From robert.maxwell at ie.ibm.com Tue Dec 8 12:08:45 2009
From: robert.maxwell at ie.ibm.com (Robert Maxwell)
Date: Tue, 8 Dec 2009 17:08:45 +0000
Subject: [sudo-users] Sudo and Group Changes
Message-ID:

Hi Guys,

I was asked by a team member to go and see if I could break sudo, and I think I have uncovered what may be a security violation within sudo.

If I create 2 groups, one called test, and the other called beatles. Now in the sudoers file I have the following lines:

%test ALL= /usr/bin/write
%beatles ALL=/usr/bin/more

Now if I have 2 users, one in each; for the sake of things, a user called paul is a part of the beatles group, and a user called testy is part of the test group. Under testy, if I do a sudo -l I get the output that testy can run the write command, and the same for paul: he can only run the more command.

If I go into a new terminal, edit the /etc/group file to change the GIDs of both test and beatles, as in switch the GIDs around, and then do a sudo -l again (while both shells were logged in while the changes were made), I get under both users the option to execute both write and more under the 2 user names.

Now if it was the case that the user was being moved from the wheel group, but the user was logged in while the change was made, he would still have access to all the commands associated with the wheel group as well as the group he was moved to.

Now the version of sudo I am using is 1.6.9p15 on AIX 5.3.

Just wondering if this kind of issue has occurred before, or if it is considered to be a massive security breach?

Is mise le meas / Regards,

Robert Maxwell - IBM Global Account - IGA CTS

From edlinuxguru at gmail.com Tue Dec 8 12:26:19 2009
From: edlinuxguru at gmail.com (Edward Capriolo)
Date: Tue, 8 Dec 2009 12:26:19 -0500
Subject: [sudo-users] Sudo and Group Changes
In-Reply-To:
References:
Message-ID:

On Tue, Dec 8, 2009 at 12:08 PM, Robert Maxwell wrote:
>
> Hi Guys
>
> I was asked by a team member to go and see if I could break sudo, and I think I have uncovered what may be a security violation within sudo.
>
> If I create 2 groups, one called test, and the other called beatles. Now in sudoers file i have the following lines.
>
> %test ALL= /usr/bin/write
> %beatles ALL=/usr/bin/more
>
> Now if I have 2 users one in each, for sake of things, a user called paul is a part of the beatles group, and a user called testy is part of the test group. Under Testy, if I do a sudo -l I get the output that testy can run the write command. and same for paul, he can only run the more command.
>
> If I go into a new terminal, edit the /etc/group file to change the GID's of both of test and beatles, as in switch the GIDs around, and then do a sudo -l again while both shells were logged in while the changes were made, I get under both users the option to execute both write and more under the 2 user names.
>
> Now if it was the case that the user being moved from the wheel group, but the user was logged in while the change was moved, he would still have access to the whole commands associated with the wheel group as well as the group he was moved to.
>
> Now the version of Sudo I am using is 1.6.9p15 on AIX 5.3
>
> Just wondering if this kind of issue has occurred before, or if it considered to be a massive security breach?
>
> Is mise le meas / Regards,
>
> Robert Maxwell - IBM Global Account - IGA CTS
>
> ____________________________________________________________
> sudo-users mailing list
> For list information, options, or to unsubscribe, visit:
> http://www.sudo.ws/mailman/listinfo/sudo-users
>

I do not think this is a sudo issue as much as it is a system level issue.
This same problem exists without sudo. Some programs trust read-only environment variables that last for your session. For example, just because a root password is changed, does that imply everyone logged in with the old password should be forcibly kicked out?

Some systems take advantage of USER/GID caching as well. Those too suffer in that they may retain this information long after an authoritative change is made.

If you want to solve the security problem you are having, make sure you terminate all user shells, local and remote, after making a passwd/group change.

From Todd.Miller at courtesan.com Tue Dec 8 12:40:28 2009
From: Todd.Miller at courtesan.com (Todd C. Miller)
Date: Tue, 08 Dec 2009 12:40:28 -0500
Subject: [sudo-users] Sudo and Group Changes
In-Reply-To: Your message of "Tue, 08 Dec 2009 17:08:45 GMT."
References:
Message-ID: <200912081740.nB8HeSTX030141@core.courtesan.com>

This is not a problem with sudo. When a user logs in their group ids are set based on the passwd and group databases. These are stored in the kernel as part of the process's u (user) area. Changing the group file after the fact does not revoke the group for running processes, it will only change the mapping of group id to group name.

 - todd

From pepijn.schmitz at gmail.com Tue Dec 8 18:05:16 2009
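The mechanism Todd describes, as an added example (Python, written for this page; it is neither sudo's code nor anything posted in the thread). The group database and sudoers contents are constructed to mirror Robert's test and beatles groups. The membership rule is an assumption: a simplified model of what a %group check consults, namely the GIDs the kernel gave the process at login, resolved through the *current* group file, plus the group's member list. It also includes a live helper that compares the running process's own GIDs with the current database, which is the check an auditor would run after editing /etc/group.

```python
"""Model of why renumbering groups in /etc/group changed what `sudo -l`
showed for shells that were already logged in (added example)."""
import grp
import os

# Constructed group databases: name -> (gid, members), before and after the GID swap.
GROUPS_BEFORE = {"test": (1001, {"testy"}), "beatles": (1002, {"paul"})}
GROUPS_AFTER = {"test": (1002, {"testy"}), "beatles": (1001, {"paul"})}
# Constructed sudoers equivalent of "%test ALL=/usr/bin/write" and "%beatles ALL=/usr/bin/more".
SUDOERS = {"test": {"/usr/bin/write"}, "beatles": {"/usr/bin/more"}}


def login_gids(user, groups):
    """What login hands the kernel at session start: the GIDs of every group
    whose member list names the user. The kernel keeps these for the life of
    the process; nothing re-reads the group file for it later."""
    return sorted(gid for gid, members in groups.values() if user in members)


def member_groups(user, process_gids, groups):
    """Group names a %group check is modelled to accept for this process.

    Assumption (simplified model of sudo's group matching): the user matches a
    group if one of the process's kernel-held GIDs equals that group's *current*
    GID, or if the group's member list names the user."""
    by_gid = {gid: name for name, (gid, _members) in groups.items()}
    names = {by_gid[g] for g in process_gids if g in by_gid}
    names |= {name for name, (_gid, members) in groups.items() if user in members}
    return names


def allowed_commands(user, process_gids, groups, sudoers=SUDOERS):
    """Union of the commands every matched %group entry grants."""
    matched = member_groups(user, process_gids, groups)
    return set().union(*(sudoers.get(name, set()) for name in matched))


def live_process_groups():
    """Live check for *this* process: kernel-held GIDs resolved against the
    current group database. A name of None, or a name you did not expect,
    means the database changed after this process received its groups."""
    result = []
    for gid in os.getgroups():
        try:
            result.append((gid, grp.getgrgid(gid).gr_name))
        except KeyError:
            result.append((gid, None))
    return result


if __name__ == "__main__":
    testy = login_gids("testy", GROUPS_BEFORE)   # shell started before the edit
    print("testy, old shell, before swap:", sorted(allowed_commands("testy", testy, GROUPS_BEFORE)))
    print("testy, old shell, after swap: ", sorted(allowed_commands("testy", testy, GROUPS_AFTER)))
    fresh = login_gids("testy", GROUPS_AFTER)    # new login after the edit
    print("testy, fresh login, after swap:", sorted(allowed_commands("testy", fresh, GROUPS_AFTER)))
    print("this process:", live_process_groups())
```

The old shell keeps GID 1001, which the swapped group file now calls beatles, while the test member list still names testy, so both entries match; a fresh login after the edit gets GID 1002 and only the write entry again, which is the effect of Edward's advice to terminate existing sessions after a passwd/group change.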
From: pepijn.schmitz at gmail.com (Pepijn Schmitz)
Date: Wed, 9 Dec 2009 00:05:16 +0100
Subject: [sudo-users] Cache password at login?
Message-ID: <48a7b82f0912081505g68af3ffdjc2b7d382cb0a9ef9@mail.gmail.com>

Hi everyone,

I have a question that I haven't been able to find the answer to on the Internet or in the sudo manual: is it possible to cache the password when I log in?

I frequently log on to my Ubuntu server to perform some administrative tasks. Every time I have to give my password to log in, and then immediately give my password again to sudo. It would be nice if the login program, which runs as root, could set my sudo timestamp somehow so that if I execute sudo immediately after logging in it doesn't have to ask me for my password. Is there a way to do this with login / sudo / some other tool?

Kind regards,
Pepijn Schmitz

From esj at harvee.org Tue Dec 8 18:29:17 2009
From: esj at harvee.org (Eric S. Johansson)
Date: Tue, 08 Dec 2009 18:29:17 -0500
Subject: [sudo-users] Cache password at login?
In-Reply-To: <48a7b82f0912081505g68af3ffdjc2b7d382cb0a9ef9@mail.gmail.com>
References: <48a7b82f0912081505g68af3ffdjc2b7d382cb0a9ef9@mail.gmail.com>
Message-ID: <4B1EE14D.5000504@harvee.org>

Pepijn Schmitz wrote:
> Hi everyone,
>
> I have a question that I haven't been able to find the answer to on the Internet or in the sudo manual: is it possible to cache the password when I log in?
>
> I frequently log on to my Ubuntu server to perform some administrative tasks. Every time I have to give my password to log in, and then immediately give my password again to sudo. It would be nice if the login program, which runs as root, could set my sudo timestamp somehow so that if I execute sudo immediately after logging in it doesn't have to ask me for my password. Is there a way to do this with login / sudo / some other tool?

Set up the root account to authenticate via ssh keys. Login as root and bingo.

OTOH, I've always wondered why one can't use ssh keys for authentication for sudo. One login method for all access.

From gerd.niemetz at gmail.com Wed Dec 9 06:28:16 2009
From: gerd.niemetz at gmail.com (Gerd Niemetz)
Date: Wed, 9 Dec 2009 12:28:16 +0100
Subject: [sudo-users] combination of -v and -u doesn't work anymore?
Message-ID:

Hi!

I have two RedHat boxes, one with package sudo-1.6.7p5-30.1.3, the other with sudo-1.6.9p17-5.el5. On both machines I have this configuration:

Defaults:apache targetpw, timestamp_timeout=5, passwd_tries = 1, passwd_timeout = 1
apache ALL = () PASSWD:

On the first machine, the following command does work:

echo "" | sudo -S -u  (running as user apache)
2 minutes later (for example)
sudo -u  -v (to refresh the timeout)

On the second machine:

echo "" | sudo -S -u  (also as user apache)
3 minutes later (for example)
sudo -u  -v (also to refresh the timeout)

This happens:

sudo: the `-u' and '-v' options may not be used together
usage: sudo -h | -K | -k | -L | -l | -V | -v
usage: sudo [-bEHPS] [-p prompt] [-u username|#uid] [VAR=value] {-i | -s | }
usage: sudo -e [-S] [-p prompt] [-u username|#uid] file ...

Is there any workaround or something I missed?

best regards
Gerd

From Todd.Miller at courtesan.com Wed Dec 9 09:05:16 2009
From: Todd.Miller at courtesan.com (Todd C. Miller)
Date: Wed, 09 Dec 2009 09:05:16 -0500
Subject: [sudo-users] combination of -v and -u doesn't work anymore?
In-Reply-To: Your message of "Wed, 09 Dec 2009 12:28:16 +0100."
References:
Message-ID: <200912091405.nB9E5Gnv015380@core.courtesan.com>

Specifying the -u flag along with -v has no meaning. All you need is "sudo -v" to refresh the timestamp.

 - todd

In message so spake Gerd Niemetz (gerd.niemetz):
> Hi!
>
> I have two RedHat boxes, one with package sudo-1.6.7p5-30.1.3, the other with sudo-1.6.9p17-5.el5.
> On both machines i have this configuration:
> Defaults:apache targetpw, timestamp_timeout=5, passwd_tries = 1, passwd_timeout = 1
> apache ALL = () PASSWD:
>
> On the first machine, the following command does work:
> echo "" | sudo -S -u  (running as user apache)
> 2 minutes later (for example)
> sudo -u  -v (to refresh the timeout)
>
> On the second machine:
> echo "" | sudo -S -u  (also as user apache)
> 3 minutes later (for example)
> sudo -u  -v (also to refresh the timeout)
>
> This happens:
> sudo: the `-u' and '-v' options may not be used together
> usage: sudo -h | -K | -k | -L | -l | -V | -v
> usage: sudo [-bEHPS] [-p prompt] [-u username|#uid] [VAR=value] {-i | -s | }
> usage: sudo -e [-S] [-p prompt] [-u username|#uid] file ...
>
> Is there any workaround or something i missed?
>
> best regards
> Gerd
> ____________________________________________________________
> sudo-users mailing list
> For list information, options, or to unsubscribe, visit:
> http://www.sudo.ws/mailman/listinfo/sudo-users
>

From jamie.beverly at yahoo.com Wed Dec 9 09:30:55 2009
From: jamie.beverly at yahoo.com (Jamie Beverly)
Date: Wed, 9 Dec 2009 06:30:55 -0800 (PST)
Subject: [sudo-users] Cache password at login?
Message-ID: <938726.55923.qm@web31810.mail.mud.yahoo.com>

On Dec 8, 2009, at 3:29 PM, "Eric S. Johansson" wrote:

> Pepijn Schmitz wrote:
> Hi everyone,
>
> I have a question that I haven't been able to find the answer to on the Internet or in the sudo manual: is it possible to cache the password when I log in?
>
> I frequently log on to my Ubuntu server to perform some administrative tasks. Every time I have to give my password to log in, and then immediately give my password again to sudo. It would be nice if the login program, which runs as root, could set my sudo timestamp somehow so that if I execute sudo immediately after logging in it doesn't have to ask me for my password. Is there a way to do this with login / sudo / some other tool?
>
> setup the root account to authenticate via ssh keys. login as root and bingo.
>
> otoh, I'v always wondered why one can't use ssh keys for authentication for sudo. one login method for all access.

http://pamsshagentauth.sf.net

____________________________________________________________
sudo-users mailing list
For list information, options, or to unsubscribe, visit:
http://www.sudo.ws/mailman/listinfo/sudo-users

From edlinuxguru at gmail.com Wed Dec 9 12:22:33 2009
From: edlinuxguru at gmail.com (Edward Capriolo)
Date: Wed, 9 Dec 2009 12:22:33 -0500
Subject: [sudo-users] Cache password at login?
In-Reply-To: <938726.55923.qm@web31810.mail.mud.yahoo.com>
References: <938726.55923.qm@web31810.mail.mud.yahoo.com>
Message-ID:

On Wed, Dec 9, 2009 at 9:30 AM, Jamie Beverly wrote:
>
> On Dec 8, 2009, at 3:29 PM, "Eric S. Johansson" wrote:
>
> Pepijn Schmitz wrote:
> Hi everyone,
>
> I have a question that I haven't been able to find the answer to on the Internet or in the sudo manual: is it possible to cache the password when I log in?
>
> I frequently log on to my Ubuntu server to perform some administrative tasks. Every time I have to give my password to log in, and then immediately give my password again to sudo. It would be nice if the login program, which runs as root, could set my sudo timestamp somehow so that if I execute sudo immediately after logging in it doesn't have to ask me for my password. Is there a way to do this with login / sudo / some other tool?
>
> setup the root account to authenticate via ssh keys. login as root and bingo.
>
> otoh, I'v always wondered why one can't use ssh keys for authentication for sudo. one login method for all access.
>
> http://pamsshagentauth.sf.net
>
> ____________________________________________________________
> sudo-users mailing list
> For list information, options, or to unsubscribe, visit:
> http://www.sudo.ws/mailman/listinfo/sudo-users
>

I spent some time setting up a public key in LDAP and sudo LDAP solution. The two systems are somewhat at odds: if you are logging in with a key file you probably do not want passwords for sudo, and vice versa.

I always thought it would be nice to enforce two-factor authentication.
For example, login requests a public key and a server-side password. Or, in a super secure environment, three forms: public key + password + one-time password.

From jjperry at water.com Wed Dec 9 16:08:03 2009
From: jjperry at water.com (James J. Perry)
Date: Wed, 9 Dec 2009 16:08:03 -0500
Subject: [sudo-users] Setting up chmod to allow all files/directories for a specified path but not allow ..
Message-ID: <35C9A2CFC27ACC439F4F97B1915D3FA2016F7DAF@EXVS01.dsw.net>

I have been banging my head against this all day long and cannot seem to find a solution. I am trying to set up users to be able to chown directories under a base path, say /oracle/main, but not allow them to do /oracle/main/.. or /oracle/main/../.., which globs out to /. I would prefer not to have to write a wrapper script if there is some way to use globbing properly to set the restrictions.

I tried a lot of possibilities but here is the latest Cmnd_Alias set that should work but seems not to for some reason.

Cmnd_Alias CHM = /bin/chmod -h -R oracle:oracle /oracle/main/*, \
                 !/bin/chmod -h -R oracle:oracle /oracle/main/*..*

I also tried /bin/chmod -h -R oracle:oracle /oracle/main/[!.][!.] and all sorts of other permutations. I was still able to change ownership of /oracle and /oracle/main.

Thanks!
-Jim

From jamie.beverly at yahoo.com Wed Dec 9 16:49:55 2009
From: jamie.beverly at yahoo.com (Jamie Beverly)
Date: Wed, 9 Dec 2009 13:49:55 -0800 (PST)
Subject: [sudo-users] Cache password at login?
In-Reply-To:
References: <938726.55923.qm@web31810.mail.mud.yahoo.com>
Message-ID: <773271.88638.qm@web31802.mail.mud.yahoo.com>

Remind me never to reply to a thread from my iPhone... it apparently does not know how to correctly preserve quoting.

----- Original Message ----
> From: Edward Capriolo
> To: Jamie Beverly
> Cc: Eric S. Johansson ; Pepijn Schmitz ; "sudo-users at sudo.ws"
> Sent: Wed, December 9, 2009 9:22:33 AM
> Subject: Re: [sudo-users] Cache password at login?
>
> On Wed, Dec 9, 2009 at 9:30 AM, Jamie Beverly wrote:
> >
> > On Dec 8, 2009, at 3:29 PM, "Eric S. Johansson" wrote:
> >
> > Pepijn Schmitz wrote:
> > Hi everyone,
> >
> > I have a question that I haven't been able to find the answer to on the Internet or in the sudo manual: is it possible to cache the password when I log in?
> >
> > I frequently log on to my Ubuntu server to perform some administrative tasks. Every time I have to give my password to log in, and then immediately give my password again to sudo. It would be nice if the login program, which runs as root, could set my sudo timestamp somehow so that if I execute sudo immediately after logging in it doesn't have to ask me for my password. Is there a way to do this with login / sudo / some other tool?
> >
> > setup the root account to authenticate via ssh keys. login as root and bingo.
> >
> > otoh, I'v always wondered why one can't use ssh keys for authentication for sudo. one login method for all access.
> >
> > http://pamsshagentauth.sf.net

http://pamsshagentauth.sf.net is a PAM module I authored, which I use for sudo (among other things). It allows a forwarded ssh-agent to be used as authentication for local services.

> > I spend some time setting up a public key in ldap and sudo LDAP solution.
> >
> > The two systems are somewhat at odd, if you are logging in with a key_file you probably do not want passwords for sudo, and vice-versa.
> >
> > I always though it would be nice to enforce two-factor authentication.
> > For example login request public key and server side password. Or in a super secure environment three form, public key+password+one time password.

Entirely possible with the module above, simply use "required" instead of "sufficient" in the PAM stack.
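The "required" versus "sufficient" choice Jamie describes, written out as an added example configuration (not from the thread and not the module's own documentation). It assumes pam_ssh_agent_auth is installed, that the keys allowed to authorise sudo are kept in /etc/security/authorized_keys (an assumed path), that the host's ordinary password stack is reachable as `system-auth` (Red Hat layout; Debian uses `common-auth`), and that the ssh agent is forwarded to the host so sudo can reach it.

```text
# /etc/pam.d/sudo  (added example; paths and included stack names are assumptions)

# Variant A, single factor: a valid signature from the forwarded agent is enough
# on its own, and the password stack is only reached when no usable key is offered.
auth     sufficient  pam_ssh_agent_auth.so file=/etc/security/authorized_keys
auth     include     system-auth
account  include     system-auth
session  include     system-auth

# Variant B, two factor (Jamie's "required instead of sufficient"): the agent
# signature must verify AND the password stack must also succeed before sudo runs.
auth     required    pam_ssh_agent_auth.so file=/etc/security/authorized_keys
auth     include     system-auth
account  include     system-auth
session  include     system-auth

# /etc/sudoers addition for either variant: sudo scrubs the environment, so the
# agent socket must be kept or the module never sees a key.
#   Defaults env_keep += "SSH_AUTH_SOCK"
```

Two things to check before relying on this: the authorized_keys file must be owned by root and not writable by the users it authorises, since whoever can edit it can add a key; and a forwarded agent is usable by anything running as that user on the host for as long as the session lasts, so forward it only to hosts where that is acceptable.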
From spinler.patrick at mayo.edu Wed Dec 9 17:02:12 2009
From: spinler.patrick at mayo.edu (Patrick Spinler)
Date: Wed, 09 Dec 2009 16:02:12 -0600
Subject: [sudo-users] Setting up chmod to allow all files/directories for a specified path but not allow ..
In-Reply-To: <35C9A2CFC27ACC439F4F97B1915D3FA2016F7DAF@EXVS01.dsw.net>
References: <35C9A2CFC27ACC439F4F97B1915D3FA2016F7DAF@EXVS01.dsw.net>
Message-ID: <4B201E64.5000400@mayo.edu>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

James J. Perry wrote:
> I have been banging my head against this all day long and cannot seem to find a solution. I am trying to setup users to be able to chown directories under a base path, say /oracle/main, but not allow then to do /oracle/main/.. or /oracle/main/../.., which globs out to /. I would prefer to not have to write a wrapper script if there is some way to use globbing properly to set the restrictions.

Sorry, but as far as I know, you'll pretty much have to write a wrapper script for this to be secure in the manner you desire. I can send you copies of my own chown and chmod wrappers (written in perl) if you'd like.

- -- Pat

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAksgHmQACgkQNObCqA8uBsxFKwCeLbr7p4VcbWmKZKW6gzUmxMRG
k/QAn38KgSOdu61Bo8/UsRztj+3wkIKB
=Uzn/
-----END PGP SIGNATURE-----

From mmarchio at coat.com Wed Dec 16 13:23:40 2009
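A wrapper of the kind Patrick recommends, as an added example (Python, written for this page; it is not Patrick's perl wrapper and not from the thread). It takes the base path and owner from Jim's question, assumes /bin/chown is the chown binary, and makes its decision on the canonical form of the requested path rather than on the text the caller typed, which is exactly what a sudoers glob cannot do: `/oracle/main/..`, `/oracle/main/./..`, a symlink inside the tree that points outside it, and a look-alike prefix such as `/oracle/mainx` all resolve to something outside the base and are refused.

```python
#!/usr/bin/env python3
"""chown wrapper for use from sudoers instead of a glob rule (added example)."""
import os
import subprocess
import sys

BASE = "/oracle/main"     # base directory from the question
OWNER = "oracle:oracle"   # owner:group from the question
CHOWN = "/bin/chown"      # assumed location of the chown binary


def is_allowed(requested, base=BASE):
    """True only if `requested` resolves to a path strictly below `base`.

    realpath() collapses `.` and `..` components and follows symlinks, so the
    check sees where the path really lands, not how it was spelled. The base
    itself is refused (the question wants only things *under* it), and the
    trailing separator stops `/oracle/mainx` from passing as a prefix match."""
    base = os.path.realpath(base)
    target = os.path.realpath(requested)
    if target == base:
        return False
    return target.startswith(base + os.sep)


def main(argv):
    if len(argv) != 2:
        sys.stderr.write("usage: chown-wrapper PATH\n")
        return 2
    if not is_allowed(argv[1]):
        sys.stderr.write("refused: %s does not resolve to a path under %s\n" % (argv[1], BASE))
        return 1
    target = os.path.realpath(argv[1])
    # Hand chown the resolved path, not the caller's text. -h keeps chown from
    # following symlinks while recursing, as in the alias from the question;
    # "--" stops a name beginning with "-" from being read as an option.
    return subprocess.call([CHOWN, "-h", "-R", OWNER, "--", target])


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The sudoers entry then grants the wrapper rather than chown, for instance `oracle_ops ALL = (root) /usr/local/sbin/chown-wrapper` (user name and install path assumed); the wrapper file must be root-owned and not writable by the users it serves. The check and the chown are two separate steps, so a component of the tree could in principle be renamed between them; `-h` keeps that window small but a wrapper cannot close it entirely.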
From: mmarchio at coat.com (Matt Marchione)
Date: Wed, 16 Dec 2009 13:23:40 -0500
Subject: [sudo-users] sudo 1.7.2p1 host parsing problem
Message-ID: <4B2925AC.1010905@coat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

I'm encountering a problem with sudo 1.7.2p1 on Solaris. It took me a little while to figure out what triggers it. The hostname parsing does not seem to work right if the target host is not included in the host list at the front of the user privileges.

1)
~~~~~~~~~~
Given this portion of sudoers as a starting point....

# Defaults specification
Defaults log_year
Defaults root_sudo
Defaults syslog=local2

# User privilege specification
test1 nsa=NOPASSWD:/bin/ls
~~~~~~~~~~~~~
nsa:/sudo/TEST> ./sudo -u test1 ./sudo -l
Matching Defaults entries for test1 on this host:
    log_year, root_sudo, syslog=local2

User test1 may run the following commands on this host:
    (root) NOPASSWD: /bin/ls

2)
~~~~~~~~~~~~~
Then add to the user privilege....

test1 host2=NOPASSWD:/bin/vi:nsa=NOPASSWD:/bin/ls
~~~~~~~~~~~~
nsa:/sudo/TEST> ./sudo -u test1 ./sudo -l
Matching Defaults entries for test1 on this host:
    log_year, root_sudo, syslog=local2

User test1 may run the following commands on this host:

3)
~~~~~~~~~~~~
And then once more....

test1 host2,nsa=/bin/su:host2=NOPASSWD:/bin/vi:nsa=NOPASSWD:/bin/ls
~~~~~~~~~~~
nsa:/sudo/TEST> ./sudo -u test1 ./sudo -l
Matching Defaults entries for test1 on this host:
    log_year, root_sudo, syslog=local2

User test1 may run the following commands on this host:
    (root) /bin/su
    (root) NOPASSWD: /bin/vi
    (root) NOPASSWD: /bin/ls
~~~~~~~~~~~

The initial setup works fine. The second one is not showing the granted 'ls' privilege for the host nsa, and finally all the defined privileges are being listed on nsa when 'vi' should not be listed.

Any ideas?
Thanks,
MattM

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkspJaoACgkQ1WRySZ+3l2sA4wCfYW8rN+Ju49ouJcOoqKvPkTHt
9ToAn0hSt2hPKPcVMbXFXdiqQXeQFhwx
=DYG5
-----END PGP SIGNATURE-----

From Todd.Miller at courtesan.com Thu Dec 17 10:01:34 2009
From: Todd.Miller at courtesan.com (Todd C. Miller)
Date: Thu, 17 Dec 2009 10:01:34 -0500
Subject: [sudo-users] sudo 1.7.2p1 host parsing problem
In-Reply-To: Your message of "Wed, 16 Dec 2009 13:23:40 EST." <4B2925AC.1010905@coat.com>
References: <4B2925AC.1010905@coat.com>
Message-ID: <200912171501.nBHF1YH3022029@core.courtesan.com>

In message <4B2925AC.1010905 at coat.com> so spake Matt Marchione (mmarchio):
> I'm encountering a problem with sudo 1.7.2p1 on Solaris. It took
> me a little while to figure out what triggers it. The hostname
> parsing does not seem to work right if the target host is not
> included in the host list at the front of the user privileges.

There is a bug when displaying entries that have multiple hosts on the same line. The included patch should fix that.

BTW, in sudo 1.7.x you don't need to run sudo twice to check these things. You can do, e.g. "./sudo -U test1 -l"

 - todd

Index: parse.c =================================================================== RCS file: /home/cvs/courtesan/sudo/parse.c,v retrieving revision 1.244 diff -u -p -u -r1.244 parse.c --- parse.c 6 Sep 2009 13:28:36 -0000 1.244 +++ parse.c 17 Dec 2009 15:01:18 -0000 @@ -320,6 +320,8 @@ sudo_file_display_priv_short(pw, us, lbu int nfound = 0; tq_foreach_fwd(&us->privileges, priv) { + if (hostlist_matches(&priv->hostlist) != ALLOW) + continue; tags.noexec = UNSPEC; tags.setenv = UNSPEC; tags.nopasswd = UNSPEC;
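Review bot: the host check added at the top of the loop in sudo_file_display_priv_short silently skips every privilege whose hostlist does not match, so nfound stays at 0 for a userspec where none match; since the identical two lines are needed in each privilege-display loop, a short comment saying that each privilege carries its own hostlist (which is why the check cannot sit one level up on the userspec) would keep a later reader from hoisting it back out.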
@@ -372,6 +374,8 @@ sudo_file_display_priv_long(pw, us, lbuf int nfound = 0; tq_foreach_fwd(&us->privileges, priv) { + if (hostlist_matches(&priv->hostlist) != ALLOW) + continue; tags.noexec = UNSPEC; tags.setenv = UNSPEC; tags.nopasswd = UNSPEC; @@ -428,9 +432,7 @@ sudo_file_display_privs(nss, pw, lbuf) return(-1); tq_foreach_fwd(&userspecs, us) { - /* XXX - why only check the first privilege here? */ - if (userlist_matches(pw, &us->users) != ALLOW || - hostlist_matches(&us->privileges.first->hostlist) != ALLOW) + if (userlist_matches(pw, &us->users) != ALLOW) continue; if (long_list)

From gyan_kumar at uhc.com Wed Dec 23 01:07:18 2009
From: gyan_kumar at uhc.com (Kumar, Gyan)
Date: Wed, 23 Dec 2009 00:07:18 -0600
Subject: [sudo-users] Please help me sudo
Message-ID: <312D09D33B3C0E4A9AE709A6577D3768053EA7A3@APSW0132EVS.ms.ds.uhc.com>

Hi,

I am not able to run in ssh command.

ssh gkuma14 at cwr.uuu.com 'sudo -u wladmin -s -H '  ---- hanging
user : wladmin I here

After this command, it is hanging; please help me execute this command.

ssh gkuma14 at cwr.uuu.com 'df -k '  -- working

After this command, it is hanging.

Regards,
Gyan

This e-mail, including attachments, may include confidential and/or proprietary information, and may be used only by the person or entity to which it is addressed. If the reader of this e-mail is not the intended recipient or his or her authorized agent, the reader is hereby notified that any dissemination, distribution or copying of this e-mail is prohibited. If you have received this e-mail in error, please notify the sender by replying to this message and delete this e-mail immediately.

From Todd.Miller at courtesan.com Wed Dec 23 09:30:24 2009
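Review bot: in the third hunk of the parse.c patch above (sudo_file_display_privs), dropping the hostlist_matches() call on us->privileges.first means a userspec whose privileges all fail the host match now reaches the display functions instead of being skipped by the `continue`; that answers the removed XXX comment's question, but the answer (the check moved per-privilege into the display loops) should be recorded in a comment or the commit message rather than vanish with the deleted lines, and the callers should be checked to confirm they treat an nfound of 0 from such a userspec the same way the old `continue` did.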
From: Todd.Miller at courtesan.com (Todd C. Miller)
Date: Wed, 23 Dec 2009 09:30:24 -0500
Subject: [sudo-users] Please help me sudo
In-Reply-To: Your message of "Wed, 23 Dec 2009 00:07:18 CST." <312D09D33B3C0E4A9AE709A6577D3768053EA7A3@APSW0132EVS.ms.ds.uhc.com>
References: <312D09D33B3C0E4A9AE709A6577D3768053EA7A3@APSW0132EVS.ms.ds.uhc.com>
Message-ID: <200912231430.nBNEUO3G016092@core.courtesan.com>

In message <312D09D33B3C0E4A9AE709A6577D3768053EA7A3 at APSW0132EVS.ms.ds.uhc.com> so spake "Kumar, Gyan" (gyan_kumar):
> I am not able to run in ssh command.
>
> ssh gkuma14 at cwr.uuu.com 'sudo -u wladmin -s -H '

You need to tell ssh to allocate a pty for the command. E.g.

    ssh -tt gkuma14 at cwr.uuu.com 'sudo -u wladmin -s -H'

That should do the trick.

 - todd

From gyan_imp at yahoo.com Thu Dec 24 01:03:28 2009
From: gyan_imp at yahoo.com (Gyan_raj kumar)
Date: Wed, 23 Dec 2009 22:03:28 -0800 (PST)
Subject: [sudo-users] Sudo or Cd command is not working
Message-ID: <805219.14430.qm@web110604.mail.gq1.yahoo.com>

Hi,

My requirement is to take a backup as sudo admin.

a. apsr8007 machine.

[gkuma14 at apsr8007 gyan]$ ssh -t gkuma14 at cwsapp02.phs.com 'sudo -u wladmin -s -H ;cd /home/stage/doamins/cw_stage1 '

After executing, now I am in the wladmin user:

[wladmin at cwsapp02 gyan]$ pwd
/home/gyan

but cd /home/stage/doamins/cw_stage1 is not working.

b. Now I want to connect to the cwsapp02 machine (three requirements), because here there are 20 machines (cwsapp03, 05 ... 20). It is very difficult to take a backup of the logfile. To take the backup we have to do "sudo -u wladmin -s -H" and go to the particular path cd /home/stage/domains/cw_stage1/

Three steps:
1> sudo -u wladmin -s -H                = do the sudo
2> cd /home/stage/domains/cw_stage1/    = go to the particular path
3> mv log logs.241209                   = take backup

Thanks,
Gyan

From gyan_kumar at uhc.com Thu Dec 24 01:04:21 2009
From: gyan_kumar at uhc.com (Kumar, Gyan)
Date: Thu, 24 Dec 2009 00:04:21 -0600
Subject: [sudo-users] Please help me sudo
In-Reply-To: <200912231430.nBNEUO3G016092@core.courtesan.com>
References: <312D09D33B3C0E4A9AE709A6577D3768053EA7A3@APSW0132EVS.ms.ds.uhc.com> <200912231430.nBNEUO3G016092@core.courtesan.com>
Message-ID: <312D09D33B3C0E4A9AE709A6577D3768053EB021@APSW0132EVS.ms.ds.uhc.com>

Hi,

My requirement is to take a backup as sudo admin.

a. apsr8007 machine.

[gkuma14 at apsr8007 gyan]$ ssh -t gkuma14 at cwsapp02.phs.com 'sudo -u wladmin -s -H ;cd /home/stage/doamins/cw_stage1 '

After executing, now I am in the wladmin user:

[wladmin at cwsapp02 gyan]$ pwd
/home/gyan

but cd /home/stage/doamins/cw_stage1 is not working.

b. Now I want to connect to the cwsapp02 machine (three requirements), because here there are 20 machines (cwsapp03, 05 ... 20). It is very difficult to take a backup of the logfile. To take the backup we have to do "sudo -u wladmin -s -H" and go to the particular path cd /home/stage/domains/cw_stage1/

Three steps:
1> sudo -u wladmin -s -H                = do the sudo
2> cd /home/stage/domains/cw_stage1/    = go to the particular path
3> mv log logs.241209                   = take backup

Thanks,
Gyan

-----Original Message-----
From: Todd C. Miller [mailto:Todd.Miller at courtesan.com]
Sent: Wednesday, December 23, 2009 8:00 PM
To: Kumar, Gyan
Cc: sudo-users at sudo.ws
Subject: Re: [sudo-users] Please help me sudo

In message <312D09D33B3C0E4A9AE709A6577D3768053EA7A3 at APSW0132EVS.ms.ds.uhc.com> so spake "Kumar, Gyan" (gyan_kumar):
> I am not able to run in ssh command.
>
> ssh gkuma14 at cwr.uuu.com 'sudo -u wladmin -s -H '

You need to tell ssh to allocate a pty for the command. E.g.

    ssh -tt gkuma14 at cwr.uuu.com 'sudo -u wladmin -s -H'

That should do the trick.

 - todd

This e-mail, including attachments, may include confidential and/or proprietary information, and may be used only by the person or entity to which it is addressed. If the reader of this e-mail is not the intended recipient or his or her authorized agent, the reader is hereby notified that any dissemination, distribution or copying of this e-mail is prohibited. If you have received this e-mail in error, please notify the sender by replying to this message and delete this e-mail immediately.

From stefan.goetz at cs.rwth-aachen.de Tue Dec 29 05:04:47 2009
From: stefan.goetz at cs.rwth-aachen.de (Stefan Götz)
Date: Tue, 29 Dec 2009 11:04:47 +0100
Subject: [sudo-users] Password required with option -i !?
Message-ID: <4B39D43F.6090703@cs.rwth-aachen.de>

Hi!

When using the -i option, sudo (v. 1.7.0) unexpectedly asks for a password - any ideas why?

My goal is to run firefox as the (existing) user firefox in my X session running as the user goetz.

Problem 1) Even though I have 'Defaults env_keep = "DISPLAY"' in my /etc/sudoers, the command 'sudo -u firefox /usr/bin/firefox' does not start firefox. Instead it terminates with error code 1. I don't care much for this problem since it is easily worked around via the command 'sudo -u firefox -i /usr/bin/firefox' which starts firefox successfully. But now appears

Problem 2) To /etc/sudoers I add

goetz ALL = (firefox) NOPASSWD: /usr/bin/firefox

so I don't have to provide my password. Running the above command without the -i option does correctly not prompt for a password. But running the above command with the -i option does prompt for a password, which seems incorrect to me.

Does anybody know what's going on here?

Cheers,
Stefan

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 261 bytes
Desc: OpenPGP digital signature
URL:

From Todd.Miller at courtesan.com Tue Dec 29 08:45:32 2009
From: Todd.Miller at courtesan.com (Todd C. Miller)
Date: Tue, 29 Dec 2009 08:45:32 -0500
Subject: [sudo-users] Password required with option -i !?
In-Reply-To: Your message of "Tue, 29 Dec 2009 11:04:47 +0100." <4B39D43F.6090703@cs.rwth-aachen.de>
References: <4B39D43F.6090703@cs.rwth-aachen.de>
Message-ID: <200912291345.nBTDjWTo018150@core.courtesan.com>

In message <4B39D43F.6090703 at cs.rwth-aachen.de> so spake Stefan Götz (stefan.goetz):
> When using the -i option, sudo (v. 1.7.0) unexpectedly asks for a
> password - any ideas why?
>
> My goal is to run firefox as the (existing) user firefox in my X session
> running as the user goetz.

The problem is that when you run a command with "sudo -i" what sudo actually does is run "user_shell -c command". That is why the NOPASSWD flag is not working for you. If you look in the logs you should see the exact command sudo is running.

If user firefox has /bin/bash as its shell the following should work:

goetz ALL = (firefox) NOPASSWD: /bin/bash -c firefox

 - todd

From stefan.goetz at cs.rwth-aachen.de Tue Dec 29 09:09:32 2009
From: stefan.goetz at cs.rwth-aachen.de (Stefan Götz)
Date: Tue, 29 Dec 2009 15:09:32 +0100
Subject: [sudo-users] Password required with option -i !?
In-Reply-To: <200912291345.nBTDjWTo018150@core.courtesan.com>
References: <4B39D43F.6090703@cs.rwth-aachen.de> <200912291345.nBTDjWTo018150@core.courtesan.com>
Message-ID: <4B3A0D9C.3080901@cs.rwth-aachen.de>

> The problem is that when you run a command with "sudo -i" what sudo
> actually does is run "user_shell -c command". That is why the
> NOPASSWD flag is not working for you. If you look in the logs you
> should see the exact command sudo is running.
>
> If user firefox has /bin/bash as its shell the following should work:
>
> goetz ALL = (firefox) NOPASSWD: /bin/bash -c firefox

That's the command being executed so, yes, the above sudoers line does the trick.

Thanks for the quick help!

Stefan

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 261 bytes
Desc: OpenPGP digital signature
URL:

From garlumh at hotmail.com Wed Dec 30 02:56:26 2009
From: garlumh at hotmail.com (Kent Ho)
Date: Wed, 30 Dec 2009 15:56:26 +0800
Subject: [sudo-users] sudo selectively execute file, * wildcard on dir set with "(ALL) NOPASSWD:".
Message-ID:

sudo selectively executes a file in a directory, * wildcard on dir set with "(ALL) NOPASSWD:".

I created a script called "script1.sh" in a directory. When I execute this script with sudo, it asks me for a password, which is not supposed to happen. I break out with ctrl+c.

I then copy script1.sh to a new file in the same directory as "script2.sh". Now I execute "script1.sh" again with sudo, and now it will execute. There is no change to script1.sh; all I have done is create a new file in the directory. But now sudo does not ask me for a password any more. At this point I can execute both scripts with sudo with no password, which is normal.

Now I delete "script2.sh". Now the directory has only 1 file again, "script1.sh". I execute script1.sh and now it will ask me for a password again.

All executable files should be executable regardless; I don't know why this is happening. Does the number of files in the directory affect sudo?
Here is the command sequence from the terminal:
===============================================
[mdrop at c-in3sf--02-04 bin]$ pwd
/usr/local/site/operations/dsh/bin
[mdrop at c-in3sf--02-04 bin]$ sudo -l | grep dsh
    (ALL) NOPASSWD: /usr/local/site/mailscripts/spf/bin/*, /usr/local/site/mailscripts/ws/bin/*, /usr/local/site/operations/dsh/bin/*, /usr/local/site/operations/bin/*
[mdrop at c-in3sf--02-04 bin]$ ls -l
total 0
[mdrop at c-in3sf--02-04 bin]$ echo "echo test123" > script1.sh ; chmod +x script1.sh
[mdrop at c-in3sf--02-04 bin]$ ls -l
total 4
-rwx------ 1 mdrop mdrop 13 Dec 30 07:04 script1.sh
[mdrop at c-in3sf--02-04 bin]$ sudo /usr/local/site/operations/dsh/bin/script1.sh
Password:
[mdrop at c-in3sf--02-04 bin]$ cp script1.sh script2.sh
[mdrop at c-in3sf--02-04 bin]$ ls -l
total 8
-rwx------ 1 mdrop mdrop 13 Dec 30 07:04 script1.sh
-rwx------ 1 mdrop mdrop 13 Dec 30 07:04 script2.sh
[mdrop at c-in3sf--02-04 bin]$ sudo /usr/local/site/operations/dsh/bin/script1.sh
test123
[mdrop at c-in3sf--02-04 bin]$ sudo /usr/local/site/operations/dsh/bin/script2.sh
test123
[mdrop at c-in3sf--02-04 bin]$ rm script2.sh
[mdrop at c-in3sf--02-04 bin]$ ls -l
total 4
-rwx------ 1 mdrop mdrop 13 Dec 30 07:04 script1.sh
[mdrop at c-in3sf--02-04 bin]$ sudo /usr/local/site/operations/dsh/bin/script1.sh
Password:
[mdrop at c-in3sf--02-04 bin]$
============================================================

Any help is highly appreciated.

Thanks.
Garlum.