From jespasac at minibofh.org Mon Jun 1 03:14:29 2009
From: jespasac at minibofh.org (Jordi Espasa Clofent)
Date: Mon, 01 Jun 2009 09:14:29 +0200
Subject: [sudo-users] sudo + openldap + freebsd 7
In-Reply-To: <88A1FB305B58DA419D0F2CFDBB95B2D812AF0FCA35@sylvaner.netis.priv>
References: <88A1FB305B58DA419D0F2CFDBB95B2D812AF0FC95E@sylvaner.netis.priv> <4A1F9FB7.5090205@minibofh.org> <88A1FB305B58DA419D0F2CFDBB95B2D812AF0FCA35@sylvaner.netis.priv>
Message-ID: <4A237FD5.4000400@minibofh.org>

I think as you do; my /etc/pam.d/sudo:

# cat /etc/pam.d/sudo | grep -v "#"
auth      required    /usr/local/lib/pam_ldap.so
account   sufficient  /usr/local/lib/pam_ldap.so
session   sufficient  /usr/local/lib/pam_ldap.so
password  sufficient  /usr/local/lib/pam_ldap.so

;)

--
Thanks,
Jordi Espasa Clofent

From luisclemente.totvs at mangels.com.br Thu Jun 4 14:16:16 2009
From: luisclemente.totvs at mangels.com.br (Luis Eduardo Carosi Clemente)
Date: Thu, 4 Jun 2009 15:16:16 -0300
Subject: [sudo-users] Allowing the whole directory to run scripts with sudo command
Message-ID: <282DB63D9D993E4E8D1ECF2214078E9006BEAE@MANEX03.mangelscorp.int>

Hi all,

I'm trying to set up some scripts within /db/scripts, but it doesn't work. Below is the line I included in /etc/sudoers:

Cmnd_Alias = DBSCRIPTS = /db/scripts/*

Is this enough to work?

Thanks,
Luis Clemente

Confidential Note: This e-mail and its attachments are confidential or legally privileged. If you received this message in error or are not the intended recipients, please destroy it and notify us immediately.
From vijay.k.lad at gmail.com Fri Jun 5 08:20:44 2009
From: vijay.k.lad at gmail.com (Vijay Lad)
Date: Fri, 5 Jun 2009 17:50:44 +0530
Subject: [sudo-users] How to use sudo without typing sudo before any command
Message-ID:

Hi All,

I am a very new user of sudo. I have installed sudo on my CentOS and it's working fine. The problem is that I have to enter sudo before running any command. Is there any way I can enter sudo at the start and after that run any command without typing sudo before the command?

Please reply.

Thanks,
Vijay

From justin at jalcorn.net Fri Jun 5 08:34:51 2009
From: justin at jalcorn.net (Justin Alcorn)
Date: Fri, 5 Jun 2009 08:34:51 -0400
Subject: [sudo-users] How to use sudo without typing sudo before any command
In-Reply-To:
References:
Message-ID: <8a706dbc0906050534m81ad5d8jd59d250f93f23c18@mail.gmail.com>

The point of sudo is to make sure you know you're running a privileged command, and to log those commands. To not type 'sudo', you become root, but then you lose all the benefits of sudo, including the logging.

On Fri, Jun 5, 2009 at 8:20 AM, Vijay Lad wrote:
> Hi All,
>      I am very new user for sudo, I have install the sudo on my centos &
> its working fine. The problem is that, I have to enter sudo before running
> any command. Is there any way where I can enter sudo at start & after that I
> can run any command without typing sudo before command?
>
> Please reply.
>
> Thanks,
>
> Vijay
> ____________________________________________________________
> sudo-users mailing list
> For list information, options, or to unsubscribe, visit:
> http://www.sudo.ws/mailman/listinfo/sudo-users
>

From Marylou.Kohlmeier at canyons.edu Fri Jun 5 09:51:55 2009
From: Marylou.Kohlmeier at canyons.edu (Kohlmeier, Marylou)
Date: Fri, 5 Jun 2009 06:51:55 -0700
Subject: [sudo-users] How to restrict sudo users from changing root password
In-Reply-To: <8a706dbc0906050534m81ad5d8jd59d250f93f23c18@mail.gmail.com>
References: <8a706dbc0906050534m81ad5d8jd59d250f93f23c18@mail.gmail.com>
Message-ID: <3CF163158B00244D8E1581BF5F5C05B308E62CA5@exchange1.Staff.Canyons.edu>

Hello everyone,

Is there a way to restrict sudo users from changing the "root" password?

Marylou

From russell+sudo-users at loosenut.com Fri Jun 5 11:51:20 2009
From: russell+sudo-users at loosenut.com (Russell Van Tassell)
Date: Fri, 5 Jun 2009 08:51:20 -0700
Subject: [sudo-users] How to restrict sudo users from changing root password
In-Reply-To: <3CF163158B00244D8E1581BF5F5C05B308E62CA5@exchange1.Staff.Canyons.edu>
References: <8a706dbc0906050534m81ad5d8jd59d250f93f23c18@mail.gmail.com> <3CF163158B00244D8E1581BF5F5C05B308E62CA5@exchange1.Staff.Canyons.edu>
Message-ID: <20090605155120.GO28086@fubar.loosenut.com>

On Fri, Jun 05, 2009 at 06:51:55AM -0700, Kohlmeier, Marylou wrote:
> Hello everyone,
>
> Is there a way to restrict sudo users from changing "root" password?
>
> Marylou

Pretty much don't allow them access to ways to change it... things like passwd and/or vi (or another editor) under sudo. You should probably also be using things like tripwire to monitor critical changes like this...

In short... you'll need to keep your sudoers files pointing only at "the essentials" for each user and then trust that each user is able to use it properly and doesn't have some level of maliciousness in mind with their elevated privileges.
From Marylou.Kohlmeier at canyons.edu Fri Jun 5 11:53:00 2009
From: Marylou.Kohlmeier at canyons.edu (Kohlmeier, Marylou)
Date: Fri, 5 Jun 2009 08:53:00 -0700
Subject: [sudo-users] How to restrict sudo users from changing root password
In-Reply-To: <4A293D95.700@us.fujitsu.com>
References: <8a706dbc0906050534m81ad5d8jd59d250f93f23c18@mail.gmail.com> <3CF163158B00244D8E1581BF5F5C05B308E62CA5@exchange1.Staff.Canyons.edu> <4A293D95.700@us.fujitsu.com>
Message-ID: <3CF163158B00244D8E1581BF5F5C05B308E62D3B@exchange1.Staff.Canyons.edu>

http://linux.die.net/man/5/sudoers

    pete HPPA = /usr/bin/passwd [A-z]*, !/usr/bin/passwd root

The user pete is allowed to change anyone's password except for root on the HPPA machines. Note that this assumes passwd(1) does not take multiple usernames on the command line. (from page 10 of the above link)

Thank you for your email. Using the link above, I was able to add the line "pete..." to our sudoers file and restrict this user from changing the root password.

Marylou

-----Original Message-----
From: Matthew Stier [mailto:Matthew.Stier at us.fujitsu.com]
Sent: Friday, June 05, 2009 8:45 AM

> As long as the user can gain root access to the 'passwd' command or passwd file, no. With 'sudo' you either have to be very restrictive, or very trusting.
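The three sudoers questions in this archive so far (Luis's directory wildcard in a Cmnd_Alias, Russell's advice to keep passwd and editors out of grants, and the "pete" rule above that subtracts one argument with '!') are all things a reviewer can check mechanically. The Python lint below is an added example written for this page, not code from the list or from sudo; the sample fragment is constructed from the lines posted here and the RISKY_BASENAMES list is my own choice.

```python
"""Lint a sudoers fragment for the patterns raised in the threads above.

Added example for this page, not part of sudo. It understands only plain
"user host = [(runas)] cmd, ..." specs and Cmnd_Alias lines, not the full
sudoers(5) grammar, and reports:
  MALFORMED_ALIAS  a Cmnd_Alias line that sudo would reject
  WILDCARD_PATH    a grant whose command path contains a wildcard
  RISKY_COMMAND    passwd, editors or shells granted under sudo
  NEGATION         a '!' entry, which sudoers(5) says is not a reliable limit
"""
import re
from typing import Dict, List, Tuple

Finding = Tuple[int, str, str]  # (line number, code, message)

# Constructed for this example (not a sudo built-in): commands that give a
# route to root on their own, so no argument filter makes granting them safe.
RISKY_BASENAMES = {"passwd", "vi", "vim", "ed", "sh", "bash", "ksh", "su"}

TAG_RE = re.compile(r"^(?:[A-Z]+:\s*)+")  # NOPASSWD:, NOEXEC:, ... prefixes
ALIAS_RE = re.compile(r"^Cmnd_Alias\s+([A-Z][A-Z0-9_]*)\s*=\s*(.+)$")
SPEC_RE = re.compile(r"^(\S+)\s+(\S+)\s*=\s*(?:\([^)]*\)\s*)?(.+)$")


def split_commands(cmd_list: str) -> List[str]:
    """Split a comma-separated command list and strip tags such as NOPASSWD:."""
    return [TAG_RE.sub("", c.strip()) for c in cmd_list.split(",") if c.strip()]


def expand(cmds: List[str], aliases: Dict[str, List[str]]) -> List[str]:
    """Replace Cmnd_Alias names (negated or not) with their member commands."""
    out: List[str] = []
    for cmd in cmds:
        name = cmd.lstrip("!")
        if name in aliases:
            prefix = "!" if cmd.startswith("!") else ""
            out.extend(prefix + member for member in aliases[name])
        else:
            out.append(cmd)
    return out


def check_command(lineno: int, cmd: str) -> List[Finding]:
    """Apply the command-level checks to one expanded command entry."""
    if cmd.startswith("!"):
        return [(lineno, "NEGATION",
                 f"'{cmd}' subtracts only an exact path/argument match; sudoers(5) "
                 "warns that taking commands away from ALL or another broad grant "
                 "with '!' is generally not effective, so review the positive entry")]
    findings: List[Finding] = []
    path = cmd.split()[0]
    if path != "ALL" and re.search(r"[*?\[]", path):
        findings.append((lineno, "WILDCARD_PATH",
                         f"'{path}' grants every file matching the pattern (a wildcard "
                         "never matches '/') with any arguments; check who can write there"))
    if path.rsplit("/", 1)[-1] in RISKY_BASENAMES:
        findings.append((lineno, "RISKY_COMMAND",
                         f"'{path}' under sudo is a route to root whatever else is "
                         "restricted (passwd, editors, shells)"))
    return findings


def lint(sudoers_text: str) -> List[Finding]:
    """Walk the fragment line by line, collecting aliases and checking user specs."""
    aliases: Dict[str, List[str]] = {}
    findings: List[Finding] = []
    for lineno, raw in enumerate(sudoers_text.splitlines(), 1):
        line = re.sub(r"\s#.*$", "", raw).strip()  # drop trailing comments
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        if line.startswith("Cmnd_Alias"):
            m = ALIAS_RE.match(line)
            if m is None:
                findings.append((lineno, "MALFORMED_ALIAS",
                                 "expected 'Cmnd_Alias NAME = cmd, ...'"))
                continue
            aliases[m.group(1)] = split_commands(m.group(2))
            continue  # members are checked where a user spec grants them
        if re.match(r"^(User|Host|Runas)_Alias\b", line):
            continue  # other alias kinds are out of scope for this lint
        m = SPEC_RE.match(line)
        if m is None:
            findings.append((lineno, "UNPARSED", "not a user spec this lint understands"))
            continue
        for cmd in expand(split_commands(m.group(3)), aliases):
            findings.extend(check_command(lineno, cmd))
    return findings


# Constructed sample: the lines posted in the threads above, plus a root entry.
SAMPLE = """\
# constructed fragment for the lint above
Cmnd_Alias = DBSCRIPTS = /db/scripts/*
Cmnd_Alias DBSCRIPTS = /db/scripts/*
luis ALL = DBSCRIPTS
pete HPPA = /usr/bin/passwd [A-z]*, !/usr/bin/passwd root
ops ALL = NOPASSWD: /usr/bin/vi
root ALL = (ALL) ALL
"""

if __name__ == "__main__":
    for lineno, code, message in lint(SAMPLE):
        print(f"line {lineno}: {code}: {message}")
```

Run against the sample it reports the malformed alias on line 2, the directory wildcard that luis inherits through DBSCRIPTS, both halves of the pete rule, and the editor grant; the root entry produces nothing.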
From martin at oneiros.de Fri Jun 5 14:56:28 2009
From: martin at oneiros.de (Martin Schröder)
Date: Fri, 5 Jun 2009 20:56:28 +0200
Subject: [sudo-users] How to restrict sudo users from changing root password
In-Reply-To: <3CF163158B00244D8E1581BF5F5C05B308E62D3B@exchange1.Staff.Canyons.edu>
References: <8a706dbc0906050534m81ad5d8jd59d250f93f23c18@mail.gmail.com> <3CF163158B00244D8E1581BF5F5C05B308E62CA5@exchange1.Staff.Canyons.edu> <4A293D95.700@us.fujitsu.com> <3CF163158B00244D8E1581BF5F5C05B308E62D3B@exchange1.Staff.Canyons.edu>
Message-ID: <68c491a60906051156m260de719l5dae0e682092e53e@mail.gmail.com>

2009/6/5, Kohlmeier, Marylou:
> http://linux.die.net/man/5/sudoers
>
> pete HPPA = /usr/bin/passwd [A-z]*, !/usr/bin/passwd root
> The user pete is allowed to change anyone's password except for root on
> the HPPA machines. Note that this assumes passwd(1) does not take
> multiple usernames on the command line. (from page 10 of the above link)

ln /usr/bin/passwd /tmp/foo
sudo /tmp/foo root

Best
Martin

From jespasac at minibofh.org Fri Jun 5 15:28:50 2009
From: jespasac at minibofh.org (Jordi Espasa)
Date: Fri, 05 Jun 2009 21:28:50 +0200
Subject: [sudo-users] How to use sudo without typing sudo before any command
In-Reply-To:
References:
Message-ID: <4A2971F2.7070106@minibofh.org>

Vijay Lad wrote:
> Hi All,
> I am very new user for sudo, I have install the sudo on my centos &
> its working fine. The problem is that, I have to enter sudo before running
> any command. Is there any way where I can enter sudo at start & after that I
> can run any command without typing sudo before command?

Little correction: not "any command" as you've said, only the commands that you can't execute as a normal user. So you need to execute them with sudo.

You can always set up a lot of aliases in your shell rc config file (the syntax differs depending on the concrete shell you use). But you should be aware that your laziness goes against the basic conception of sudo!
--
Thanks,
Jordi Espasa Clofent

From christian.peper at kpn.com Mon Jun 8 05:14:24 2009
From: christian.peper at kpn.com (christian.peper at kpn.com)
Date: Mon, 8 Jun 2009 11:14:24 +0200
Subject: [sudo-users] How to use sudo without typing sudo before any command
In-Reply-To: <8a706dbc0906050534m81ad5d8jd59d250f93f23c18@mail.gmail.com>
References: <8a706dbc0906050534m81ad5d8jd59d250f93f23c18@mail.gmail.com>
Message-ID:

Justin is completely right, of course. Sudo lets you use root-level commands that can seriously affect your system, without needing to know the root passwd or become the root user beforehand. If you need to do a lot of root-level things, for instance right after installation in a post-installation step, you should simply become root and do it. For occasional maintenance, sudo works fine. Sudo also logs who does what, if you have several people working on your system. If you're the only one, just switch to root (i.e. 'su -') for your maintenance.

Alternatively, you may increase the timeout sudo uses so you don't have to type the password quite so often. But you still need to use the sudo command.

Defaults timestamp_timeout=15

Chris.

> -----Original Message-----
> From: sudo-users-bounces at courtesan.com
> [mailto:sudo-users-bounces at courtesan.com] On Behalf Of Justin Alcorn
> Sent: Friday, June 05, 2009 2:35 PM
> To: Vijay Lad
> Cc: sudo-users at sudo.ws
> Subject: Re: [sudo-users] How to use sudo without typing sudo
> before any command
>
> The point of sudo is to make sure you know you're running a
> privileged command, and to log those commands. To not type
> 'sudo', you become root, but then you lose all the benefits
> of sudo, including the logging.
>
> On Fri, Jun 5, 2009 at 8:20 AM, Vijay Lad wrote:
> > Hi All,
> >      I am very new user for sudo, I have install the sudo on my centos
> > & its working fine. The problem is that, I have to enter sudo before
> > running any command. Is there any way where I can enter sudo at start &
> > after that I can run any command without typing sudo before command?
> >
> > Please reply.
> >
> > Thanks,
> >
> > Vijay

From Francois.Mehault at netplus.fr Mon Jun 8 05:19:13 2009
From: Francois.Mehault at netplus.fr (François Mehault)
Date: Mon, 8 Jun 2009 11:19:13 +0200
Subject: [sudo-users] How to use sudo without typing sudo before any command
In-Reply-To:
References: <8a706dbc0906050534m81ad5d8jd59d250f93f23c18@mail.gmail.com>
Message-ID: <88A1FB305B58DA419D0F2CFDBB95B2D812B12F49C3@sylvaner.netis.priv>

You can do "sudo -i" or "sudo -s" maybe,

Regards,
François

-----Original Message-----
From: sudo-users-bounces at courtesan.com [mailto:sudo-users-bounces at courtesan.com] On behalf of christian.peper at kpn.com
Sent: Monday, 8 June 2009 11:14
To: sudo-users at sudo.ws
Subject: Re: [sudo-users] How to use sudo without typing sudo before any command

Justin is completely right, of course. Sudo lets you use root-level commands that can seriously affect your system, without needing to know the root passwd or become the root user beforehand. If you need to do a lot of root-level things, for instance right after installation in a post-installation step, you should simply become root and do it. For occasional maintenance, sudo works fine. Sudo also logs who does what, if you have several people working on your system. If you're the only one, just switch to root (i.e. 'su -') for your maintenance.

Alternatively, you may increase the timeout sudo uses so you don't have to type the password quite so often. But you still need to use the sudo command.

Defaults timestamp_timeout=15

Chris.
> -----Original Message-----
> From: sudo-users-bounces at courtesan.com
> [mailto:sudo-users-bounces at courtesan.com] On Behalf Of Justin Alcorn
> Sent: Friday, June 05, 2009 2:35 PM
> To: Vijay Lad
> Cc: sudo-users at sudo.ws
> Subject: Re: [sudo-users] How to use sudo without typing sudo
> before any command
>
> The point of sudo is to make sure you know you're running a
> privileged command, and to log those commands. To not type
> 'sudo', you become root, but then you lose all the benefits
> of sudo, including the logging.
>
> On Fri, Jun 5, 2009 at 8:20 AM, Vijay Lad wrote:
> > Hi All,
> > I am very new user for sudo, I have install the sudo on my centos
> > & its working fine. The problem is that, I have to enter sudo before
> > running any command. Is there any way where I can enter sudo at start &
> > after that I can run any command without typing sudo before command?
> >
> > Please reply.
> >
> > Thanks,
> >
> > Vijay

From ordinary_name at hotmail.com Tue Jun 9 12:39:04 2009
From: ordinary_name at hotmail.com (Tim Browne)
Date: Tue, 9 Jun 2009 12:39:04 -0400
Subject: [sudo-users] Sudo + LDAP + PAM does not work the first time
Message-ID:

Hi.

I currently have a multimaster LDAP setup with 3 masters with 3 slaves each. sudo is using PAM to authenticate.

Here is my /etc/pam.d/sudo:

auth      required  pam_ldap.so
account   required  pam_ldap.so
password  required  pam_ldap.so
session   required  pam_limits.so

and common-auth:

# /etc/pam.d/common-auth - authentication settings common to all services
#
# Includes mods for Office LDAP client
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
# traditional Unix authentication mechanisms.
#
#auth sufficient pam_ldap.so try_first_pass
#auth required pam_unix.so nullok_secure try_first_pass
auth [success=done default=ignore] pam_unix.so nullok_secure try_first_pass
# If LDAP is unavailable, go to next line. If authentication via LDAP is successful, skip 1 line.
# If LDAP is available, but authentication is NOT successful, skip 2 lines.
auth [authinfo_unavail=ignore success=1 default=2] pam_ldap.so use_first_pass
auth [default=done] pam_ccreds.so action=validate use_first_pass
auth [default=done] pam_ccreds.so action=store
auth [default=bad] pam_ccreds.so action=update

Something to consider is that the auth sufficient and auth required lines commented out in common-auth were uncommented prior to attempting a cached credentials setup.

Anyway, my issue: when logging into a master server, attempting sudo anything returns to the prompt without performing any action and with no output. Repeating the command works as intended. /var/log/sudo.log registers both commands as having happened. If I let the time stamp for sudo expire and try sudo again it WILL work after typing my password the first time. If I sudo -k and try a command, the first command will not complete and shows no output.

This is running Debian lenny 64 bit.

Does anyone have any idea what could be going on?

Thanks
Tim

From chy.causer at gmail.com Fri Jun 12 06:42:23 2009
From: chy.causer at gmail.com (Chris Causer)
Date: Fri, 12 Jun 2009 11:42:23 +0100
Subject: [sudo-users] (Probably) basic problem with sudo and kerberos tickets
Message-ID: <3f3109d40906120342h7230053ci343d2b9d2343bb5@mail.gmail.com>

Hi Everyone,

My system authenticates using kerberos and that's fine. I've put myself in the sudoers list and that's fine, I can do sudo things.
My problem is that once the thing runs, it destroys my kerberos ticket. This happens whether I've had to enter the password or I'm within the "cached password" period. The system is Ubuntu (tested on 8.04, 8.10, 9.04). The pam file "sudo" includes common-auth, common-account and common-session, which is the same as the 'su' pam.d file, which doesn't destroy tickets.

Am I doing anything wrong?

Many thanks for the help.

Chris

Sudo version 1.6.9p17

From david.ledger at ivdcs.co.uk Fri Jun 12 20:16:04 2009
From: david.ledger at ivdcs.co.uk (David Ledger)
Date: Fri, 12 Jun 2009 17:16:04 -0700
Subject: [sudo-users] How to use sudo without typing sudo before any command
In-Reply-To: <8a706dbc0906050534m81ad5d8jd59d250f93f23c18@mail.gmail.com>
References: <8a706dbc0906050534m81ad5d8jd59d250f93f23c18@mail.gmail.com>
Message-ID:

At 08:34 -0400 5/6/09, Justin Alcorn wrote:
>The point of sudo is to make sure you know you're running a privileged
>command, and to log those commands. To not type 'sudo', you become
>root, but then you lose all the benefits of sudo, including the
>logging.
>
>On Fri, Jun 5, 2009 at 8:20 AM, Vijay Lad wrote:
>> Hi All,
>>      I am very new user for sudo, I have install the sudo on my centos &
>> its working fine. The problem is that, I have to enter sudo before running
>> any command. Is there any way where I can enter sudo at start & after that I
>> can run any command without typing sudo before command?

There must be lots of people using sudo to run individual commands as root, but in my experience, across many companies, sudo is mainly used in the way Vijay wants. Other uses have been to allow specific users to run something as 'oracle' and, 9 years ago, to mount a CD as root.

I use the alias

    soot='sudo -p "Password: " -H -- -ksh -o vi'

in my own environment, which shows how to do it. Using it this way is useful for allowing SysAdmins to work without passing out the root password, which remains in a safe for use in emergencies.
David

--
David Ledger - Freelance Unix Sysadmin in the UK.
HP-UX specialist of hpUG technical user group (www.hpug.org.uk)
david.ledger at ivdcs.co.uk
www.ivdcs.co.uk

From david.ledger at ivdcs.co.uk Fri Jun 12 20:20:14 2009
From: david.ledger at ivdcs.co.uk (David Ledger)
Date: Fri, 12 Jun 2009 17:20:14 -0700
Subject: [sudo-users] (correction) How to use sudo without typing sudo before any command
Message-ID:

At 08:34 -0400 5/6/09, Justin Alcorn wrote:
>The point of sudo is to make sure you know you're running a privileged
>command, and to log those commands. To not type 'sudo', you become
>root, but then you lose all the benefits of sudo, including the
>logging.
>
>On Fri, Jun 5, 2009 at 8:20 AM, Vijay Lad wrote:
>> Hi All,
>>      I am very new user for sudo, I have install the sudo on my centos &
>> its working fine. The problem is that, I have to enter sudo before running
>> any command. Is there any way where I can enter sudo at start & after that I
>> can run any command without typing sudo before command?

There must be lots of people using sudo to run individual commands as root, but in my experience, across many companies, sudo is mainly used in the way Vijay wants. Other uses have been to allow specific users to run something as 'oracle' and, 9 years ago, to mount a CD as root.

I use the alias

    soot='sudo -p "Password: " -H -- /bin/ksh -o vi'

in my own environment, which shows how to do it. Using it this way is useful for allowing SysAdmins to work without passing out the root password, which remains in a safe for use in emergencies.

(I just copy-pasted my alias in there, forgetting that I have a link on my PATH called '-ksh' to /bin/ksh, which starts a ksh as a login shell).

David

--
David Ledger - Freelance Unix Sysadmin in the UK.
HP-UX specialist of hpUG technical user group (www.hpug.org.uk)
david.ledger at ivdcs.co.uk
www.ivdcs.co.uk

From russell+sudo-users at loosenut.com Fri Jun 12 21:57:48 2009
From: russell+sudo-users at loosenut.com (Russell Van Tassell)
Date: Fri, 12 Jun 2009 18:57:48 -0700
Subject: [sudo-users] (correction) How to use sudo without typing sudo before any command
In-Reply-To:
References:
Message-ID: <20090613015748.GL8688@fubar.loosenut.com>

On Fri, Jun 12, 2009 at 05:20:14PM -0700, David Ledger wrote:
> At 08:34 -0400 5/6/09, Justin Alcorn wrote:
> > [sudo su]
>
> There must be lots of people using sudo to run individual commands as
> root, but in my experience, across many companies, sudo is mainly
> used in the way Vijay wants. Other uses have been to allow specific
> users to run something as 'oracle' and, 9 years ago, to mount a CD as
> root.

To me, that argument is basically as good as saying "no need to make process or practice improvements, as the same error-prone way still works okay for me." That's fine if that's what you really want to do... but people here are telling you there are better and "more supported" ways of implementing this sort of thing.

You can ride a bike without a helmet, too... and that's "just fine." But it doesn't mean that someday that practice isn't going to hurt or maim you, even through no account of your own. (Yes, I realize that's kind of a bizarre analogy, but it's been a long week).

> Using it this way is
> useful for allowing SysAdmins to work without passing out the root
> password, which remains in a safe for use in emergencies.

Sure... for some value of "safe."

However, for companies that are truly looking for (insert various compliance certificates/agencies here), attempting to lock down and enforce things such as principle of least privilege, traceable levels of accounting and others... well, sudo is a great tool (meanwhile the passwords stay locked up in a PGP encrypted "vault" or similar, for those same "emergencies").
And yes, I realize that with a lot of this you may also "have to trust your employees" -- unfortunately that's not always truly possible or even a major concern.

From david.ledger at ivdcs.co.uk Sat Jun 13 22:37:28 2009
From: david.ledger at ivdcs.co.uk (David Ledger)
Date: Sat, 13 Jun 2009 19:37:28 -0700
Subject: [sudo-users] (correction) How to use sudo without typing sudo before any command
In-Reply-To: <20090613015748.GL8688@fubar.loosenut.com>
References: <20090613015748.GL8688@fubar.loosenut.com>
Message-ID:

At 18:57 -0700 12/6/09, Russell Van Tassell wrote:
>On Fri, Jun 12, 2009 at 05:20:14PM -0700, David Ledger wrote:
>> At 08:34 -0400 5/6/09, Justin Alcorn wrote:
>> > [sudo su]
>>
>> There must be lots of people using sudo to run individual commands as
>> root, but in my experience, across many companies, sudo is mainly
>> used in the way Vijay wants. Other uses have been to allow specific
>> users to run something as 'oracle' and, 9 years ago, to mount a CD as
>> root.
>
>To me, that argument is basically as good as saying "no need to make
>process or practice improvements, as the same error-prone way still
>works okay for me." That's fine if that's what you really want to
>do... but people here are telling you there are better and "more
>supported" ways of implementing this sort of thing.
>
>You can ride a bike without a helmet, too... and that's "just fine."
>But it doesn't mean that someday that practice isn't going to hurt
>or maim you, even through no account of your own. (Yes, I realize
>that's kind of a bizarre analogy, but it's been a long week).
>
>> Using it this way is
>> useful for allowing SysAdmins to work without passing out the root
>> password, which remains in a safe for use in emergencies.
>
>Sure... for some value of "safe."
>
>However, for companies that are truly looking for (insert various
>compliance certificates/agencies here), attempting to lock down and
>enforce things such as principle of least privilege, traceable levels
>of accounting and others... well, sudo is a great tool (meanwhile the
>passwords stay locked up in a PGP encrypted "vault" or similar, for
>those same "emergencies").
>
>And yes, I realize that with a lot of this you may also "have
>to trust your employees" -- unfortunately that's not always truly
>possible or even a major concern.

I haven't made the rules at those places. That's just what they do. Some of the companies might surprise you. I'm not suggesting that it's good practice, it's just the only way I've seen sudo used - and I've been a Unix SysAdmin for over 25 years - almost 20 of them as a contractor.

>Sure... for some value of "safe."

A 'safe' is a big metal cupboard with a lock. :-) from where business managers can retrieve an envelope containing the root password. It helps them feel they can have some control. Offer it in a 'digital vault' and they'd insist on writing the password to the vault in their diaries.

The only site I've worked at where there was a security audit, Unix failed because it wasn't VMS (the only system the auditor knew), and his opinion was, luckily, disregarded.

David

--
David Ledger - Freelance Unix Sysadmin in the UK.
HP-UX specialist of hpUG technical user group (www.hpug.org.uk)
david.ledger at ivdcs.co.uk
www.ivdcs.co.uk

From th.schreiber at ndr.de Mon Jun 15 05:22:34 2009
From: th.schreiber at ndr.de (th.schreiber at ndr.de)
Date: Mon, 15 Jun 2009 11:22:34 +0200
Subject: [sudo-users] sudo & LDAP
Message-ID:

Hi there!

I have a Linux SuSE server with sudo (how not) and I have an LDAP server. If I configure my users with primary group "wheel" and set this as a group without password (NOPASSWD) it works. But if I set the user to another group and the secondary (member) group to wheel it does not work; tell me why.
Example:

Got it with "id" on the server:

works:
uid=2000 (testuser) gid=10 Group= .... some other groups

works not:
uid=2000 (testuser) gid=1007 Group=10(wheel), .... other groups

Sudo is not in the LDAP server as an "ou"; in that case we like to use sudo traditionally.

sudo is: 1.6.8p12-18.14
OS: SuSE SLES 10 Patch2

From mmdongare at gmail.com Mon Jun 15 07:06:05 2009
From: mmdongare at gmail.com (Makarand Dongare)
Date: Mon, 15 Jun 2009 07:06:05 -0400
Subject: [sudo-users] sudo & LDAP
In-Reply-To:
References:
Message-ID: <54f8e8a10906150406x7b71a4f4oe34bf4588d0ecac5@mail.gmail.com>

You need to compile sudo with LDAP. Once you do that, secondary groups will also work properly. Read the documentation for details of the options for compiling sudo with LDAP.

Regards
Makarand Dongare

On 6/15/09, th.schreiber at ndr.de wrote:
> Hi there!
>
> I've a Linux SuSE Server with sudo (how not) an I have an LDAP Server. If
> I configure my Users with primary group "wheel" and set this as an group
> without password (NOPASSWD) it works.
> But if I set the user to another group and the secondary (member) to wheel
> it works not; tell my why.
>
> example:
>
> got it with "id" on server:
>
> works:
> uid=2000 (testuser) gid=10 Group= .... some other groups
>
> works not:
> uid=2000 (testuser) gid=1007 Group=10(wheel), .... other groups
>
> Sudo is not in the LDAP Server as an "ou", we like to use in that case
> sudo traditional.
>
> sudo is: 1.6.8p12-18.14
> OS: SuSE SLES 10 Patch2
>

From th.schreiber at ndr.de Tue Jun 16 02:37:22 2009
From: th.schreiber at ndr.de (th.schreiber at ndr.de)
Date: Tue, 16 Jun 2009 08:37:22 +0200
Subject: [sudo-users] Reply: Re: sudo & LDAP
In-Reply-To: <54f8e8a10906150406x7b71a4f4oe34bf4588d0ecac5@mail.gmail.com>
Message-ID:

OK, solved. Made sudo with LDAP and it works.
Thanks.

Makarand Dongare
15.06.2009 13:06

To: th.schreiber at ndr.de, sudo-users at sudo.ws
Cc:
Subject: Re: [sudo-users] sudo & LDAP

You need to compile sudo with LDAP. Once you do that, secondary groups will also work properly. Read the documentation for details of the options for compiling sudo with LDAP.

Regards
Makarand Dongare

On 6/15/09, th.schreiber at ndr.de wrote:
> Hi there!
>
> I've a Linux SuSE Server with sudo (how not) an I have an LDAP Server. If
> I configure my Users with primary group "wheel" and set this as an group
> without password (NOPASSWD) it works.
> But if I set the user to another group and the secondary (member) to wheel
> it works not; tell my why.
>
> example:
>
> got it with "id" on server:
>
> works:
> uid=2000 (testuser) gid=10 Group= .... some other groups
>
> works not:
> uid=2000 (testuser) gid=1007 Group=10(wheel), .... other groups
>
> Sudo is not in the LDAP Server as an "ou", we like to use in that case
> sudo traditional.
>
> sudo is: 1.6.8p12-18.14
> OS: SuSE SLES 10 Patch2
>

From robert.schuster at novartis.com Tue Jun 16 12:49:15 2009
From: robert.schuster at novartis.com (robert.schuster at novartis.com)
Date: Tue, 16 Jun 2009 18:49:15 +0200
Subject: [sudo-users] Robert Schuster/PH/Novartis is out of office
Message-ID:

I will be out of the office starting 16.06.2009 and will not return until 18.06.2009.

I will be reachable again from 18 June 2009. In urgent cases please contact the hotline on 0911 273 12820 or at the following e-mail address: nuernberg.hotline at novartis.com

I am out of office. I will return on June 18th, 2009. In urgent cases please contact the local help desk: nuernberg.hotline at novartis.com or call phone 0911 / 273 12 820.
From jon.seymour at gmail.com Thu Jun 18 03:29:39 2009
From: jon.seymour at gmail.com (Jon Seymour)
Date: Thu, 18 Jun 2009 17:29:39 +1000
Subject: [sudo-users] Understanding why processes launched by sudo do not inherit the controlling terminal
Message-ID: <2cfc40320906180029w7047aa05q9a1443059b5ff51f@mail.gmail.com>

On most of the Linux systems I am using (RHEL4, Ubuntu 9.0.4, SUSE 10?) the process launched by sudo inherits the controlling terminal of the launching process. However, on a particular RHEL5 server I am using, the launched process becomes detached from the controlling terminal.

For example (on the working system):

$ tty; sudo su - admin -c 'ps -u $(whoami)'
/dev/pts/0
  PID TTY          TIME CMD
14993 pts/0    00:00:00 su
15000 pts/0    00:00:00 ps

On the broken system:

$ tty; sudo su - admin -c 'ps -u $(whoami)'
/dev/pts/0
  PID TTY          TIME CMD
 1883 ?        00:00:00 ps

Can anyone explain why the behaviour w.r.t. controlling terminals would be different on each system?

The working system has sudo version 1.6.8p12, the broken system has sudo version 1.6.9p17.

jon seymour.

From roberto.borella at infocamere.it Wed Jun 17 09:52:27 2009
From: roberto.borella at infocamere.it (Borella Roberto)
Date: Wed, 17 Jun 2009 15:52:27 +0200
Subject: [sudo-users] problem on HP-UX 11.31 Itanium
Message-ID: <4A38F51B.6050706@infocamere.it>

Hi,

I have a problem with sudo on HP-UX 11.31 Itanium. After the installation of sudo 1.7.0 on the platform, when I try to execute a command with sudo (non-root user), the prompt that appears is the following:

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

Password:

What have I forgotten in order to execute sudo correctly?

Thanks.
Roberto

From Todd.Miller at courtesan.com Thu Jun 18 10:06:14 2009
From: Todd.Miller at courtesan.com (Todd C. Miller)
Date: Thu, 18 Jun 2009 10:06:14 -0400
Subject: [sudo-users] Understanding why processes launched by sudo do not inherit the controlling terminal
In-Reply-To: Your message of "Thu, 18 Jun 2009 17:29:39 +1000." <2cfc40320906180029w7047aa05q9a1443059b5ff51f@mail.gmail.com>
References: <2cfc40320906180029w7047aa05q9a1443059b5ff51f@mail.gmail.com>
Message-ID: <200906181406.n5IE6Fn6028102@core.courtesan.com>

What happens if you run:

$ tty; sudo -u admin ps -u admin

It's possible that one of the pam session actions is doing something funky.

 - todd

From jon.seymour at gmail.com Thu Jun 18 10:56:13 2009
From: jon.seymour at gmail.com (Jon Seymour)
Date: Fri, 19 Jun 2009 00:56:13 +1000
Subject: [sudo-users] Understanding why processes launched by sudo do not inherit the controlling terminal
In-Reply-To: <200906181406.n5IE6Fn6028102@core.courtesan.com>
References: <2cfc40320906180029w7047aa05q9a1443059b5ff51f@mail.gmail.com> <200906181406.n5IE6Fn6028102@core.courtesan.com>
Message-ID: <2cfc40320906180756p648260cdjc8e1ebc18694da1c@mail.gmail.com>

Todd,

Interesting. That reports the tty I expect to see.

So, I then tried:

su jseymour -c "ps -u jseymour"

and this gave a broken result on the broken machine and a good result on the other machines. In other words, it has nothing to do with sudo at all - it's su behaviour. Mmm. How strange.

Thanks very much for suggesting that, since it has got me a lot closer to understanding the issue. If you have any ideas about what to look at next, I'd certainly love to hear them!

jon.

On Fri, Jun 19, 2009 at 12:06 AM, Todd C. Miller wrote:
> What happens if you run:
>
> $ tty; sudo -u admin ps -u admin
>
> It's possible that one of the pam session actions is doing something
> funky.
>
>  - todd
>

From Todd.Miller at courtesan.com Thu Jun 18 11:35:09 2009
From: Todd.Miller at courtesan.com (Todd C. Miller)
Date: Thu, 18 Jun 2009 11:35:09 -0400
Subject: [sudo-users] Understanding why processes launched by sudo do not inherit the controlling terminal
In-Reply-To: Your message of "Fri, 19 Jun 2009 00:56:13 +1000." <2cfc40320906180756p648260cdjc8e1ebc18694da1c@mail.gmail.com>
References: <2cfc40320906180029w7047aa05q9a1443059b5ff51f@mail.gmail.com> <200906181406.n5IE6Fn6028102@core.courtesan.com> <2cfc40320906180756p648260cdjc8e1ebc18694da1c@mail.gmail.com>
Message-ID: <200906181535.n5IFZ93V019149@core.courtesan.com>

In message <2cfc40320906180756p648260cdjc8e1ebc18694da1c at mail.gmail.com>
so spake Jon Seymour (jon.seymour):

> In other words, it has nothing to do with sudo at all - it's su
> behaviour. Mmm. How strange.
>
> Thanks very much for suggesting that, since it has got me a lot closer
> to understanding the issue. If you have any ideas about what to look
> at next, I'd certainly love to hear them!

This is probably related to the problems seen here:

http://www.gratisoft.us/bugzilla/show_bug.cgi?id=304

One person reported that the problem was caused by a PAM-related patch RedHat made to coreutils (which includes su).

 - todd

From maniac.nl at gmail.com Fri Jun 19 05:31:22 2009
From: maniac.nl at gmail.com (Mark Janssen)
Date: Fri, 19 Jun 2009 11:31:22 +0200
Subject: [sudo-users] problem on HP-UX 11.31 Itanium
In-Reply-To: <4A38F51B.6050706@infocamere.it>
References: <4A38F51B.6050706@infocamere.it>
Message-ID: <531e3e4c0906190231r79a0c3m6ac05bd4c9fda8b@mail.gmail.com>

On Wed, Jun 17, 2009 at 3:52 PM, Borella Roberto wrote:
> hi,
>
> I've a problem with sudo on HP-UX 11.31 Itanium. After the installation
> of sudo 1.7.0 on the platform, when I try to execute a command with
> sudo (non-root user), the prompt that appears is the following:
>
> We trust you have received the usual lecture from the local System
> Administrator. It usually boils down to these three things:
>
>    #1) Respect the privacy of others.
>    #2) Think before you type.
>    #3) With great power comes great responsibility.
>
> Password:
>
> What I've forget to execute correctly sudo?

Nothing... this is normal behaviour the first time you run SUDO. Just enter your password (your user password) and the command should be executed.

You can disable this text with the 'lecture' option in the defaults section of your sudoers config.

--
Mark Janssen -- maniac(at)maniac.nl -- pgp: 0x357D2178
Unix / Linux Open-Source and Internet Consultant @ Snow.nl
Maniac.nl MarkJanssen.nl NerdNet.nl Unix.nl
Skype: markmjanssen ICQ: 129696007 irc: FooBar on undernet

From jon.seymour at gmail.com Fri Jun 19 09:08:46 2009
From: jon.seymour at gmail.com (Jon Seymour)
Date: Fri, 19 Jun 2009 23:08:46 +1000
Subject: [sudo-users] Understanding why processes launched by sudo do not inherit the controlling terminal
In-Reply-To: <200906181535.n5IFZ93V019149@core.courtesan.com>
References: <2cfc40320906180029w7047aa05q9a1443059b5ff51f@mail.gmail.com> <200906181406.n5IE6Fn6028102@core.courtesan.com> <2cfc40320906180756p648260cdjc8e1ebc18694da1c@mail.gmail.com> <200906181535.n5IFZ93V019149@core.courtesan.com>
Message-ID: <881BE802-7754-42E4-932A-29A0D44C3F56@gmail.com>

Todd,

I tracked down a RedHat bug report about this very issue which was closed as not a defect. [do not have reference handy right now]. It was closed for the completely spurious reason that no-one could possibly wish to invoke an interactive shell from a command launched with su -c. I shall attempt to do battle with this mind-bendingly closed-minded myopia in the appropriate forum. Grrr!

jon.

On 19/06/2009, at 1:35 AM, "Todd C. Miller" wrote:
> In message <2cfc40320906180756p648260cdjc8e1ebc18694da1c at mail.gmail.com>
> so spake Jon Seymour (jon.seymour):
>
>> In other words, it has nothing to do with sudo at all - it's su
>> behaviour. Mmm. How strange.
>> >> Thanks very much for suggestion that, since it has got me a lot >> closer >> to understanding the issue. If you have any ideas about what to look >> at next, I'd certainly love to hear them! > > This is probably related to the problems seen here: > http://www.gratisoft.us/bugzilla/show_bug.cgi?id=304 > > One person reported that the problem was caused by a PAM-related > patch RedHat made to coreutils (which includes su). > > - todd From jon.seymour at gmail.com Fri Jun 19 20:58:56 2009 From: jon.seymour at gmail.com (Jon Seymour) Date: Sat, 20 Jun 2009 10:58:56 +1000 Subject: [sudo-users] Understanding why processes launched by sudo do not inherit the controlling terminal In-Reply-To: <881BE802-7754-42E4-932A-29A0D44C3F56@gmail.com> References: <2cfc40320906180029w7047aa05q9a1443059b5ff51f@mail.gmail.com> <200906181406.n5IE6Fn6028102@core.courtesan.com> <2cfc40320906180756p648260cdjc8e1ebc18694da1c@mail.gmail.com> <200906181535.n5IFZ93V019149@core.courtesan.com> <881BE802-7754-42E4-932A-29A0D44C3F56@gmail.com> Message-ID: <2cfc40320906191758y3a3988day2d3bd391f8204b3@mail.gmail.com> Todd, Good news! The RedHat su command has an extra option --session-command that can be used to make it behave as per the -c option on most other platforms. Thanks again for your help with this! jon. On Fri, Jun 19, 2009 at 11:08 PM, Jon Seymour wrote: > Todd, > > I tracked down a RedHat bug report about this very issue which was closed as > not a defect. [do not have reference handy right now]. It was closed for the > completely spurious reason that no-one could possibly wish to > invoke an an interactives shell from a command launched with su -c. > > I shall attempt to do battle with this mind-bendingly closed-minded myopia > in the appropriate forum. Grrr! > > jon. > > On 19/06/2009, at 1:35 AM, "Todd C. Miller" > wrote: > >> In message <2cfc40320906180756p648260cdjc8e1ebc18694da1c at mail.gmail.com> >> ? 
so spake Jon Seymour (jon.seymour): >> >>> In other words, it has nothing to do with sudo at all - it's su >>> behaviour. Mmm. How strange. >>> >>> Thanks very much for suggestion that, since it has got me a lot closer >>> to understanding the issue. If you have any ideas about what to look >>> at next, I'd certainly love to hear them! >> >> This is probably related to the problems seen here: >> http://www.gratisoft.us/bugzilla/show_bug.cgi?id=304 >> >> One person reported that the problem was caused by a PAM-related >> patch RedHat made to coreutils (which includes su). >> >> - todd > From e9427749 at stud4.tuwien.ac.at Wed Jun 24 17:26:16 2009 From: e9427749 at stud4.tuwien.ac.at (josef schmid) Date: Wed, 24 Jun 2009 23:26:16 +0200 Subject: [sudo-users] Always parse error (except for empty sudoers) Message-ID: <4A4299F8.8090508@stud4.tuwien.ac.at> Hi, all! After compiling sudo (v1.7.1 & also v1.7.2b3 tested) sudo and visudo -scf always results in a syntax/parse error. This problem occur for: a) the sudoers file in the package (=> line 3) b) with only the following line as content: root ALL=(ALL) ALL (=> line 0) c) For a file with only comments (=> line 3 if more than 3lines) d) for everything else, except empty file For HP-UX B.11.00, gcc v3.0.4, Flex v2.5.4, bison v1.875) I have read INSTALL & the FAQs but i cannot find something that help me. Maybe somebody can point me in the correct direction. TIA, JS BTW, the v1.7.2b3 uses setegid inside runas_setup() in set_perms.c directly, independently if HAVE_SETEUID is defined. From Todd.Miller at courtesan.com Thu Jun 25 08:41:56 2009 From: Todd.Miller at courtesan.com (Todd C. Miller) Date: Thu, 25 Jun 2009 08:41:56 -0400 Subject: [sudo-users] Always parse error (except for empty sudoers) In-Reply-To: Your message of "Wed, 24 Jun 2009 23:26:16 +0200." 
<4A4299F8.8090508@stud4.tuwien.ac.at> References: <4A4299F8.8090508@stud4.tuwien.ac.at> Message-ID: <200906251241.n5PCfuDG018520@core.courtesan.com> In message <4A4299F8.8090508 at stud4.tuwien.ac.at> so spake josef schmid (e9427749): > After compiling sudo (v1.7.1 & also v1.7.2b3 tested) > sudo and visudo -scf always results in a > syntax/parse error. > > This problem occur for: > a) the sudoers file in the package (=> line 3) > b) with only the following line as content: root ALL=(ALL) ALL > (=> line 0) > c) For a file with only comments (=> line 3 if more than 3lines) > d) for everything else, except empty file > > For HP-UX B.11.00, gcc v3.0.4, Flex v2.5.4, bison v1.875) Are you using the pre-generated parser that comes with sudo or are you regenerating it with your own bison and flex? Unless you passed configure --with-devel sudo will use the prebuild parser which should work fine. I've run into problems with different versions of flex on some systems, resulting in behavior like what you report above. - todd From e9427749 at stud4.tuwien.ac.at Thu Jun 25 13:32:50 2009 From: e9427749 at stud4.tuwien.ac.at (josef schmid) Date: Thu, 25 Jun 2009 19:32:50 +0200 Subject: [sudo-users] Always parse error (except for empty sudoers) In-Reply-To: <200906251241.n5PCfuDG018520@core.courtesan.com> References: <4A4299F8.8090508@stud4.tuwien.ac.at> <200906251241.n5PCfuDG018520@core.courtesan.com> Message-ID: <4A43B4C2.5010606@stud4.tuwien.ac.at> Todd C. Miller schrieb: > In message <4A4299F8.8090508 at stud4.tuwien.ac.at> > so spake josef schmid (e9427749): > >> After compiling sudo (v1.7.1 & also v1.7.2b3 tested) >> sudo and visudo -scf always results in a >> syntax/parse error. 
>> >> This problem occur for: >> a) the sudoers file in the package (=> line 3) >> b) with only the following line as content: root ALL=(ALL) ALL >> (=> line 0) >> c) For a file with only comments (=> line 3 if more than 3lines) >> d) for everything else, except empty file >> >> For HP-UX B.11.00, gcc v3.0.4, Flex v2.5.4, bison v1.875) > > Are you using the pre-generated parser that comes with sudo or are > you regenerating it with your own bison and flex? Unless you passed > configure --with-devel sudo will use the prebuild parser which > should work fine. I've run into problems with different versions > of flex on some systems, resulting in behavior like what you report > above. I have tried both, same result. (With --with-devel additionally i get some compiler warnings.) First try was without. Maybe some other dependencies? Needed Libraries which are defective? configure search for sed, and the hp-ux version is a little strange. For what is sed needed? Make it sense retry this with gnu sed? What else can i try? $ make clean # or make distclean + reextracting def_data.[ch],toke.c,? $ ./configure --prefix=? --sysconfdir=/etc/sudo \ --with-passwd --with-noexec \ --with-env-editor --with-sudoers-gid=3 \ --with-sudoers-mode=0440 $ make $ ./visudo ? Trying this also with different CFLAGS ala -O2 -D_INCLUDE_XOPEN_SOURCE_EXTENDED -D_INCLUDE_HPUX_SOURCE -D_INCLUDE_POSIX_SOURCE ? (-D? affect compatibly macros in the std include files on the hp-ux). thanx, Jo "glueless" sef (BTW. Maybe nice to have: --allowed-sudoers-gids=0,3 --allowed-sudoers-modes=0640,0440,0400) From Todd.Miller at courtesan.com Sat Jun 27 17:06:54 2009 From: Todd.Miller at courtesan.com (Todd C. Miller) Date: Sat, 27 Jun 2009 17:06:54 -0400 Subject: [sudo-users] Always parse error (except for empty sudoers) In-Reply-To: Your message of "Thu, 25 Jun 2009 19:32:50 +0200." 
<4A43B4C2.5010606@stud4.tuwien.ac.at> References: <4A4299F8.8090508@stud4.tuwien.ac.at> <200906251241.n5PCfuDG018520@core.courtesan.com> <4A43B4C2.5010606@stud4.tuwien.ac.at> Message-ID: <200906272106.n5RL6ssm022606@core.courtesan.com> In message <4A43B4C2.5010606 at stud4.tuwien.ac.at> so spake josef schmid (e9427749): > I have tried both, same result. > (With --with-devel additionally i get some compiler warnings.) > First try was without. > > Maybe some other dependencies? Needed Libraries which are defective? > > configure search for sed, and the hp-ux version is a little strange. > For what is sed needed? Make it sense retry this with gnu sed? > > What else can i try? Can you try using the system compiler and see if that changes anything? E.g. give configure --with-CC=cc - todd From e9427749 at stud4.tuwien.ac.at Mon Jun 29 14:55:59 2009 From: e9427749 at stud4.tuwien.ac.at (josef schmid) Date: Mon, 29 Jun 2009 20:55:59 +0200 Subject: [sudo-users] Always parse error (except for empty sudoers) In-Reply-To: <200906272106.n5RL6ssm022606@core.courtesan.com> References: <4A4299F8.8090508@stud4.tuwien.ac.at> <200906251241.n5PCfuDG018520@core.courtesan.com> <4A43B4C2.5010606@stud4.tuwien.ac.at> <200906272106.n5RL6ssm022606@core.courtesan.com> Message-ID: <4A490E3F.3020704@stud4.tuwien.ac.at> Todd C. Miller schrieb: > In message <4A43B4C2.5010606 at stud4.tuwien.ac.at> > so spake josef schmid (e9427749): > >> I have tried both, same result. >> (With --with-devel additionally i get some compiler warnings.) >> First try was without. >> >> Maybe some other dependencies? Needed Libraries which are defective? [?] > > Can you try using the system compiler and see if that changes anything? > E.g. give configure --with-CC=cc After i read the 'Dynix' section, this was on my todo list anyway. But no success. :-( CC=cc; CFLAFS=-Ae; export CC CFLAGS ./configure ? --with-CC=cc --with(out)-noexec Beside a problem with the HP ANSI Compiler (a non patched error)?. 
It doesn't allow the building of noexec (No support of -b in cc directly, and with -Wl,-b the linker use the wrong crt0.o file). I get the same results. (Normally gcc works more often.) I can look at the source from the porting archive, maybe this guys have something hacked around. But the chances are not high. (On the other side, if the use -DAportable, hmm, so two things left what i can try?.) Maybe more error checks in sudo are helpful, than hopefully i get more information than that parsing fail. (I'm so shameless to ask for this. ;-) Something completely different: Some features i find nice: * If sudo resolve aliases late, than i think it is easier to build complex setup. E.g.: User_Alias DJANGO myacount Defaults:myaccount some_options Defaults:DJANGO some_other_options # instead of resolving DJANGO here, # the options are stored for the alias DJANGO HOST = cmd1 # uses some_other_options for cmd1 myaccount HOST = cmd2 # uses some_options # of course, for this example '!' can be used now?. * Allow combination ala: Defaults:DJANGO>root!CMDXS some_options_for_a_very_specific_case thanx for your help so far & for sudo, Jos "excuse for my bad english" ef ad 1) It seems: Instead of the availability of a patch, a new version can be purchased. Maybe ld /opt/langtools/lib/scrt0.o -b +h sudo_noexec.sl +b \ /usr/?/libexec -o .libs/sudo_noexec.sl .libs/sudo_noexec.o -lc works, (without -DAportable). But not with the help of cc -Wl! ad 2) But not today. ad 3) Not for me, at the moment ;-(
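Two things in this thread lend themselves to a worked example: the strict syntax check (visudo -scf) that kept failing for Josef, and his sketch of storing Defaults against a User_Alias and resolving membership only when a user's command is evaluated. The following is an added example and not part of the mailing-list posts, nor sudo's own parser: a toy parser for a small sudoers subset (User_Alias, Cmnd_Alias, Defaults and Defaults:target lines, and user-spec rules) that reports syntax errors by line number, rejects aliases that are used but never defined (in the spirit of visudo -s), and resolves which Defaults and rules apply to a user at lookup time. The sample sudoers text, the host name HOST, the commands cmd1/cmd2, the runas user dbadmin and the option names some_options/some_other_options are constructed placeholders taken from or modelled on Josef's sketch; the grammar covered here is deliberately much smaller than real sudoers.

```python
"""Toy parser for a small sudoers subset (constructed example, not sudo's grammar).

Covers: User_Alias / Cmnd_Alias definitions, Defaults and Defaults:target lines,
and "user host = (runas) cmnd" rules. Everything else is a syntax error.
"""
import re
from dataclasses import dataclass, field

ALIAS_RE = re.compile(r"^(User_Alias|Cmnd_Alias)\s+([A-Z][A-Z0-9_]*)\s*=\s*(.+)$")
DEFAULTS_RE = re.compile(r"^Defaults(?::(\S+))?\s+(.+)$")
RULE_RE = re.compile(r"^(\S+)\s+(\S+)\s*=\s*(?:\((\S+)\)\s*)?(.+)$")
ALIAS_NAME_RE = re.compile(r"^[A-Z][A-Z0-9_]*$")   # sudoers alias names are uppercase


@dataclass
class Sudoers:
    user_aliases: dict = field(default_factory=dict)  # name -> [members]
    cmnd_aliases: dict = field(default_factory=dict)  # name -> [commands]
    defaults: list = field(default_factory=list)      # (target or None, option, line)
    rules: list = field(default_factory=list)         # (user_spec, host, runas, cmnd, line)
    errors: list = field(default_factory=list)


def _split_list(text):
    return [x.strip() for x in text.split(",") if x.strip()]


def parse_sudoers(text):
    """Parse line by line; collect errors instead of raising so every line is checked."""
    s = Sudoers()
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # '#' starts a comment in this toy (no #include, no #uid)
        if not line:
            continue
        if m := ALIAS_RE.match(line):          # must be tried before RULE_RE, which would also match
            kind, name, members = m.groups()
            table = s.user_aliases if kind == "User_Alias" else s.cmnd_aliases
            if name in table:
                s.errors.append(f"{kind} {name} redefined near line {lineno}")
            table[name] = _split_list(members)
        elif m := DEFAULTS_RE.match(line):
            target, option = m.groups()
            s.defaults.append((target, option.strip(), lineno))
        elif m := RULE_RE.match(line):
            user, host, runas, cmnd = m.groups()
            s.rules.append((user, host, runas or "root", cmnd.strip(), lineno))
        else:
            s.errors.append(f"syntax error near line {lineno}")
    _check_alias_refs(s)
    return s


def _check_alias_refs(s):
    """Strict mode, in the spirit of visudo -s: an alias that is used but never
    defined is an error rather than silently becoming a literal name."""
    def is_alias_ref(tok):
        return tok != "ALL" and ALIAS_NAME_RE.match(tok) is not None
    for target, _opt, lineno in s.defaults:
        if target and is_alias_ref(target) and target not in s.user_aliases:
            s.errors.append(f"User_Alias {target} undefined near line {lineno}")
    for user, _host, _runas, cmnd, lineno in s.rules:
        if is_alias_ref(user) and user not in s.user_aliases:
            s.errors.append(f"User_Alias {user} undefined near line {lineno}")
        for tok in _split_list(cmnd):
            if is_alias_ref(tok) and tok not in s.cmnd_aliases:
                s.errors.append(f"Cmnd_Alias {tok} undefined near line {lineno}")


def expand_users(s, spec, _seen=None):
    """Set of user names a spec denotes; aliases may nest, cycles stop at _seen."""
    _seen = set() if _seen is None else _seen
    if spec not in s.user_aliases or spec in _seen:
        return {spec}
    _seen.add(spec)
    users = set()
    for member in s.user_aliases[spec]:
        users |= expand_users(s, member, _seen)
    return users


def expand_cmnds(s, spec, _seen=None):
    _seen = set() if _seen is None else _seen
    out = []
    for tok in _split_list(spec):
        if tok in s.cmnd_aliases and tok not in _seen:
            _seen.add(tok)
            out.extend(expand_cmnds(s, ",".join(s.cmnd_aliases[tok]), _seen))
        else:
            out.append(tok)
    return out


def user_matches(s, spec, user):
    return spec == "ALL" or user in expand_users(s, spec)


def defaults_for(s, user):
    """Options in effect for a user: global Defaults plus every Defaults:target whose
    target is the user or an alias that (transitively) contains them. Membership is
    resolved here, at lookup time, not when the Defaults line was read."""
    return [opt for target, opt, _ in s.defaults if target is None or user_matches(s, target, user)]


def rules_for(s, user):
    return [(host, runas, expand_cmnds(s, cmnd))
            for spec, host, runas, cmnd, _ in s.rules if user_matches(s, spec, user)]


SAMPLE_SUDOERS = """\
# constructed sample sudoers, not taken from any real host
User_Alias DJANGO = myaccount, webops
Cmnd_Alias DBSCRIPTS = /db/scripts/*
Defaults env_reset
Defaults:myaccount some_options
Defaults:DJANGO some_other_options
root ALL = (ALL) ALL
DJANGO HOST = cmd1
myaccount HOST = cmd2
webops HOST = (dbadmin) DBSCRIPTS
"""

if __name__ == "__main__":
    s = parse_sudoers(SAMPLE_SUDOERS)
    print("errors:", s.errors)
    for u in ("myaccount", "webops", "root"):
        print(u, defaults_for(s, u), rules_for(s, u))
```

Running the module prints no errors for the sample and shows that myaccount picks up both Defaults:myaccount and Defaults:DJANGO, while webops gets only the alias-level options plus the global env_reset. Feeding it a file with a missing '=' or an undefined alias produces the same kind of "near line N" diagnostics that visudo -scf gives, which is the quickest way to narrow a parse failure like the one in this thread down to a single line before suspecting the build itself.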