From e9427749 at stud4.tuwien.ac.at Wed Jul 1 12:00:24 2009
From: e9427749 at stud4.tuwien.ac.at (josef schmid)
Date: Wed, 01 Jul 2009 18:00:24 +0200
Subject: [sudo-users] Always parse error (except for empty sudoers)
In-Reply-To: <4A490E3F.3020704@stud4.tuwien.ac.at>
References: <4A4299F8.8090508@stud4.tuwien.ac.at> <200906251241.n5PCfuDG018520@core.courtesan.com> <4A43B4C2.5010606@stud4.tuwien.ac.at> <200906272106.n5RL6ssm022606@core.courtesan.com> <4A490E3F.3020704@stud4.tuwien.ac.at>
Message-ID: <4A4B8818.3040803@stud4.tuwien.ac.at>

josef schmid wrote:
> Todd C. Miller wrote:
>> [...] Can you try using the system compiler and see if that changes anything?
>> E.g. give configure --with-CC=cc
>
> After I read the 'Dynix' section, this was on my todo list anyway.
> But no success. :-(
>
>     CC=cc; CFLAFS=-Ae; export CC CFLAGS
>     ./configure ... --with-CC=cc --with(out)-noexec
>
> [...] Besides a problem with the HP ANSI Compiler [...].
> It doesn't allow the building of noexec (no support for -b in cc
> directly, and with -Wl,-b the linker uses the wrong crt0.o file).
> [...] I can look at the source from the porting archive, maybe these guys
> have something hacked around. But the chances are not high.
> (On the other side, if they use -DAportable, hmm, so two things
> left that I can try ...)

Bad news for me. No (portable) binary available. And that version also has
the same compilation results (including the linking problem for noexec).
(http://hpux.connect.org.uk/hppd/cgi-bin/wwwtar?/hpux/Sysadmin/sudo-1.7.1/sudo-1.7.1-src-11.11.tar.gz+sudo-1.7.1/HPUX.Install+text)

Maybe something has changed between 1.6.7p5 and 1.7.1 which makes it
incompatible with the old version of HP-UX (11.0). Maybe something is wrong
on my system which only affects sudo.

> Maybe more error checks in sudo are helpful, then hopefully
> I get more information than that the parsing fails.
> (I'm so shameless to ask for this. ;-) [...]
However, many thanks for spending your time,
Josef

From Martin.Gerdes at directbox.com Fri Jul 3 16:35:58 2009
From: Martin.Gerdes at directbox.com (Martin.Gerdes at directbox.com)
Date: Fri, 03 Jul 2009 16:35:58
Subject: [sudo-users] /etc/sudoers: allowing a subshell command within quotes
Message-ID: <0F8C07D907030E233A139@directbox.com>

One of the examples in the sudo manpage is this one:

    sudo sh -c "cd /home ; du -s * | sort -rn > USAGE"

How would I modify /etc/sudoers to allow precisely that one command?

I experimented with something simpler:

    sudo sh -c ls /root

If I add a line 'admin ALL= NOPASSWD: /bin/sh -c ls /root' to /etc/sudoers,
then the above example works. However, I find no way to get quotes to work, i.e.

    sudo sh -c "ls /root"

(which is needed for stuff like pipes, backticks and redirection)

I tried the lines 'admin ALL= NOPASSWD: /bin/sh -c "ls /root"' and
'admin ALL= NOPASSWD: /bin/sh -c \"ls /root\"', neither of which works.

So, can anyone tell me what I would have to write into /etc/sudoers to allow
running the example from the sudo manpage, only that command and no other?

From martingrds at googlemail.com Mon Jul 6 06:22:28 2009
From: martingrds at googlemail.com (Martin Gerdes)
Date: Mon, 6 Jul 2009 12:22:28 +0200
Subject: [sudo-users] /etc/sudoers: allowing a subshell command within quotes
Message-ID: <22c155ee0907060322w5cc18084j7c8bbb4f6a96e876@mail.gmail.com>

One of the examples in the sudo manpage is this one:

    sudo sh -c "cd /home ; du -s * | sort -rn > USAGE"

How would I modify /etc/sudoers to allow precisely that one command?

I experimented with something simpler:

    sudo sh -c ls /root

If I add a line 'admin ALL= NOPASSWD: /bin/sh -c ls /root' to /etc/sudoers,
then the above example works (for user admin). However, I find no way to get
quotes to work, i.e.
    sudo sh -c "ls /root"

(which is needed for stuff like pipes, backticks and redirection)

I tried the lines 'admin ALL= NOPASSWD: /bin/sh -c "ls /root"' and
'admin ALL= NOPASSWD: /bin/sh -c \"ls /root\"', neither of which works.

So, can anyone tell me what I would have to write into /etc/sudoers to allow
running the example from the sudo manpage, only that command and no other?

From Don.Thornton at stvin.org Mon Jul 6 12:19:45 2009
From: Don.Thornton at stvin.org (Thornton, Don)
Date: Mon, 6 Jul 2009 10:19:45 -0600
Subject: [sudo-users] su except root
Message-ID:

Add the following lines (visudo) to your /etc/sudoers file:

    User_Alias NON_ROOT = APistocc, DThornto
    Cmnd_Alias SU_TO_ROOT = /usr/bin/su, /usr/bin/su -, /usr/bin/su root, /usr/bin/su - root
    NON_ROOT ALL=(ALL) ALL, !SU_TO_ROOT

Don Thornton Jr.
The Unix System Administrator
St. Vincent Regional Medical Center
455 St. Michaels Dr.
Santa Fe, NM 87505
Wrk: 505-913-4875
Fax: 505-913-4957

On 10/5/06, ANDREW PISTOCCHI wrote:
>
> I have users able to su - as another user using sudo but how can I
> exclude them from root? I want them to be able to sudo su as any user
> except root. Right now if they type: sudo su and hit they get
> the root # prompt. I don't want this.
>
> Is there an easy way to allow them to su to all users except root?
>
> Andy Pistocchi
> apistocch at ut.edu
> 813-258-7422
> The University of Tampa
>
> ____________________________________________________________
> sudo-users mailing list
> For list information, options, or to unsubscribe, visit:
> http://www.sudo.ws/mailman/listinfo/sudo-users
>

From MKanthasamy at webmd.net Mon Jul 6 14:38:07 2009
From: MKanthasamy at webmd.net (Kanthasamy, Murugesan)
Date: Mon, 6 Jul 2009 14:38:07 -0400
Subject: [sudo-users] Recall: sudo password issue with Winbind
Message-ID: <8F00D976889AC645AD3940B8D0BC760A05F0B83D@NYCEX01.webmdhealth.net>

Kanthasamy, Murugesan would like to recall the message, "sudo password issue with Winbind".
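An added example for Martin Gerdes' question above about granting the quoted
`sh -c` pipeline (this is not code from the list or from the sudo project):
since sudoers matches the command and each argument literally, the approach
shown here is to move the pipeline into a root-owned, non-writable script and
grant that script with its single argument pinned, so the user can run exactly
that report and nothing else. The script path /usr/local/sbin/home-usage, the
user name admin and the target directory /home are assumptions.

```shell
#!/bin/sh
# Added example, not from the list. Fixed-purpose wrapper that replaces
#   sudo sh -c "cd /home ; du -s * | sort -rn > USAGE"
# Install as root, mode 0755, at /usr/local/sbin/home-usage (assumed path),
# then grant only this script with its one argument pinned, via visudo:
#   admin ALL = (root) NOPASSWD: /usr/local/sbin/home-usage /home
# sudo compares argv literally, so "home-usage /tmp" or extra arguments
# are refused, and there is no shell string for the user to edit.
set -eu

# Produce $dir/USAGE: one line per entry in $dir, size first, largest first.
# The listing is captured before USAGE is opened so the report file does not
# race into its own listing the way the original pipeline allows.
usage_report() {
    dir=$1
    if [ ! -d "$dir" ]; then
        printf 'usage_report: %s is not a directory\n' "$dir" >&2
        return 1
    fi
    report=$(cd "$dir" && du -s -- * | sort -rn)
    printf '%s\n' "$report" > "$dir/USAGE"
}

# Name of the largest entry according to an existing report (second column).
largest_entry() {
    sed -n 1p "$1/USAGE" | awk '{ print $2 }'
}

# Entry point: exactly one argument, the directory (the sudoers rule above
# only ever passes /home). With no argument the file merely defines the
# functions, which lets it be sourced for testing.
if [ $# -eq 1 ]; then
    usage_report "$1"
elif [ $# -gt 1 ]; then
    printf 'usage: %s DIRECTORY\n' "$0" >&2
    exit 64
fi
```

The same pattern covers the `sh -c "ls /root"` case: put the command in its
own script and grant the script, rather than granting /bin/sh -c with a
quoted string. An empty directory makes the glob fail and the function return
non-zero, which is what you want from a wrapper run under sudo.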
From MKanthasamy at webmd.net Mon Jul 6 14:36:18 2009
From: MKanthasamy at webmd.net (Kanthasamy, Murugesan)
Date: Mon, 6 Jul 2009 14:36:18 -0400
Subject: [sudo-users] sudo password issue with Winbind
In-Reply-To:
References:
Message-ID: <8F00D976889AC645AD3940B8D0BC760A05F0B832@NYCEX01.webmdhealth.net>

Hi,

I read this issue sometime back, but forgot what the cause was.

I have Linux hosts authenticating against AD. When an AD user does sudo and
types an incorrect password, sudo doesn't ask for the password a second time;
instead it tries the same password (presumably) another couple of times and exits.

    [user at hostname ~]$ sudo su -
    Password:
    Sorry, try again.
    Sorry, try again.
    Sorry, try again.
    sudo: 3 incorrect password attempts

system-auth PAM configuration:

    auth        required      pam_env.so
    auth        sufficient    pam_unix.so nullok try_first_pass
    auth        requisite     pam_succeed_if.so uid >= 500 quiet
    auth        sufficient    pam_winbind.so cached_login use_first_pass
    auth        required      pam_deny.so
    account     required      pam_access.so
    account     required      pam_unix.so broken_shadow
    account     sufficient    pam_localuser.so
    account     sufficient    pam_succeed_if.so uid < 500 quiet
    account     [default=bad success=ok user_unknown=ignore] pam_winbind.so cached_login
    account     required      pam_permit.so
    password    requisite     pam_cracklib.so try_first_pass retry=3
    password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
    password    sufficient    pam_winbind.so cached_login use_authtok
    password    required      pam_deny.so
    session     optional      pam_mkhomedir.so skel=/etc/skel/
    session     required      pam_limits.so
    session     required      pam_unix.so

Thanks

From nick.hasser at gmail.com Tue Jul 7 16:28:36 2009
From: nick.hasser at gmail.com (Nick Hasser)
Date: Tue, 07 Jul 2009 16:28:36 -0400
Subject: [sudo-users] su except root
In-Reply-To:
References:
Message-ID: <4A53AFF4.3040106@gmail.com>

Thornton, Don wrote:
> Add the following lines (visudo) to your /etc/sudoers file:
>
> User_Alias NON_ROOT = APistocc, DThornto
>
> Cmnd_Alias SU_TO_ROOT = /usr/bin/su, /usr/bin/su -,
> /usr/bin/su root,
> /usr/bin/su - root
>
> NON_ROOT ALL=(ALL) ALL, !SU_TO_ROOT
>

I'm fairly new to configuring sudo, so maybe I'm missing something here,
but this does not prevent me from su'ing to root since I can:

    $ cp /usr/bin/su $HOME/su
    $ cd $HOME
    $ sudo ./su -

The more secure implementation would be to whitelist a set of commands
instead of blacklisting the su command, correct?

Nick

From Robin.Battersby-Cornmell at uisl.unisys.com Wed Jul 8 07:10:32 2009
From: Robin.Battersby-Cornmell at uisl.unisys.com (Battersby-Cornmell, Robin Alasdair)
Date: Wed, 8 Jul 2009 12:10:32 +0100
Subject: [sudo-users] su except root
In-Reply-To:
References:
Message-ID:

Your approach may be a little open to abuse with people able to simply copy
su to another name and then call that with "sudo cp -p /usr/bin/su ./mysu;
sudo mysu -" or similar.

Another way (not perfect either) is to edit /.profile (assuming you're using
sh, ksh, bash etc.) to trace the caller, something like:

    #!/bin/ksh
    # root's .profile
    ps -o user=,tty=,ppid= -p $$ | read uid tid ppid
    if [ "$tid" != "${tid#pts}" -o "$tid" != "${tid#tty}" ]   # <--- See below
    then
        who -i | grep "$tid " | read rid b c d e f lpid rest
        ps -o user=,ppid=,args= -p $ppid | read cid cpid cargs
        if [ `grep -c "$cid" /etc/rootusers.allowed` -ne 1 ]
        then
            echo "Not allowed access to login as root."
            # Write attempt in your security log with info collected above
            exit
        fi
    fi
    # Carry on with .profile here

You need to edit the "if" to capture your terminal definition style, e.g.
pts/1, ttyAA/AA11 or whatever. Make sure that you allow direct console login
as a fallback. Test it very thoroughly and consider what will happen in a boot
when the profile is read. This is quickly cobbled together and not tested, so
no liability is accepted. Of course, it can still be hacked round by altering
/etc/rootusers.allowed.
Perhaps the best way would be to specifically allow what is acceptable rather
than trying to have a blanket grant and then prevent what you don't want them
to do. Shared accounts are always a bad idea as you lose the accountability
anyway. How do you square it with the auditors? The shared accounts might be
okay if you script everything and then allow users to call the script and
don't let them enter arbitrary commands.

Robin
Unisys, Liverpool

-----Original Message-----
From: Thornton, Don [mailto:Don.Thornton at stvin.org]
Sent: Monday, July 06, 2009 5:20 PM
To: sudo-users at sudo.ws
Subject: [sudo-users] su except root

Add the following lines (visudo) to your /etc/sudoers file:

    User_Alias NON_ROOT = APistocc, DThornto
    Cmnd_Alias SU_TO_ROOT = /usr/bin/su, /usr/bin/su -, /usr/bin/su root, /usr/bin/su - root
    NON_ROOT ALL=(ALL) ALL, !SU_TO_ROOT

Don Thornton Jr.
The Unix System Administrator
St. Vincent Regional Medical Center
455 St. Michaels Dr.
Santa Fe, NM 87505
Wrk: 505-913-4875
Fax: 505-913-4957

On 10/5/06, ANDREW PISTOCCHI wrote:
>
> I have users able to su - as another user using sudo but how can I
> exclude them from root? I want them to be able to sudo su as any user
> except root. Right now if they type: sudo su and hit they get
> the root # prompt. I don't want this.
>
> Is there an easy way to allow them to su to all users except root?
>
> Andy Pistocchi
> apistocch at ut.edu
> 813-258-7422
> The University of Tampa
>
> ____________________________________________________________
> sudo-users mailing list For list information,
> options, or to unsubscribe, visit:
> http://www.sudo.ws/mailman/listinfo/sudo-users
>
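An added example for the su-except-root thread above (not code from the list
or from the sudo project): a small lint that flags sudoers user specifications
of the "ALL, !something" shape, the deny-list pattern that Nick's copy-the-binary
trick defeats, and leaves allow-list rules alone. It runs over a constructed
sample sudoers file; the rules, user names and script path in that sample are
made up for the demonstration.

```shell
#!/bin/sh
# Added example, not from the list: lint a sudoers file for rules that carve
# exceptions out of ALL with "!". Such rules do not hold because the excluded
# binary can be copied to another path; only allow-listed commands survive.
set -eu

# Print every user specification whose command list is ALL minus "!" exceptions.
# Comment lines, Defaults and alias definitions are skipped, and a leading
# Runas_Spec in parentheses is stripped so "(ALL, !root)" (a Runas restriction,
# not a command deny-list) is not flagged. Backslash-continued lines and
# deny-lists hidden inside a Cmnd_Alias are not handled.
find_denylist_rules() {
    awk '
        /^[ \t]*#/ { next }
        /^[ \t]*(Defaults|User_Alias|Runas_Alias|Host_Alias|Cmnd_Alias)/ { next }
        index($0, "=") > 0 {
            rhs = $0
            sub(/^[^=]*=/, "", rhs)            # keep the part after the first "="
            sub(/^[ \t]*\([^)]*\)/, "", rhs)   # drop a leading Runas_Spec "(...)"
            rhs = " " rhs " "                  # pad so ALL can be matched whole
            if (rhs ~ /[, \t]ALL[, \t]/ && rhs ~ /!/) print
        }
    ' "$1"
}

# Number of flagged rules as a plain integer ("0" for a clean file).
count_denylist_rules() {
    find_denylist_rules "$1" | grep -c . || true
}

# Write a constructed sample (the thread's deny-list rule beside allow-list
# alternatives) to the path given as $1.
write_sample_sudoers() {
    cat > "$1" <<'EOF'
# constructed sample, not a real policy
Defaults    env_reset
User_Alias  NON_ROOT = apistocc, dthornto
Cmnd_Alias  SU_TO_ROOT = /usr/bin/su, /usr/bin/su -, /usr/bin/su root, /usr/bin/su - root
# deny-list: defeated by copying su under another name
NON_ROOT    ALL = (ALL) ALL, !SU_TO_ROOT
# allow-list: a shell as any user except root (negation in the Runas list)
NON_ROOT    ALL = (ALL, !root) /bin/sh
# allow-list: one fixed script with its argument pinned
admin       ALL = (root) NOPASSWD: /usr/local/sbin/home-usage /home
EOF
}

# Demonstration on the constructed sample.
sample=$(mktemp)
write_sample_sudoers "$sample"
printf 'deny-list rules found: %s\n' "$(count_denylist_rules "$sample")"
find_denylist_rules "$sample"
rm -f "$sample"
```

Run it against a real file with `find_denylist_rules /etc/sudoers` (as root,
or on a copy); every line it prints is a rule whose exceptions a user can
sidestep, and the fix is to replace the ALL with the commands actually
intended, as Robin suggests.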
From Mike_Buckley at csgsystems.com Fri Jul 10 10:50:24 2009
From: Mike_Buckley at csgsystems.com (Buckley, Mike)
Date: Fri, 10 Jul 2009 08:50:24 -0600
Subject: [sudo-users] Compiling sudo with static libraries
Message-ID:

I am trying to compile sudo 1.7.1 on Solaris 9. When I run configure with the
following options, noexec doesn't compile. However, when I remove
--enable-static and --disable-shared, noexec compiles without issue.

    --prefix=/opt/CSGsudo/1.7.1 \
    --enable-static \
    --disable-shared \
    --disable-root-sudo \
    --enable-log-host \
    --without-mail-if-no-user \
    --with-mail-if-no-host \
    --with-mail-if-noperms \
    --with-sendmail=/usr/lib/sendmail \
    --with-env-editor \
    --with-timeout \
    --with-timedir=/var/run/sudo \
    --with-noexec=/opt/CSGsudo/1.7.1/lib

This is my first time around compiling sudo, so any help would be greatly
appreciated.

Thanks,
Mike Buckley

From eric.freeman at tbwachiat.com Fri Jul 10 13:38:25 2009
From: eric.freeman at tbwachiat.com (Eric Freeman)
Date: Fri, 10 Jul 2009 13:38:25 -0400
Subject: [sudo-users] Sudo in LDAP appears to auth everything
Message-ID:

Below is the output from my sudo debug. I am 99% sure I don't have the lastb
command in the LDAP container. I am not sure why this is being allowed.
I am not sure if this is a clue: (sudoUser=ALL)). I don't have the LDAP user
in the local sudoers. I am not sure why I am able to run sudo commands. I can
also run sudo dmesg and I know that is not in LDAP. Any help would be
appreciated.

Thanks

    # sudo -V
    Sudo version 1.7.0

Running on HP-UX 11.11

    [:/etc] sudo lastb
    LDAP Config Summary
    ===================
    host             10.20.2.165
    port             -1
    ldap_version     3
    sudoers_base     ou=SUDOers,ou=Services,o=nam
    binddn           cn=xxxxxxxxxxxxxxx
    bindpw           xxxxxxxxxxxxxxxxxx
    bind_timelimit   30000
    timelimit        30
    ssl              (no)
    ===================
    sudo: ldap_create()
    sudo: ldap_set_option(LDAP_OPT_HOST_NAME, 10.20.2.165)
    sudo: ldap_set_option: debug -> 0
    sudo: ldap_set_option: ldap_version -> 3
    sudo: ldap_set_option: timelimit -> 30
    sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 30)
    sudo: ldap_sasl_bind_s() ok
    sudo: found:cn=defaults,ou=SUDOers,ou=Services,o=NAM
    sudo: ldap sudoOption: 'logfile=/var/adm/syslog/sudo.log'
    sudo: ldap sudoOption: 'log_year'
    sudo: ldap search '(|(sudoUser=test_user)(sudoUser=%c)(sudoUser=%ZZ-C)(sudoUser=ALL))'
    sudo: ldap search 'sudoUser=+*'
    sudo: user_matches=0
    sudo: host_matches=0
    sudo: sudo_ldap_lookup(0)=0x02
    LDAP Password:

From slawek at lach.art.pl Sun Jul 19 14:48:15 2009
From: slawek at lach.art.pl (slawek)
Date: Sun, 19 Jul 2009 20:48:15 +0200
Subject: [sudo-users] Don't set timestamp
Message-ID: <1248029295.28377.2.camel@linux-9ona.site>

I have one question.
Is it possible to run sudo without setting the timestamp? I would like to use
su, but that's not working on Ubuntu.

Don't tell me how to set the password for root - I only need to invoke
"sudo --without-timestamp" or something like that.

From Todd.Miller at courtesan.com Sun Jul 19 19:19:43 2009
From: Todd.Miller at courtesan.com (Todd C. Miller)
Date: Sun, 19 Jul 2009 19:19:43 -0400
Subject: [sudo-users] Don't set timestamp
In-Reply-To: Your message of "Sun, 19 Jul 2009 20:48:15 +0200." <1248029295.28377.2.camel@linux-9ona.site>
References: <1248029295.28377.2.camel@linux-9ona.site>
Message-ID: <200907192319.n6JNJhsU023923@core.courtesan.com>

In message <1248029295.28377.2.camel at linux-9ona.site>
so spake slawek (slawek):

> Is it possible to run sudo without setting the timestamp?
> I would like to use su, but that's not working on Ubuntu.
>
> Don't tell me how to set the password for root - I only need to invoke
> "sudo --without-timestamp" or something like that.

With sudo 1.7.1 and higher you can use the -k flag along with a command to
ignore the time stamp file. This means that sudo will always prompt for a
password and not update the time stamp file. E.g.

    sudo -k ls

 - todd

From Todd.Miller at courtesan.com Tue Jul 28 14:51:36 2009
From: Todd.Miller at courtesan.com (Todd C. Miller)
Date: Tue, 28 Jul 2009 14:51:36 -0400
Subject: [sudo-users] possible per-tty timestamp changes
Message-ID: <200907281851.n6SIpbS5000694@core.courtesan.com>

I've been mulling over some changes in behavior when per-tty timestamps are
in use (the tty_tickets sudoers option). Most Linux distros ship sudo with
this option enabled. Changes I've been considering:

1) If the tty cannot be determined (due to both stdin and stdout being
   redirected or a pipe), always prompt for a password. The current behavior
   is to use a catch-all timestamp file (called "unknown" in the user's sudo
   timestamp directory) which seems to confuse people.
   This would likely mean that gui-based programs that invoke sudo would
   always have to supply a password.

2) Make "sudo -K" remove all per-tty timestamp files, not just the current
   tty timestamp. The behavior of "sudo -k" would be unchanged. This would
   allow people to clean up all their sudo per-tty timestamps when they log
   out.

I'm wondering if these changes would negatively impact people's current use
of sudo. Note that these changes would only affect things when the
tty_tickets option is enabled.

 - todd