Host alias specification
> >
> > # User alias specification
> > User_Alias ADMIN = amol,nimmi
> >
> > # Cmnd alias specification
> > Cmnd_Alias SHELLS = usr/local/bin/bash,/bin/csh,/bin/tcsh
> >
> Typo in the definition of 'bash'
> > Cmnd_Alias COMMANDS = /bin/rm,/usr/sbin/adduser,/usr/sbin/rmuser,/usr/local/sbin/visudo
> >
> > # Defaults specification
> >
> > # Runas alias specification
> > Runas_Alias SYSADMIN = amol, nimmi
> >
> > # User privilege specification
> > root ALL=(ALL) ALL
> > john ALL=(ALL) ALL
> > #
> > #
> > #
> > #
> >
> > ADMIN ALL = (SYSADMIN) ALL, !SHELLS, !COMMANDS
> >
> > # Uncomment to allow people in group wheel to run all commands
> >
> > Could anyone advise if there is any way users (except for john) can do
> > harm to my machine ??
> >
> Beside root and john being all powerful, you are giving amol and nimmi
> permission to act as each other.
>

So I can avoid this by giving it separately I guess -

ADMIN (or only amol ??) ALL = (amol) ALL, !SHELLS, !COMMANDS
&
ADMIN (or only nimmi ??) ALL = (nimmi) ALL, !SHELLS, !COMMANDS

> > I also haven't understood the exact difference between the statements
> >
> > root ALL = (ALL) ALL and john ALL = (ALL) ALL
> >
> > Having read through the general sudo documentation available, I
> > understand john will be able to on ALL hosts as ANY USER (sudo -u) run
> > ALL commands.
> >
> Correct.
> > So the root statement would most likely mean if the root user did sudo
> > foo, he will be able to do so. But since the root user has full
> > privileges, why use sudo in the first place ?
> >
> Logging.

Could you expand little on this ? Also, I'm pasting some material I read in one of the tutorials -

" bob, bunny ALL = (ALL) ALL

This is generally not a good idea because this allows bob and bunny to use the su command to grant themselves permanent root privileges thereby bypassing the command logging features of sudo.
The example on using aliases in the sudoers file shows how to eliminate this problem. "

What does this statement mean ? How can bob and bunny use the su command without knowing the su password ?

> > Another version I read was that giving root ALL = (ALL) ALL means once a
> > user like john (john ALL = (ALL) ALL) gets access to commands, he is
> > again restricted if the commands for root become something like
> > root ALL = (ALL) /bin/

So I'm taking it this version is completely wrong.

> >
> > Could you enlighten me on this please ?
> >
> > Best Wishes,
> >
> > Tushar.
> >
> > ____________________________________________________________
> > sudo-users mailing list
> > For list information, options, or to unsubscribe, visit:
> > http://www.sudo.ws/mailman/listinfo/sudo-users
> >

From ccx110 at coventry.ac.uk  Wed Sep  3 08:11:37 2008
From: ccx110 at coventry.ac.uk (Rachael Brown)
Date: Wed, 3 Sep 2008 13:11:37 +0100
Subject: [sudo-users] makefile error
Message-ID: <881F54DCA3F26C4696683605F62B40220765C962@VSEXMS-03.coventry.ac.uk>

I am new to sudo and when running make I keep getting the following error

gcc -o sudo check.o env.o getspwuid.o gettime.o goodpath.o fileops.o find_path.o interfaces.o logging.o parse.o set_perms.o sudo.o sudo_edit.o tgetpass.o zero_bytes.o sudo_auth.o pam.o sudo.tab.o lex.yy.o alloc.o defaults.o strlcpy.o strlcat.o closefrom.o -lpam -ldl
/usr/lib/gcc-lib/i486-slackware-linux/3.2.3/../../../../i486-slackware-l
inux/bin/ld: cannot find -lpam
collect2: ld returned 1 exit status
make: *** [sudo] Error 1

I am running it on a redhat linux machine

--------------------------------------------------------
NOTICE

This message and any files transmitted with it is intended for the addressee only and may contain information that is confidential or privileged. Unauthorised use is strictly prohibited.
If you are not the addressee, you should not read, copy, disclose or otherwise use this message, except for the purpose of delivery to the addressee. Any views or opinions expressed within this e-mail are those of the author and do not necessarily represent those of Coventry University.

From sujnanshetty at gmail.com  Thu Sep  4 10:17:42 2008
From: sujnanshetty at gmail.com (Suj)
Date: Thu, 4 Sep 2008 10:17:42 -0400
Subject: [sudo-users] Regarding permissions
In-Reply-To: <1220506374.9216.13.camel@boss>
References: <1220331554.7898.15.camel@boss> <48BD2656.5070204@us.fujitsu.com> <1220506374.9216.13.camel@boss>
Message-ID: <37cf4dcd0809040717k3a307dafv8e062f131ebc6351@mail.gmail.com>

User_Alias ADMIN = amol,nimmi
Cmnd_Alias SHELLS = usr/local/bin/bash,/bin/csh,/bin/tcsh   <<< Typo in the definition of 'bash'
Cmnd_Alias COMMANDS = /bin/rm,/usr/sbin/adduser,/usr/sbin/rmuser,/usr/local/sbin/visudo
Runas_Alias SYSADMIN = amol, nimmi
root ALL=(ALL) ALL
john ALL=(ALL) ALL
ADMIN ALL = (SYSADMIN) ALL, !SHELLS, !COMMANDS

Beside root and john being all powerful, you are giving amol and nimmi permission to act as each other.

So I can avoid this by giving it separately I guess -

ADMIN (or only amol ??) ALL = (amol) ALL, !SHELLS, !COMMANDS
&
ADMIN (or only nimmi ??) ALL = (nimmi) ALL, !SHELLS, !COMMANDS

>>same thing!!!

Could you expand little on this ? Also, I'm pasting some material I read in one of the tutorials -

bob, bunny ALL = (ALL) ALL

What does this statement mean ? How can bob and bunny use the su command without knowing the su password ?

>> They don't have to enter root passwd, but they will be entering their own passwd's to get root privileges, that's the whole point of sudo !!

So if you restrict root to certain commands the users who get root privileges will have that restricted set of commands. Better not to do it .......unless the root doesn't want to administer the machine in the near future.
When you have sudo activated all users when logging in will have to use "sudo -l" to view the cmds they are permitted to use, then enter their own passwd's and execute the root-permissible-cmd's they are allowed to in the sudo file.

--
Sujnan Shetty

From Todd.Miller at courtesan.com  Thu Sep  4 10:29:12 2008
From: Todd.Miller at courtesan.com (Todd C. Miller)
Date: Thu, 04 Sep 2008 10:29:12 -0400
Subject: [sudo-users] makefile error
In-Reply-To: Your message of "Wed, 03 Sep 2008 13:11:37 BST." <881F54DCA3F26C4696683605F62B40220765C962@VSEXMS-03.coventry.ac.uk>
References: <881F54DCA3F26C4696683605F62B40220765C962@VSEXMS-03.coventry.ac.uk>
Message-ID: <200809041429.m84ETCcf025725@core.courtesan.com>

In message <881F54DCA3F26C4696683605F62B40220765C962 at VSEXMS-03.coventry.ac.uk>
so spake "Rachael Brown" (ccx110):

> I am new to sudo and when running make I keep getting the following
> error
>
> gcc -o sudo check.o env.o getspwuid.o gettime.o goodpath.o fileops.o
> find_path.o interfaces.o logging.o parse.o set_perms.o sudo.o
> sudo_edit.o tgetpass.o zero_bytes.o sudo_auth.o pam.o sudo.tab.o
> lex.yy.o alloc.o defaults.o strlcpy.o strlcat.o closefrom.o -lpam -ldl
>
> /usr/lib/gcc-lib/i486-slackware-linux/3.2.3/../../../../i486-slackware-l
> inux/bin/ld: cannot find -lpam

Do you have the pam and pam-devel packages installed? If your system doesn't use pam, you can just run configure with the --with-pam=no flag and re-run make.
 - todd

From Hullen at t-online.de  Thu Sep  4 10:14:00 2008
From: Hullen at t-online.de (Helmut Hullen)
Date: 04 Sep 2008 16:14:00 +0200
Subject: [sudo-users] makefile error
In-Reply-To: <881F54DCA3F26C4696683605F62B40220765C962@VSEXMS-03.coventry.ac.uk>
Message-ID:

Hello, Rachael,

you (ccx110) wrote on 03.09.08:

> I am new to sudo and when running make I keep getting the following
> error

> gcc -o sudo check.o env.o getspwuid.o gettime.o goodpath.o fileops.o
> find_path.o interfaces.o logging.o parse.o set_perms.o sudo.o
> sudo_edit.o tgetpass.o zero_bytes.o sudo_auth.o pam.o sudo.tab.o
> lex.yy.o alloc.o defaults.o strlcpy.o strlcat.o closefrom.o -lpam
> -ldl

> /usr/lib/gcc-lib/i486-slackware-linux/3.2.3/../../../../i486-slackwar
> e-l inux/bin/ld: cannot find -lpam
> collect2: ld returned 1 exit status

Slackware doesn't use PAM.

Why do you compile sudo? You can use a "ready for use" packet from the slackware site.

Best regards!
Helmut

From fivespeedv8 at hotmail.com  Fri Sep  5 11:10:02 2008
From: fivespeedv8 at hotmail.com (Five Speed)
Date: Fri, 5 Sep 2008 11:10:02 -0400
Subject: [sudo-users] Need to know when +netgroup and %group look-ups occur
Message-ID:

We are trying to ascertain the impact on our LDAP service if we start putting netgroup references into the sudoers file. Our netgroup table is in LDAP.

Right now, we use regular unix groups for many entries:

%usergroup1 ALL = /some/command
%usergroup2 somehost = /some/other/command

and LDAP group lookups are doing OK. If we decide to add this entry:

%usergroup3 +netgroup = /some/command

When does the netgroup lookup occur?
- Only when the executing userID is in usergroup3?
- Only when /some/command is issued via sudo?
- Always?

Also, does a Host_Alias affect the way the lookup is performed?

Host_Alias MYHOSTS = +netgroup
%usergroup3 MYHOSTS = /some/command

Is there a doc on the logic used for table lookups?
Thanks,
Lou

From kawaljeet.malviya at gmail.com  Mon Sep  8 02:27:54 2008
From: kawaljeet.malviya at gmail.com (kawaljeet kaur)
Date: Mon, 8 Sep 2008 11:57:54 +0530
Subject: [sudo-users] Sudo-1.7.0rc2 on AIX 5.3
Message-ID:

Hi All,

I have compiled Sudo-1.7.0rc2 on AIX 5.3 System, but don't seem to be getting all its proper functionality as below:

1) I am getting the below error when trying to su to root using sudo as:

# su - soetest1
$ /opt/soe/local/sudo-1.7.0rc2/bin/sudo su -
3004-505 Cannot set process environment.

I have also compiled an earlier version of Sudo on the same system, and am able to run the above command successfully with that. Please guide me with the reason behind this and its solution.

2) Also, simply putting an entry as ' ALL=(ALL) ALL' in the sudoers file does not make it prompt for a password before executing the command. Whereas the password is being prompted if I add the line ' ALL=PASSWD:ALL' instead of the above line. Please guide me with this also.

Thanks
Kawaljeet Kaur

From Todd.Miller at courtesan.com  Sat Sep 13 08:48:28 2008
From: Todd.Miller at courtesan.com (Todd C. Miller)
Date: Sat, 13 Sep 2008 08:48:28 -0400
Subject: [sudo-users] Sudo-1.7.0rc2 on AIX 5.3
In-Reply-To: Your message of "Mon, 08 Sep 2008 11:57:54 +0530."
References:
Message-ID: <200809131248.m8DCmS89007503@core.courtesan.com>

In message
so spake "kawaljeet kaur" (kawaljeet.malviya):

> I have compiled Sudo-1.7.0rc2 on AIX 5.3 System, but don't seem to be
> getting all its proper functionality as below:
>
> 1) I am getting the below error when trying to su to root using sudo as:
>
> # su - soetest1
>
> $ /opt/soe/local/sudo-1.7.0rc2/bin/sudo su -
>
> 3004-505 Cannot set process environment.

Do you have the NOEXEC tag set for user soetest1? If so, that would explain why su is unable to run a shell.
 - todd

From ccx110 at coventry.ac.uk  Mon Sep  8 10:21:23 2008
From: ccx110 at coventry.ac.uk (Rachael Brown)
Date: Mon, 8 Sep 2008 15:21:23 +0100
Subject: [sudo-users] sudoers file
Message-ID: <881F54DCA3F26C4696683605F62B4022077DCA5F@VSEXMS-03.coventry.ac.uk>

I am trying to set up a sudoers file which works in a way that if a user does sudo su he only has access to a specific directory and can run any command in that directory

Is that possible

Thanks
Rachael

From jakrainer at yahoo.com  Tue Sep  9 14:59:24 2008
From: jakrainer at yahoo.com (Jackson Afonso Krainer)
Date: Tue, 9 Sep 2008 11:59:24 -0700 (PDT)
Subject: [sudo-users] crontab -e on AIX
Message-ID: <292453.86400.qm@web52104.mail.re2.yahoo.com>

I'm trying to restrict the use of a few tools on AIX known by its shell escapes history. I started the tests with vi, crontab, less and find.

The problem is: I cannot use the command crontab -e anymore. Even if I remove vi from the list.

Does anyone know how to make it work? Is there any other way to accomplish that?

Here is the NOEXEC declaration in the sudoers file:

Cmnd_Alias NOEXCMD = /usr/bin/vi, /usr/bin/crontab, /usr/bin/less, /usr/bin/find

Any help will be greatly appreciated,

Jackson
From ccx110 at coventry.ac.uk  Wed Sep 10 10:42:16 2008
From: ccx110 at coventry.ac.uk (Rachael Brown)
Date: Wed, 10 Sep 2008 15:42:16 +0100
Subject: [sudo-users] Make file
Message-ID: <881F54DCA3F26C4696683605F62B4022077DCFA9@VSEXMS-03.coventry.ac.uk>

I have a user who needs to be able to run all the executables as root within /vista directory. The command is ./startWebCTServer.sh

He also needs access to all files within that directory but nowhere else

Can I set up a run_as alias to do this. Obviously we do not want him to have root access as he can then cause havoc on the rest of the server.

From tiagomnm at gmail.com  Sat Sep 13 19:55:23 2008
From: tiagomnm at gmail.com (Tiago Marques)
Date: Sun, 14 Sep 2008 00:55:23 +0100
Subject: [sudo-users] can't pass environment variables to sudo env
Message-ID:

Hi!

I've noticed that since sudo-1.6.8, i think, I can't pass useful environment variables like RSYNC_PROXY, ACCEPT_KEYWORDS, USE, and other stuff I use in Gentoo.

Is there any worthwhile reason for sudo to now ignore the environment variables, like security reasons? For me, this was a major loss in functionality.

Best regards,
Tiago Marques

From Todd.Miller at courtesan.com  Sat Sep 13 21:20:35 2008
From: Todd.Miller at courtesan.com (Todd C. Miller)
Date: Sat, 13 Sep 2008 21:20:35 -0400
Subject: [sudo-users] can't pass environment variables to sudo env
In-Reply-To: Your message of "Sun, 14 Sep 2008 00:55:23 BST."
References:
Message-ID: <200809140120.m8E1KZZF021068@core.courtesan.com>

In message
so spake "Tiago Marques" (tiagomnm):

> I've noticed that since sudo-1.6.8, i think, I can't pass useful environment
> variables like RSYNC_PROXY, ACCEPT_KEYWORDS, USE, and other stuff I use in
> Gentoo.
>
> Is there any worthwhile reason for sudo to now ignore the environment
> variables, like security reasons? For me, this was a major loss in
> functionality.

The default behavior was changed to not pass environment variables to the process being run by sudo. You have two basic options:

1) Restore the old behavior by placing a line like the following in sudoers.

    Defaults !env_reset

2) Add the variables you wish to keep explicitly, e.g.

    Defaults env_keep+="RSYNC_PROXY ACCEPT_KEYWORDS USE"

 - todd

From Todd.Miller at courtesan.com  Sun Sep 14 08:26:50 2008
From: Todd.Miller at courtesan.com (Todd C. Miller)
Date: Sun, 14 Sep 2008 08:26:50 -0400
Subject: [sudo-users] can't pass environment variables to sudo env
In-Reply-To: Your message of "Sun, 14 Sep 2008 02:32:23 BST."
References: <200809140120.m8E1KZZF021068@core.courtesan.com>
Message-ID: <200809141226.m8ECQoka023555@core.courtesan.com>

In message
so spake "Tiago Marques" (tiagomnm):

> The other thing I would like to know is if this was done for security
> reasons. Was it? I would like to know if there's any risk in changing this
> behavior.

Yes, it was done for security reasons. The old method was to blacklist specific environment variables that could be used to influence program behavior. However, blacklists like this are a flawed mechanism as there's no way to be sure you've caught everything. The set of programs that may be influenced by the environment is always increasing.
On a single-user workstation or a situation where all users of sudo are given "sudo ALL" this is probably not a big deal but in situations where you are trying to use sudo to restrict what a user can run it is a problem.

 - todd

From tiagomnm at gmail.com  Sat Sep 13 21:32:23 2008
From: tiagomnm at gmail.com (Tiago Marques)
Date: Sun, 14 Sep 2008 02:32:23 +0100
Subject: [sudo-users] can't pass environment variables to sudo env
In-Reply-To: <200809140120.m8E1KZZF021068@core.courtesan.com>
References: <200809140120.m8E1KZZF021068@core.courtesan.com>
Message-ID:

Ok, tks!

The other thing I would like to know is if this was done for security reasons. Was it? I would like to know if there's any risk in changing this behavior.

Best regards,
Tiago Marques

On Sun, Sep 14, 2008 at 2:20 AM, Todd C. Miller wrote:

> In message
> so spake "Tiago Marques" (tiagomnm):
>
> > I've noticed that since sudo-1.6.8, i think, I can't pass useful environment
> > variables like RSYNC_PROXY, ACCEPT_KEYWORDS, USE, and other stuff I use in
> > Gentoo.
> >
> > Is there any worthwhile reason for sudo to now ignore the environment
> > variables, like security reasons? For me, this was a major loss in
> > functionality.
>
> The default behavior was changed to not pass environment variables
> to the process being run by sudo. You have two basic options:
>
> 1) Restore the old behavior by placing a line like the following
> in sudoers.
>
> Defaults !env_reset
>
> 2) Add the variables you wish to keep explicitly, e.g.
>
> Defaults env_keep+="RSYNC_PROXY ACCEPT_KEYWORDS USE"
>
> - todd
>

From samjnaa at gmail.com  Tue Sep 16 05:28:48 2008
From: samjnaa at gmail.com (Shriramana Sharma)
Date: Tue, 16 Sep 2008 14:58:48 +0530
Subject: [sudo-users] why are my ~/.bashrc aliases not honoured by sudo ?
Message-ID: <48CF7C50.6030401@gmail.com>

Hello

I'm new to this list, and am only moderately knowledgeable technically, so please be patient with my ignorance.
In both my /home/samjnaa/.bashrc and /root/.bashrc I have the alias rm = 'rm -i' to prevent me from deleting stuff accidentally. (I can always use -f to override the -i if I'm really sure.) But I find that though both the user and root shells honour this alias, it is not honoured by sudo. See:

[samjnaa:~] cd /tmp
[samjnaa:/tmp] touch foo
[samjnaa:/tmp] rm foo
rm: remove regular empty file `foo'? n
[samjnaa:/tmp] sudo -i
[sudo] password for samjnaa:
[root:~] rm /tmp/foo
rm: remove regular empty file `/tmp/foo'? n
[root:~] exit
logout
[samjnaa:/tmp] sudo rm /tmp/foo
[samjnaa:/tmp]

Also with a sub-shell:

[samjnaa:/tmp] touch foo
[samjnaa:/tmp] sudo bash -c 'rm foo'
[samjnaa:/tmp]

I don't get it. IIRC sudo runs the command with the process's uid/gid=0. To execute the command, bash is needed anyhow. So whether bash reads the user's .bashrc or root's .bashrc, it must see and obey this alias. Why does this not happen? Does bash not see the rm command at all?

Thanks.

Shriramana Sharma.

From huaraz at moeller.plus.com  Mon Sep 15 11:32:58 2008
From: huaraz at moeller.plus.com (Markus Moeller)
Date: Mon, 15 Sep 2008 15:32:58 +0000 (UTC)
Subject: [sudo-users] Setting environment variables
Message-ID:

Is there a way to set environment variables in sudoers ? I need to set a library path with LD_LIBRARY_PATH but I don't want to take the users set variable with env_keep. Is there a sudoers command which can set an environment variable per command ?

e.g.

Env_alias ENV1 = LD_LIBRARY_PATH=/opt/app1/lib;PATH=/opt/app1/bin
OPERATORS ALL = ENV1: ALL

Markus

From samjnaa at gmail.com  Tue Sep 16 22:21:14 2008
From: samjnaa at gmail.com (Shriramana Sharma)
Date: Wed, 17 Sep 2008 07:51:14 +0530
Subject: [sudo-users] why are my ~/.bashrc aliases not honoured by sudo ?
In-Reply-To: <72BEB5391076BE4BB415DBD014CE874904A0644C@MKEXCHVS2.Mail.Fiserv.net>
References: <48CF7C50.6030401@gmail.com> <72BEB5391076BE4BB415DBD014CE874904A0644C@MKEXCHVS2.Mail.Fiserv.net>
Message-ID: <48D0699A.9040000@gmail.com>

Thanks for all your replies. However, I don't completely grok this login shell / interactive shell business. And my searches on the net for a clear explanation of the difference turned out nothing useful.

So though it would be slightly OT, could anyone please explain briefly the difference between the two?

Shriramana Sharma.

From dave.parson at daimler.com  Thu Sep 18 17:58:47 2008
From: dave.parson at daimler.com (dave.parson at daimler.com)
Date: Thu, 18 Sep 2008 14:58:47 -0700
Subject: [sudo-users] How to sudoers config - set a long list of ENV prior to running the updater as root
Message-ID:

To enable "updates" for Websphere - there is a pre-req of running a script that updates your ENV. It assumes that you run this as root, and for your login session you have these various PATH and ENV variables set to support the upgrade.

I am having trouble figuring out how to enable this via sudoers. There are two scripts to make this work:

script_set_env.sh
Updater -options - etc

We tried the command line of

sudo /../script_set_env.sh ; /../Updated - options

It stopped complaining about ENV variables not being set but there are other errors. I wonder if the above is really doing what we intended.

David

From jonathan at 23andme.com  Mon Sep 22 20:18:43 2008
From: jonathan at 23andme.com (Jonathan Hansen)
Date: Mon, 22 Sep 2008 17:18:43 -0700
Subject: [sudo-users] EAS install
Message-ID: <06D79E7B-FCE9-46D7-891A-EB0C890B863C@23andme.com>

I am trying to get an install of Enterprise Audit Shell running and several links I saw pointed to this list as appropriate to ask questions about it...
if I am wrong I apologize in advance. Would anyone know what this set of errors in the logs indicates after seeing this on the terminal:

root at rssh:/var/log# easd
root at rssh:/var/log# eash
[i] trying 127.0.0.1:5554 ... connected.
ssl error: SSL_connect
ssl error: certificate verify failed
[i] exhausted list of log servers.
root at rssh:/var/log# tail -15 messages
Sep 22 17:16:38 rssh easd[11556]: debug1: (11556) using SSLv3 encryped communication.
Sep 22 17:16:38 rssh easd[11556]: debug1: (11556) using configured ciphers: HIGH:MEDIUM
Sep 22 17:16:38 rssh easd[11556]: debug1: (11556) listening for incoming connections on port 5554.
Sep 22 17:16:38 rssh easd[11558]: easd started
Sep 22 17:16:44 rssh easd[11558]: debug1: (11558) accept(5) == 6
Sep 22 17:16:44 rssh easd[11558]: debug1: (11558) connection received from 127.0.0.1:37092
Sep 22 17:16:44 rssh easd[11558]: debug1: (11558) calling fork
Sep 22 17:16:44 rssh easd[11560]: debug1: (11560) new connection - forking child 11560
Sep 22 17:16:44 rssh easd[11560]: debug1: (11560) calling close(5)
Sep 22 17:16:44 rssh easd[11558]: debug1: (11558) calling close(6)
Sep 22 17:16:44 rssh easd[11560]: error: SSL_accept():
Sep 22 17:16:44 rssh easd[11560]: debug1: (11560) calling shutdown(6, SHUT_RDWR)
Sep 22 17:16:44 rssh easd[11560]: error: shutdown(6, SHUT_RDWR): Bad file descriptor (9)
Sep 22 17:16:44 rssh easd[11560]: debug1: (11560) calling exit(1)
Sep 22 17:16:44 rssh easd[11558]: debug1: (11558) waitpid: reaped child 11560 with a return code of 256
root at rssh:/var/log#

I have verified that the certs are in the proper place and they were generated by eas' cert generation script so I am assuming they are in the right format, though said assumption could be my issue.
Thanks,
Jonathan

From jonathan at 23andme.com  Tue Sep 23 13:35:13 2008
From: jonathan at 23andme.com (Jonathan Hansen)
Date: Tue, 23 Sep 2008 10:35:13 -0700
Subject: [sudo-users] EAS install
Message-ID: <5d3310720809231035s7972cec2r901ba72146a95548@mail.gmail.com>

I am trying to get an install of Enterprise Audit Shell running and several links I saw pointed to this list as appropriate to ask questions about it... if I am wrong I apologize in advance. Would anyone know what this set of errors in the logs indicates after seeing this on the terminal:

root at rssh:/var/log# easd
root at rssh:/var/log# eash
[i] trying 127.0.0.1:5554 ... connected.
ssl error: SSL_connect
ssl error: certificate verify failed
[i] exhausted list of log servers.
root at rssh:/var/log# tail -15 messages
Sep 22 17:16:38 rssh easd[11556]: debug1: (11556) using SSLv3 encryped communication.
Sep 22 17:16:38 rssh easd[11556]: debug1: (11556) using configured ciphers: HIGH:MEDIUM
Sep 22 17:16:38 rssh easd[11556]: debug1: (11556) listening for incoming connections on port 5554.
Sep 22 17:16:38 rssh easd[11558]: easd started
Sep 22 17:16:44 rssh easd[11558]: debug1: (11558) accept(5) == 6
Sep 22 17:16:44 rssh easd[11558]: debug1: (11558) connection received from 127.0.0.1:37092
Sep 22 17:16:44 rssh easd[11558]: debug1: (11558) calling fork
Sep 22 17:16:44 rssh easd[11560]: debug1: (11560) new connection - forking child 11560
Sep 22 17:16:44 rssh easd[11560]: debug1: (11560) calling close(5)
Sep 22 17:16:44 rssh easd[11558]: debug1: (11558) calling close(6)
Sep 22 17:16:44 rssh easd[11560]: error: SSL_accept():
Sep 22 17:16:44 rssh easd[11560]: debug1: (11560) calling shutdown(6, SHUT_RDWR)
Sep 22 17:16:44 rssh easd[11560]: error: shutdown(6, SHUT_RDWR): Bad file descriptor (9)
Sep 22 17:16:44 rssh easd[11560]: debug1: (11560) calling exit(1)
Sep 22 17:16:44 rssh easd[11558]: debug1: (11558) waitpid: reaped child 11560 with a return code of 256
root at rssh:/var/log#

I have verified that the certs are in the proper place and they were generated by eas' cert generation script so I am assuming they are in the right format, though said assumption could be my issue.

Thanks,
Jonathan

From Michael.Woerz at knv.de  Wed Sep 24 10:44:32 2008
From: Michael.Woerz at knv.de (Wörz, Michael)
Date: Wed, 24 Sep 2008 16:44:32 +0200
Subject: [sudo-users] sudo prompts for roots password
Message-ID: <200809241444.m8OEiedv014886@core.courtesan.com>

Sudo version 1.6.8p12
SUSE Linux Enterprise Server 10 SP1 (x86_64)

I've noticed this strange behavior on a couple of systems. After joining an Active Directory Domain Sudo prompts for roots password instead of the users though this is not configured

$ sudo -l
root's password:
User SPTMW01 may run the following commands on this host:
    (ALL) ALL
$grep rootpw /etc/sudoers
- nothing-

any idea
Koch, Neff & Volckmar GmbH, Schockenriedstraße 37, 70565 Stuttgart, Internet: http://www.knv.de, Amtsgericht und Sitz Stuttgart HRB 11907, Geschäftsführer: Frank Thurmann, Oliver Voerster, USt-Id-Nr. DE147816562.

From Todd.Miller at courtesan.com  Wed Sep 24 11:06:54 2008
From: Todd.Miller at courtesan.com (Todd C. Miller)
Date: Wed, 24 Sep 2008 11:06:54 -0400
Subject: [sudo-users] sudo prompts for roots password
In-Reply-To: Your message of "Wed, 24 Sep 2008 16:44:32 +0200." <200809241444.m8OEiedv014886@core.courtesan.com>
References: <200809241444.m8OEiedv014886@core.courtesan.com>
Message-ID: <200809241506.m8OF6sKa011872@core.courtesan.com>

In message <200809241444.m8OEiedv014886 at core.courtesan.com>
so spake Wörz, Michael (Michael.Woerz):

> Sudo version 1.6.8p12
> SUSE Linux Enterprise Server 10 SP1 (x86_64)
>
> I've noticed this strange behavior on a couple of systems. After joining an
> Active Directory Domain
> Sudo prompts for roots password instead of the users though this is not
> configured
> $ sudo -l
> root's password:
> User SPTMW01 may run the following commands on this host:
> (ALL) ALL
> $grep rootpw /etc/sudoers
> - nothing-

SuSE configures sudo with the "targetpw" option which means that it will prompt you for the password of the user you are running the command as. The default SuSE /etc/sudoers contains the following:

# In the default (unconfigured) configuration, sudo asks for the root password.
# This allows use of an ordinary user account for administration of a freshly
# installed system. When configuring sudo, delete the two
# following lines:
Defaults targetpw   # ask for the password of the target user i.e. root
ALL ALL=(ALL) ALL   # WARNING! Only use this together with 'Defaults targetpw'!

If you want to change to normal sudo password behavior, you should comment out both of those lines.
 - todd

From Bobby.Cox at presage-tech.com  Thu Sep 25 11:02:18 2008
From: Bobby.Cox at presage-tech.com (Bobby Cox)
Date: Thu, 25 Sep 2008 10:02:18 -0500
Subject: [sudo-users] sudo: unknown defaults entry
Message-ID:

Hello all,

I am getting the following message whenever I run a sudo command

sudo: unknown defaults entry `env_keep ' referenced near line 1

ie:

[bobbyc at swerve ~]$ sudo -l
sudo: unknown defaults entry `env_keep ' referenced near line 1
User bobbyc may run the following commands on this host:

LDAP Role: %blah
  RunAs: (ALL)
  Commands:
    ALL

Utilizing sudo via LDAP is working fine. It's just this one error that is bugging me. Here's the ldif:

# LDIF Export for: ou=SUDOers,dc=example,dc=com
# Generated by phpLDAPadmin ( http://phpldapadmin.sourceforge.net/ ) on September 25, 2008 2:56 pm
# Search Scope: sub
# Search Filter: (objectClass=*)
# Total Entries: 4

dn: ou=SUDOers,dc=example,dc=com
objectClass: organizationalUnit
objectClass: top
ou: SUDOers

dn: cn=%blah,ou=SUDOers,dc=internal.click2try,dc=com
objectClass: top
objectClass: sudoRole
sudoHost: ALL
sudoRunAs: ALL
sudoCommand: ALL
cn: %coreuser
sudoUser: %blah

dn: cn=defaults,ou=SUDOers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: defaults
description: Default sudoOption's go here
sudoOption: requiretty
sudoOption: env_reset
sudoOption: env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_C
 OLORS MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_ID
 ENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_P
 APER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"
sudoOption: ignore_local_sudoers

dn: cn=root,ou=SUDOers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: root
sudoUser: root
sudoHost: ALL
sudoRunAs: ALL
sudoCommand: ALL

Thank you for your attention to this.
--
Bobby Cox

From edwardspl at ita.org.mo Fri Sep 26 11:16:24 2008
From: edwardspl at ita.org.mo (edwardspl at ita.org.mo)
Date: Fri, 26 Sep 2008 23:16:24 +0800
Subject: [sudo-users] Problem of running rpm command line
Message-ID: <48DCFCC8.8030703@ita.org.mo>

Dear All,

How to config the sudo, then the user A who can install the rpm file by using rpm command line ?

Thanks !

Edward.

From edwardspl at ita.org.mo Fri Sep 26 12:34:50 2008
From: edwardspl at ita.org.mo (edwardspl at ita.org.mo)
Date: Sat, 27 Sep 2008 00:34:50 +0800
Subject: [sudo-users] Problem of install tarball packages
Message-ID: <48DD0F2A.8000602@ita.org.mo>

Dear All,

How to config the sudo, then allow user A to install tarball packages with FC8 System ?

Thanks !

Edward.

From edwardspl at ita.org.mo Fri Sep 26 13:10:38 2008
From: edwardspl at ita.org.mo (edwardspl at ita.org.mo)
Date: Sat, 27 Sep 2008 01:10:38 +0800
Subject: [sudo-users] Problem of install tarball packages
In-Reply-To: <3d22fc520809260940t4831952emb6fc8a07adfac7da@mail.gmail.com>
References: <48DD0F2A.8000602@ita.org.mo> <3d22fc520809260940t4831952emb6fc8a07adfac7da@mail.gmail.com>
Message-ID: <48DD178E.1050304@ita.org.mo>

Aldo Foot wrote:

>On Fri, Sep 26, 2008 at 9:34 AM, wrote:
>
>>Dear All,
>>
>>How to config the sudo, then allow user A to install tarball packages with FC8 System ?
>>
>You use the 'visudo' command to edit the /etc/sudoers files.
>Don't edit that file directly.
>
>see this /etc/sudoers sample
>http://www.gratisoft.us/sudo/sample.sudoers
>
>'rpm' is just another command you add to the allowed commands.
>so for example at the CLI: 'sudo rpm -Uvh someRpm.rpm',
>
>~af
>

Hello Aldo,

Sorry, I mean tarball packages ( NOT rpm packages )...

Thanks for your help !

Edward.
From scarville at LANDAM.com Fri Sep 26 12:43:28 2008
From: scarville at LANDAM.com (Carville, Stephen)
Date: Fri, 26 Sep 2008 12:43:28 -0400
Subject: [sudo-users] Problem of install tarball packages
In-Reply-To: <48DD0F2A.8000602@ita.org.mo>
References: <48DD0F2A.8000602@ita.org.mo>
Message-ID: <1307EC628400E94581E0EC5971B5207B5B9056@SVARIEXMB12.landam.landamerica.net>

Assuming the procedure is :

1. Extract the tar to $HOME/somewhere
2. cd to the directory
3. ./configure
4. make
5. sudo make install

Then only the last step really needs root privileges.

A ALL = (ALL) /usr/bin/make

Bear in mind this allows A to install anything he can create a make file for so he might as well have root all around...

> -----Original Message-----
> From: sudo-users-bounces at courtesan.com [mailto:sudo-users-bounces at courtesan.com] On Behalf Of edwardspl at ita.org.mo
> Sent: Friday, September 26, 2008 9:35 AM
> To: sudo-users at sudo.ws
> Cc: fedora-list at redhat.com
> Subject: [sudo-users] Problem of install tarball packages
>
> Dear All,
>
> How to config the sudo, then allow user A to install tarball packages
> with FC8 System ?
>
> Thanks !
>
> Edward.
>
> ____________________________________________________________
> sudo-users mailing list
> For list information, options, or to unsubscribe, visit:
> http://www.sudo.ws/mailman/listinfo/sudo-users
>
> No virus found in this incoming message.
> Checked by AVG - http://www.avg.com
> Version: 8.0.169 / Virus Database: 270.7.3/1693 - Release Date: 9/26/2008 7:35 AM

From edwardspl at ita.org.mo Fri Sep 26 13:37:19 2008
From: edwardspl at ita.org.mo (edwardspl at ita.org.mo)
Date: Sat, 27 Sep 2008 01:37:19 +0800
Subject: [sudo-users] Problem of install tarball packages
In-Reply-To: <1307EC628400E94581E0EC5971B5207B5B9056@SVARIEXMB12.landam.landamerica.net>
References: <48DD0F2A.8000602@ita.org.mo> <1307EC628400E94581E0EC5971B5207B5B9056@SVARIEXMB12.landam.landamerica.net>
Message-ID: <48DD1DCF.2090105@ita.org.mo>

Carville, Stephen wrote:

>Assuming the procedure is :
>
>1. Extract the tar to $HOME/somewhere
>
>2. cd to the directory
>
>3. ./configure
>

Hello,

I just tried the procedure ( step 3 ) :

[svradmin at svr1 proftpd-1.3.0a]$ ./configure --prefix=/usr/local/proftpd
./configure: line 88: conf4161.sh: Permission denied
./configure: line 89: conf4161.sh: Permission denied
chmod: cannot access `conf4161.sh': No such file or directory
./configure: line 201: conf4161.file: Permission denied
./configure: line 1266: config.log: Permission denied
[svradmin at svr1 proftpd-1.3.0a]$

So, how to fix the problem ( Permission denied ) ?
Maybe I need to change the owner of "/usr/local" directory belong to "svradmin" user ?

Any solution for it ?

Thanks !

Edward.
From scarville at LANDAM.com Fri Sep 26 13:57:25 2008
From: scarville at LANDAM.com (Carville, Stephen)
Date: Fri, 26 Sep 2008 13:57:25 -0400
Subject: [sudo-users] Problem of install tarball packages
In-Reply-To: <48DD1DCF.2090105@ita.org.mo>
References: <48DD0F2A.8000602@ita.org.mo> <1307EC628400E94581E0EC5971B5207B5B9056@SVARIEXMB12.landam.landamerica.net> <48DD1DCF.2090105@ita.org.mo>
Message-ID: <1307EC628400E94581E0EC5971B5207B5B9149@SVARIEXMB12.landam.landamerica.net>

> -----Original Message-----
> From: edwardspl at ita.org.mo [mailto:edwardspl at ita.org.mo]
> Sent: Friday, September 26, 2008 10:37 AM
> To: Carville, Stephen
> Cc: sudo-users at sudo.ws
> Subject: Re: [sudo-users] Problem of install tarball packages
>
> Hello,
>
> I just tried the procedure ( step 3 ) :
>
> [svradmin at svr1 proftpd-1.3.0a]$ ./configure --prefix=/usr/local/proftpd
>
> ./configure: line 88: conf4161.sh: Permission denied
> ./configure: line 89: conf4161.sh: Permission denied
> chmod: cannot access `conf4161.sh': No such file or directory
> ./configure: line 201: conf4161.file: Permission denied
> ./configure: line 1266: config.log: Permission denied
> [svradmin at svr1 proftpd-1.3.0a]$
>
> So, how to fix the problem ( Permission denied ) ?
> May be I need to change the owner of "/usr/local" directory belong to
> "svradmin" user ?
>
> Any solution for it ?

I looked over the configure file for 1.3.1 and I didn't see anything out of the ordinary. My best guess is svradmin doesn't have write permission to the directory you extracted the tar.gz file to or you extracted it as a different user.

--
Stephen Carville
Systems Engineer
Land America
1.626.667.1450 X1326
#####################################################################
That which does not kill us often hurts us a lot.
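Added example (not part of any message in this thread, and not sudo project code): a small Python check over a simplified sudoers text that flags the two situations discussed above, the SuSE `ALL ALL=(ALL) ALL` line with or without `Defaults targetpw`, and a rule such as `A ALL = (ALL) /usr/bin/make` that is root-equivalent. The sample text, user B, the function name audit and the RUNS_CALLER_CODE list are assumptions made for illustration; aliases and line continuations are not handled.

```python
import re

# Constructed sample: the SuSE default lines and the make rule quoted in the
# thread, plus one harmless rule (user B and lpq are hypothetical).
SAMPLE = """\
Defaults targetpw   # ask for the password of the target user i.e. root
ALL ALL=(ALL) ALL   # WARNING! Only use this together with 'Defaults targetpw'!
A ALL = (ALL) /usr/bin/make
B ALL = (ALL) /usr/bin/lpq
"""

# Assumption: illustrative list of programs that execute caller-supplied code
# (makefile recipes, rpm scriptlets, shells). Extend it for your own systems.
RUNS_CALLER_CODE = {"make", "rpm", "sh", "bash", "csh", "tcsh"}

# user host = (runas) commands; single-line rules only, aliases not expanded
RULE = re.compile(r"^(\S+)\s+([^\s=]+)\s*=\s*(?:\(([^)]*)\)\s*)?(.+)$")

def audit(text):
    """Return sorted (line_no, finding) pairs for a simplified sudoers text."""
    findings, targetpw, open_rule = [], False, None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # simplification: '#' = comment
        if line.startswith("Defaults"):
            opts = re.split(r"[,\s]+", line[len("Defaults"):].strip())
            targetpw = targetpw or "targetpw" in opts
            continue
        m = RULE.match(line)
        if not m:
            continue
        user, _host, runas, cmds = m.groups()
        as_root = runas is None or bool(re.search(r"\b(ALL|root)\b", runas))
        for cmd in (c.strip() for c in cmds.split(",")):
            if not cmd or cmd.startswith("!") or not as_root:
                continue
            name = cmd.split()[0].rsplit("/", 1)[-1]
            if cmd == "ALL" and user == "ALL":
                open_rule = no
            elif name in RUNS_CALLER_CODE:
                findings.append((no, f"{user}: {name} as root is root-equivalent"))
    if open_rule is not None:
        gate = ("gated by the target user's password (targetpw)" if targetpw
                else "NOT gated by targetpw: any user can run anything as root")
        findings.append((open_rule, "ALL ALL=(ALL) ALL " + gate))
    return sorted(findings)

if __name__ == "__main__":
    for no, msg in audit(SAMPLE):
        print(f"line {no}: {msg}")
```

Commenting out only the `Defaults targetpw` line and leaving `ALL ALL=(ALL) ALL` in place is the case the check reports as not gated.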
From Marylou.Kohlmeier at canyons.edu Fri Sep 26 13:28:48 2008
From: Marylou.Kohlmeier at canyons.edu (Kohlmeier, Marylou)
Date: Fri, 26 Sep 2008 10:28:48 -0700
Subject: [sudo-users] SUDO for HP-UX 11.23
Message-ID: <3CF163158B00244D8E1581BF5F5C05B3056D16AD@exchange1.Staff.Canyons.edu>

How do you install SUDO on an Itanium RX7640 HP-UX 11.23?

I have done the following:

1. Downloaded SUDO (sudo-1.6.9p17)
2. Unzipped the file to /usr/local/bin/sudo

Any assistance will be appreciated,

Marylou

From ebradley4 at csc.com Fri Sep 26 14:41:47 2008
From: ebradley4 at csc.com (Eric Bradley)
Date: Fri, 26 Sep 2008 13:41:47 -0500
Subject: [sudo-users] SUDO for HP-UX 11.23
In-Reply-To: <3CF163158B00244D8E1581BF5F5C05B3056D16AD@exchange1.Staff.Canyons.edu>
Message-ID:

Marylou,

You can go to HP's Internet Express and get the HP tested and compiled for HP-UX 11.23 on Itanium version of sudo at the following site for free:

https://h20392.www2.hp.com/portal/swdepot/try.do?productNumber=HPUXIEXP1123

You'll find sudo in the pull down menu. It comes across in HP-UX depot format so it's just a simple swinstall after that once you get the depot on the server.

-Ric Bradley

"Kohlmeier, Marylou"
Sent by: sudo-users-bounces at courtesan.com
09/26/2008 12:28 PM
To
cc
Subject [sudo-users] SUDO for HP-UX 11.23

How do you install SUDO on an Itanium RX7640 HP-UX 11.23?

I have done the following:

1. Downloaded SUDO (sudo-1.6.9p17)
2.
Unzipped the file to /usr/local/bin/sudo

Any assistance will be appreciated,

Marylou

____________________________________________________________
sudo-users mailing list
For list information, options, or to unsubscribe, visit:
http://www.sudo.ws/mailman/listinfo/sudo-users

From gibrongib at gmail.com Sat Sep 27 14:41:11 2008
From: gibrongib at gmail.com (video studio)
Date: Sat, 27 Sep 2008 13:41:11 -0500
Subject: [sudo-users] sudo must be setuid root
Message-ID:

sudo must be setuid root
how can i fix this please

From Bobby.Cox at presage-tech.com Sun Sep 28 19:35:19 2008
From: Bobby.Cox at presage-tech.com (Bobby Cox)
Date: Sun, 28 Sep 2008 18:35:19 -0500
Subject: [sudo-users] sudo must be setuid root
Message-ID: <87708F598615BE43BE4098ACC0F85DF14529DF5A32@corp1.presage-tech.com>

chmod u+s and make sure the sudo binary is owned by root.

--
Bobby

On Sep 28, 2008, at 8:40, "video studio" wrote:

> sudo must be setuid root
> how can i fix this please
> ____________________________________________________________
> sudo-users mailing list
> For list information, options, or to unsubscribe, visit:
> http://www.sudo.ws/mailman/listinfo/sudo-users