From azertyzero at free.fr Sun Jan 11 19:34:07 2009
From: azertyzero at free.fr (Fabien)
Date: Mon, 12 Jan 2009 01:34:07 +0100
Subject: [sudo-users] Non-interactive usage : the --nopasswordprompt option
Message-ID: <496A8FFF.6060502@free.fr>

Hello,

please consider the improvement I suggested on the Debian bug tracking system.
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=258013#33

Is there something in progress to solve this issue?

Cheers,
Fabien

From Todd.Miller at courtesan.com Sun Jan 11 19:58:08 2009
From: Todd.Miller at courtesan.com (Todd C. Miller)
Date: Sun, 11 Jan 2009 19:58:08 -0500
Subject: [sudo-users] Non-interactive usage : the --nopasswordprompt option
In-Reply-To: Your message of "Mon, 12 Jan 2009 01:34:07 +0100." <496A8FFF.6060502@free.fr>
References: <496A8FFF.6060502@free.fr>
Message-ID: <200901120058.n0C0w8mG013757@core.courtesan.com>

There is already a non-interactive flag (-n) in sudo 1.7.0

 - todd

From azertyzero at free.fr Sun Jan 11 20:42:18 2009
From: azertyzero at free.fr (Fabien)
Date: Mon, 12 Jan 2009 02:42:18 +0100
Subject: [sudo-users] Non-interactive usage : the --nopasswordprompt option
In-Reply-To: <200901120058.n0C0w8mG013757@core.courtesan.com>
References: <496A8FFF.6060502@free.fr> <200901120058.n0C0w8mG013757@core.courtesan.com>
Message-ID: <496A9FFA.7070906@free.fr>

Damn, the Debian version is 1.6.9.
Anyway, thanks for the information, I'm going to check that.

Fabien

Todd C. Miller wrote:
> There is already a non-interactive flag (-n) in sudo 1.7.0
>
> - todd

From huangz at us.ibm.com Tue Jan 13 16:43:29 2009
From: huangz at us.ibm.com (Zhiguo Huang)
Date: Tue, 13 Jan 2009 14:43:29 -0700
Subject: [sudo-users] Defaults runas_default global
Message-ID:

Hi Todd,

I hope you still can help on this topic. First of all, I renamed root to superadmin, then I added 'Defaults runas_default=superadmin' into /etc/sudoers. I want superadmin to be the default run-as user instead of root. But it doesn't work.
I saw some thread dating back to the year 2000, where you said the issue was fixed in sudo 1.6.3. My current sudo rpm is sudo-1.6.8p12-18. Could you help with this?

Thanks!
Jeff.

From Todd.Miller at courtesan.com Wed Jan 14 10:00:56 2009
From: Todd.Miller at courtesan.com (Todd C. Miller)
Date: Wed, 14 Jan 2009 10:00:56 -0500
Subject: [sudo-users] Defaults runas_default global
In-Reply-To: Your message of "Tue, 13 Jan 2009 14:43:29 MST."
References:
Message-ID: <200901141500.n0EF0ung004428@core.courtesan.com>

In message so spake Zhiguo Huang (huangz):

> First of all, I renamed root to superadmin, then I added 'Defaults
> runas_default=superadmin' into /etc/sudoers. I want superadmin to be the default
> run-as user instead of root. But it doesn't work. I saw some thread dating
> back to the year 2000, where you said the issue was fixed in sudo 1.6.3. My
> current sudo rpm is sudo-1.6.8p12-18.

In sudo 1.6.x the order of Defaults entries is important. If the line

    Defaults runas_default=superadmin

does not occur before the user specs it will not have an effect. It is probably best to put the line at the top of sudoers.

 - todd

From jakrainer at yahoo.com Fri Jan 16 05:04:41 2009
From: jakrainer at yahoo.com (Jackson Afonso Krainer)
Date: Fri, 16 Jan 2009 02:04:41 -0800 (PST)
Subject: [sudo-users] sudo 1.7.0 on AIX 5.3
Message-ID: <598837.37802.qm@web52106.mail.re2.yahoo.com>

Hello everyone,

I'm testing version 1.7.0 of sudo on AIX 5.3 but all my deny rules are not working.
If I do a sudo -l for my user I will have the following:

$ sudo sudo -V |grep version
Sudo version 1.7.0
$ sudo -l
Matching Defaults entries for user_a on this host:
    syslog_goodpri=debug, syslog_badpri=debug, syslog=local2, !env_reset

User user_a may run the following commands on this host:
    (root) NOPASSWD: ALL, (root) !/usr/bin/su, !/usr/bin/su -, !/usr/bin/su root, !/usr/bin/su - root,
    (root) !/usr/bin/bsh, !/usr/bin/csh, !/usr/bin/ksh, !/usr/bin/tsh, !/usr/bin/ksh93, !/usr/bin/sh, !/usr/bin/Rsh, !/usr/bin/bash, !/usr/bin/bash2, !/usr/bin/psh, !/usr/dt/bin/dtksh,
    (root) !/usr/bin/smit, !/usr/bin/smitty, !/usr/bin/smitacl,
    (root) !/usr/bin/X11/aixterm, !/usr/bin/X11/xterm,
    (root) !/usr/sbin/mkfs, !/usr/sbin/mkboot, !/usr/sbin/mkdev, !/usr/sbin/mklost+found, !/usr/sbin/mklv, !/usr/sbin/mklvcopy, !/usr/sbin/mknfs, !/usr/sbin/mknfsexp, !/usr/sbin/mknfsmnt, !/usr/sbin/mknod, !/usr/sbin/mkvg, !/usr/sbin/mkvg4vp, !/usr/sbin/chfs, !/usr/sbin/chlv, !/usr/sbin/chlvcopy, !/usr/sbin/chnfs, !/usr/sbin/chnfsexp, !/usr/sbin/chnfsmnt, !/usr/sbin/chpv, !/usr/sbin/chroot, !/usr/sbin/chvg, !/usr/sbin/rmdev, !/usr/sbin/rmfs, !/usr/sbin/rmlv, !/usr/sbin/rmlvcopy, !/usr/sbin/rmnfs, !/usr/sbin/rmnfsexp, !/usr/sbin/rmnfsmnt

If I try to run any command that was supposed to be blocked, /usr/sbin/rmlv for example, it just works when I expect it to not work. Take a look:

$ sudo /usr/sbin/rmlv
0516-602 rmlv: Logical volume name not entered.
Usage: rmlv [ -B ] [ -f ] [ -p Physical Volume ] LogicalVolume ...
Removes a logical volume.

I have the same configuration on servers where I have previous versions of sudo and it works fine. Is there something else that needs to be configured on 1.7.0 to avoid this problem, I mean, to make it work?

Thanks in advance,
Jackson
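The sudoers lint below is an added example, not sudo's own code and not something posted to the list. Run over a constructed sample file, it flags the two pitfalls raised in this thread: a Defaults line that sits after the user specifications (which Todd notes has no effect in sudo 1.6.x), and a user specification that grants ALL and then negates individual commands with '!', the shape of the rules above; sudoers(5) documents that subtracting commands from ALL this way is not an effective restriction, so an explicit allow-list is the safer form. The function names and the sample entries are assumptions.

```python
"""Lint a sudoers file for two pitfalls discussed on the sudo-users list.

Added example; not code from the sudo project or from anyone on the list.
Check 1: a Defaults entry placed after a user specification (in sudo 1.6.x
it does not affect the specs above it).
Check 2: a user specification that grants ALL and also negates commands
with '!' (sudoers(5): subtracting commands from ALL is not effective).
"""
import re

# Constructed sample file; users, hosts and paths are made up for the demo.
SAMPLE_SUDOERS = """\
# sudoers file (constructed sample)
Defaults env_reset
Cmnd_Alias SHELLS = /bin/sh, /bin/bash, \\
                    /bin/ksh
User_Alias ADMIN = user1, user2

ADMIN ALL = (ALL) ALL
user_a ALL = (root) NOPASSWD: ALL, (root) !/usr/bin/su, !SHELLS
Defaults runas_default=superadmin
webmaster ALL = (root) /etc/init.d/httpd
"""

_ALIAS_KEYWORDS = ("Host_Alias", "User_Alias", "Runas_Alias", "Cmnd_Alias")


def logical_lines(text):
    """Yield (line_number, text) for each logical sudoers line.

    Backslash-newline continuations are joined onto the line where they
    start; blank lines and comments are skipped, except #include and
    #includedir, which are directives rather than comments.
    """
    buf, start = [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        stripped = raw.strip()
        if start is None:
            if not stripped or (stripped.startswith("#")
                                and not stripped.startswith("#include")):
                continue
            start = lineno
        if stripped.endswith("\\"):
            buf.append(stripped[:-1].strip())
            continue
        buf.append(stripped)
        yield start, " ".join(buf)
        buf, start = [], None
    if buf:  # continuation backslash on the last line of the file
        yield start, " ".join(buf)


def classify(line):
    """Return 'defaults', 'alias', 'include' or 'userspec' for a logical line."""
    if line.startswith("Defaults"):
        return "defaults"
    if line.startswith(_ALIAS_KEYWORDS):
        return "alias"
    if line.startswith("#include"):
        return "include"
    return "userspec"


def command_tokens(spec):
    """Return the command entries of a user spec ('user host = cmnds').

    Runas lists such as (root) and tags such as NOPASSWD: are removed so
    that only the command words and command aliases remain.
    """
    _, _, cmnds = spec.partition("=")
    cmnds = re.sub(r"\([^)]*\)", " ", cmnds)   # drop (runas) lists
    cmnds = re.sub(r"\b[A-Z]+:", " ", cmnds)   # drop NOPASSWD:, SETENV: ...
    return [tok.strip() for tok in cmnds.split(",") if tok.strip()]


def grants_all_with_negation(spec):
    """True when a spec grants ALL and also carries '!'-negated entries."""
    toks = command_tokens(spec)
    return "ALL" in toks and any(tok.startswith("!") for tok in toks)


def lint_sudoers(text):
    """Return a list of (line_number, message) findings, in file order."""
    findings = []
    seen_userspec = False
    for lineno, line in logical_lines(text):
        kind = classify(line)
        if kind == "userspec":
            seen_userspec = True
            if grants_all_with_negation(line):
                findings.append((lineno, "grants ALL and negates commands with "
                                 "'!'; list the allowed commands instead"))
        elif kind == "defaults" and seen_userspec:
            findings.append((lineno, "Defaults entry after a user specification; "
                             "move it above the user specs (sudo 1.6.x)"))
    return findings


if __name__ == "__main__":
    for lineno, msg in lint_sudoers(SAMPLE_SUDOERS):
        print("line %d: %s" % (lineno, msg))
```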
From salatiel.filho at gmail.com Tue Jan 20 08:45:15 2009
From: salatiel.filho at gmail.com (Salatiel Filho)
Date: Tue, 20 Jan 2009 10:45:15 -0300
Subject: [sudo-users] Ask root password only for one command
Message-ID:

Is there a way to make ONE user need to type the root password for just one command of his list of allowed commands?
Example:
User nobody can run ifup, ifdown, ifconfig but I also want to be able to make nobody run "sudo su -", but in this case I need to type the root password instead of nobody's password.
Any ideas? I know there is the rootpw option, but I don't know how to make it work for a single command.

--
[]'s
Salatiel

"The greatest pleasure of the intelligent is to play the idiot in front of an idiot who plays the intelligent."

From mike at mpi-cbg.de Tue Jan 20 07:31:54 2009
From: mike at mpi-cbg.de (Mike Gallamore)
Date: Tue, 20 Jan 2009 13:31:54 +0100
Subject: [sudo-users] script runs using sudo but not as root
Message-ID:

I have a strange problem where a script that is owned by root gives an error when run as root but not when run using sudo. Anyone seen this before? Know of a way to fix it?

Info:
sudo version 1.6.7p5
system running CentOS 4.3

sudo file:

# sudoers file.
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the sudoers man page for the details on how to write a sudoers file.
#
# Host alias specification

# User alias specification

# Cmnd alias specification

# Defaults specification

# User privilege specification
root    ALL=(ALL) ALL
mike    ALL=(ALL) ALL
matt    ALL=(ALL) ALL
joegema ALL=(ALL) ALL

# Uncomment to allow people in group wheel to run all commands
# %wheel ALL=(ALL) ALL

# Same thing without a password
# %wheel ALL=(ALL) NOPASSWD: ALL

# Samples
# %users ALL=/sbin/mount /cdrom,/sbin/umount /cdrom
# %users localhost=/sbin/shutdown -h now

PATH info:

[root@node-master cfengine]# sudo echo $PATH
/opt/sge/bin/lx24-x86:/usr/kerberos/sbin:/usr/kerberos/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/X11R6/bin:/root/bin
[root@node-master cfengine]# echo $PATH
/opt/sge/bin/lx24-x86:/usr/kerberos/sbin:/usr/kerberos/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/X11R6/bin:/root/bin

From christian.peper at kpn.com Tue Jan 20 09:57:25 2009
From: christian.peper at kpn.com (christian.peper at kpn.com)
Date: Tue, 20 Jan 2009 15:57:25 +0100
Subject: [sudo-users] Ask root password only for one command
In-Reply-To:
References:
Message-ID: <459520CEEC42F041A8B0CFBCEE958A1101DE1993@KKWNLEX182.kpnnl.local>

> -----Original Message-----
> From: sudo-users-bounces at courtesan.com
> [mailto:sudo-users-bounces at courtesan.com] On Behalf Of Salatiel Filho
> Sent: Tuesday, January 20, 2009 2:45 PM
> To: sudo-users at sudo.ws
> Subject: [sudo-users] Ask root password only for one command
>
> Is there a way to make ONE user need to type the root password for
> just one command of his list of allowed commands?
> Example:
> User nobody can run ifup, ifdown, ifconfig but I also want
> to be able to make nobody run "sudo su -" but in this case I
> need to type the root password instead of nobody's password.

If you want to allow a user to switch to root if he/she enters the root passwd... There is no need to use sudo! :)
Just do 'su -', type the root passwd and be root.
The whole idea of sudo is NOT knowing the root passwd? Right? Or am I misunderstanding your question?

Chris.

From salatiel.filho at gmail.com Tue Jan 20 13:09:55 2009
From: salatiel.filho at gmail.com (Salatiel Filho)
Date: Tue, 20 Jan 2009 15:09:55 -0300
Subject: [sudo-users] Ask root password only for one command
In-Reply-To: <459520CEEC42F041A8B0CFBCEE958A1101DE1993@KKWNLEX182.kpnnl.local>
References: <459520CEEC42F041A8B0CFBCEE958A1101DE1993@KKWNLEX182.kpnnl.local>
Message-ID:

Ok. I need to be more specific :)
It is an embedded system running busybox. su from busybox is not suid, so I can not run su without calling sudo first :)

On Tue, Jan 20, 2009 at 11:57, wrote:
>> -----Original Message-----
>> From: sudo-users-bounces at courtesan.com
>> [mailto:sudo-users-bounces at courtesan.com] On Behalf Of Salatiel Filho
>> Sent: Tuesday, January 20, 2009 2:45 PM
>> To: sudo-users at sudo.ws
>> Subject: [sudo-users] Ask root password only for one command
>>
>> Is there a way to make ONE user need to type the root password for
>> just one command of his list of allowed commands?
>> Example:
>> User nobody can run ifup, ifdown, ifconfig but I also want
>> to be able to make nobody run "sudo su -" but in this case I
>> need to type the root password instead of nobody's password.
>
> If you want to allow a user to switch to root if he/she enters the root
> passwd... There is no need to use sudo! :)
> Just do 'su -', type the root passwd and be root.
>
> The whole idea of sudo is NOT knowing the root passwd?
> Right? Or am I misunderstanding your question?
>
> Chris.
>

--
[]'s
Salatiel

"The greatest pleasure of the intelligent is to play the idiot in front of an idiot who plays the intelligent."
From russell+sudo-users at loosenut.com Tue Jan 20 13:40:55 2009
From: russell+sudo-users at loosenut.com (Russell Van Tassell)
Date: Tue, 20 Jan 2009 10:40:55 -0800
Subject: [sudo-users] script runs using sudo but not as root
In-Reply-To:
References:
Message-ID: <20090120184055.GW20179@fubar.loosenut.com>

On Tue, Jan 20, 2009 at 01:31:54PM +0100, Mike Gallamore wrote:
> I have a strange problem where a script that is owned by root gives
> an error when run as root but not when run using sudo. Anyone seen
> this before? Know of a way to fix it?
>
> Info:
> sudo version 1.6.7p5
> system running CentOS 4.3

Think you might need to be a bit more specific here (ie. what's the command that's failing).

Any chance it's running on a remote filesystem or similar where the root user is mapped to something like "nobody" or similar?

--
Russell M. Van Tassell
russell at loosenut.com

Do not read this fortune under penalty of law. Violators will be prosecuted. (Penal Code sec. 2.3.2 (II.a.))

From vahid.moghaddasi at gmail.com Tue Jan 20 20:47:34 2009
From: vahid.moghaddasi at gmail.com (Vahid Moghaddasi)
Date: Tue, 20 Jan 2009 20:47:34 -0500
Subject: [sudo-users] include hostname in file
Message-ID:

Hi all,
I am trying to include a sudoers file which contains the local hostname. For example:

#include /etc/%h.sudoers

Of course the above directive does not work but you get the idea.
I need to do this to have one master file and one server-specific file as well.
Is there a way to do this?
Thanks,

From russell+sudo-users at loosenut.com Tue Jan 20 21:29:48 2009
From: russell+sudo-users at loosenut.com (Russell Van Tassell)
Date: Tue, 20 Jan 2009 18:29:48 -0800
Subject: [sudo-users] include hostname in file
In-Reply-To:
References:
Message-ID: <20090121022948.GA20179@fubar.loosenut.com>

On Tue, Jan 20, 2009 at 08:47:34PM -0500, Vahid Moghaddasi wrote:
> Hi all,
> I am trying to include a sudoers file which contains the local
> hostname.
> For example:
> #include /etc/%h.sudoers
> Of course the above directive does not work but you get the idea.
> I need to do this to have one master file and one server specific files as well.
> Is there a way to do this?
> Thanks,

Why don't you just integrate the hostnames into the configuration in a meaningful way? Sudo already has syntax provisions for exactly that...

Here's one semi-basic example... apologies for the length -- I just swiped it from an old template from a while back.

-- begin
#
# sudoers file.
#
#-----------------------------------------------------------------------
# Host alias specification
#

Host_Alias RFC1918_10_8 = 10.0.0.0/255.0.0.0
Host_Alias RFC1918_172_12 = 172.16.0.0/255.240.0.0
Host_Alias RFC1918_192_16 = 192.168.0.0/255.255.0.0

#
#-----------------------------------------------------------------------
# User alias specification
#

User_Alias ROOT = admin
User_Alias WEBMASTER = %www
User_Alias ADMIN = user1, user2

#
#-----------------------------------------------------------------------
# Cmnd alias specification
#

# Things we can use to get new shells
Cmnd_Alias SU = /usr/bin/su, /sbin/su
Cmnd_Alias SHELLS = /bin/sh, /usr/bin/sh, /sbin/sh, \
                    /bin/csh, /usr/bin/csh, \
                    /bin/jsh, /usr/bin/jsh, /sbin/jsh, \
                    /bin/ksh, /usr/bin/ksh

# Remote/removable file systems...
Cmnd_Alias MOUNT = /sbin/mount, /usr/sbin/mount
Cmnd_Alias UMOUNT = /sbin/umount, /usr/sbin/umount
Cmnd_Alias DISKS = MOUNT, UMOUNT

# Filesystem Permissions
Cmnd_Alias CHGRP = /usr/bin/chgrp
Cmnd_Alias CHMOD = /usr/bin/chmod
Cmnd_Alias CHOWN = /usr/bin/chown
Cmnd_Alias CP = /usr/bin/cp
Cmnd_Alias GZIP = /usr/local/bin/gzip, /usr/local/bin/gunzip
Cmnd_Alias LN = /usr/bin/ln
Cmnd_Alias MV = /usr/bin/mv
Cmnd_Alias RM = /usr/bin/rm
Cmnd_Alias FILE_OPS = CHGRP, CHMOD, CHOWN, CP, LN, MV, RM, GZIP

# Process commands
Cmnd_Alias PSTACK = /usr/proc/bin/pstack
Cmnd_Alias KILL = /usr/bin/kill
Cmnd_Alias PS_OPS = PSTACK, KILL

# Traffic sniffing
Cmnd_Alias SNOOP = /usr/sbin/snoop
Cmnd_Alias TCPDUMP = /usr/local/sbin/tcpdump
Cmnd_Alias SNIFF = SNOOP, TCPDUMP

# Web server commands
Cmnd_Alias HTTPD_INIT = /etc/init.d/apache*, /etc/init.d/httpd*

#
#-----------------------------------------------------------------------
# Defaults Specification
#

# Flags
Defaults mail_always
Defaults tty_tickets
Defaults log_host
Defaults log_year
Defaults !shell_noargs
Defaults fqdn # Requires DNS and may break because of it
Defaults insults

# Integers
Defaults passwd_tries=3
Defaults timestamp_timeout=5
Defaults passwd_timeout=5
Defaults umask=0022

# Strings
Defaults mailsub="*** SECURITY info on %h ***"
Defaults@RFC1918_10_8 mailsub="*** SECURITY info on 10.0.0.0/8-%h ***"
Defaults@RFC1918_172_12 mailsub="*** SECURITY info on 172.16.0.0/12-%h ***"
Defaults@RFC1918_192_16 mailsub="*** SECURITY info on 192.168.0.0/16-%h ***"

Defaults timestampdir=/tmp/.odus
Defaults timestampowner=root
Defaults runas_default=root
Defaults syslog_goodpri=notice
Defaults syslog_badpri=alert

# *** This really needs to be changed to a "secure" editor ***
Defaults editor=/usr/bin/vi

# Strings that can act in boolean context...
Defaults mailto="root@mydomain.com"
Defaults mailerflags="-o db -t"
Defaults verifypw=all
Defaults listpw=any

#
#-----------------------------------------------------------------------
# User privilege specification
#

ROOT ALL = (ALL) ALL
ADMIN ALL = (ALL) !SHELLS, !SU, FILE_OPS, PS_OPS, DISKS, SNIFF

WEBMASTER RFC1918_192_16 = (ALL) HTTPD_INIT

#
#-----------------------------------------------------------------------
-- end

--
Russell M. Van Tassell
russell at loosenut.com

"Just cause you got the monkey off your back doesn't mean the circus has left town." -- George Carlin

From mike at mpi-cbg.de Wed Jan 21 04:00:45 2009
From: mike at mpi-cbg.de (Mike Gallamore)
Date: Wed, 21 Jan 2009 10:00:45 +0100
Subject: [sudo-users] script runs using sudo but not as root
In-Reply-To: <20090120184055.GW20179@fubar.loosenut.com>
References: <20090120184055.GW20179@fubar.loosenut.com>
Message-ID:

I tried to eliminate some of the details to help make the problem more understandable.

The script is the run_cfengine.sh script which, as you can expect, runs GNU's cfengine on the client. These systems are part of a cluster; up until recently they were all running CentOS 4.3. I upgraded 8 of the nodes to 64-bit CentOS 5.2. All the files that cfengine touches reside on an NFS-mounted disk array.

The strange thing is that the cfengine configuration wasn't touched, nor were the files that are pushed over to the cluster nodes (eg. the sudoers file). The 64-bit nodes' cfengine script works, but the older 32-bit nodes got broken somehow in the process.

The problem is more of "what is sudo doing right?", because even if I'm logged in as root the script fails when I try to run it, but if I run it using sudo it runs without a problem. As my first email hopefully showed with the included sudoers file, our sudo setup is as basic as it can get: root and our three administrators all have sudo rights.
No changes to how paths are inherited or anything; sudo is running under the environment of the calling user as per default.

On Jan 20, 2009, at 7:40 PM, Russell Van Tassell wrote:

> On Tue, Jan 20, 2009 at 01:31:54PM +0100, Mike Gallamore wrote:
>> I have a strange problem where a script that is owned by root gives
>> an error when run as root but not when run using sudo. Anyone seen
>> this before? Know of a way to fix it?
>>
>> Info:
>> sudo version 1.6.7p5
>> system running CentOS 4.3
>
> Think you might need to be a bit more specific, here (ie. what's the
> command that's failing).
>
> Any chance it's running on a remote filesystem or similar where the
> root user is mapped to something like "nobody" or similar?
>
> --
> Russell M. Van Tassell
> russell at loosenut.com
>
> Do not read this fortune under penalty of law. Violators will be
> prosecuted. (Penal Code sec. 2.3.2 (II.a.))

From vahid.moghaddasi at gmail.com Wed Jan 21 09:57:47 2009
From: vahid.moghaddasi at gmail.com (Vahid Moghaddasi)
Date: Wed, 21 Jan 2009 09:57:47 -0500
Subject: [sudo-users] include hostname in file
In-Reply-To: <20090121022948.GA20179@fubar.loosenut.com>
References: <20090121022948.GA20179@fubar.loosenut.com>
Message-ID:

Thanks Russell for the reply,
I added line numbers to your post, could you please let me know which line(s) would be similar to what I have in mind.
Just some background, we have thousands of servers with sudoers lists but some SAs have changed the local sudoers file, hence it can not be synchronized. I would want the SA to include any change into a separate file e.g. /etc/`hostname`.sudoers and include it from the /etc/sudoers file so we can have one /etc/sudoers file across the servers.
Thanks again.

1 -- begin
2 #
3 # sudoers file.
4 #
5 #-----------------------------------------------------------------------
6 # Host alias specification
7 #
8
9 Host_Alias RFC1918_10_8 = 10.0.0.0/255.0.0.0
10 Host_Alias RFC1918_172_12 = 172.16.0.0/255.240.0.0
11 Host_Alias RFC1918_192_16 = 192.168.0.0/255.255.0.0
12
13 #
14 #-----------------------------------------------------------------------
15 # User alias specification
16 #
17
18 User_Alias ROOT = admin
19 User_Alias WEBMASTER = %www
20 User_Alias ADMIN = user1, user2
21
22 #
23 #-----------------------------------------------------------------------
24 # Cmnd alias specification
25 #
26
27 # Things we can use to get new shells
28 Cmnd_Alias SU = /usr/bin/su, /sbin/su
29 Cmnd_Alias SHELLS = /bin/sh, /usr/bin/sh, /sbin/sh, \
30                     /bin/csh, /usr/bin/csh, \
31                     /bin/jsh, /usr/bin/jsh, /sbin/jsh, \
32                     /bin/ksh, /usr/bin/ksh
33
34 # Remote/removable file systems...
35 Cmnd_Alias MOUNT = /sbin/mount, /usr/sbin/mount
36 Cmnd_Alias UMOUNT = /sbin/umount, /usr/sbin/umount
37 Cmnd_Alias DISKS = MOUNT, UMOUNT
38
39 # Filesystem Permissions
40 Cmnd_Alias CHGRP = /usr/bin/chgrp
41 Cmnd_Alias CHMOD = /usr/bin/chmod
42 Cmnd_Alias CHOWN = /usr/bin/chown
43 Cmnd_Alias CP = /usr/bin/cp
44 Cmnd_Alias GZIP = /usr/local/bin/gzip, /usr/local/bin/gunzip
45 Cmnd_Alias LN = /usr/bin/ln
46 Cmnd_Alias MV = /usr/bin/mv
47 Cmnd_Alias RM = /usr/bin/rm
48 Cmnd_Alias FILE_OPS = CHGRP, CHMOD, CHOWN, CP, LN, MV, RM, GZIP
49
50 # Process commands
51 Cmnd_Alias PSTACK = /usr/proc/bin/pstack
52 Cmnd_Alias KILL = /usr/bin/kill
53 Cmnd_Alias PS_OPS = PSTACK, KILL
54
55 # Traffic sniffing
56 Cmnd_Alias SNOOP = /usr/sbin/snoop
57 Cmnd_Alias TCPDUMP = /usr/local/sbin/tcpdump
58 Cmnd_Alias SNIFF = SNOOP, TCPDUMP
59
60 # Web server commands
61 Cmnd_Alias HTTPD_INIT = /etc/init.d/apache*, /etc/init.d/httpd*
62
63 #
64 #-----------------------------------------------------------------------
65 # Defaults Specification
66 #
67
68 # Flags
69 Defaults mail_always
70 Defaults tty_tickets
71 Defaults log_host
72 Defaults log_year
73 Defaults !shell_noargs
74 Defaults fqdn # Requires DNS and may break because of it
75 Defaults insults
76
77 # Integers
78 Defaults passwd_tries=3
79 Defaults timestamp_timeout=5
80 Defaults passwd_timeout=5
81 Defaults umask=0022
82
83 # Strings
84 Defaults mailsub="*** SECURITY info on %h ***"
85 Defaults@RFC1918_10_8 mailsub="*** SECURITY info on 10.0.0.0/8-%h ***"
86 Defaults@RFC1918_172_12 mailsub="*** SECURITY info on 172.16.0.0/12-%h ***"
87 Defaults@RFC1918_192_16 mailsub="*** SECURITY info on 192.168.0.0/16-%h ***"
88
89 Defaults timestampdir=/tmp/.odus
90 Defaults timestampowner=root
91 Defaults runas_default=root
92 Defaults syslog_goodpri=notice
93 Defaults syslog_badpri=alert
94
95 # *** This really needs to be changed to a "secure" editor ***
96 Defaults editor=/usr/bin/vi
97
98 # Strings that can act in boolean context...
99 Defaults mailto="root@mydomain.com"
100 Defaults mailerflags="-o db -t"
101 Defaults verifypw=all
102 Defaults listpw=any
103
104 #
105 #-----------------------------------------------------------------------
106 # User privilege specification
107 #
108
109 ROOT ALL = (ALL) ALL
110 ADMIN ALL = (ALL) !SHELLS, !SU, FILE_OPS, PS_OPS, DISKS, SNIFF
111
112 WEBMASTER RFC1918_192_16 = (ALL) HTTPD_INIT
113
114 #
115 #-----------------------------------------------------------------------
116 -- end

On Tue, Jan 20, 2009 at 9:29 PM, Russell Van Tassell
>
> Why don't you just integrate the hostnames in to the configuration in a
> meaningful way? Sudo already has syntax provisions for exactly that...
>
> Here's one semi-basic example... apologies for the length -- I just
> swiped it from an old template from a while back.
>

From Todd.Miller at courtesan.com Wed Jan 21 13:16:59 2009
From: Todd.Miller at courtesan.com (Todd C. Miller)
Date: Wed, 21 Jan 2009 13:16:59 -0500
Subject: [sudo-users] include hostname in file
In-Reply-To: Your message of "Wed, 21 Jan 2009 09:57:47 EST."
References: <20090121022948.GA20179@fubar.loosenut.com>
Message-ID: <200901211816.n0LIGxUj030911@core.courtesan.com>

In message so spake Vahid Moghaddasi (vahid.moghaddasi):

> I would want the SA to include any change into a separate file e.g.
> /etc/`hostname`.sudoers
> and include it from the /etc/sudoers file so we can have one
> /etc/sudoers file across the servers.

Is there any reason you can't just call this "/etc/sudoers.local" or do you need to distribute the local version of the file as well?

 - todd

From russell+sudo-users at loosenut.com Wed Jan 21 14:04:27 2009
From: russell+sudo-users at loosenut.com (Russell Van Tassell)
Date: Wed, 21 Jan 2009 11:04:27 -0800
Subject: [sudo-users] script runs using sudo but not as root
In-Reply-To:
References: <20090120184055.GW20179@fubar.loosenut.com>
Message-ID: <20090121190427.GB20179@fubar.loosenut.com>

Well, sounds like you eliminated too many details... such as even saying what or how the script fails -- what does it fail to do? What are the errors you're receiving?

Given that cfengine touches things on an NFS-mounted partition, could this be the infamous root to nobody mapping issue? Myself, running a cfengine system I've always found it easier to keep the files on a local disk (but I don't completely know your application here, either).

Given that running it as root (ie. not using sudo), I'd expect that your setup is causing the problem ... generally checking permissions, you tend to "just run as root and see if it works" and assume that if root works, it's a permission problem. With NFS, you tend to do the opposite... run as a different user and, if it breaks as root, chances are it's NFS.

Also, if you're running in 64 and 32 bit clusters, are you sure it's not as simple as having introduced some binary incompatibilities in your upgrade?

Again, without real specifics, it's tough to "see" the problem, here. My guess, however, is that it's not a sudo problem (ie.
since it breaks when run from a root login); and since most folks tend to cron cfengine to run regularly (or use cfrun), I'm still not clear on sudo's role, here (or the "sudo failure").

Russell

On Wed, Jan 21, 2009 at 10:00:45AM +0100, Mike Gallamore wrote:
> I tried to eliminate some of the details to help make the problem more
> understandable.
>
> The script is the run_cfengine.sh script which as you can expect runs
> GNU's cfengine on the client. These systems are part of a cluster, up
> until recently they were all running CentOS 4.3. I upgraded 8 of the
> nodes to 64-bit CentOS 5.2. All the files that cfengine touches reside
> on a NFS mounted disk array.
>
> The strange thing is that the cfengine configuration wasn't touched,
> as wasn't the files that are pushed over to the cluster nodes (eg. the
> sudoers file). The 64-bit nodes cfengine script works, but the older
> 32-bit nodes gotten broken somehow in the process.
>
> The problem is more of "what is sudo doing right?", because even if
> I'm logged in as root the script fails when I try to run it, but if I
> run it using sudo it runs without a problem. As my first email showed
> hopefully with the included sudoers file, our sudo setup is as basic
> as it can get, root and our three administrators have all sudo rights.
> No changes to how paths are inherited or anything, sudo is running
> under the environment of the calling user as per default.
> On Jan 20, 2009, at 7:40 PM, Russell Van Tassell wrote:
>
> >On Tue, Jan 20, 2009 at 01:31:54PM +0100, Mike Gallamore wrote:
> >>I have a strange problem were a script that is owned by root, gives
> >>an error when run as root but not when run using sudo. Anyone seen
> >>this before? Know of a way to fix it?
> >>
> >>Info:
> >>sudo version 1.6.7p5
> >>system running CentOS 4.3
> >
> >Think you might need to be a bit more specific, here (ie. what's the
> >command that's failing).
> >
> >Any chance it's running on a remote filesystem or similar where the
> >root user is mapped to something like "nobody" or similar?
> >
> >--
> >Russell M. Van Tassell
> >russell at loosenut.com
> >
> >Do not read this fortune under penalty of law. Violators will be
> >prosecuted. (Penal Code sec. 2.3.2 (II.a.))

--
Russell M. Van Tassell
russell at loosenut.com

"When in doubt, tell the truth." - Mark Twain

From vahid.moghaddasi at gmail.com Wed Jan 21 18:53:03 2009
From: vahid.moghaddasi at gmail.com (Vahid Moghaddasi)
Date: Wed, 21 Jan 2009 18:53:03 -0500
Subject: [sudo-users] include hostname in file
In-Reply-To: <200901211816.n0LIGxUj030911@core.courtesan.com>
References: <20090121022948.GA20179@fubar.loosenut.com> <200901211816.n0LIGxUj030911@core.courtesan.com>
Message-ID:

On Wed, Jan 21, 2009 at 1:16 PM, Todd C. Miller wrote:
> In message
> so spake Vahid Moghaddasi (vahid.moghaddasi):
>
>> I would want the SA to include any change into a separate file e.g.
>> /etc/`hostname`.sudoers
>> and include it from the /etc/sudoers file so we can have one
>> /etc/sudoers file across the servers.
>
> Is there any reason you can't just call this "/etc/sudoers.local"
> or do you need to distribute the local version of the file as well?
>
> - todd
>

If there is no other way, we will do that, but I am afraid that some SA will push the "/etc/sudoers.local" file from the central place and bring down some services and make many people very unhappy.
I will work on the "/etc/sudoers.local" file as soon as tomorrow.
Thanks everyone,

--
This e-mail address is not monitored so please do not send me anything important here. Thanks.
From mike at mpi-cbg.de Thu Jan 22 04:19:40 2009
From: mike at mpi-cbg.de (Mike Gallamore)
Date: Thu, 22 Jan 2009 10:19:40 +0100
Subject: [sudo-users] script runs using sudo but not as root
In-Reply-To: <20090121190427.GB20179@fubar.loosenut.com>
References: <20090120184055.GW20179@fubar.loosenut.com> <20090121190427.GB20179@fubar.loosenut.com>
Message-ID: <9117939F-2FC4-4301-91F3-597B6336E960@mpi-cbg.de>

The cfengine script "just" maintains the permissions on the common security files (group, sudoers, shadow and passwd for example), and makes sure that all the nodes are configured with the same nfs mounts.

It was kept on an NFS directory because all the other systems in the VLAN are PXE booted off this fileserver, so it is the only system that isn't going to be reinstalled on a frequent basis. The script gives:

/opt/cfengine/sbin/cfagent: symbol lookup error: /opt/cfengine/sbin/cfagent: undefined symbol: db_create

when run as root, but not when sudoed from other user accounts or even root. Binary incompatibility, anything is possible I suppose, but the version of cfengine wasn't changed; it was installed on the 64-bit nodes, but it was already installed and working on the 32-bit nodes for years. Could it be something as simple as a binary log file being touched last by a 64-bit node and then the 32-bit ones can no longer read it? Not sure how to determine that.

On Jan 21, 2009, at 8:04 PM, Russell Van Tassell wrote:

>
> Well, sounds like you eliminated too many details... such as even saying
> what or how the script fails -- what does it fail to do? What are the
> errors you're receiving?
>
> Given that cfengine touches things on an NFS-mounted partition, could
> this be the infamous root to nobody mapping issue? Myself, running a
> cfengine system I've always found it easier to keep the files on a local
> disk (but I don't completely know your application here, either).
>
> Given that running it as root (ie.
not using sudo), I'd expect that your
> setup is causing the problem ... generally checking permissions, you
> tend to "just run as root and see if it works" and assume that if root
> works, it's a permission problem. With NFS, you tend to do the
> opposite... run as a different user and, if it breaks as root, chances
> are it's NFS.
>
> Also, if you're running in 64 and 32 bit clusters, are you sure it's not
> as simple as having introduced some binary incompatibilities in your
> upgrade?
>
> Again, without real specifics, it's tough to "see" the problem, here.
> My guess, however, is that it's not a sudo problem (ie. since it breaks
> when run from a root login); and since most folks tend to cron cfengine
> to run regularly (or use cfrun), I'm still not clear on sudo's role,
> here (or the "sudo failure").
>
> Russell
>
>
> On Wed, Jan 21, 2009 at 10:00:45AM +0100, Mike Gallamore wrote:
>> I tried to eliminate some of the details to help make the problem more
>> understandable.
>>
>> The script is the run_cfengine.sh script which as you can expect runs
>> GNU's cfengine on the client. These systems are part of a cluster, up
>> until recently they were all running CentOS 4.3. I upgraded 8 of the
>> nodes to 64-bit CentOS 5.2. All the files that cfengine touches reside
>> on a NFS mounted disk array.
>>
>> The strange thing is that the cfengine configuration wasn't touched,
>> as wasn't the files that are pushed over to the cluster nodes (eg. the
>> sudoers file). The 64-bit nodes cfengine script works, but the older
>> 32-bit nodes gotten broken somehow in the process.
>>
>> The problem is more of "what is sudo doing right?", because even if
>> I'm logged in as root the script fails when I try to run it, but if I
>> run it using sudo it runs without a problem. As my first email showed
>> hopefully with the included sudoers file, our sudo setup is as basic
>> as it can get, root and our three administrators have all sudo rights.
>> No changes to how paths are inherited or anything, sudo is running >> under the environment of the calling user as per default. >> On Jan 20, 2009, at 7:40 PM, Russell Van Tassell wrote: >> >>> On Tue, Jan 20, 2009 at 01:31:54PM +0100, Mike Gallamore wrote: >>>> I have a strange problem were a script that is owned by root, >>>> gives >>>> an error when run as root but not when run using sudo. Anyone seen >>>> this before? Know of a way to fix it? >>>> >>>> Info: >>>> sudo version 1.6.7p5 >>>> system running CentOS 4.3 >>> >>> Think you might need to be a bit more specific, here (ie. what's the >>> command that's failing). >>> >>> Any chance it's running on a remote filesystem or similar where the >>> root >>> user is mapped to something like "nobody" or similar? >>> >>> >>> >>> -- >>> Russell M. Van Tassell >>> russell at loosenut.com >>> >>> Do not read this fortune under penalty of law. Violators will be >>> prosecuted. (Penal Code sec. 2.3.2 (II.a.)) > > -- > Russell M. Van Tassell > russell at loosenut.com > > "When in doubt, tell the truth." - Mark > Twain From russell+sudo-users at loosenut.com Thu Jan 22 04:34:23 2009 From: russell+sudo-users at loosenut.com (Russell Van Tassell) Date: Thu, 22 Jan 2009 01:34:23 -0800 Subject: [sudo-users] script runs using sudo but not as root In-Reply-To: <9117939F-2FC4-4301-91F3-597B6336E960@mpi-cbg.de> References: <20090120184055.GW20179@fubar.loosenut.com> <20090121190427.GB20179@fubar.loosenut.com> <9117939F-2FC4-4301-91F3-597B6336E960@mpi-cbg.de> Message-ID: <20090122093423.GT20179@fubar.loosenut.com> Well, cfengine still "keeps state" based on when it last ran, what it did, etc... and it generally uses BDB to do so (I believe that it normally ends up in /var/cfengine, but many installations, particularly old ones, seem to change that spot). So here, it sounds like cfagent *might* be missing a shared symbol or library from the Berkeley DB distro... and again, that might be tied to NFS and/or permissions. 
Or it can be as simple as a shared library and/or / dynamic linker path (maybe a homedir change that messed that up). But it doesn't sounds like a sudo issue, directly... You can try "ldd" on the cfengine binaries under different user ids, and maybe see if something turns up missing, there... that might give you some additional hints as to what's going on here. On Thu, Jan 22, 2009 at 10:19:40AM +0100, Mike Gallamore wrote: > The cfengine script "just" maintains the permissions on the common > security files (group, sudoers, shadow and passwd for example), and > makes sure that all the nodes are configured with the same nfs mounts. > > It was kept on a NFS directory because all the other systems in the > VLAN are PXE booted off this fileserver, so it is the only system that > isn't going to be reinstalled on a frequent basis. The script gives: > > /opt/cfengine/sbin/cfagent: symbol lookup error: /opt/cfengine/sbin/ > cfagent: undefined symbol: db_create > > When run as root, but not when sudoed from other user accounts or even > root. Binary incompatibility, anything is possible I suppose, but the > version of cfengine wasn't changed, it was installed on the 64-bit > nodes, but it was already installed and working on the 32-bit nodes > for years. Could it be something as simple as a binary log file being > touched last by a 64-bit node and then the 32-bit ones can no longer > read it? Not sure how to determine that. > On Jan 21, 2009, at 8:04 PM, Russell Van Tassell wrote: > > >Well, sounds like you eliminated too many details... such as even > >saying > >what or how the script fails -- what does it fail to do? What are the > >errors you're receiving? -- Russell M. Van Tassell russell at loosenut.com "My expectations were reduced to zero when I was 21. Everything since then has been a bonus." 
-- Stephen Hawking

From Jamuna.Manjunatha at ironmountain.com Wed Jan 21 14:25:35 2009
From: Jamuna.Manjunatha at ironmountain.com (Manjunatha, Jamuna)
Date: Wed, 21 Jan 2009 14:25:35 -0500
Subject: [sudo-users] sudo help with logging option enabled....

Hi Don,

I did exactly what you mentioned. I added a file called "sudonote" under /etc

------------
#!/bin/false
exit 0;
------------

& chmod 777 sudonote

Then added an entry like this to the /etc/sudoers file. But it says the syntax is wrong!!! What should I do?? Please please help..

# Runas alias specification
# User privilege specification
root ALL=(ALL) ALL
#
# Cmnd_Alias VI = /usr/bin/vi
#
Defaults !lecture,tty_tickets,!fqdn
# Uncomment to allow people in group wheel to run all commands
# %wheel ALL=(ALL) ALL
#%OPS ALL=(ALL) NOPASSWD: ALL
%OPS ALL=(ALL) ALL
Cmnd_Alias sudonote = /etc/sudonote
# Same thing without a password
# %wheel ALL=(ALL) NOPASSWD: ALL
# Samples
# %users ALL=/sbin/mount /cdrom,/sbin/umount /cdrom
# %users localhost=/sbin/shutdown -h now
mgr-user ALL=NOPASSWD:/sbin/shutdown,/usr/bin/sv,/usr/local/servermanager/clear-error-state.rb
Defaults:mgr-user !syslog
#Defaults:OPS !syslog
# Following entries were added by HP Insight Management Agents at
# Fri Jan 9 21:07:14 UTC 2009
%hpsmh ALL=NOPASSWD:/etc/init.d/snmpd
%hpsmh ALL=NOPASSWD:/usr/bin/snmptrap
# ---------------------- END -------------

The information contained in this email message and its attachments is intended only for the private and confidential use of the recipient(s) named above, unless the sender expressly agrees otherwise. Transmission of email over the Internet is not a secure communications medium. If you are requesting or have requested the transmittal of personal data, as defined in applicable privacy laws by means of email or in an attachment to email you must select a more secure alternate means of transmittal that supports your obligations to protect such personal data.
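Editor's note on the file above, followed by an added example that is not from the thread. The syntax error is the alias name: sudoers alias names must match [A-Z]([A-Z][0-9]_)*, so "Cmnd_Alias sudonote = /etc/sudonote" is rejected while "Cmnd_Alias SUDONOTE = /etc/sudonote" parses (the alias is also never used by any rule, which sudo allows but which makes it pointless; %OPS already has ALL). Two further things a reviewer would flag in the same post: a script that sudo runs as root must not be world-writable, because chmod 777 lets any local user rewrite /etc/sudonote and have sudo execute their code as root (root-owned, mode 0755 is the safe shape), and with "#!/bin/false" as the interpreter the body never runs at all, since the kernel executes /bin/false with the script path as its argument and /bin/false exits 1 without reading it. The script below is added example code, not from the thread or from the sudo project: a lint for exactly those two mistakes, meant to run on a candidate sudoers before visudo -c, which remains the authoritative syntax check. The sample sudoers and helper files it writes are constructed for the demonstration, and the path extraction is deliberately simple (every absolute path on a non-comment line is checked, so path arguments such as /cdrom are reported as missing when they do not exist).

```shell
#!/bin/sh
# Added example, not from the sudo-users thread or the sudo project: lint a
# sudoers file for two mistakes visible in the post above. visudo -c stays
# the authoritative check; this catches the common cases early and says why.

# Print "<line>:<name>" for each alias whose name is not [A-Z][A-Z0-9_]*.
# (sudoers grammar: NAME ::= [A-Z]([A-Z][0-9]_)*, so "sudonote" is rejected.)
bad_alias_names() { # $1 = sudoers file
    awk '/^[ \t]*(User|Runas|Host|Cmnd)_Alias[ \t]/ {
            n = $2; sub(/=.*/, "", n)
            if (n !~ /^[A-Z][A-Z0-9_]*$/) print NR ":" n
        }' "$1"
}

# Print "world-writable: <path>" or "missing: <path>" for every absolute
# path named outside comments. A world-writable command in sudoers lets any
# local user replace its contents and have sudo run them as root.
# Deliberately simple: path arguments (e.g. /cdrom) are checked as well.
unsafe_commands() { # $1 = sudoers file
    grep -v '^[[:space:]]*#' "$1" |
    tr ',' '\n' |
    grep -oE '(^|[[:space:]=:])/[^[:space:],:=]+' |
    sed -E 's/^[[:space:]=:]//' |
    sort -u |
    while read -r p; do
        if [ ! -e "$p" ]; then
            echo "missing: $p"
        elif [ -n "$(find "$p" -prune -perm -002 2>/dev/null)" ]; then
            echo "world-writable: $p"
        fi
    done
}

# Run both checks; exit 1 when anything was found so it can gate a deploy:
#   lint_sudoers sudoers.new && visudo -c -f sudoers.new
lint_sudoers() { # $1 = sudoers file
    findings=$( { bad_alias_names "$1"; unsafe_commands "$1"; } )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample mirroring the post: lowercase alias name, a mode 777
# helper, and a command path that does not exist. $1 = scratch directory.
make_sample() {
    d=$1
    printf '#!/bin/sh\nexit 0\n' > "$d/sudonote"
    chmod 777 "$d/sudonote"            # the mistake from the post
    : > "$d/clear-error-state.rb"
    chmod 755 "$d/clear-error-state.rb"
    cat > "$d/sudoers" <<EOF
Defaults !lecture,tty_tickets,!fqdn
root ALL=(ALL) ALL
%OPS ALL=(ALL) ALL
Cmnd_Alias sudonote = $d/sudonote
Cmnd_Alias MGR_CMDS = $d/absent, $d/clear-error-state.rb
mgr-user ALL=NOPASSWD: MGR_CMDS
EOF
}

# Usage: sh sudoers-lint.sh /etc/sudoers   (no argument: lint the sample)
if [ $# -gt 0 ]; then
    lint_sudoers "$1"
else
    demo=$(mktemp -d)
    make_sample "$demo"
    lint_sudoers "$demo/sudoers" || echo "fix the findings above, then run visudo -c"
    rm -rf "$demo"
fi
```

On the sample the lint reports the lowercase alias on line 4, the world-writable sudonote helper and the missing command, and nothing for the correctly installed clear-error-state.rb; the three findings map directly onto the three problems in the post.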
If the reader of this message is not the intended recipient and/or you have received this email in error, you must take no action based on the information in this email and you are hereby notified that any dissemination, misuse, copying, or disclosure of this communication is strictly prohibited. If you have received this communication in error, please notify us immediately by email and delete the original message.

From Jamuna.Manjunatha at ironmountain.com Wed Jan 21 12:06:18 2009
From: Jamuna.Manjunatha at ironmountain.com (Manjunatha, Jamuna)
Date: Wed, 21 Jan 2009 12:06:18 -0500
Subject: [sudo-users] I need help with sudoers..

Hi all,

I am trying to set up sudo. Your website helped me a lot. Now I want to see the sudoers activity in the logs:

1) first a user logs in
2) He types "sudo bash" & gets sudo privileges
3) Then he creates a directory under /root
4) Then he deletes it

My question is: how can I make EVERY entry from the user get logged into /var/log/sudolog? Right now only the first two steps get logged in /var/log/sudolog but I want ALL the activity like deleting a file, creating a file, etc.

Please help... Thanks so much in advance.

Jamuna
From Radesh_Singh at ml.com Thu Jan 22 12:38:56 2009
From: Radesh_Singh at ml.com (Singh, Radesh (GTS))
Date: Thu, 22 Jan 2009 12:38:56 -0500
Subject: [sudo-users] I need help with sudoers..
Message-ID: <1F083E3510811D4B82611186F74DB1C101685D09@MLNYA20MB010.amrs.win.ml.com>

I don't know if this is good for your purposes, but sudoshell works nicely for recording everything that is typed.

Shawn Singh
NJUNIX/GWM UNIX
(904) 218-4096 - My name ain't chump, it's
____________________________________________________________
sudo-users mailing list
For list information, options, or to unsubscribe, visit:
http://www.sudo.ws/mailman/listinfo/sudo-users

--------------------------------------------------------------------------
This message w/attachments (message) may be privileged, confidential or proprietary, and if you are not an intended recipient, please notify the sender, do not use or share it and delete it. Unless specifically indicated, this message is not an offer to sell or a solicitation of any investment products or other financial product or service, an official confirmation of any transaction, or an official statement of Merrill Lynch. Subject to applicable law, Merrill Lynch may monitor, review and retain e-communications (EC) traveling through its networks/systems. The laws of the country of each sender/recipient may impact the handling of EC, and EC may be archived, supervised and produced in countries other than the country in which you are located. This message cannot be guaranteed to be secure or error-free. References to "Merrill Lynch" are references to any company in the Merrill Lynch & Co., Inc. group of companies, which are wholly-owned by Bank of America Corporation.
Securities and Insurance Products: * Are Not FDIC Insured * Are Not Bank Guaranteed * May Lose Value * Are Not a Bank Deposit * Are Not a Condition to Any Banking Service or Activity * Are Not Insured by Any Federal Government Agency. Attachments that are part of this E-communication may have additional important disclosures and disclaimers, which you should read. This message is subject to terms available at the following link: http://www.ml.com/e-communications_terms/. By messaging with Merrill Lynch you consent to the foregoing.
--------------------------------------------------------------------------

From Radesh_Singh at ml.com Thu Jan 22 12:46:59 2009
From: Radesh_Singh at ml.com (Singh, Radesh (GTS))
Date: Thu, 22 Jan 2009 12:46:59 -0500
Subject: [sudo-users] I need help with sudoers..
References: <1F083E3510811D4B82611186F74DB1C101685D09@MLNYA20MB010.amrs.win.ml.com>
Message-ID: <1F083E3510811D4B82611186F74DB1C101685D0A@MLNYA20MB010.amrs.win.ml.com>

If you were using sudoshell, you'd just add the ability for your users to run the sudoshell command or ss command to your sudoers file. For instance, say you've got:

Cmnd_Alias SUDO_ROOT = /usr/bin/sudoshell -u root

You could have:

%groupname|username ALL=(root) NOPASSWD: SUDO_ROOT

With that, your user would be able to run sudoshell as root, and it would log everything. In Solaris 10, I see the logs being written to /var/log/sudoscript.

Thanks,
Shawn Singh
NJUNIX/GWM UNIX
(904) 218-4096 - My name ain't chump, it's

-----Original Message-----
From: Manjunatha, Jamuna [mailto:Jamuna.Manjunatha at ironmountain.com]
Sent: Thursday, January 22, 2009 12:41 PM
To: Singh, Radesh (GTS); sudo-users at sudo.ws
Subject: RE: [sudo-users] I need help with sudoers..

I am not sure I understand. What changes do I need to make in the /etc/sudoers file?? Please let me know..
Thanks
From Jamuna.Manjunatha at ironmountain.com Thu Jan 22 12:40:51 2009
From: Jamuna.Manjunatha at ironmountain.com (Manjunatha, Jamuna)
Date: Thu, 22 Jan 2009 12:40:51 -0500
Subject: [sudo-users] I need help with sudoers..
In-Reply-To: <1F083E3510811D4B82611186F74DB1C101685D09@MLNYA20MB010.amrs.win.ml.com>

I am not sure I understand. What changes do I need to make in the /etc/sudoers file?? Please let me know..

Thanks
From Radesh_Singh at ml.com Fri Jan 23 15:16:49 2009
From: Radesh_Singh at ml.com (Singh, Radesh (GTS))
Date: Fri, 23 Jan 2009 15:16:49 -0500
Subject: [sudo-users] I need help with sudoers..
References: <1F083E3510811D4B82611186F74DB1C101685D0A@MLNYA20MB010.amrs.win.ml.com>
Message-ID: <1F083E3510811D4B82611186F74DB1C101685D1A@MLNYA20MB010.amrs.win.ml.com>

No problem... too bad it didn't yield a resolution. We're using it on Linux (Red Hat 4 and 5 as well as SUSE Linux Enterprise Server 9) without a hitch. I just mentioned Solaris 10 as that's the box where I checked to see where the logs were getting written.

Shawn Singh
NJUNIX/GWM UNIX
(904) 218-4096 - My name ain't chump, it's

-----Original Message-----
From: Manjunatha, Jamuna [mailto:Jamuna.Manjunatha at ironmountain.com]
Sent: Friday, January 23, 2009 3:13 PM
To: Singh, Radesh (GTS); sudo-users at sudo.ws
Subject: RE: [sudo-users] I need help with sudoers..
I tried this, but I have Linux so no luck... Thanks so much!!
From Jamuna.Manjunatha at ironmountain.com Fri Jan 23 15:13:24 2009
From: Jamuna.Manjunatha at ironmountain.com (Manjunatha, Jamuna)
Date: Fri, 23 Jan 2009 15:13:24 -0500
Subject: [sudo-users] I need help with sudoers..
In-Reply-To: <1F083E3510811D4B82611186F74DB1C101685D0A@MLNYA20MB010.amrs.win.ml.com>

I tried this, but I have Linux so no luck... Thanks so much!!
Unless specifically indicated, this message is not an offer to sell or a solicitation of any investment products or other financial product or service, an official confirmation of any transaction, or an official statement of Merrill Lynch. Subject to applicable law, Merrill Lynch may monitor, review and retain e-communications (EC) traveling through its networks/systems. The laws of the country of each sender/recipient may impact the handling of EC, and EC may be archived, supervised and produced in countries other than the country in which you are located. This message cannot be guaranteed to be secure or error-free. References to "Merrill Lynch" are references to any company in the Merrill Lynch & Co., Inc. group of companies, which are wholly-owned by Bank of America Corporation. Securities and Insurance Products: * Are Not FDIC Insured * Are Not Bank Guaranteed * May Lose Value * Are Not a Bank Deposit * Are Not a Condition to Any Banking Service or Activity * Are Not Insured by Any Federal Government Agency. Attachments that are part of this E-communication may have additional important disclosures and disclaimers, which you should read. This message is subject to terms available at the following link: http://www.ml.com/e-communications_terms/. By messaging with Merrill Lynch you consent to the foregoing.
------------------------------------------------------------------------
--

From Vijaya.Pidugu at sig.com Sun Jan 25 09:11:56 2009
From: Vijaya.Pidugu at sig.com (Pidugu Vijaya)
Date: Sun, 25 Jan 2009 09:11:56 -0500
Subject: [sudo-users] I need help with sudoers..
Message-ID:

You cannot do this. The only way to achieve this is by forcing the user to use sudo in front of every command he or she needs to run as root. For that you have to prevent the user from getting a root shell, which is pretty easy!
----- Original Message -----
From: sudo-users-bounces at courtesan.com
To: Singh, Radesh (GTS) ; sudo-users at sudo.ws
Sent: Fri Jan 23 15:13:24 2009
Subject: Re: [sudo-users] I need help with sudoers..

I tried this, but I have Linux so no luck...

Thanks so much!!
IMPORTANT: The information contained in this email and/or its attachments is confidential. If you are not the intended recipient, please notify the sender immediately by reply and immediately delete this message and all its attachments. Any review, use, reproduction, disclosure or dissemination of this message or any attachment by an unintended recipient is strictly prohibited. Neither this message nor any attachment is intended as or should be construed as an offer, solicitation or recommendation to buy or sell any security or other financial instrument. Neither the sender, his or her employer nor any of their respective affiliates makes any warranties as to the completeness or accuracy of any of the information contained herein or that this message or any of its attachments is free of viruses.

From Radesh_Singh at ml.com Mon Jan 26 08:28:19 2009
From: Radesh_Singh at ml.com (Singh, Radesh (GTS))
Date: Mon, 26 Jan 2009 08:28:19 -0500
Subject: [sudo-users] I need help with sudoers..
In-Reply-To:
References:
Message-ID: <1F083E3510811D4B82611186F74DB1C101685D2C@MLNYA20MB010.amrs.win.ml.com>

Guys, not sure what's preventing you from using sudoshell as a mechanism of logging everything occurring while using sudo. Maybe I'm missing what you were trying to do. I understood your post to mean that you want to be able to have comprehensive logging of everything occurring when a user is using sudo to root. sudoshell will allow this for you.
Thanks,

Shawn Singh
NJUNIX/GWM UNIX
(904) 218-4096 - My name ain't chump, it's

From: Manjunatha, Jamuna [mailto:Jamuna.Manjunatha at ironmountain.com]
Sent: Sunday, January 25, 2009 12:22 PM
To: Pidugu Vijaya; Singh, Radesh (GTS); sudo-users at sudo.ws
Subject: RE: [sudo-users] I need help with sudoers..

Yes, agreed...

That is the only best option..

Thanks a lot!!!
From Radesh_Singh at ml.com Mon Jan 26 08:50:41 2009
From: Radesh_Singh at ml.com (Singh, Radesh (GTS))
Date: Mon, 26 Jan 2009 08:50:41 -0500
Subject: [sudo-users] I need help with sudoers..
In-Reply-To:
References:
Message-ID: <1F083E3510811D4B82611186F74DB1C101685D2E@MLNYA20MB010.amrs.win.ml.com>

Vijaya,

Have you used sudoshell?
It may be viewed as a one-size-fits-all approach to logging operations done via sudo, but it works reasonably well on all platforms that we have (Solaris, Linux and AIX). If you're referring to my syntax not being correct, I wasn't trying to be literal, just quick and dirty. In our environment, say I was rsingh and a member of sysadmins, I could be set up as follows:

    rsingh ALL=(root) NOPASSWD: /usr/bin/sudoshell -u root

or

    %sysadmins ALL=(root) NOPASSWD: /usr/bin/sudoshell -u root

The main difference would be a 1-off instance (me) _or_ granting permission to the group that I am part of, which would be useful if the entire team needed to be able to sudoshell (as required in our environment).

Shawn Singh
NJUNIX/GWM UNIX
(904) 218-4096 - My name ain't chump, it's
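Added example, not code from sudo, sudoshell or any poster in this thread: it turns Vijaya's advice (keep users away from a root shell) and Shawn's sudoshell grants into a check that reads a sudoers fragment, expands Cmnd_Alias entries, and reports every grant that ends in a shell sudo's own log cannot follow past its one COMMAND= line, while accepting /usr/bin/sudoshell because it records the session itself. The SHELL_LIKE and LOGGING_WRAPPERS lists, the helper names and every sample rule other than the two from the thread are constructed for this example.

```python
"""Audit a sudoers fragment for grants that end in an unlogged shell.

Added example for the sudo-users thread; not code from sudo, sudoshell
or any poster. Once sudo has written its single "COMMAND=/bin/bash" line
a plain shell grant is invisible to sudo's log (Jamuna's problem), while
sudoshell records everything typed, so it is accepted as a wrapper.
"""
import re
from typing import Dict, List, NamedTuple, Optional

# Commands that hand the caller an interactive shell or a new identity.
# Constructed list; extend it with whatever else a site installs.
SHELL_LIKE = {"bash", "sh", "ksh", "csh", "zsh", "dash", "su", "login"}
# Wrappers that record the session themselves. Constructed allow-list.
LOGGING_WRAPPERS = {"sudoshell", "ss"}

ALIAS_RE = re.compile(r"^Cmnd_Alias\s+(\w+)\s*=\s*(.+)$")
# user  host=(runas) [TAG:] cmd, cmd ...   (the runas part is optional)
SPEC_RE = re.compile(r"^(\S+)\s+(\S+)\s*=\s*(?:\(([^)]*)\)\s*)?(.+)$")
TAG_RE = re.compile(r"^(?:[A-Z_]+:\s*)+")  # NOPASSWD:, NOEXEC:, ...


class Finding(NamedTuple):
    user: str
    host: str
    runas: str
    command: str
    reason: str


def classify(cmd: str) -> Optional[str]:
    """Explain why one command entry is a logging blind spot, or None."""
    if cmd.startswith("!"):
        return None  # a negated entry denies; it grants nothing by itself
    token = cmd.split()[0]
    if token == "ALL":
        return "ALL grants every command, shells included"
    base = token.rsplit("/", 1)[-1]
    if base in LOGGING_WRAPPERS:
        return None  # session is recorded by the wrapper itself
    if base in SHELL_LIKE:
        return "spawns a shell; sudo logs only COMMAND=%s" % token
    if any(ch in token for ch in "*?["):
        return "wildcard path; can match a shell or an escaping tool"
    return None


def _split(entries: str) -> List[str]:
    """Comma-separated command list with per-entry tags stripped."""
    return [TAG_RE.sub("", e.strip()) for e in entries.split(",") if e.strip()]


def _expand(cmd: str, aliases: Dict[str, List[str]]) -> List[str]:
    """Replace Cmnd_Alias names (nested ones too) by their commands."""
    if cmd.startswith("!") or cmd not in aliases:
        return [cmd]
    out: List[str] = []
    for c in aliases[cmd]:
        out.extend(_expand(c, aliases))
    return out


def audit(sudoers: str) -> List[Finding]:
    aliases: Dict[str, List[str]] = {}
    findings: List[Finding] = []
    for raw in sudoers.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = ALIAS_RE.match(line)
        if m:
            aliases[m.group(1)] = _split(m.group(2))
            continue
        first = line.split()[0]
        if first == "Defaults" or first.endswith("_Alias"):
            continue  # Defaults and the other alias kinds are not grants
        m = SPEC_RE.match(line)
        if not m:
            continue
        user, host, runas, entries = m.group(1), m.group(2), m.group(3) or "root", m.group(4)
        for entry in _split(entries):
            for cmd in _expand(entry, aliases):
                reason = classify(cmd)
                if reason:
                    findings.append(Finding(user, host, runas, cmd, reason))
    return findings


# Constructed sample: the two grants from the thread plus rules an auditor
# would want flagged. Only the sudoshell lines come from the thread.
SAMPLE_SUDOERS = """
Cmnd_Alias SUDO_ROOT = /usr/bin/sudoshell -u root
Cmnd_Alias SHELLS = /bin/bash, /bin/sh
Cmnd_Alias SVC = /usr/sbin/service httpd restart, /sbin/service sshd restart
%sysadmins ALL=(root) NOPASSWD: SUDO_ROOT
rsingh ALL=(root) NOPASSWD: /usr/bin/sudoshell -u root
jamuna ALL=(root) SHELLS                      # the "sudo bash" case
ops ALL=(root) SVC, /usr/bin/su -
dev ALL=(root) NOPASSWD: ALL
backup ALL=(root) /usr/local/bin/*, !/bin/bash
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_SUDOERS):
        print("%-12s %-6s (%s) %-28s %s" % (f.user, f.host, f.runas, f.command, f.reason))
```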
From Jamuna.Manjunatha at ironmountain.com Sun Jan 25 12:22:21 2009
From: Jamuna.Manjunatha at ironmountain.com (Manjunatha, Jamuna)
Date: Sun, 25 Jan 2009 12:22:21 -0500
Subject: [sudo-users] I need help with sudoers..
References:
Message-ID:

Yes, agreed...

That is the only best option..

Thanks a lot!!!
From russell+sudo-users at loosenut.com Mon Jan 26 15:06:49 2009
From: russell+sudo-users at loosenut.com (Russell Van Tassell)
Date: Mon, 26 Jan 2009 12:06:49 -0800
Subject: [sudo-users] I need help with sudoers..
In-Reply-To:
References:
Message-ID: <20090126200649.GM929@fubar.loosenut.com>

It should be mentioned that there are alternatives to sudoshell, such as osh...
they're all third-party projects, as far as I know, though.

Ideally, however, in my opinion it's often better to try to force "a culture change" with how people use sudo... you should prevent access to commands like "su" or anything where a shell can easily be obtained, then ask folks to simply preface "sudo" on commands that need elevated privileges. Yes, this tends to complicate the sudoers file a bit, and some would say increases maintenance on it. However, when you need to give basic users some extra power without sacrificing overall host security, I believe the benefits outweigh the shortcomings (and after a while, your sudoers file will be built up nicely and really not require that much in the way of changes and/or additions).
> > -----Original Message----- > From: Singh, Radesh (GTS) [mailto:Radesh_Singh at ml.com] > Sent: Thursday, January 22, 2009 12:39 PM > To: Manjunatha, Jamuna; sudo-users at sudo.ws > Subject: RE: [sudo-users] I need help with sudoers.. > > [sudoshell] > > -----Original Message----- > From: sudo-users-bounces at courtesan.com > Sent: Wednesday, January 21, 2009 12:06 PM > To: sudo-users at sudo.ws > Subject: [sudo-users] I need help with sudoers.. > > Hi all, > > > > I am trying to setup a sudo.. > > [How do I log commands from a shell?] -- Russell M. Van Tassell russell at loosenut.com "Quick to judge, Quick to anger, slow to understand. Ignorance and prejudice and fear walk hand in hand." - N. Peart From Jamuna.Manjunatha at ironmountain.com Mon Jan 26 20:30:43 2009 From: Jamuna.Manjunatha at ironmountain.com (Manjunatha, Jamuna) Date: Mon, 26 Jan 2009 20:30:43 -0500 Subject: [sudo-users] Transforming /etc/sudoers to LDAP/AD References: <20090126200649.GM929@fubar.loosenut.com> Message-ID: Hi everybody, First of all thanks for the great input.. This is really great. My next question is: I am now logging into LINUX using LDAP/AD windows authentication. Basically when I log into LINUX I am logging in using my windows authentication. User name and password work fine. Now I need to use sudo.. earlier I had created local users on Linux & sudo so I could do sudo & I was fine. Now that I am authenticating to LINUX via windows LDAP/AD, how will the sudo work? Should I create the sudo config file on windows OR, once I am logged into LINUX (via LDAP/AD authentication), use the existing /etc/sudoers file?? I am not sure how this sudo will work on LDAP/AD authentication. I did look on-line, but I am not convinced I have a solution. Help please.... Appreciate your time....
Thanks in advance ________________________________ From: Russell Van Tassell [mailto:russell+sudo-users at loosenut.com] Sent: Mon 1/26/2009 3:06 PM To: Manjunatha, Jamuna Cc: Pidugu Vijaya; Radesh_Singh at ml.com; sudo-users at sudo.ws Subject: Re: [sudo-users] I need help with sudoers.. It should be mentioned that there are alternatives to sudoshell, such as osh... they're all third party projects, as far as I know, though. Ideally, however, in my opinion it's often better to try to force "a culture change" with how people use sudo... you should prevent access to commands like "su" or anything where a shell can easily be obtained, then ask folks to simple preface "sudo" on commands that need elevated privileges. Yes, this tends to complicate the sudoers file a bit, and some would say increases maintenance on it. However, when you need to give basic users some extra power without sacrificing overall host security, I believe the benefits outweigh the shortcomings (and after a while, your sudoers file will be built up nicely and really not require that much in the way of changes and/or additions). On Sun, Jan 25, 2009 at 12:22:21PM -0500, Manjunatha, Jamuna wrote: > Yes, agreed... > > That is the only best option.. > > Thanks a lot!!! > > ________________________________ > > From: Pidugu Vijaya [mailto:Vijaya.Pidugu at sig.com] > Sent: Sun 1/25/2009 9:11 AM > To: Manjunatha, Jamuna; 'Radesh_Singh at ml.com'; 'sudo-users at sudo.ws' > Subject: Re: [sudo-users] I need help with sudoers.. > > > You cannot do this. The only way to achieve this is by forcing the user to use sudo in front of every command he or she needs to run as root. For that you have to prevent the user from getting root shell which is pretty easy! > > > ----- Original Message ----- > From: sudo-users-bounces at courtesan.com > To: Singh, Radesh (GTS) ; sudo-users at sudo.ws > Sent: Fri Jan 23 15:13:24 2009 > Subject: Re: [sudo-users] I need help with sudoers.. 
> > I tried this, but I have linux so no luck... > > [...] > > -----Original Message----- > From: Manjunatha, Jamuna [mailto:Jamuna.Manjunatha at ironmountain.com] > Sent: Thursday, January 22, 2009 12:41 PM > To: Singh, Radesh (GTS); sudo-users at sudo.ws > Subject: RE: [sudo-users] I need help with sudoers.. > > [What changes I need to make in the /etc/sudoers file??] > > -----Original Message----- > From: Singh, Radesh (GTS) [mailto:Radesh_Singh at ml.com] > Sent: Thursday, January 22, 2009 12:39 PM > To: Manjunatha, Jamuna; sudo-users at sudo.ws > Subject: RE: [sudo-users] I need help with sudoers.. > > [sudoshell] > > -----Original Message----- > From: sudo-users-bounces at courtesan.com > Sent: Wednesday, January 21, 2009 12:06 PM > To: sudo-users at sudo.ws > Subject: [sudo-users] I need help with sudoers.. > > Hi all, > > > > I am trying to setup a sudo.. > > [How do I log commands from a shell?] -- Russell M. Van Tassell russell at loosenut.com "Quick to judge, Quick to anger, slow to understand. Ignorance and prejudice and fear walk hand in hand." - N. Peart The information contained in this email message and its attachments is intended only for the private and confidential use of the recipient(s) named above, unless the sender expressly agrees otherwise. Transmission of email over the Internet is not a secure communications medium. If you are requesting or have requested the transmittal of personal data, as defined in applicable privacy laws by means of email or in an attachment to email you must select a more secure alternate means of transmittal that supports your obligations to protect such personal data. If the reader of this message is not the intended recipient and/or you have received this email in error, you must take no action based on the information in this email and you are hereby notified that any dissemination, misuse, copying, or disclosure of this communication is strictly prohibited. 
If you have received this communication in error, please notify us immediately by email and delete the original message. From sujnanshetty at gmail.com Tue Jan 27 09:59:17 2009 From: sujnanshetty at gmail.com (Suj) Date: Tue, 27 Jan 2009 09:59:17 -0500 Subject: [sudo-users] Transforming /etc/sudoers to LDAP/AD In-Reply-To: References: <20090126200649.GM929@fubar.loosenut.com> Message-ID: <37cf4dcd0901270659k242ca077u3b615d34409e18c1@mail.gmail.com> It is not much different than assigning permissions based on groups. You just need to prepend the domain name before the group name, in the sudoers file. The user's AD group name is the group that needs to be named in the sudoers file. It's all there in the documentation, you need to experiment with the sudoers file and convince yourself to read more ...

    ########################################################################
    # Giving grp1 group members all root privileges
    %domain-name\\grp1 ALL=(ALL) ALL
    # Giving "support" group limited access to root commands
    %domain-name\\support ALL=(root) KILL, APACHE, !SU, !SCP, !BIN, !SHELL, MONITOR,\
        INSTALL, EDIT
    ########################################################################

----------------------------------------------------------------------- On Mon, Jan 26, 2009 at 8:30 PM, Manjunatha, Jamuna < Jamuna.Manjunatha at ironmountain.com> wrote: > > I am now logging into LINUX using LDAP/AD windows authentication. > Basically when I log into LINUX I am logging in using my windows > authentication. > earlier I had created local users on Linux & sudo so I could do sudo & I > was fine. > Now that I am authenticating to LINUX via windows LDAP/AD, how will the > sudo work? > Should I create the sudo config file on windows OR, once I am logged into > LINUX (via > LDAP/AD authentication), use the existing /etc/sudoers file?? > > I am not sure how this sudo will work on LDAP/AD authentication. > > I did look on-line, but I am not convinced I have a solution.
> > Thanks in advance From Radesh_Singh at ml.com Tue Jan 27 10:22:21 2009 From: Radesh_Singh at ml.com (Singh, Radesh (GTS)) Date: Tue, 27 Jan 2009 10:22:21 -0500 Subject: [sudo-users] Transforming /etc/sudoers to LDAP/AD In-Reply-To: References: <20090126200649.GM929@fubar.loosenut.com> Message-ID: <1F083E3510811D4B82611186F74DB1C101685D3C@MLNYA20MB010.amrs.win.ml.com> From the sudo side of things, it'll be easy. You'll have sudo set up for how your users "appear" to the system once authenticated. e.g. if rsingh shows up as being in the group unixuser-sysadmin, and you were trying to give that group access in sudo, you could have %unixuser-sysadmin ... in your sudoers to give them the ability to perform privileged operations. Or if rsingh shows up as sysadmin you could have %sysadmin ... in your sudoers file to give them the ability to perform privileged operations. Or if rsingh shows up as unixuser-rsingh, you could have unixuser-rsingh in your sudoers ... you get the picture. In my current work environment, we see our users show up in two ways. We're using Vintela's VAS product to perform AD authentication for our *nix accounts. Shawn Singh NJUNIX/GWM UNIX (904) 218-4096 - My name ain't chump, it's -----Original Message----- From: sudo-users-bounces at courtesan.com [mailto:sudo-users-bounces at courtesan.com] On Behalf Of Manjunatha, Jamuna Sent: Monday, January 26, 2009 8:31 PM To: Russell Van Tassell; Singh, Radesh (GTS); sudo-users at sudo.ws Cc: sudo-users at sudo.ws; Pidugu Vijaya; Singh, Radesh (GTS) Subject: [sudo-users] Transforming /etc/sudoers to LDAP/AD Hi everybody, First of all thanks for the great input.. This is really great. My next question is: I am now logging into LINUX using LDAP/AD windows authentication. Basically when I log into LINUX I am logging in using my windows authentication. User name and password work fine. Now I need to use sudo.. earlier I had created local users on Linux & sudo so I could do sudo & I was fine.
Now that I am authenticating to LINUX via windows LDAP/AD, How will the sudo work? Should I create the sudo config file on windows OR Once I am logged into LINUX (via LDAP/AD authentication), use the existing /etc/sudoers file?? I am not sure how this sudo will work on LDAP/AD authentication. I did look on-line, but I am not convinced I have a solution. Help Please....Apprecite your time.... Thanks in advance ________________________________ From: Russell Van Tassell [mailto:russell+sudo-users at loosenut.com] Sent: Mon 1/26/2009 3:06 PM To: Manjunatha, Jamuna Cc: Pidugu Vijaya; Radesh_Singh at ml.com; sudo-users at sudo.ws Subject: Re: [sudo-users] I need help with sudoers.. It should be mentioned that there are alternatives to sudoshell, such as osh... they're all third party projects, as far as I know, though. Ideally, however, in my opinion it's often better to try to force "a culture change" with how people use sudo... you should prevent access to commands like "su" or anything where a shell can easily be obtained, then ask folks to simple preface "sudo" on commands that need elevated privileges. Yes, this tends to complicate the sudoers file a bit, and some would say increases maintenance on it. However, when you need to give basic users some extra power without sacrificing overall host security, I believe the benefits outweigh the shortcomings (and after a while, your sudoers file will be built up nicely and really not require that much in the way of changes and/or additions). On Sun, Jan 25, 2009 at 12:22:21PM -0500, Manjunatha, Jamuna wrote: > Yes, agreed... > > That is the only best option.. > > Thanks a lot!!! > > ________________________________ > > From: Pidugu Vijaya [mailto:Vijaya.Pidugu at sig.com] > Sent: Sun 1/25/2009 9:11 AM > To: Manjunatha, Jamuna; 'Radesh_Singh at ml.com'; 'sudo-users at sudo.ws' > Subject: Re: [sudo-users] I need help with sudoers.. > > > You cannot do this. 
The only way to achieve this is by forcing the user to use sudo in front of every command he or she needs to run as root. For that you have to prevent the user from getting a root shell, which is pretty easy! > > > ----- Original Message ----- > From: sudo-users-bounces at courtesan.com > To: Singh, Radesh (GTS) ; sudo-users at sudo.ws > Sent: Fri Jan 23 15:13:24 2009 > Subject: Re: [sudo-users] I need help with sudoers.. > > I tried this, but I have linux so no luck... > > [...] > > -----Original Message----- > From: Manjunatha, Jamuna [mailto:Jamuna.Manjunatha at ironmountain.com] > Sent: Thursday, January 22, 2009 12:41 PM > To: Singh, Radesh (GTS); sudo-users at sudo.ws > Subject: RE: [sudo-users] I need help with sudoers.. > > [What changes I need to make in the /etc/sudoers file??] > > -----Original Message----- > From: Singh, Radesh (GTS) [mailto:Radesh_Singh at ml.com] > Sent: Thursday, January 22, 2009 12:39 PM > To: Manjunatha, Jamuna; sudo-users at sudo.ws > Subject: RE: [sudo-users] I need help with sudoers.. > > [sudoshell] > > -----Original Message----- > From: sudo-users-bounces at courtesan.com > Sent: Wednesday, January 21, 2009 12:06 PM > To: sudo-users at sudo.ws > Subject: [sudo-users] I need help with sudoers.. > > Hi all, > > > > I am trying to setup a sudo.. > > [How do I log commands from a shell?] -- Russell M. Van Tassell russell at loosenut.com "Quick to judge, Quick to anger, slow to understand. Ignorance and prejudice and fear walk hand in hand." - N. Peart
From Vijaya.Pidugu at sig.com Tue Jan 27 14:49:20 2009 From: Vijaya.Pidugu at sig.com (Pidugu Vijaya) Date: Tue, 27 Jan 2009 14:49:20 -0500 Subject: [sudo-users] Transforming /etc/sudoers to LDAP/AD In-Reply-To: References: <37cf4dcd0901270659k242ca077u3b615d34409e18c1@mail.gmail.com> Message-ID: Not sure if you resolved this.... we actually use an NFS share where we put our sudoers file. We tested using Active Directory for user authentication. In AD we had to put some kind of sudo object to make it work though! ________________________________ From: Manjunatha, Jamuna [mailto:Jamuna.Manjunatha at ironmountain.com] Sent: Tuesday, January 27, 2009 10:39 AM To: Suj; Russell Van Tassell; Radesh_Singh at ml.com; sudo-users at sudo.ws; Pidugu Vijaya Subject: RE: [sudo-users] Transforming /etc/sudoers to LDAP/AD Where do we keep the sudoers file on windows?? I want to keep the sudoers file on windows LDAP, instead of LINUX, so I can disable /etc/sudoers & /etc/group on every Linux host. How can windows read the sudoers file & authenticate accordingly?? Can I do this?? Advise??? Thank you all..
________________________________ From: Suj [mailto:sujnanshetty at gmail.com] Sent: Tuesday, January 27, 2009 9:59 AM To: Manjunatha, Jamuna; Russell Van Tassell; Radesh_Singh at ml.com; sudo-users at sudo.ws; Pidugu Vijaya Subject: Re: [sudo-users] Transforming /etc/sudoers to LDAP/AD It is not much different than assigning permissions based on groups. You just need to prepend the domain name before the group name, in the sudoers file. The user's AD group name is the group that needs to be named in the sudoers file. It's all there in the documentation, you need to experiment with the sudoers file and convince yourself to read more ...

    ########################################################################
    # Giving grp1 group members all root privileges
    %domain-name\\grp1 ALL=(ALL) ALL
    # Giving "support" group limited access to root commands
    %domain-name\\support ALL=(root) KILL, APACHE, !SU, !SCP, !BIN, !SHELL, MONITOR,\
        INSTALL, EDIT
    ########################################################################

----------------------------------------------------------------------- On Mon, Jan 26, 2009 at 8:30 PM, Manjunatha, Jamuna > wrote: I am now logging into LINUX using LDAP/AD windows authentication. Basically when I log into LINUX I am logging in using my windows authentication. earlier I had created local users on Linux & sudo so I could do sudo & I was fine. Now that I am authenticating to LINUX via windows LDAP/AD, how will the sudo work? Should I create the sudo config file on windows OR, once I am logged into LINUX (via LDAP/AD authentication), use the existing /etc/sudoers file?? I am not sure how this sudo will work on LDAP/AD authentication. I did look on-line, but I am not convinced I have a solution. Thanks in advance ________________________________
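Suj's two group rules (quoted again in the message above) and Vijaya's remark about needing a "sudo object" in AD fit together: sudo's LDAP backend looks up entries of objectClass sudoRole, whose sudoUser, sudoHost, sudoRunAsUser (older releases used sudoRunAs), sudoCommand and sudoOrder attributes carry the same fields as a sudoers user spec, which is what the sudoers2ldif script shipped in the sudo source distribution converts. The script below is an added example and not code from the thread, from sudoers2ldif or from the sudo project: it expands the Cmnd_Alias names in those two rules, writes one sudoRole entry per rule, and warns where a "!" entry restricts nothing. A "!" only has an effect when an earlier positive entry in the same rule already grants the command, and subtracting from ALL is bypassable because the user can copy the binary under another name (the sudoers manual says as much), so with the support rule as posted every negation is a no-op, and the granted editor still offers a shell escape. The alias bodies, the "BIN" alias and the ou=SUDOers,dc=example,dc=com container are assumptions; the thread only names the aliases.

```python
# Added example (not from the thread): expand the Cmnd_Alias names in user specs
# like the ones Suj posted, emit each spec as an LDAP sudoRole entry, and flag
# '!' entries that restrict nothing. Alias bodies and BASE_DN are assumptions.
import re

BASE_DN = "ou=SUDOers,dc=example,dc=com"  # assumed container, not from the thread

# Constructed sample: Suj's two user specs plus invented Cmnd_Alias bodies.
SAMPLE_SUDOERS = r"""
Cmnd_Alias KILL    = /bin/kill, /usr/bin/pkill
Cmnd_Alias APACHE  = /usr/sbin/apachectl
Cmnd_Alias SU      = /bin/su
Cmnd_Alias SCP     = /usr/bin/scp
Cmnd_Alias BIN     = /bin/*
Cmnd_Alias SHELL   = /bin/sh, /bin/bash
Cmnd_Alias MONITOR = /usr/bin/top
Cmnd_Alias INSTALL = /usr/bin/yum
Cmnd_Alias EDIT    = /usr/bin/vi
%domain-name\\grp1 ALL=(ALL) ALL
%domain-name\\support ALL=(root) KILL, APACHE, !SU, !SCP, !BIN, !SHELL, MONITOR,\
    INSTALL, EDIT
"""

# user host=(runas) commands   (Host_Alias, Runas_Alias and User_Alias are not handled)
SPEC_RE = re.compile(r"^(\S+)\s+(\S+)\s*=\s*\((\S+)\)\s*(.+)$")
SHELL_ESCAPES = ("vi", "vim", "less")  # programs with a built-in shell escape

def logical_lines(text):
    """Join backslash-continued lines; drop comments and blank lines."""
    out, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        out.append((buf + line).strip())
        buf = ""
    return out

def parse_sudoers(text):
    """Return ({alias: [commands]}, [user specs]) for the subset of sudoers used here."""
    aliases, specs = {}, []
    for line in logical_lines(text):
        if line.startswith("Cmnd_Alias"):
            name, body = line[len("Cmnd_Alias"):].split("=", 1)
            aliases[name.strip()] = [c.strip() for c in body.split(",")]
            continue
        m = SPEC_RE.match(line)
        if m:
            user, host, runas, cmds = m.groups()
            specs.append({"user": user, "host": host, "runas": runas,
                          "commands": [c.strip() for c in cmds.split(",")]})
    return aliases, specs

def expand(commands, aliases):
    """Replace alias names by their members, carrying a leading '!' onto each member."""
    resolved = []
    for item in commands:
        name = item.lstrip("!")
        prefix = "!" if item.startswith("!") else ""
        resolved.extend(prefix + m for m in aliases.get(name, [name]))
    return resolved

def lint(spec, aliases):
    """Warn about '!' entries that restrict nothing and about commands with shell escapes."""
    resolved = expand(spec["commands"], aliases)
    positive = {c for c in resolved if not c.startswith("!")}
    negated = [c[1:] for c in resolved if c.startswith("!")]
    warnings = []
    if "ALL" in positive and negated:
        warnings.append("'!' cannot subtract from ALL: the user can copy the binary to another name")
    for cmd in negated:  # exact-path comparison; globs such as /bin/* are not matched
        if "ALL" not in positive and cmd not in positive:
            warnings.append(f"!{cmd} is a no-op: nothing in this rule grants it")
    for cmd in sorted(positive):
        if cmd.rsplit("/", 1)[-1] in SHELL_ESCAPES:
            warnings.append(f"{cmd} has a shell escape; consider sudoedit or NOEXEC")
    return warnings

def to_ldif(spec, aliases, order):
    """One sudoRole entry per user spec; sudoOrder stands in for sudoers line order."""
    cn = re.sub(r"[^A-Za-z0-9]+", "_", spec["user"].lstrip("%"))
    lines = [f"dn: cn={cn},{BASE_DN}", "objectClass: top", "objectClass: sudoRole",
             f"cn: {cn}", f"sudoUser: {spec['user']}", f"sudoHost: {spec['host']}",
             f"sudoRunAsUser: {spec['runas']}"]
    lines += [f"sudoCommand: {c}" for c in expand(spec["commands"], aliases)]
    lines.append(f"sudoOrder: {order}")
    return "\n".join(lines)

def convert(text):
    """Return (LDIF entries, {user: [warnings]}) for a sudoers text."""
    aliases, specs = parse_sudoers(text)
    entries = [to_ldif(s, aliases, i + 1) for i, s in enumerate(specs)]
    return entries, {s["user"]: lint(s, aliases) for s in specs}

if __name__ == "__main__":
    entries, warnings = convert(SAMPLE_SUDOERS)
    print("\n\n".join(entries), warnings, sep="\n\n")
```

Feed the LDIF to ldapadd against the SUDOers container (or to AD once its schema has been extended with sudo's sudoRole class), and keep a minimal local /etc/sudoers with `sudoers: files ldap` in /etc/nsswitch.conf so that a host whose directory is unreachable still honours its break-glass rules; that is the same outage case Russell raises for the NFS-hosted file.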
From russell+sudo-users at loosenut.com Tue Jan 27 15:02:26 2009 From: russell+sudo-users at loosenut.com (Russell Van Tassell) Date: Tue, 27 Jan 2009 12:02:26 -0800 Subject: [sudo-users] Transforming /etc/sudoers to LDAP/AD In-Reply-To: References: <37cf4dcd0901270659k242ca077u3b615d34409e18c1@mail.gmail.com> Message-ID: <20090127200226.GI929@fubar.loosenut.com> On Tue, Jan 27, 2009 at 02:49:20PM -0500, Pidugu Vijaya wrote: > Not sure if you resolved this.... we actually use an NFS share where we put our sudoers file. > > We tested using Active Directory for user authentication. In AD we had to put some kind of sudo object to make it work though! What happens if you lose network connectivity / NFS and you need to be able to use sudo (e.g. system crash/restart)? Guess you'll need the root password, anyway (e.g. failed fsck). Or perhaps worse, the NFS server has some sort of issue and the share disappears or becomes unresponsive? -- Russell M. Van Tassell russell at loosenut.com In Tennessee, it is illegal to shoot any game other than whales from a moving automobile. From Vijaya.Pidugu at sig.com Tue Jan 27 16:45:44 2009 From: Vijaya.Pidugu at sig.com (Pidugu Vijaya) Date: Tue, 27 Jan 2009 16:45:44 -0500 Subject: [sudo-users] Transforming /etc/sudoers to LDAP/AD In-Reply-To: <20090127200226.GI929@fubar.loosenut.com> References: <37cf4dcd0901270659k242ca077u3b615d34409e18c1@mail.gmail.com> <20090127200226.GI929@fubar.loosenut.com> Message-ID: Well, if we lose network connectivity the system is useless anyway. If we have NFS issues we have bigger issues to deal with than sudo. Of course, for situations like this we always have the root password and admins do have it available. Sudo is mostly to provide root-level access to someone who is not part of the admin group. We use Network Appliance for NFS shares and the uptimes on them typically are 500+ days, so I am really not that concerned. They are clustered and use RAID4-DP, so it is unlikely that we will run into those situations.
-----Original Message----- From: Russell Van Tassell [mailto:russell+sudo-users at loosenut.com] Sent: Tuesday, January 27, 2009 3:02 PM To: Pidugu Vijaya Cc: Manjunatha, Jamuna; Suj; Radesh_Singh at ml.com; sudo-users at sudo.ws Subject: Re: [sudo-users] Transforming /etc/sudoers to LDAP/AD On Tue, Jan 27, 2009 at 02:49:20PM -0500, Pidugu Vijaya wrote: > Not sure if you resolved this.... we actually use an NFS share where we put our sudoers file. > > We tested using Active Directory for user authentication. In AD we had to put some kind of sudo object to make it work though! What happens if you lose network connectivity / NFS and you need to be able to use sudo (e.g. system crash/restart)? Guess you'll need the root password, anyway (e.g. failed fsck). Or perhaps worse, the NFS server has some sort of issue and the share disappears or becomes unresponsive? -- Russell M. Van Tassell russell at loosenut.com In Tennessee, it is illegal to shoot any game other than whales from a moving automobile.
From Vijaya.Pidugu at sig.com Tue Jan 27 17:18:28 2009 From: Vijaya.Pidugu at sig.com (Pidugu Vijaya) Date: Tue, 27 Jan 2009 17:18:28 -0500 Subject: [sudo-users] I need help with sudoers.. In-Reply-To: <20090126200649.GM929@fubar.loosenut.com> References: <20090126200649.GM929@fubar.loosenut.com> Message-ID: That is exactly what I said... Thanks again.. Someone posted a bash shell that actually logs.. I cannot trace that email anymore... Does anyone remember what that is? -----Original Message----- From: Russell Van Tassell [mailto:russell+sudo-users at loosenut.com] Sent: Monday, January 26, 2009 3:07 PM To: Manjunatha, Jamuna Cc: Pidugu Vijaya; Radesh_Singh at ml.com; sudo-users at sudo.ws Subject: Re: [sudo-users] I need help with sudoers.. It should be mentioned that there are alternatives to sudoshell, such as osh... they're all third-party projects, as far as I know, though. Ideally, however, in my opinion it's often better to try to force "a culture change" with how people use sudo... you should prevent access to commands like "su" or anything where a shell can easily be obtained, then ask folks to simply preface "sudo" on commands that need elevated privileges. Yes, this tends to complicate the sudoers file a bit, and some would say increases maintenance on it. However, when you need to give basic users some extra power without sacrificing overall host security, I believe the benefits outweigh the shortcomings (and after a while, your sudoers file will be built up nicely and really not require that much in the way of changes and/or additions). On Sun, Jan 25, 2009 at 12:22:21PM -0500, Manjunatha, Jamuna wrote: > Yes, agreed... > > That is the only best option.. > > Thanks a lot!!! > > ________________________________ > > From: Pidugu Vijaya [mailto:Vijaya.Pidugu at sig.com] > Sent: Sun 1/25/2009 9:11 AM > To: Manjunatha, Jamuna; 'Radesh_Singh at ml.com'; 'sudo-users at sudo.ws' > Subject: Re: [sudo-users] I need help with sudoers.. > > > You cannot do this.
The only way to achieve this is by forcing the user to use sudo in front of every command he or she needs to run as root. For that you have to prevent the user from getting a root shell, which is pretty easy! > > > ----- Original Message ----- > From: sudo-users-bounces at courtesan.com > To: Singh, Radesh (GTS) ; sudo-users at sudo.ws > Sent: Fri Jan 23 15:13:24 2009 > Subject: Re: [sudo-users] I need help with sudoers.. > > I tried this, but I have linux so no luck... > > [...] > > -----Original Message----- > From: Manjunatha, Jamuna [mailto:Jamuna.Manjunatha at ironmountain.com] > Sent: Thursday, January 22, 2009 12:41 PM > To: Singh, Radesh (GTS); sudo-users at sudo.ws > Subject: RE: [sudo-users] I need help with sudoers.. > > [What changes I need to make in the /etc/sudoers file??] > > -----Original Message----- > From: Singh, Radesh (GTS) [mailto:Radesh_Singh at ml.com] > Sent: Thursday, January 22, 2009 12:39 PM > To: Manjunatha, Jamuna; sudo-users at sudo.ws > Subject: RE: [sudo-users] I need help with sudoers.. > > [sudoshell] > > -----Original Message----- > From: sudo-users-bounces at courtesan.com > Sent: Wednesday, January 21, 2009 12:06 PM > To: sudo-users at sudo.ws > Subject: [sudo-users] I need help with sudoers.. > > Hi all, > > > > I am trying to setup a sudo.. > > [How do I log commands from a shell?] -- Russell M. Van Tassell russell at loosenut.com "Quick to judge, Quick to anger, slow to understand. Ignorance and prejudice and fear walk hand in hand." - N. Peart
From russell+sudo-users at loosenut.com Tue Jan 27 17:31:32 2009 From: russell+sudo-users at loosenut.com (Russell Van Tassell) Date: Tue, 27 Jan 2009 14:31:32 -0800 Subject: [sudo-users] I need help with sudoers.. In-Reply-To: References: <20090126200649.GM929@fubar.loosenut.com> Message-ID: <20090127223132.GN929@fubar.loosenut.com> On Tue, Jan 27, 2009 at 05:18:28PM -0500, Pidugu Vijaya wrote: > That is exactly what I said... Thanks again.. > Someone posted a bash shell that actually logs.. I cannot trace that email anymore... > > Does anyone remember what that is? Some folks seem to claim you can just add something to /etc/profile to have it log to syslog... Personally, I'm not really a bash shell fan, so... YMMV.

    # bash only: a DEBUG trap runs before every simple command the user types
    function history_to_syslog {
        declare cmd
        cmd=$(fc -ln -0)      # most recent history entry, i.e. the command about to run
        # '--' ends option parsing so a command that starts with '-' is not read as a logger option
        logger -p local7.notice -- "SESSION=$$, CMD=$cmd"
    }
    trap history_to_syslog DEBUG
    # The user owns this shell: 'trap - DEBUG' or exec'ing another shell switches the
    # logging off, so it is an audit convenience, not an access control.

References: http://posludio.wordpress.com/2007/11/02/bash-history-to-a-remote-syslog/ http://blog.cosmicegg.net/2008/09/sending-shell-commands-to-syslog.html -- Russell M. Van Tassell russell at loosenut.com Checkuary, n.: The thirteenth month of the year. Begins New Year's Day and ends when a person stops absentmindedly writing the old year on his checks.
From Jamuna.Manjunatha at ironmountain.com Tue Jan 27 10:39:12 2009 From: Jamuna.Manjunatha at ironmountain.com (Manjunatha, Jamuna) Date: Tue, 27 Jan 2009 10:39:12 -0500 Subject: [sudo-users] Transforming /etc/sudoers to LDAP/AD In-Reply-To: <37cf4dcd0901270659k242ca077u3b615d34409e18c1@mail.gmail.com> Message-ID: Where do we keep the sudoers file on windows?? I want to keep the sudoers file on windows LDAP, instead of LINUX so I can disable /etc/sudoers & /etc/group on every linux hosts. How can windows read the sudoers file & authenticate accordingly?? Can I do this?? Advise??? Thank you all.. ________________________________ From: Suj [mailto:sujnanshetty at gmail.com] Sent: Tuesday, January 27, 2009 9:59 AM To: Manjunatha, Jamuna; Russell Van Tassell; Radesh_Singh at ml.com; sudo-users at sudo.ws; Pidugu Vijaya Subject: Re: [sudo-users] Transforming /etc/sudoers to LDAP/AD It is not much different that assigning permissions based on groups. You just need to prepend the domain name before the group name, in the sudoers file. The user's AD group name is the group that needs to be named in the sudoers file. It's all there in the documentation, you need to experiment with the sudoers file and convince yourself to read more ... ######################################################################## # Giving grp1 group members all root privileges %domain-name\\grp1 ALL=(ALL) ALL # Giving "support" group limited access to root commands %domain-name\\support ALL=(root) KILL, APACHE, !SU, !SCP, !BIN, !SHELL, MONITOR,\ INSTALL, EDIT ######################################################################## ----------------------------------------------------------------------- On Mon, Jan 26, 2009 at 8:30 PM, Manjunatha, Jamuna wrote: I am now logging into LINUX using LDAP/AD windows authentication. Basically when I loginto LINUX I am logging using my windows authentication. earlier I had created local users on Linux & sudo so I could do sudo & I was fine. 
Now that I am authenticating to LINUX via windows LDAP/AD, how will the sudo work? Should I create the sudo config file on windows OR, once I am logged into LINUX (via LDAP/AD authentication), use the existing /etc/sudoers file?? I am not sure how this sudo will work on LDAP/AD authentication. I did look on-line, but I am not convinced I have a solution. Thanks in advance From Jamuna.Manjunatha at ironmountain.com Tue Jan 27 14:36:00 2009 From: Jamuna.Manjunatha at ironmountain.com (Manjunatha, Jamuna) Date: Tue, 27 Jan 2009 14:36:00 -0500 Subject: [sudo-users] Re: Sudo and LDAP Message-ID: Hi, I am still struggling with this sudoers file. I don't want to use the /etc/sudoers file to run sudo commands. How can I get the LDIF file so I can import it to windows?? Also where is that script located?? sudoers2ldif Any help on this would be highly appreciated...
Thanks

From Jamuna.Manjunatha at ironmountain.com Tue Jan 27 14:50:04 2009
From: Jamuna.Manjunatha at ironmountain.com (Manjunatha, Jamuna)
Date: Tue, 27 Jan 2009 14:50:04 -0500
Subject: [sudo-users] Transforming /etc/sudoers to LDAP/AD
In-Reply-To:
Message-ID:

Can you please detail this a little bit??

Thanks

________________________________

From: Pidugu Vijaya [mailto:Vijaya.Pidugu at sig.com]
Sent: Tuesday, January 27, 2009 2:49 PM
To: Manjunatha, Jamuna; Suj; Russell Van Tassell; Radesh_Singh at ml.com; sudo-users at sudo.ws; Pidugu Vijaya
Subject: RE: [sudo-users] Transforming /etc/sudoers to LDAP/AD

Not sure if you resolved this.... We actually use an NFS share where we put our sudoers file. We tested using Active Directory for user authentication. In AD we had to put some kind of sudo object to make it work though!
________________________________

IMPORTANT: The information contained in this email and/or its attachments is confidential. If you are not the intended recipient, please notify the sender immediately by reply and immediately delete this message and all its attachments. Any review, use, reproduction, disclosure or dissemination of this message or any attachment by an unintended recipient is strictly prohibited. Neither this message nor any attachment is intended as or should be construed as an offer, solicitation or recommendation to buy or sell any security or other financial instrument.
Neither the sender, his or her employer nor any of their respective affiliates makes any warranties as to the completeness or accuracy of any of the information contained herein or that this message or any of its attachments is free of viruses.

From russell+sudo-users at loosenut.com Wed Jan 28 17:37:47 2009
From: russell+sudo-users at loosenut.com (Russell Van Tassell)
Date: Wed, 28 Jan 2009 14:37:47 -0800
Subject: [sudo-users] Transforming /etc/sudoers to LDAP/AD
In-Reply-To:
References:
Message-ID: <20090128223747.GF929@fubar.loosenut.com>

On Wed, Jan 28, 2009 at 12:31:18PM -0500, Manjunatha, Jamuna wrote:
> > you will have to compile your sudo to avoid the default /etc location
> > for sudoers.
>
> Can you please detail how to do this on a Windows AD/LDAP server??
>
> Thanks so much!!!!

To be clear, here... Vijaya was talking about a NFS solution, *NOT* the LDAP solution you are asking about... in my opinion, that solution is NOT for everyone (though it probably works just fine in a stable 24/7 type environment). If you don't understand that particular (NFS) solution as written, I'd not recommend trying it, myself (i.e. there are a few pitfalls for the unwary).

BTW, the README.LDAP file would appear to be a good reference for converting your sudoers into LDAP format... perhaps if you're more specific about your questions, someone here can help you -- otherwise, I'm afraid to say you might be stuck with the docs.

http://www.sudo.ws/sudo/readme_ldap.html

Barring either NFS or LDAP, above... I've also used cfengine and/or puppet to push out changes to sudoers files over large numbers of machines. The side-effect, here, is that you'll have to effectively roll out a new client to each and every host you want to support... it's probably not a small undertaking, especially if you're not already doing or planning some host/config file synchronization across your organization.
In case you want more info, here's one comparison of the two (from puppet's standpoint, at least):

http://reductivelabs.com/trac/puppet/wiki/CfengineVsPuppet

Hope that helps!

Russell
--
Russell M. Van Tassell
russell at loosenut.com

Documentation is like sex: when it is good, it is very, very good; and when it is bad, it is better than nothing. -- Dick Brandon

From Jamuna.Manjunatha at ironmountain.com Wed Jan 28 11:43:19 2009
From: Jamuna.Manjunatha at ironmountain.com (Manjunatha, Jamuna)
Date: Wed, 28 Jan 2009 11:43:19 -0500
Subject: [sudo-users] Transforming /etc/sudoers to LDAP/AD
In-Reply-To: <1F083E3510811D4B82611186F74DB1C101685D3C@MLNYA20MB010.amrs.win.ml.com>
Message-ID:

Hi All,

I really need some help... I am still NOT clear on how we can import the /etc/sudoers file from Linux to Windows AD/LDAP.. I am looking for that part.. The following link helps a little but does not clearly say what to do stepwise.. sorry to be a pain..

All I need is the following:

1) The user logs in to Linux first using Windows AD/LDAP authentication
2) Next the user runs sudo commands
3) That should get logged

These all work fine if I have a local user on each server, but since I am using LDAP I am going through this route now.. which is where I got stuck.. I found this good article, but..

http://www.sudo.ws/sudo/readme_ldap.html

Importing /etc/sudoers to LDAP
==============================

Importing is a two step process.

Step 1: Ask your LDAP Administrator where to create the ou=SUDOers container.

- This is easy. For instance, if using OpenLDAP:

    dn: ou=SUDOers,dc=example,dc=com
    objectClass: top
    objectClass: organizationalUnit
    ou: SUDOers

  (An example location is shown below).

Then use the provided script to convert your sudoers file into LDIF format. The script will also convert any default options. (Where is this script located??) Is this really necessary?? Can we just not create a file with a *.ldif extension?
    # SUDOERS_BASE=ou=SUDOers,dc=example,dc=com
    # export SUDOERS_BASE
    # ./sudoers2ldif /etc/sudoers > /tmp/sudoers.ldif

Step 2: Import into your directory server. (Where exactly do I need to import it?)

If you are using OpenLDAP, do the following; if you are using another directory, provide the LDIF file to your LDAP Administrator. An example is shown below.

    # ldapadd -f /tmp/sudoers.ldif -h ldapserver \
    > -D cn=Manager,dc=example,dc=com -W -x

I am really stuck here.. Please help...

Thanks
Jamuna

-----Original Message-----
From: Singh, Radesh (GTS) [mailto:Radesh_Singh at ml.com]
Sent: Tuesday, January 27, 2009 10:22 AM
To: Manjunatha, Jamuna
Cc: sudo-users at sudo.ws
Subject: RE: [sudo-users] Transforming /etc/sudoers to LDAP/AD

From the sudo side of things, it'll be easy. You'll have sudo set up for how your users "appear" to the system once authenticated.

e.g. if rsingh shows up as being in the group unixuser-sysadmin, and you were trying to give that group access in sudo, you could have

    %unixuser-sysadmin ...

in your sudoers to give them the ability to perform privileged operations.

Or if rsingh shows up as sysadmin you could have

    %sysadmin ...

in your sudoers file to give them the ability to perform privileged operations.

Or if rsingh shows up as unixuser-rsingh, you could have

    unixuser-rsingh ...

in your sudoers ... you get the picture.

In my current work environment, we see our users show up in two ways. We're using Vintela's VAS product to perform AD authentication for our *nix accounts.
Shawn Singh
NJUNIX/GWM UNIX
(904) 218-4096
- My name ain't chump, it's

-----Original Message-----
From: sudo-users-bounces at courtesan.com [mailto:sudo-users-bounces at courtesan.com] On Behalf Of Manjunatha, Jamuna
Sent: Monday, January 26, 2009 8:31 PM
To: Russell Van Tassell; Singh, Radesh (GTS); sudo-users at sudo.ws
Cc: sudo-users at sudo.ws; Pidugu Vijaya; Singh, Radesh (GTS)
Subject: [sudo-users] Transforming /etc/sudoers to LDAP/AD

Hi everybody,

First of all thanks for the great input.. This is really great.

My next question is:

I am now logging into Linux using LDAP/AD Windows authentication. Basically, when I log into Linux I am logging in using my Windows authentication. User name and password work fine. Now I need to use sudo.. Earlier I had created local users on Linux & sudo, so I could do sudo & I was fine. Now that I am authenticating to Linux via Windows LDAP/AD, how will sudo work? Should I create the sudo config file on Windows, OR, once I am logged into Linux (via LDAP/AD authentication), use the existing /etc/sudoers file?? I am not sure how sudo will work with LDAP/AD authentication. I did look online, but I am not convinced I have a solution.

Help please.... Appreciate your time....

Thanks in advance

________________________________

From: Russell Van Tassell [mailto:russell+sudo-users at loosenut.com]
Sent: Mon 1/26/2009 3:06 PM
To: Manjunatha, Jamuna
Cc: Pidugu Vijaya; Radesh_Singh at ml.com; sudo-users at sudo.ws
Subject: Re: [sudo-users] I need help with sudoers..

It should be mentioned that there are alternatives to sudoshell, such as osh... they're all third party projects, as far as I know, though.

Ideally, however, in my opinion it's often better to try to force "a culture change" with how people use sudo... you should prevent access to commands like "su" or anything where a shell can easily be obtained, then ask folks to simply preface "sudo" on commands that need elevated privileges.
Yes, this tends to complicate the sudoers file a bit, and some would say increases maintenance on it. However, when you need to give basic users some extra power without sacrificing overall host security, I believe the benefits outweigh the shortcomings (and after a while, your sudoers file will be built up nicely and really not require that much in the way of changes and/or additions).

On Sun, Jan 25, 2009 at 12:22:21PM -0500, Manjunatha, Jamuna wrote:
> Yes, agreed...
>
> That is the only best option..
>
> Thanks a lot!!!
>
> ________________________________
>
> From: Pidugu Vijaya [mailto:Vijaya.Pidugu at sig.com]
> Sent: Sun 1/25/2009 9:11 AM
> To: Manjunatha, Jamuna; 'Radesh_Singh at ml.com'; 'sudo-users at sudo.ws'
> Subject: Re: [sudo-users] I need help with sudoers..
>
>
> You cannot do this. The only way to achieve this is by forcing the user to use sudo in front of every command he or she needs to run as root. For that you have to prevent the user from getting a root shell, which is pretty easy!
>
>
> ----- Original Message -----
> From: sudo-users-bounces at courtesan.com
> To: Singh, Radesh (GTS) ; sudo-users at sudo.ws
> Sent: Fri Jan 23 15:13:24 2009
> Subject: Re: [sudo-users] I need help with sudoers..
>
> I tried this, but I have Linux so no luck...
>
> [...]
>
> -----Original Message-----
> From: Manjunatha, Jamuna [mailto:Jamuna.Manjunatha at ironmountain.com]
> Sent: Thursday, January 22, 2009 12:41 PM
> To: Singh, Radesh (GTS); sudo-users at sudo.ws
> Subject: RE: [sudo-users] I need help with sudoers..
>
> [What changes do I need to make in the /etc/sudoers file??]
>
> -----Original Message-----
> From: Singh, Radesh (GTS) [mailto:Radesh_Singh at ml.com]
> Sent: Thursday, January 22, 2009 12:39 PM
> To: Manjunatha, Jamuna; sudo-users at sudo.ws
> Subject: RE: [sudo-users] I need help with sudoers..
>
> [sudoshell]
>
> -----Original Message-----
> From: sudo-users-bounces at courtesan.com
> Sent: Wednesday, January 21, 2009 12:06 PM
> To: sudo-users at sudo.ws
> Subject: [sudo-users] I need help with sudoers..
>
> Hi all,
>
>
>
> I am trying to set up sudo..
>
> [How do I log commands from a shell?]

--
Russell M. Van Tassell
russell at loosenut.com

"Quick to judge, Quick to anger, slow to understand. Ignorance and prejudice and fear walk hand in hand." - N. Peart

____________________________________________________________
sudo-users mailing list
For list information, options, or to unsubscribe, visit:
http://www.sudo.ws/mailman/listinfo/sudo-users

------------------------------------------------------------------------
--
This message w/attachments (message) may be privileged, confidential or proprietary, and if you are not an intended recipient, please notify the sender, do not use or share it and delete it. Unless specifically indicated, this message is not an offer to sell or a solicitation of any investment products or other financial product or service, an official confirmation of any transaction, or an official statement of Merrill Lynch. Subject to applicable law, Merrill Lynch may monitor, review and retain e-communications (EC) traveling through its networks/systems. The laws of the country of each sender/recipient may impact the handling of EC, and EC may be archived, supervised and produced in countries other than the country in which you are located. This message cannot be guaranteed to be secure or error-free. References to "Merrill Lynch" are references to any company in the Merrill Lynch & Co., Inc. group of companies, which are wholly-owned by Bank of America Corporation. Securities and Insurance Products: * Are Not FDIC Insured * Are Not Bank Guaranteed * May Lose Value * Are Not a Bank Deposit * Are Not a Condition to Any Banking Service or Activity * Are Not Insured by Any Federal Government Agency. Attachments that are part of this E-communication may have additional important disclosures and disclaimers, which you should read. This message is subject to terms available at the following link: http://www.ml.com/e-communications_terms/. By messaging with Merrill Lynch you consent to the foregoing.
------------------------------------------------------------------------
--

From Radesh_Singh at ml.com Wed Jan 28 12:10:23 2009
From: Radesh_Singh at ml.com (Singh, Radesh (GTS))
Date: Wed, 28 Jan 2009 12:10:23 -0500
Subject: [sudo-users] Transforming /etc/sudoers to LDAP/AD
In-Reply-To:
References: <1F083E3510811D4B82611186F74DB1C101685D3C@MLNYA20MB010.amrs.win.ml.com>
Message-ID: <1F083E3510811D4B82611186F74DB1C101685D56@MLNYA20MB010.amrs.win.ml.com>

Sorry bro., I haven't used a centrally managed sudoers, let alone one that is provided / facilitated using LDAP (AD or otherwise); however, some of your questions seem like low hanging fruit ...
I'll leave the higher stuff to the pros ;0.

The sudoers2ldif script should be included in the tarball of sudo 1.7.0 you downloaded.

Not sure what you're asking with regard to whether it is necessary to convert the file to ldif format ... LDAP needs the records to be converted to a format it understands. Once you've got the LDIF definitions, you can import that.

Thanks,

Shawn Singh
NJUNIX/GWM UNIX
(904) 218-4096
- My name ain't chump, it's
Unless specifically indicated, this message is not an offer to sell or a solicitation of any investment products or other financial product or service, an official confirmation of any transaction, or an official statement of Merrill Lynch. Subject to applicable law, Merrill Lynch may monitor, review and retain e-communications (EC) traveling through its networks/systems. The laws of the country of each sender/recipient may impact the handling of EC, and EC may be archived, supervised and produced in countries other than the country in which you are located. This message cannot be guaranteed to be secure or error-free. References to "Merrill Lynch" are references to any company in the Merrill Lynch & Co., Inc. group of companies, which are wholly-owned by Bank of America Corporation. Securities and Insurance Products: * Are Not FDIC Insured * Are Not Bank Guaranteed * May Lose Value * Are Not a Bank Deposit * Are Not a Condition to Any Banking Service or Activity * Are Not Insured by Any Federal Government Agency. Attachments that are part of this E-communication may have additional important disclosures and disclaimers, which you should read. This message is subject to terms available at the following link: http://www.ml.com/e-communications_terms/. By messaging with Merrill Lynch you consent to the foregoing. ------------------------------------------------------------------------ -- From Vijaya.Pidugu at sig.com Wed Jan 28 12:27:59 2009 From: Vijaya.Pidugu at sig.com (Pidugu Vijaya) Date: Wed, 28 Jan 2009 12:27:59 -0500 Subject: [sudo-users] Transforming /etc/sudoers to LDAP/AD In-Reply-To: <1F083E3510811D4B82611186F74DB1C101685D56@MLNYA20MB010.amrs.win.ml.com> References: <1F083E3510811D4B82611186F74DB1C101685D3C@MLNYA20MB010.amrs.win.ml.com> <1F083E3510811D4B82611186F74DB1C101685D56@MLNYA20MB010.amrs.win.ml.com> Message-ID: We use the centrall managed sudoers for over 3000 servers and it works... we have it on one of the NFS mounted shares. 
Of course, you will have to compile your sudo to avoid the default /etc location for sudoers. ________________________________ From: Singh, Radesh (GTS) [mailto:Radesh_Singh at ml.com] Sent: Wednesday, January 28, 2009 12:10 PM To: Manjunatha, Jamuna; sudo-users at sudo.ws; Russell Van Tassell; Vijaya.Pidugu at sig.com Cc: sudo-users at sudo.ws Subject: RE: [sudo-users] Transforming /etc/sudoers to LDAP/AD Sorry bro., I haven't used a centrally managed sudoers, let alone one that is provided / facilitated using LDAP (AD or otherwise); however, some of your questions seem like low hanging fruit ... I'll leave the higher stuff to the pros ;0. The sudoers2ldif script should be included in the tarball of sudo 1.7.0 you downloaded. Not sure what you're asking with regard to whether it is necessary convert the file to ldif format ... LDAP needs the records to be converted to a format it understands. Once you've got the LDIF definitions, you can import that. Thanks, Shawn Singh NJUNIX/GWM UNIX (904) 218-4096 - My name ain't chump, it's From: Manjunatha, Jamuna [mailto:Jamuna.Manjunatha at ironmountain.com] Sent: Wednesday, January 28, 2009 11:43 AM To: Singh, Radesh (GTS); sudo-users at sudo.ws; Russell Van Tassell; Vijaya.Pidugu at sig.com Cc: sudo-users at sudo.ws Subject: RE: [sudo-users] Transforming /etc/sudoers to LDAP/AD Importance: High Hi All, I need really some help... I am still NOT clear on how we can import the /etc/sudoers file from LINUX to windows AD/LDAP.. I am looking for that part.. The following link helps a little but does not Clearly say what to do stepwise..sorry to be a pain.. All I need is the following: 1) user login in to linux first using windows AD/LDAP authentication 2) Next user has run sudo commands 3) That should get logged These all work fine if I have a local user on each server, but since I am using LDAP I am going through this route now.. Which is where I got stuck.. I found this good article, but.. 
http://www.sudo.ws/sudo/readme_ldap.html Importing /etc/sudoers to LDAP ============================== Importing is a two step process. Step 1: Ask your LDAP Administrator where to create the ou=SUDOers container. - This is easy. For instance, if using OpenLDAP: dn: ou=SUDOers,dc=example,dc=com objectClass: top objectClass: organizationalUnit ou: SUDOers (An example location is shown below). Then use the provided script to convert your sudoers file into LDIF format. The script will also convert any default options.( where is this script located??) Is this really necessary?? Can we just not a create a file with *.ldif extension? # SUDOERS_BASE=ou=SUDOers,dc=example,dc=com # export SUDOERS_BASE # ./sudoers2ldif /etc/sudoers > /tmp/sudoers.ldif Step 2: Import into your directory server. (Where exactly I need to import) If you are using OpenLDAP, do the following if you are using another directory, provide the LDIF file to your LDAP Administrator. An example is shown below. # ldapadd -f /tmp/sudoers.ldif -h ldapserver \ > -D cn=Manager,dc=example,dc=com -W -x I am really stuck here.. Please help... Thanks Jamuna -----Original Message----- From: Singh, Radesh (GTS) [mailto:Radesh_Singh at ml.com] Sent: Tuesday, January 27, 2009 10:22 AM To: Manjunatha, Jamuna Cc: sudo-users at sudo.ws Subject: RE: [sudo-users] Transforming /etc/sudoers to LDAP/AD >From the sudo side of things, it'll be easy. You'll have sudo setup for how your users "appear" to the system once authenticated. e.g. if rsingh shows up as being in the group unixuser-sysadmin, and you were trying to give that group access in sudo, you could have %unixuser-sysadmin ... in your sudoers to give them the ability to perform privileged operations Or if rsingh shows up as sysadmin you could have %sysadmin ... in your sudoers file to give them the ability to perform privileged operations Or if rsingh shows up as unixuser-rsingh, you could have unixuser-rsingh in your sudoers ... you get the picture. 
In my current work environment, we see our users show up in two ways. We're using Vintella's VAS product to perform AD authentication for our *nix accounts.

Shawn Singh
NJUNIX/GWM UNIX
(904) 218-4096
- My name ain't chump, it's

-----Original Message-----
From: sudo-users-bounces at courtesan.com [mailto:sudo-users-bounces at courtesan.com] On Behalf Of Manjunatha, Jamuna
Sent: Monday, January 26, 2009 8:31 PM
To: Russell Van Tassell; Singh, Radesh (GTS); sudo-users at sudo.ws
Cc: sudo-users at sudo.ws; Pidugu Vijaya; Singh, Radesh (GTS)
Subject: [sudo-users] Transforming /etc/sudoers to LDAP/AD

Hi everybody,

First of all thanks for the great input.. This is really great.

My next question is: I am now logging into LINUX using LDAP/AD windows authentication. Basically when I log into LINUX I am logging in using my windows authentication. User name and password work fine.

Now I need to use sudo.. earlier I had created local users on Linux & sudo so I could do sudo & I was fine. Now that I am authenticating to LINUX via windows LDAP/AD, how will the sudo work? Should I create the sudo config file on windows OR, once I am logged into LINUX (via LDAP/AD authentication), use the existing /etc/sudoers file?? I am not sure how this sudo will work on LDAP/AD authentication.

I did look on-line, but I am not convinced I have a solution.

Help Please.... Appreciate your time....

Thanks in advance

________________________________
From: Russell Van Tassell [mailto:russell+sudo-users at loosenut.com]
Sent: Mon 1/26/2009 3:06 PM
To: Manjunatha, Jamuna
Cc: Pidugu Vijaya; Radesh_Singh at ml.com; sudo-users at sudo.ws
Subject: Re: [sudo-users] I need help with sudoers..

It should be mentioned that there are alternatives to sudoshell, such as osh... they're all third party projects, as far as I know, though.

Ideally, however, in my opinion it's often better to try to force "a culture change" with how people use sudo...
you should prevent access to commands like "su" or anything where a shell can easily be obtained, then ask folks to simply preface "sudo" on commands that need elevated privileges. Yes, this tends to complicate the sudoers file a bit, and some would say increases maintenance on it. However, when you need to give basic users some extra power without sacrificing overall host security, I believe the benefits outweigh the shortcomings (and after a while, your sudoers file will be built up nicely and really not require that much in the way of changes and/or additions).

On Sun, Jan 25, 2009 at 12:22:21PM -0500, Manjunatha, Jamuna wrote:
> Yes, agreed...
>
> That is the only best option..
>
> Thanks a lot!!!
>
> ________________________________
>
> From: Pidugu Vijaya [mailto:Vijaya.Pidugu at sig.com]
> Sent: Sun 1/25/2009 9:11 AM
> To: Manjunatha, Jamuna; 'Radesh_Singh at ml.com'; 'sudo-users at sudo.ws'
> Subject: Re: [sudo-users] I need help with sudoers..
>
> You cannot do this. The only way to achieve this is by forcing the user to use sudo in front of every command he or she needs to run as root. For that you have to prevent the user from getting a root shell which is pretty easy!
>
> ----- Original Message -----
> From: sudo-users-bounces at courtesan.com
> To: Singh, Radesh (GTS) ; sudo-users at sudo.ws
> Sent: Fri Jan 23 15:13:24 2009
> Subject: Re: [sudo-users] I need help with sudoers..
>
> I tried this, but I have linux so no luck...
>
> [...]
>
> -----Original Message-----
> From: Manjunatha, Jamuna [mailto:Jamuna.Manjunatha at ironmountain.com]
> Sent: Thursday, January 22, 2009 12:41 PM
> To: Singh, Radesh (GTS); sudo-users at sudo.ws
> Subject: RE: [sudo-users] I need help with sudoers..
>
> [What changes I need to make in the /etc/sudoers file??]
>
> -----Original Message-----
> From: Singh, Radesh (GTS) [mailto:Radesh_Singh at ml.com]
> Sent: Thursday, January 22, 2009 12:39 PM
> To: Manjunatha, Jamuna; sudo-users at sudo.ws
> Subject: RE: [sudo-users] I need help with sudoers..
>
> [sudoshell]
>
> -----Original Message-----
> From: sudo-users-bounces at courtesan.com
> Sent: Wednesday, January 21, 2009 12:06 PM
> To: sudo-users at sudo.ws
> Subject: [sudo-users] I need help with sudoers..
>
> Hi all,
>
> I am trying to setup a sudo..
>
> [How do I log commands from a shell?]

--
Russell M. Van Tassell
russell at loosenut.com

"Quick to judge, Quick to anger, slow to understand. Ignorance and prejudice and fear walk hand in hand." - N. Peart

The information contained in this email message and its attachments is intended only for the private and confidential use of the recipient(s) named above, unless the sender expressly agrees otherwise. Transmission of email over the Internet is not a secure communications medium. If you are requesting or have requested the transmittal of personal data, as defined in applicable privacy laws by means of email or in an attachment to email you must select a more secure alternate means of transmittal that supports your obligations to protect such personal data. If the reader of this message is not the intended recipient and/or you have received this email in error, you must take no action based on the information in this email and you are hereby notified that any dissemination, misuse, copying, or disclosure of this communication is strictly prohibited. If you have received this communication in error, please notify us immediately by email and delete the original message.
____________________________________________________________
sudo-users mailing list
For list information, options, or to unsubscribe, visit:
http://www.sudo.ws/mailman/listinfo/sudo-users

--------------------------------------------------------------------------
This message w/attachments (message) may be privileged, confidential or proprietary, and if you are not an intended recipient, please notify the sender, do not use or share it and delete it. Unless specifically indicated, this message is not an offer to sell or a solicitation of any investment products or other financial product or service, an official confirmation of any transaction, or an official statement of Merrill Lynch. Subject to applicable law, Merrill Lynch may monitor, review and retain e-communications (EC) traveling through its networks/systems. The laws of the country of each sender/recipient may impact the handling of EC, and EC may be archived, supervised and produced in countries other than the country in which you are located. This message cannot be guaranteed to be secure or error-free. References to "Merrill Lynch" are references to any company in the Merrill Lynch & Co., Inc. group of companies, which are wholly-owned by Bank of America Corporation. Securities and Insurance Products: * Are Not FDIC Insured * Are Not Bank Guaranteed * May Lose Value * Are Not a Bank Deposit * Are Not a Condition to Any Banking Service or Activity * Are Not Insured by Any Federal Government Agency. Attachments that are part of this E-communication may have additional important disclosures and disclaimers, which you should read. This message is subject to terms available at the following link: http://www.ml.com/e-communications_terms/. By messaging with Merrill Lynch you consent to the foregoing.
--------------------------------------------------------------------------

________________________________
IMPORTANT: The information contained in this email and/or its attachments is confidential.
If you are not the intended recipient, please notify the sender immediately by reply and immediately delete this message and all its attachments. Any review, use, reproduction, disclosure or dissemination of this message or any attachment by an unintended recipient is strictly prohibited. Neither this message nor any attachment is intended as or should be construed as an offer, solicitation or recommendation to buy or sell any security or other financial instrument. Neither the sender, his or her employer nor any of their respective affiliates makes any warranties as to the completeness or accuracy of any of the information contained herein or that this message or any of its attachments is free of viruses.

From Jamuna.Manjunatha at ironmountain.com Wed Jan 28 12:31:18 2009
From: Jamuna.Manjunatha at ironmountain.com (Manjunatha, Jamuna)
Date: Wed, 28 Jan 2009 12:31:18 -0500
Subject: [sudo-users] Transforming /etc/sudoers to LDAP/AD
In-Reply-To:
Message-ID:

>> you will have to compile your sudo to avoid the default /etc location for sudoers.

Can you please detail how to do this on windows AD/LDAP server??

Thanks so much!!!!

________________________________
From: Pidugu Vijaya [mailto:Vijaya.Pidugu at sig.com]
Sent: Wednesday, January 28, 2009 12:28 PM
To: Singh, Radesh (GTS); Manjunatha, Jamuna; sudo-users at sudo.ws; Russell Van Tassell; Vijaya.Pidugu at sig.com
Cc: sudo-users at sudo.ws
Subject: RE: [sudo-users] Transforming /etc/sudoers to LDAP/AD

We use the centrally managed sudoers for over 3000 servers and it works... we have it on one of the NFS mounted shares. Of course, you will have to compile your sudo to avoid the default /etc location for sudoers.
From Julian.Dunn at CBC.CA Fri Jan 30 14:44:21 2009
From: Julian.Dunn at CBC.CA (Julian Dunn)
Date: Fri, 30 Jan 2009 14:44:21 -0500
Subject: [sudo-users] sudo-1.6.9p17 - problem with wildcards
Message-ID: <49831244.4CAF.003C.0@CBC.CA>

Hi sudoers:

I have the same problem as this individual:
http://www.sudo.ws/mailman/htdig/sudo-users/2008-November/003814.html

I'm on RedHat Enterprise Linux 5.3 and so I have sudo-1.6.9p17-3.el5

I want to give myself the permission to run anything matching /etc/init.d/tomcat5-sb* without a password, so I have

  % sudo -l
  User jdunn may run the following commands on this host:
      (ALL) ALL
      (root) NOPASSWD: /usr/bin/install, /etc/init.d/tomcat5-sb*, /etc/init.d/cbcsandboxes
      (root) /etc/init.d/tomcat5-sb20
      (cruise) /usr/bin/cvs
      (webmaster) ALL

However, I still keep getting prompted for a password when executing anything of /etc/init.d/tomcat5-*

- Julian

--
-- Julian C. Dunn, P.Eng.
-- Assistant Team Lead / Chef d'équipe adjoint
-- Media Production Support / Soutien à la production des médias
-- Canadian Broadcasting Corporation / Société Radio-Canada
-- Office/Bureau: 9B122-K * Tel.: (416) 205-3311 x6988 * DID: 1-151-6988

From jpedersenrs at mail.dk Fri Jan 30 20:37:37 2009
From: jpedersenrs at mail.dk (Jørgen Pedersen)
Date: Sat, 31 Jan 2009 02:37:37 +0100
Subject: [sudo-users] Problem with frozen curzor …
Message-ID:

The sudo community … I got a problem … maybe someone can help me out …

First of all I'm running a Power Mac G5 … Problem is the app. Terminal … When I write anything in sudo that requires Password the cursor is frozen … simple example:

  -------------------------
  sudo passwd newuser (Enter)
  Password:
  -------------------------

Hint: … as I thought there must be a problem … I erased my harddisk & installed a new Leopard 10.5.6 … after that … as the first action I open Terminal hopefully frozen cursor problem was done … but nob … as written above all the preferences was & still are standard in Terminal … as a last hint … I have logged in with my admin password as starting up my private loving Mac … bummer … bummer …

I would be thankful if anyone could help me out of my problem …

Anyway … thanks for reading my message …

email: jpedersenrs at mail.dk

From Todd.Miller at courtesan.com Sat Jan 31 11:30:00 2009
From: Todd.Miller at courtesan.com (Todd C. Miller)
Date: Sat, 31 Jan 2009 11:30:00 -0500
Subject: [sudo-users] Problem with frozen curzor …
In-Reply-To: Your message of "Sat, 31 Jan 2009 02:37:37 +0100."
References:
Message-ID: <200901311630.n0VGU0A7001675@core.courtesan.com>

It is not frozen, echo is simply turned off while it waits for you to enter a password. This is normal for Unix programs that read in your password. You just need to enter your password and hit return. If you need to break out of sudo, just press control-C.

- todd
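An added example for the step 1 conversion quoted in the "Transforming /etc/sudoers to LDAP/AD" thread above (it is not part of the thread and not sudo's own sudoers2ldif script): it turns a handful of simple sudoers lines into sudoRole LDIF under SUDOERS_BASE, mapping NOPASSWD and friends to the matching sudoOption, and refuses constructs it cannot carry over faithfully instead of dropping them. It assumes sudo's standard LDAP schema attribute names; the sample sudoers fragment is constructed.

```python
"""Added example, not sudo's sudoers2ldif. Converts global Defaults and plain
user/%group specs (optional (runas) list, per-command tags) into sudoRole LDIF.
Aliases, #include and per-user Defaults are rejected rather than dropped."""
import re

# Constructed sample input: the NOPASSWD line mirrors the shape discussed on
# the list, the other lines are made up for the example.
SAMPLE_SUDOERS = """\
Defaults env_reset, timestamp_timeout=5
root    ALL=(ALL) ALL
%unixuser-sysadmin ALL=(ALL) ALL
jdunn   ALL=(root) NOPASSWD: /usr/bin/install, /etc/init.d/tomcat5-sb*
jdunn   ALL=(cruise:cruise) /usr/bin/cvs
"""
USER_SPEC = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\))?\s*(?P<cmds>.+)$")
# sudoers tag -> sudoOption value, as sudo's LDAP schema spells them
TAG_TO_OPTION = {"NOPASSWD": "!authenticate", "PASSWD": "authenticate",
                 "NOEXEC": "noexec", "EXEC": "!noexec",
                 "SETENV": "setenv", "NOSETENV": "!setenv"}
REJECT = ("#include", "User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias")
ATTRS = ("sudoUser", "sudoHost", "sudoRunAsUser", "sudoRunAsGroup",
         "sudoCommand", "sudoOption")


def parse_sudoers(text):
    """Return (defaults, roles); each role is a dict of list-valued attributes."""
    defaults, roles, seen = [], [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(REJECT):
            raise ValueError("unsupported directive, convert by hand: " + line)
        if not line or line.startswith("#"):
            continue
        if line.startswith("Defaults"):
            if not line[8:9].isspace():  # Defaults:user, Defaults@host, ...
                raise ValueError("only global Defaults are supported: " + line)
            defaults.extend(o.strip() for o in line[8:].split(","))
            continue
        m = USER_SPEC.match(line)
        if not m:
            raise ValueError("cannot parse: " + line)
        role = {a: [] for a in ATTRS}
        role["sudoUser"], role["sudoHost"] = [m["user"]], [m["host"]]
        for spec in (m["runas"] or "").split(","):  # (user:group, ...)
            user, _, group = spec.strip().partition(":")
            role["sudoRunAsUser"] += [user] if user else []
            role["sudoRunAsGroup"] += [group] if group else []
        for cmd in m["cmds"].split(","):
            cmd = cmd.strip()
            while cmd.partition(":")[0] in TAG_TO_OPTION:  # peel NOPASSWD: etc.
                opt = TAG_TO_OPTION[cmd.partition(":")[0]]
                # a sudoOption covers the whole role, so mixed NOPASSWD:/PASSWD:
                # on one line has no faithful LDAP translation
                if (opt[1:] if opt[0] == "!" else "!" + opt) in role["sudoOption"]:
                    raise ValueError("conflicting tags in one entry: " + line)
                if opt not in role["sudoOption"]:
                    role["sudoOption"].append(opt)
                cmd = cmd.partition(":")[2].strip()
            role["sudoCommand"].append(cmd)
        n = seen[m["user"]] = seen.get(m["user"], 0) + 1  # unique cn per line
        role["cn"] = m["user"] if n == 1 else "%s_%d" % (m["user"], n - 1)
        roles.append(role)
    return defaults, roles


def escape_rdn(value):
    """Escape an RDN value per RFC 4514 so a cn lifted from sudoers (a '#uid'
    user, a name containing a comma) cannot alter the DN it is placed in."""
    out = "".join("\\" + c if c in ',+"\\<>;=' else c for c in value)
    if out[:1] in ("#", " "):
        out = "\\" + out
    return out[:-1] + "\\ " if out.endswith(" ") else out


def to_ldif(defaults, roles, base="ou=SUDOers,dc=example,dc=com"):
    """Render as LDIF under `base` (the README's SUDOERS_BASE); values here are
    plain ASCII, anything else would need LDIF base64 encoding."""
    entries = [("defaults", [("sudoOption", o) for o in defaults])] if defaults else []
    entries += [(r["cn"], [(a, v) for a in ATTRS for v in r[a]]) for r in roles]
    out = []
    for cn, attrs in entries:
        out += ["dn: cn=%s,%s" % (escape_rdn(cn), base), "objectClass: top",
                "objectClass: sudoRole", "cn: " + cn]
        out += ["%s: %s" % (a, v) for a, v in attrs] + [""]
    return "\n".join(out)
```

The conversion does not carry sudoers file order into the directory, so rules whose effect depends on their position in the file need a review before the ldapadd step.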