From andy at hazlorealidad.com Sun Aug 2 16:08:04 2009
From: andy at hazlorealidad.com (Andy Bailey)
Date: Sun, 02 Aug 2009 15:08:04 -0500
Subject: [sudo-users] less
Message-ID: <1249243684.13147.336.camel@localhost.localdomain>

Hello,

I know it's not really a sudo question, but I imagine that someone on the list must have come across this: is there a secure less command that doesn't let the user escape to the shell or open another file?

I want to let the user view log files. I know I could do it with standard file permissions, but I wanted to log administrative activity using sudo.

Thanks in advance

Andy Bailey

From keith.wire at earthlink.net Sun Aug 2 12:10:35 2009
From: keith.wire at earthlink.net (Keith Wire)
Date: Sun, 2 Aug 2009 12:10:35 -0400 (GMT-04:00)
Subject: [sudo-users] Error: sudo: no tty present and no askpass program specified
Message-ID: <20919844.1249229435604.JavaMail.root@mswamui-cedar.atl.sa.earthlink.net>

Hi all,

I'm running Fedora 10. Here is what uname -a says:

    Linux localhost.localdomain 2.6.27.25-170.2.72.fc10.x86_64 #1 SMP Sun Jun 21 18:39:34 EDT 2009 x86_64 x86_64 x86_64 GNU/Linux

I have a QT 4.5.1 program that I wrote that I was using QProcess to shell out and call a perl script using sudo. This worked for several months, but after installing some update (I don't know which update caused the problem.)...

Here is the command I am running:

    perlProcess.start( "sudo", args, QIODevice::ReadWrite );

Here are the args:

    args= ("/usr/local/bin/zmpkg.pl", "status")

Now when it runs I am getting this error:

    sudo: no tty present and no askpass program specified

When I first set this up I edited the sudo configuration file with visudo and commented out "Default requiretty". It is still commented out...

I can still execute the command in a terminal window, but for the life of me, I can't get this to work from my application.

Any and all ideas would be appreciated.
Keith

From Todd.Miller at courtesan.com Mon Aug 3 10:43:04 2009
From: Todd.Miller at courtesan.com (Todd C. Miller)
Date: Mon, 03 Aug 2009 10:43:04 -0400
Subject: [sudo-users] Error: sudo: no tty present and no askpass program specified
In-Reply-To: Your message of "Sun, 02 Aug 2009 12:10:35 EDT." <20919844.1249229435604.JavaMail.root@mswamui-cedar.atl.sa.earthlink.net>
References: <20919844.1249229435604.JavaMail.root@mswamui-cedar.atl.sa.earthlink.net>
Message-ID: <200908031443.n73Eh4SP003848@core.courtesan.com>

Recent versions of sudo will refuse to prompt for a password if no tty is present, since it is not possible to turn off echo in this case. You can restore the old behavior with a line like:

    Defaults visiblepw

in sudoers. However, since you have X windows available you could use a graphical prompter instead. Sudo doesn't come with its own but it is possible to use the ssh one. To do this, either set the SUDO_ASKPASS environment variable or the "askpass" setting in sudoers to something like /usr/libexec/openssh/ssh-askpass.

 - todd

From alexandresumare at hotmail.com Mon Aug 3 22:42:39 2009
From: alexandresumare at hotmail.com (alexandre oliveira)
Date: Tue, 4 Aug 2009 02:42:39 +0000
Subject: [sudo-users] less
In-Reply-To: <1249243684.13147.336.camel@localhost.localdomain>
References: <1249243684.13147.336.camel@localhost.localdomain>
Message-ID:

You can let users use /bin/cat to view logfiles. So, they can use:

    sudo cat /var/log/logfile | less

_______________________
Alexandre

> From: andy at hazlorealidad.com
> To: sudo-users at sudo.ws
> Date: Sun, 2 Aug 2009 15:08:04 -0500
> Subject: [sudo-users] less
>
> Hello,
>
> I know it's not really a sudo question, but I imagine that someone on the
> list must have come across this: is there a secure less command that
> doesn't let the user escape to the shell or open
> another file?
>
> I want to let the user view log files. I know I could do it with
> standard file permissions, but I wanted to log administrative activity
> using sudo.
>
> Thanks in advance
>
> Andy Bailey
>
> ____________________________________________________________
> sudo-users mailing list
> For list information, options, or to unsubscribe, visit:
> http://www.sudo.ws/mailman/listinfo/sudo-users

From Hullen at t-online.de Tue Aug 4 02:22:00 2009
From: Hullen at t-online.de (Helmut Hullen)
Date: 04 Aug 2009 08:22:00 +0200
Subject: [sudo-users] less
In-Reply-To:
Message-ID:

Hello, alexandre,

you wrote on 04.08.09:

>> I want to let the user view log files. I know I could do it with
>> standard file permissions, but I wanted to log administrative
>> activity using sudo.

> You can let users use /bin/cat to view logfiles. So, they can use:

> sudo cat /var/log/logfile | less

[full quote and top post repaired]

What about

    sudo less /var/log/logfile

"less" doesn't need "cat".

Best regards!
Helmut

From andy at hazlorealidad.com Tue Aug 4 07:53:42 2009
From: andy at hazlorealidad.com (Andy Bailey)
Date: Tue, 04 Aug 2009 06:53:42 -0500
Subject: [sudo-users] less
In-Reply-To:
References:
Message-ID: <1249386822.13147.464.camel@localhost.localdomain>

On Tue, 2009-08-04 at 08:22 +0200, Helmut Hullen wrote:
> Hello, alexandre,
>
> you wrote on 04.08.09:
>
> >> I want to let the user view log files. I know I could do it with
> >> standard file permissions, but I wanted to log administrative
> >> activity using sudo.
>
> > You can let users use /bin/cat to view logfiles. So, they can use:
> > sudo cat /var/log/logfile | less
>
> What about
>
> sudo less /var/log/logfile
>
> "less" doesn't need "cat".
Thanks Matthew, alexandre and helmut

I just spotted that as well as compiling less in secure mode you can set an environment variable for less. (Oops, I did read the man page for less, honest, but just not all of it, and I was looking for a command line option, not an environment variable. That's my excuse and I'm sticking to it!)

I also spotted that you can do (at least in the bash shell)

    export LESSSECURE=1
    typeset -r LESSSECURE

alexandre's cat ... | less solution is a good workaround, so that the less process is running as the user and not root, but I'm not sure how much less can buffer up in the case of a large logfile and needing to scroll backwards towards the start.

At the moment I have

    the_user ALL=NOEXEC: /usr/bin/less /var/log/messages

The final question is: how can I enforce that the LESSSECURE environment variable is set to 1 in the sudoers file for the less command, and that the user can't override this setting using sudo -E?

Thanks in advance

Andy Bailey

From alexandresumare at hotmail.com Tue Aug 4 18:47:07 2009
From: alexandresumare at hotmail.com (alexandre oliveira)
Date: Tue, 4 Aug 2009 22:47:07 +0000
Subject: [sudo-users] FW: less
In-Reply-To:
References:
Message-ID:

Viele,

I think that it is not a good idea. The command less allows users to escape to the shell. So, it is not secure. Try to avoid using any command that allows escaping to the shell, like vi, more, less.

Using the command cat, the user has the privilege to read the file as root, but he/she executes the command less as a regular userID.

_______________________
Alexandre

> Date: Tue, 4 Aug 2009 08:22:00 +0200
> From: Hullen at t-online.de
> To: sudo-users at sudo.ws
> Subject: Re: [sudo-users] less
>
> Hello, alexandre,
>
> you wrote on 04.08.09:
>
> >> I want to let the user view log files. I know I could do it with
> >> standard file permissions, but I wanted to log administrative
> >> activity using sudo.
>
> > You can let users use /bin/cat to view logfiles.
> So, they can use:
> > sudo cat /var/log/logfile | less
>
> [full quote and top post repaired]
>
> What about
>
> sudo less /var/log/logfile
>
> "less" doesn't need "cat".
>
> Best regards!
> Helmut

From jespasac at minibofh.org Wed Aug 5 03:49:47 2009
From: jespasac at minibofh.org (Jordi Espasa Clofent)
Date: Wed, 05 Aug 2009 09:49:47 +0200
Subject: [sudo-users] Deny all command on /var/log/sudolog
Message-ID: <4A79399B.6000902@minibofh.org>

Hi list,

I've LDAP+sudo working like a charm. The sudo configuration of the user ivan is:

    # sudo -l
    Password:
    User ivan may run the following commands on this host:

    LDAP Role: hosting_sat
        Commands:
            !/usr/bin/su
            /usr/bin*
            /usr/sbin/vipw
            /usr/sbin/chown
            /usr/sbin/pkg_info
            /sbin/ipfw
            /usr/local/bin*
            /usr/local/sbin/apachectl
            /usr/sbin/rmuser
            !/bin/csh
            !/bin/tcsh
            /usr/local/etc/rc.d/apache2
            /usr/local/etc/rc.d/pure-ftpd
            /usr/local/sbin/pure-ftpwho
            /usr/local/sbin/postcat
            /usr/local/etc/rc.d/postfix
            !/bin/su
            /sbin/ifconfig
            /usr/sbin/apache2ctl

I want to deny all possible operations on /var/log/sudolog. I've tried (without success) the next combinations/syntax:

    !ALL /var/log/sudolog
    * /var/log/sudo/log

I've even tried to modify the /usr/bin* entry to

    /usr/bin* !/var/log/sudolog

How to do it?
-- 
Thanks,
Jordi Espasa Clofent

From jespasac at minibofh.org Wed Aug 5 11:34:57 2009
From: jespasac at minibofh.org (Jordi Espasa Clofent)
Date: Wed, 05 Aug 2009 17:34:57 +0200
Subject: [sudo-users] Deny all command on /var/log/sudolog
In-Reply-To:
References: <4A79399B.6000902@minibofh.org>
Message-ID: <4A79A6A1.3020105@minibofh.org>

Edward Capriolo escribió:
> With your sudo configuration it does not seem like you can since you
> are using wild card configurations a user can sudo any program like
> vi. I use this type of configuration on trusted administrators. I
> would suggest doing a remote syslog. This way no one will be able to
> change the syslog audit trail.

Yes. It's an option.

-- 
Thanks,
Jordi Espasa Clofent

From tony.chamberlain at lemko.com Wed Aug 5 16:17:24 2009
From: tony.chamberlain at lemko.com (tony.chamberlain at lemko.com)
Date: Wed, 05 Aug 2009 20:17:24 +0000
Subject: [sudo-users] restricting users
Message-ID:

They asked me to do something so that if this happens:

    $ sudo ls
    Password:
    Sorry, try again.
    Password:
    Sorry, try again.
    Password:
    Sorry, try again.
    sudo: 3 incorrect password attempts

maybe twice, then the next time it either just locks up or says something like "too many password attempts. You are blocked for 2 hours". Any way to do this?

On a similar note, using visudo I put

    Defaults insults

which is supposed to insult you when you enter a wrong password, but it is still saying "Sorry, try again.". Do you know why?

From tony.chamberlain at lemko.com Wed Aug 5 20:26:33 2009
From: tony.chamberlain at lemko.com (tony.chamberlain at lemko.com)
Date: Thu, 06 Aug 2009 00:26:33 +0000
Subject: [sudo-users] restricting users
Message-ID:

In other words, I can't make it so it denies them for a time?

-----Original Message-----
From: Stier, Matthew [mailto:Matthew.Stier at us.fujitsu.com]
Sent: Wednesday, August 5, 2009 04:50 PM
To: tony.chamberlain at lemko.com
Subject: RE: [sudo-users] restricting users

Welcome to a denial of service attack.
Step away from your keyboard for a few minutes, and mischievous hands will have you locked out of sudo.

I've always preferred Sun Microsystems' choice on this matter. Failed logins take 45 seconds to exit. Quick enough for interactive users, but it drastically slows down program attacks.

-----Original Message-----
From: sudo-users-bounces at courtesan.com [mailto:sudo-users-bounces at courtesan.com] On Behalf Of tony.chamberlain at lemko.com
Sent: Wednesday, August 05, 2009 4:17 PM
To: sudo
Subject: [sudo-users] restricting users

From Pat.Morgan at bcbsfl.com Mon Aug 10 09:54:09 2009
From: Pat.Morgan at bcbsfl.com (Morgan, Pat)
Date: Mon, 10 Aug 2009 09:54:09 -0400
Subject: [sudo-users] Sudo version 1.7.2
Message-ID:

Does anyone have experience using the -i with this new version of sudo? It seems the only way for me to source the user's .profile is to have /usr/bin/ksh in the /etc/sudoers file for the command. I obviously do not want to add /usr/bin/ksh among the commands to run as a particular user because I could easily become that user by typing "sudo -u username /usr/bin/ksh" and then run whatever I want.
I have noticed that when I add /usr/bin/ksh to the sudoers file, what it effectively does is an "su - username -c command".

Thanks,
Pat

From lists at deksai.com Tue Aug 11 13:08:52 2009
From: lists at deksai.com (Chris)
Date: Tue, 11 Aug 2009 13:08:52 -0400
Subject: [sudo-users] sudo+ldap ignores env_keep
Message-ID: <20090811170851.GA23296@chris-laptop.a2hosting.com>

I've been playing with ldap and sudo, but I can't seem to make env_keep actually keep anything. Using syntax that I see come from the sudoers2ldap script, I would add something like:

    sudoOption: env_keep += "SSH_AUTH_SOCK"

but this gives the error "sudo: unknown defaults entry `env_keep ' referenced near line 1".

It looks like it may be unhappy about the space after the name? If I change it to something like

    sudoOption: env_keep+=SSH_AUTH_SOCK

or

    sudoOption: env_keep+="SSH_AUTH_SOCK"

I get no error, but it does nothing. Are there some strange quirks with syntax that I am missing? Is there some other rule that env_keep is dependent on other than env_reset?

I'm using version 1.7.2p1.
Thanks,
Chris

From lists at deksai.com Tue Aug 11 17:15:13 2009
From: lists at deksai.com (Chris)
Date: Tue, 11 Aug 2009 17:15:13 -0400
Subject: [sudo-users] sudo+ldap ignores env_keep
In-Reply-To: <20090811170851.GA23296@chris-laptop.a2hosting.com>
References: <20090811170851.GA23296@chris-laptop.a2hosting.com>
Message-ID: <20090811211513.GA5647@chris-laptop.a2hosting.com>

> If I change it to something like
> sudoOption: env_keep+=SSH_AUTH_SOCK
> or
> sudoOption: env_keep+="SSH_AUTH_SOCK"
>
> I get no error, but it does nothing.
>
> I'm using version 1.7.2p1.

Scratch that. I had undone one too many changes in vim, and the RPM spec was using the centos source file for 1.6.9p17. Once compiled with version 1.7.2p1 it worked fine. I guess I can't complain about sudo not figuring out my environment when I have trouble doing it myself :P

So, the Centos one didn't work, but that isn't relevant here. The new one is working fine. Sorry for the spam!

Chris

From jespasac at minibofh.org Wed Aug 12 06:42:49 2009
From: jespasac at minibofh.org (Jordi Espasa Clofent)
Date: Wed, 12 Aug 2009 12:42:49 +0200
Subject: [sudo-users] mysqldump without sh -c ?
Message-ID: <4A829CA9.6020804@minibofh.org>

Hi all,

My workmates in the support department very often need to make dumps and restores of MySQL customer databases; because of it, I've given them access to the /bin/sh binary, so they can execute the next commands:

    $ sudo sh -c "mysqldump --opt -u user -ppassword > /path/backup_db/backup.sql"
    $ sudo sh -c "mysql -u -ppassword> < /parh/backup_db/backup.sql"

Unfortunately, they can do a simple:

    $ sudo sh -c "su"

or any other command using "sudo sh -c ".

Any workaround to avoid this?

-- 
Thanks,
Jordi Espasa Clofent

From Todd.Miller at courtesan.com Wed Aug 12 08:43:03 2009
From: Todd.Miller at courtesan.com (Todd C. Miller)
Date: Wed, 12 Aug 2009 08:43:03 -0400
Subject: [sudo-users] mysqldump without sh -c ?
In-Reply-To: Your message of "Wed, 12 Aug 2009 12:42:49 +0200."
<4A829CA9.6020804@minibofh.org>
References: <4A829CA9.6020804@minibofh.org>
Message-ID: <200908121243.n7CCh3fx002181@core.courtesan.com>

If the only reason you are using sudo for this is to write to /parh/backup_db/backup.sql, why not just make the file (or directory) writable by a group that the support people are in? Then you wouldn't need to use sudo at all...

 - todd

From jespasac at minibofh.org Wed Aug 12 11:53:24 2009
From: jespasac at minibofh.org (Jordi Espasa Clofent)
Date: Wed, 12 Aug 2009 17:53:24 +0200
Subject: [sudo-users] mysqldump without sh -c ?
In-Reply-To: <200908121243.n7CCh3fx002181@core.courtesan.com>
References: <4A829CA9.6020804@minibofh.org> <200908121243.n7CCh3fx002181@core.courtesan.com>
Message-ID: <4A82E574.8020104@minibofh.org>

Todd C. Miller escribió:
> If the only reason you are using sudo for this is to write to
> /parh/backup_db/backup.sql, why not just make the file (or directory)
> writable by a group that the support people are in? Then you
> wouldn't need to use sudo at all...
>
> - todd

Yes. My main problem is I've configured sudo to allow all and restrict only some commands, and the more secure (and correct) policy should be to deny all by default and allow the needed commands only. I'm working on this now.

-- 
Thanks,
Jordi Espasa Clofent

From jespasac at minibofh.org Thu Aug 13 04:53:43 2009
From: jespasac at minibofh.org (Jordi Espasa Clofent)
Date: Thu, 13 Aug 2009 10:53:43 +0200
Subject: [sudo-users] Debian problem or sudo config?
Message-ID: <4A83D497.8060502@minibofh.org>

Hi all,

I'm using LDAP+sudo as accounting server. The clients are FreeBSD (sudo 1.6.9 from the ports tree) and Debian Lenny GNU/Linux (1.7.1 compiled from sources... Debian packages suck).

Normally the users belong to one SUDOers group only, but in some special cases I need to create another group for concrete boxes (the sudoHost is the key). For example, the user 'jordi' belongs to the "hosting_prog" and "preproduccio" groups.
The preproduccio group is a special group with a list of sudoHost entries which includes FreeBSD and Debian boxes.

// In FreeBSD

    %sudo -l
    Password:
    User jordi may run the following commands on this host:

    LDAP Role: hosting_prog
        Commands:
            /usr/bin*
            /bin*
            !/usr/bin/su
            !/bin/csh
            !/bin/tcsh
            /usr/sbin/chown
            /usr/local/sbin/apachectl
            /usr/local/etc/rc.d/*
            !/bin/su

    LDAP Role: preproduccio
        Commands:
            ALL

    %sudo su
    # whoami
    root

As you can see, the client (a FreeBSD machine, which is a host defined in the preproduccio SUDOers group) knows that user 'jordi' has ALL commands available on this host, and all works fine. But on another host (xen-ad0003, which is also in the preproduccio group):

// In Debian Lenny GNU/Linux

    jordi at xen-ad0003:~$ sudo -l
    Password:
    Matching Defaults entries for jordi on this host:
        ignore_dot, !mail_no_user, log_host, logfile=/var/log/sudolog, !syslog, timestamp_timeout=10, insults

    Runas and Command-specific defaults for jordi:

    User jordi may run the following commands on this host:
        (root) /usr/bin*, /bin*, !/usr/bin/su, !/bin/csh, !/bin/tcsh, /usr/sbin/chown, /usr/local/sbin/apachectl, /usr/local/etc/rc.d/*, !/bin/su
        (root) ALL

    jordi at xen-ad0003:~$ sudo su
    Sorry, user jordi is not allowed to execute '/bin/su' as root on xen-ad0003.

The client (xen-ad0003) doesn't make any distinction and always takes the first group! I've no idea why this happens. My first reaction has been to check the PAM parameters, but all seems fine. Maybe some compilation flag on the Debian machines?

-- 
Thanks,
Jordi Espasa Clofent

From Todd.Miller at courtesan.com Thu Aug 13 09:16:09 2009
From: Todd.Miller at courtesan.com (Todd C. Miller)
Date: Thu, 13 Aug 2009 09:16:09 -0400
Subject: [sudo-users] Sudo version 1.7.2
In-Reply-To: Your message of "Mon, 10 Aug 2009 09:54:09 EDT."
References:
Message-ID: <200908131316.n7DDG9F2003490@core.courtesan.com>

In message so spake "Morgan, Pat" (Pat.Morgan):

> Does anyone have experience using the -i with this new version of sudo?
> It seems the only way for me to source the user's .profile is to have
> /usr/bin/ksh in the /etc/sudoers file for the command. I obviously do
> not want to add /usr/bin/ksh among the commands to run as a particular
> user because I could easily become that user by typing "sudo -u username
> /usr/bin/ksh" and then run whatever I want. I have noticed that when I
> add /usr/bin/ksh to the sudoers file that what it effectively does is to
> do an "su - username -c command"

Yes, the only way to run a command and have the user's .profile etc. sourced is to run the command through a login shell, which is what "sudo -i command" does. You can still give users explicit access to a command this way. E.g.

    todd ALL=(operator) /usr/bin/ksh -c dump

would allow user todd to run "sudo -i dump". Note that in this case it is the shell and not sudo that will search the path for the dump command. Since this is a login shell, the PATH used will be what the .profile sets.

 - todd

From megadethpaw at hotmail.co.uk Thu Aug 27 05:23:17 2009
From: megadethpaw at hotmail.co.uk (megadethpaw megadethpaw)
Date: Thu, 27 Aug 2009 09:23:17 +0000
Subject: [sudo-users] Sudo and setting current environment variables
Message-ID:

Hi,

I want to use sudo to run some tasks as a different user without having to supply a password. I've done this many times before without problem using different commands I want to run, but the one I want to use now has me stumped.

At the moment I log into a unix server and at the command prompt type the following:

    . ./senv.cfg ; db.status

This sets the current environment variables to point to areas where DBs are kept; db.status then tells me if they are up or down.

I have managed to set up sudo to allow the following command:

    /usr/bin/su -c . ./senv.cfg; db.status

but I would prefer to be able to use sudo and the -u parameter to specify the unix user and just run the two commands after the "-c" of the su.
I have sudo 1.6.9p12 and 1.7.1 installed on my server so I can use commands applicable to either if need be.

Thanks for any assistance you can provide.

Jeff

From caseiro.philippe at gmail.com Mon Aug 31 06:16:59 2009
From: caseiro.philippe at gmail.com (Philippe Caseiro)
Date: Mon, 31 Aug 2009 12:16:59 +0200
Subject: [sudo-users] sudo + AIX + LDAP
Message-ID: <790b63e00908310316y6a75a411td26cd2dab172277b@mail.gmail.com>

Hello

I'm trying to use sudo with the ldap configuration on my AIX 5.3 and 5.2 servers. I have read the ldap readme file, and I have created /etc/ldap.conf with the correct configuration from my "linux servers". But it doesn't work.

Does somebody have a howto or any idea about configuring sudo to check rules from an LDAP server on an AIX host?

Thanks all.

-- 
Philippe Caseiro
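The wrapper below is an added example, not a message from this thread or code from the sudo project. It takes up Andy Bailey's unanswered question in the "less" thread: instead of granting less itself, sudoers grants a fixed-argument wrapper that forces LESSSECURE=1 and a minimal environment, so nothing the caller preserves with "sudo -E" reaches the root-owned viewer; the same "wrapper with hard-coded arguments instead of sh -c" pattern is what Jordi's mysqldump question calls for. The install path /usr/local/sbin/viewlog, the sudoers line in the comment and the use of /var/log as the only allowed directory are assumptions; the path check goes beyond the single /var/log/messages in the thread and also rejects symlinks and ".." tricks.

```sh
#!/bin/sh
# viewlog: fixed-argument wrapper installed (assumption) as /usr/local/sbin/viewlog
# and granted in sudoers instead of less itself, e.g.:
#     the_user ALL=/usr/local/sbin/viewlog
# Do not add NOEXEC to that line: the wrapper has to exec less. LESSSECURE=1
# removes less's !, |, :e, v and log-file commands, and env -i discards
# anything the caller preserved with "sudo -E" (LESSOPEN, LESSCLOSE, LESS,
# a modified PATH). Constructed example, not from the thread.

# allowed_log_path ROOT PATH
# Prints the canonical path and returns 0 if PATH names an existing regular
# file, is not itself a symlink, and resolves to somewhere under ROOT
# (ROOT is expected to be canonical already). Returns 1 otherwise.
allowed_log_path() {
    root=$1 path=$2
    case $path in
        ''|..|../*|*/..|*/../*) return 1 ;;     # empty or a ".." component
    esac
    [ -L "$path" ] && return 1                  # final component is a symlink
    [ -f "$path" ] || return 1                  # must be a regular file
    # Resolve directory symlinks with pwd -P, then reattach the file name.
    dir=$(cd "$(dirname -- "$path")" 2>/dev/null && pwd -P) || return 1
    canon=$dir/$(basename -- "$path")
    case $canon in
        "$root"/*) printf '%s\n' "$canon"; return 0 ;;
    esac
    return 1
}

# view_log ROOT PATH: validate, then replace this process with less running
# in secure mode under a minimal, fully controlled environment.
view_log() {
    canon=$(allowed_log_path "$1" "$2") || {
        printf 'viewlog: refusing to open %s\n' "$2" >&2
        return 1
    }
    exec /usr/bin/env -i PATH=/usr/bin:/bin TERM="${TERM:-dumb}" \
        LESSSECURE=1 /usr/bin/less -- "$canon"
}

# Run only when invoked with an argument (sudo viewlog /var/log/messages).
if [ $# -gt 0 ]; then
    view_log /var/log "$1"
fi
```

Because sudo logs the wrapper invocation with its argument, the administrative-activity audit trail Andy wanted is kept, while the user never gets a root-owned less that can escape.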