From jerome.m at gmail.com Fri May 1 11:19:49 2009
From: jerome.m at gmail.com (Jerome Macaranas)
Date: Fri, 1 May 2009 11:19:49 -0400
Subject: [sudo-users] help regarding sudo + TLS
Message-ID: <662701800905010819p171c506bofb93fbc5cef9cdca@mail.gmail.com>

hi,

I'm currently testing ldap + tls + sudo and I'm stuck at this error,
though I'm able to make sudo work via ldap:/// (w/o) tls.

LDAP Config Summary
===================
uri              ldaps://vm2.work.com/
ldap_version     3
sudoers_base     ou=SUDOers,dc=work,dc=com
binddn           (anonymous)
bindpw           (anonymous)
bind_timelimit   120000
timelimit        120
ssl              (no)
===================
sudo: ldap_initialize(ld, ldaps://vm2.work.com/)
sudo: ldap_set_option: debug -> 0
sudo: ldap_set_option: ldap_version -> 3
sudo: ldap_set_option: timelimit -> 120
sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 120)
sudo: ldap_sasl_bind_s(): Can't contact LDAP server

Details:
openldap-2.2.13-12.el4
sudo-1.7.1

thanks,

From: megadethpaw at hotmail.co.uk (megadethpaw megadethpaw)
Date: Fri, 1 May 2009 15:43:34 +0000
Subject: [sudo-users] sudo with -i option
Message-ID:

Hi,

I have a solaris 9 server running sudo.1.7.1 and it seems to be working
fine except for one problem.

In my sudoers file I have a command set up to run as root user, this
works fine, eg:-

sudo

However if I run the following I see the warning sudo screen and am
asked for a password:-

sudo -i

Can anyone shed any light on this please? I'm fairly sure that it's the
solaris 9 environment as solaris 8/10 work fine with "sudo -i".

Hope you can help.

Jeff
From: Todd.Miller at courtesan.com (Todd C. Miller)
Date: Fri, 01 May 2009 11:49:22 -0400
Subject: [sudo-users] sudo with -i option
In-Reply-To: Your message of "Fri, 01 May 2009 15:43:34 -0000."
References:
Message-ID: <200905011549.n41FnMF9002707@core.courtesan.com>

In message
  so spake megadethpaw megadethpaw (megadethpaw):

> I have a solaris 9 server running sudo.1.7.1 and it seems to be working fine
> except for one problem.
>
> In my sudoers file I have a command set up to run as root user, this works
> fine, eg:-
>
> sudo
>
> However if I run the following I see the warning sudo screen and am asked for
> a password:-
>
> sudo -i
>
> Can anyone shed any light on this please?

When you run "sudo -i command" what really is executed is "shell -c
command", where shell is the shell of the target user (usually /bin/sh
on Solaris for root).  That means your sudoers file needs to allow
"/bin/sh -c command", not just "command".

 - todd
From: Todd.Miller at courtesan.com (Todd C. Miller)
Date: Fri, 01 May 2009 12:41:26 -0400
Subject: [sudo-users] help regarding sudo + TLS
In-Reply-To: Your message of "Fri, 01 May 2009 11:19:49 EDT." <662701800905010819p171c506bofb93fbc5cef9cdca@mail.gmail.com>
References: <662701800905010819p171c506bofb93fbc5cef9cdca@mail.gmail.com>
Message-ID: <200905011641.n41GfQch003949@core.courtesan.com>

In message <662701800905010819p171c506bofb93fbc5cef9cdca at mail.gmail.com>
  so spake Jerome Macaranas (jerome.m):

> im currently testing ldap + tls + sudo and Im stuck at this error.
>
> though im able to make sudo work via ldap:/// (w/o) tls.

ldaps (port 636) uses a different port than ldap (port 389).  Is your
server listening on port 636?  You may want to set

    ssl start_tls

in /etc/ldap.conf to start TLS over a normal (port 389) connection.
Also, you may need to use:

    tls_checkpeer no	# ignore server SSL certificate

if the server's cert cannot be validated.

 - todd
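The two settings Todd contrasts above (an ldaps:// URI on port 636 versus "ssl start_tls" on port 389) and the "tls_checkpeer no" escape hatch are easy to get wrong silently, so here is an added example that is not part of the thread or of sudo itself: a small Python linter that reads /etc/ldap.conf-style lines, works out which transport sudo's LDAP backend will end up using, and reports the weak outcomes. The "lint" helper and its finding strings are this example's own; the two sample configurations are constructed from the values in the thread. The model only looks at the first URI in the "uri" list, and it assumes that when "tls_checkpeer" is absent the library default (OpenLDAP's TLS_REQCERT demand) verifies the certificate.

```python
"""Derive the transport sudo's LDAP backend will use from ldap.conf-style
settings and flag the weak ones (added example, not sudo's own code)."""
from dataclasses import dataclass
from typing import Dict, List
from urllib.parse import urlsplit

LDAP_PORT, LDAPS_PORT = 389, 636


@dataclass
class LdapTransport:
    host: str
    port: int
    scheme: str        # "ldap" or "ldaps"
    start_tls: bool    # "ssl start_tls": upgrade the port-389 session with StartTLS
    check_peer: bool   # False when "tls_checkpeer no" disables certificate validation

    @property
    def encrypted(self) -> bool:
        return self.scheme == "ldaps" or self.start_tls


def parse_ldap_conf(text: str) -> Dict[str, str]:
    """ldap.conf is one 'key value' per line, '#' starts a comment, keys are
    case-insensitive and a later line overrides an earlier one."""
    opts: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        opts[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return opts


def transport_from_conf(text: str) -> LdapTransport:
    opts = parse_ldap_conf(text)
    uri = opts.get("uri", "ldap://localhost/").split()[0]   # first URI only
    parsed = urlsplit(uri)
    scheme = parsed.scheme.lower() or "ldap"
    port = parsed.port or (LDAPS_PORT if scheme == "ldaps" else LDAP_PORT)
    start_tls = opts.get("ssl", "").lower() == "start_tls"
    # Assumption of this model: an absent tls_checkpeer means the library
    # default applies, which verifies the server certificate.
    check_peer = opts.get("tls_checkpeer", "yes").lower() not in ("no", "false", "off", "0")
    return LdapTransport(parsed.hostname or "localhost", port, scheme, start_tls, check_peer)


def lint(text: str) -> List[str]:
    """Findings a reviewer would raise for this configuration (hypothetical helper)."""
    t = transport_from_conf(text)
    findings: List[str] = []
    if not t.encrypted:
        findings.append(f"plaintext: sudoers lookups to {t.host}:{t.port} are unencrypted")
    if t.scheme == "ldaps" and t.start_tls:
        findings.append("ssl start_tls combined with an ldaps:// URI; use one or the other")
    if t.encrypted and not t.check_peer:
        findings.append("tls_checkpeer no: the server certificate is not validated, so a "
                        "server impersonating the directory could hand sudo forged sudoers entries")
    return findings


# Constructed samples: the reporter's settings, and the start_tls variant
# suggested in the thread with certificate checking switched off.
LDAPS_CONF = """\
uri ldaps://vm2.work.com/
ldap_version 3
sudoers_base ou=SUDOers,dc=work,dc=com
"""
STARTTLS_UNVERIFIED_CONF = """\
uri ldap://vm2.work.com/
ssl start_tls
tls_checkpeer no	# ignore server SSL certificate
"""

if __name__ == "__main__":
    for name, conf in (("ldaps", LDAPS_CONF), ("start_tls", STARTTLS_UNVERIFIED_CONF)):
        print(name, transport_from_conf(conf), lint(conf))
```

Running it shows why the reporter's ldaps:// URI ends up on port 636 rather than the 389 the server answers on, and that the start_tls variant is only acceptable until "tls_checkpeer no" is reverted once the server certificate can be validated.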
From: russell+sudo-users at loosenut.com (Russell Van Tassell)
Date: Fri, 1 May 2009 12:08:58 -0700
Subject: [sudo-users] Bug: Sudo 1.7.1 Install
Message-ID: <20090501190858.GZ811@fubar.loosenut.com>

I think this bug's actually pretty old, but it's an annoyance with new
systems (mostly if you're building/templating a package); it may or may
not be a "Solaris only" sort of thing (not sure).

Basically, if you give "configure" a "--prefix" argument, sudo's man
pages will end up under "${prefix}/share/man" (aka a subdir to the
datadir)... however, if you leave it default, the share directory
disappears from the structure (eg. "${prefix}/man").

Steps to reproduce (Solaris 10 x86/amd64 used here):

  - ./configure --prefix=/tmp/sudo
  - gmake ; gmake -n install
  - Notice man pages to be installed in /tmp/sudo/share/man

  - ./configure --prefix=/usr/local
  - gmake ; gmake -n install
  - Notice man pages to be installed in /usr/local/share/man

  - ./configure
  - gmake ; gmake -n install
  - Notice man pages to be installed in /usr/local/man

At the very least, the last two scenarios should produce man pages in
the same spot.  More generally, resetting PREFIX should NOT nest man
pages down another level (isn't that what --mandir is for, anyway?).

Note: Configure does, indeed, claim datarootdir should be
"PREFIX/share," however it clearly ignores this when the package is
defaulted to the /usr/local location.

--
Russell M. Van Tassell
russell at loosenut.com

"I'd rather be dead than singing "Satisfaction" when I'm 45."
  -- Mick Jagger of the Rolling Stones (1970)
From: wesley.schwengle at is.online.nl (Wesley Schwengle)
Date: Fri, 1 May 2009 14:36:55 +0200 (CEST)
Subject: [sudo-users] Sudo and Solaris
Message-ID:

Hello to all,

I have a question regarding sudo and Solaris and Linux. If I do the
following on a Linux machine I have the $USER environment variable:

echo $USER
wesleys

If I sudo to root I still have the $USER variable:

sudo zsh
echo $USER
root

If I then su to my own user the $USER entry is correct again:

su - wesleys
echo $USER
wesleys

If I do the same on a Solaris box the $USER var disappears:

echo $USER
wesleys
sudo zsh
echo $USER
root
su - bull
echo $USER

Can someone explain to me why this is happening and how I can solve
this problem?

Cheers,
Wesley

--
Online Broadband BV, http://www.online.nl, http://www.euronet.nl
Wesley Schwengle, System Administrator, IT Operations
(Database/Application Management)
Muiderstraat 1, PO BOX 10241, 1001 EE Amsterdam,
T: +31 20 5355555, F: +31 20 5355749
From: erwin_hom at filemaker.com (Erwin Hom)
Date: Mon, 4 May 2009 17:07:13 -0700
Subject: [sudo-users] How userA can run userB's script
In-Reply-To: <200904281414.n3SEE7W2030041@core.courtesan.com>
References: <20FCEE8F-485C-4227-B823-F823BBE55827@filemaker.com> <200904281414.n3SEE7W2030041@core.courtesan.com>
Message-ID: <80C1CE2B-7D1E-4059-82ED-4C1D96E912A8@filemaker.com>

Hi Todd,

I tried your recommendation but couldn't get it to work.  I'm using
Mac OS X (10.5.5).  Here's what I did:

1. Created usera.  Password: abc
2. Created userb.  Password: xyz
3. added the following entry in /etc/sudoers:
   * Defaults:userb targetpw
4. Logged in as userb and created a shell script (echo "hello, this is
   user b!").  Set the permission of the shell script to be runnable
   only by the userb.  Log out.
5. Logged in as usera and attempted to execute shell script as userb
   with the following commandLine: "sudo -u userb userbscript.sh"

I entered userb's password when prompted.

This is the message that sudo displayed:

"usera is not in the sudoers file.  This incident will be reported."

What did I do wrong?  Did I miss a step along the way?

- Erwin

On Apr 28, 2009, at 7:14 AM, Todd C. Miller wrote:

> In message <20FCEE8F-485C-4227-B823-F823BBE55827 at filemaker.com>
> so spake (erwin_hom):
>
>> There is a setting in sudoers which lets you use the target user's
>> password, i.e.
>>
>> Defaults targetpw
>>
>> But it seems to be a default behavioral change of 'sudo' that affects
>> every users, not just userA, right?
>
> Correct.  However, you can bind that option specifically to userA.
> E.g.
>
> Defaults:userA targetpw
>
> and then whenever userA runs sudo he/she will need to use the
> password of the user the command is being run as.
>
> - todd
From: russell+sudo-users at loosenut.com (Russell Van Tassell)
Date: Mon, 4 May 2009 18:27:04 -0700
Subject: [sudo-users] How userA can run userB's script
In-Reply-To: <80C1CE2B-7D1E-4059-82ED-4C1D96E912A8@filemaker.com>
References: <20FCEE8F-485C-4227-B823-F823BBE55827@filemaker.com> <200904281414.n3SEE7W2030041@core.courtesan.com> <80C1CE2B-7D1E-4059-82ED-4C1D96E912A8@filemaker.com>
Message-ID: <20090505012703.GF811@fubar.loosenut.com>

What's the output of "sudo -l" for usera?  Chances are they're not
allowed to execute the script you've created...

On Mon, May 04, 2009 at 05:07:13PM -0700, Erwin Hom wrote:
> Hi Todd,
>
> I tried your recommendation but couldn't get it to work.
>
> commandLine: "sudo -u userb userbscript.sh"
>
> I entered userb's password when prompted.
>
> This is the message that sudo displayed:
>
> "usera is not in the sudoers file.  This incident will be reported."
>
> What did I do wrong?  Did I miss a step along the way?
>
> - Erwin

--
Russell M. Van Tassell
russell at loosenut.com

I've come up with a set of rules that describe our reactions to
technologies:
1. Anything that is in the world when you're born is normal and ordinary
   and is just a natural part of the way the world works.
2. Anything that's invented between when you're fifteen and thirty-five
   is new and exciting and revolutionary and you can probably get a career
   in it.
3. Anything invented after you're thirty-five is against the natural
   order of things.
  - Douglas Adams (1952 - 2001), The Salmon of Doubt, p. 95
From: erwin_hom at filemaker.com (Erwin Hom)
Date: Mon, 4 May 2009 19:05:51 -0700
Subject: [sudo-users] How userA can run userB's script
In-Reply-To: <20090505012703.GF811@fubar.loosenut.com>
References: <20FCEE8F-485C-4227-B823-F823BBE55827@filemaker.com> <200904281414.n3SEE7W2030041@core.courtesan.com> <80C1CE2B-7D1E-4059-82ED-4C1D96E912A8@filemaker.com> <20090505012703.GF811@fubar.loosenut.com>
Message-ID: <7A87A757-15C5-46B0-A945-2807690ED585@filemaker.com>

Hi Russell,

I ran "sudo -l" under usera.

Got prompted for a password.  Entered the root password and got the
following output:

"bash-3.2$ sudo -l
Password:
Sorry, user usera may not run sudo on 146x102."

Is there something to be added to sudoers that will allow usera to run
sudo?

Thanks,

- Erwin

On May 4, 2009, at 6:27 PM, Russell Van Tassell wrote:

>
> What's the output of "sudo -l" for usera?  Chances are they're not
> allowed to execute the script you've created...
>
>
> On Mon, May 04, 2009 at 05:07:13PM -0700, Erwin Hom wrote:
>> Hi Todd,
>>
>> I tried your recommendation but couldn't get it to work.
>>
>> commandLine: "sudo -u userb userbscript.sh"
>>
>> I entered userb's password when prompted.
>>
>> This is the message that sudo displayed:
>>
>> "usera is not in the sudoers file.  This incident will be reported."
>>
>> What did I do wrong?  Did I miss a step along the way?
>>
>> - Erwin
>
> --
> Russell M. Van Tassell
> russell at loosenut.com
>
> I've come up with a set of rules that describe our reactions to
> technologies:
> 1. Anything that is in the world when you're born is normal and ordinary
>    and is just a natural part of the way the world works.
> 2. Anything that's invented between when you're fifteen and thirty-five
>    is new and exciting and revolutionary and you can probably get a career
>    in it.
> 3. Anything invented after you're thirty-five is against the natural
>    order of things.
>   - Douglas Adams (1952 - 2001), The Salmon of Doubt, p. 95

From: christian.peper at kpn.com (christian.peper at kpn.com)
Date: Tue, 5 May 2009 09:06:54 +0200
Subject: [sudo-users] How userA can run userB's script
In-Reply-To: <7A87A757-15C5-46B0-A945-2807690ED585@filemaker.com>
References: <20FCEE8F-485C-4227-B823-F823BBE55827@filemaker.com> <200904281414.n3SEE7W2030041@core.courtesan.com> <80C1CE2B-7D1E-4059-82ED-4C1D96E912A8@filemaker.com> <20090505012703.GF811@fubar.loosenut.com> <7A87A757-15C5-46B0-A945-2807690ED585@filemaker.com>
Message-ID:

> -----Original Message-----
> Hi Russell,
>
> I ran "sudo -l" under usera.
>
> Got prompted for a password.  Entered the root password and
> got the following output:
>
> "bash-3.2$ sudo -l
> Password:
> Sorry, user usera may not run sudo on 146x102."
>

Erwin,

AFAIK sudo will always ask you for *your own* passwd or that of the
user you're switching to.  Never the root passwd.  Otherwise, if you
know the root passwd, what do you need sudo for? :)

Chris.
From: Todd.Miller at courtesan.com (Todd C. Miller)
Date: Tue, 05 May 2009 09:29:49 -0400
Subject: [sudo-users] How userA can run userB's script
In-Reply-To: Your message of "Mon, 04 May 2009 17:07:13 PDT." <80C1CE2B-7D1E-4059-82ED-4C1D96E912A8@filemaker.com>
References: <20FCEE8F-485C-4227-B823-F823BBE55827@filemaker.com> <200904281414.n3SEE7W2030041@core.courtesan.com> <80C1CE2B-7D1E-4059-82ED-4C1D96E912A8@filemaker.com>
Message-ID: <200905051329.n45DTn1S019193@core.courtesan.com>

In message <80C1CE2B-7D1E-4059-82ED-4C1D96E912A8 at filemaker.com>
  so spake (erwin_hom):

> 5. Logged in as usera and attempted to execute shell script as userb
> with the following
> commandLine: "sudo -u userb userbscript.sh"
>
> I entered userb's password when prompted.
>
> This is the message that sudo displayed:
>
> "usera is not in the sudoers file.  This incident will be reported."
>
> What did I do wrong?  Did I miss a step along the way?

Sounds like you didn't give usera permission to run the script in
the sudoers file.

 - todd
From: megadethpaw at hotmail.co.uk (megadethpaw megadethpaw)
Date: Tue, 5 May 2009 15:28:33 +0000
Subject: [sudo-users] Sudo and parameters to a script
Message-ID:

Hi,

I've installed sudo 1.7.1 on my Solaris box (have used earlier versions
before as well).

One thing I've often wanted to do is to restrict usage to a script that
can have a parameter of 2 values, for instance I have a script called
"timeofday" which can accept "morning" or "afternoon" as a parameter.

I know I can add a line such as:-

Cmnd_Alias Scpt = timeofday morning, timeofday afternoon

Is there a better way that it can be done, something like:-

Cmnd_Alias Scpt = timeofday morning||afternoon

The "||" means a logical or, so it basically says you must supply
"morning" or "afternoon" to the script?

Thanks

Jeff
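Both of Jeff's questions in this archive come down to the same rule: sudoers compares the command's path and, when the entry lists arguments, the argument string exactly as the user typed it. That is why Todd's earlier reply says a "sudo -i command" entry must allow "/bin/sh -c command" (sudo matches the rewritten command line, not the one on the prompt), and it is why listing each accepted argument form, as Jeff already does, is the way to restrict a parameter. The following Python is an added example written for this page, not sudo's code; it is a deliberately small model of that matching (no wildcards, no negation, no aliases), and the paths /usr/local/bin/timeofday and /usr/local/bin/report are assumed for illustration.

```python
"""Toy model of sudoers command matching: exact-argument Cmnd specs and the
argv rewrite that 'sudo -i command' performs (added example, not sudo's code)."""
from typing import List, Optional, Sequence, Tuple

# (program path, args): args is None when the spec lists no arguments (any
# arguments are then accepted), "" for a spec ending in "" (no arguments
# allowed), or the exact argument string the user must supply.
CmndSpec = Tuple[str, Optional[str]]


def parse_cmnd_list(text: str) -> List[CmndSpec]:
    """Parse a comma-separated Cmnd list, e.g. the right-hand side of
    'Cmnd_Alias Scpt = /usr/local/bin/timeofday morning, /usr/local/bin/timeofday afternoon'.
    Wildcards, negation and aliases are deliberately left out of this model."""
    specs: List[CmndSpec] = []
    for item in text.split(","):
        item = item.strip()
        if not item:
            continue
        if item.endswith('""'):
            specs.append((item[:-2].rstrip(), ""))
        elif " " in item:
            path, args = item.split(None, 1)
            specs.append((path, args.strip()))
        else:
            specs.append((item, None))
    return specs


def effective_argv(argv: Sequence[str], login_shell: bool,
                   target_shell: str = "/bin/sh") -> List[str]:
    """The command line sudo actually matches and runs.  With -i and a
    command, the command is handed to the target user's shell as
    'shell -c "command args"', so that is what sudoers has to allow."""
    if login_shell and argv:
        return [target_shell, "-c", " ".join(argv)]
    return list(argv)


def cmnd_matches(specs: Sequence[CmndSpec], argv: Sequence[str]) -> bool:
    """Exact matching: the path must be equal and, when the spec lists
    arguments, the user's argument string must be identical to it."""
    path, args = argv[0], " ".join(argv[1:])
    return any(spec_path == path and (spec_args is None or spec_args == args)
               for spec_path, spec_args in specs)


def is_permitted(cmnd_list: str, argv: Sequence[str], login_shell: bool = False,
                 target_shell: str = "/bin/sh") -> bool:
    return cmnd_matches(parse_cmnd_list(cmnd_list),
                        effective_argv(argv, login_shell, target_shell))


if __name__ == "__main__":
    TIMEOFDAY = "/usr/local/bin/timeofday morning, /usr/local/bin/timeofday afternoon"
    for arg in ("morning", "afternoon", "evening"):
        print(arg, is_permitted(TIMEOFDAY, ["/usr/local/bin/timeofday", arg]))
    # A spec written as 'morning||afternoon' is just a literal argument string.
    print(is_permitted("/usr/local/bin/timeofday morning||afternoon",
                       ["/usr/local/bin/timeofday", "morning"]))
    # 'sudo -i /usr/local/bin/report' is matched as '/bin/sh -c /usr/local/bin/report'.
    print(effective_argv(["/usr/local/bin/report"], login_shell=True))
```

The model makes the two consequences visible: "morning||afternoon" only ever matches a user who literally types that string, and an entry for /usr/local/bin/report alone never matches "sudo -i /usr/local/bin/report" because the argv sudo sees starts with the target user's shell.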
From: erwin_hom at filemaker.com (Erwin Hom)
Date: Tue, 5 May 2009 12:03:25 -0700
Subject: [sudo-users] How userA can run userB's script
In-Reply-To: <200905051329.n45DTn1S019193@core.courtesan.com>
References: <20FCEE8F-485C-4227-B823-F823BBE55827@filemaker.com> <200904281414.n3SEE7W2030041@core.courtesan.com> <80C1CE2B-7D1E-4059-82ED-4C1D96E912A8@filemaker.com> <200905051329.n45DTn1S019193@core.courtesan.com>
Message-ID: <2EA08037-5AC7-4AF9-8581-1BA3FA2252D1@filemaker.com>

Hi Todd,

What should we put in the sudoers file so that userA can run programs
or scripts with other users' permission if userA has their password?

Thanks,

- Erwin

On May 5, 2009, at 6:29 AM, Todd C. Miller wrote:

> In message <80C1CE2B-7D1E-4059-82ED-4C1D96E912A8 at filemaker.com>
> so spake (erwin_hom):
>
>> 5. Logged in as usera and attempted to execute shell script as userb
>> with the following
>> commandLine: "sudo -u userb userbscript.sh"
>>
>> I entered userb's password when prompted.
>>
>> This is the message that sudo displayed:
>>
>> "usera is not in the sudoers file.  This incident will be reported."
>>
>> What did I do wrong?  Did I miss a step along the way?
>
> Sounds like you didn't give usera permission to run the script in
> the sudoers file.
>
> - todd
From: russell+sudo-users at loosenut.com (Russell Van Tassell)
Date: Tue, 5 May 2009 12:38:09 -0700
Subject: [sudo-users] How userA can run userB's script
In-Reply-To: <2EA08037-5AC7-4AF9-8581-1BA3FA2252D1@filemaker.com>
Message-ID: <20090505193808.GA28338@fubar.loosenut.com>

On Tue, May 05, 2009 at 12:03:25PM -0700, Erwin Hom wrote:
> Hi Todd,
>
> What should we put in the sudoers file so that userA can run programs
> or scripts with
> other users' permission if userA has their password?
>
> Thanks,
>
> - Erwin

The purpose of sudo is, largely, to make it such that users DON'T share
passwords.  So, the entry for userA to run a particular script as userB
using THEIR OWN password would be something such as:

  userA HOSTLIST = (userB) /PATH/TO/COMMAND

Then on a machine in HOSTLIST (possibly ALL), userA would be able to do
something such as:

  sudo -u userB /PATH/TO/COMMAND

...and the password they'd use (by default) would be their own.

--
Russell M. Van Tassell
russell at loosenut.com

Incompetence: When you earnestly believe you can compensate for a lack
of skill by doubling your efforts, there's no end to what you can't do.
From: jefferson.vickers at googlemail.com (Jefferson Vickers)
Date: Tue, 5 May 2009 16:21:32 +0100
Subject: [sudo-users] Sudo and parameters to a script
Message-ID:

Hi,

I've installed sudo 1.7.1 on my Solaris box (have used earlier versions
before as well).

One thing I've often wanted to do is to restrict usage to a script that
can have a parameter of 2 values, for instance I have a script called
"timeofday" which can accept "morning" or "afternoon" as a parameter.

I know I can add a line such as:-

Cmnd_Alias Scpt = timeofday morning, timeofday afternoon

Is there a better way that it can be done, something like:-

Cmnd_Alias Scpt = timeofday morning||afternoon

The "||" means a logical or, so it basically says you must supply
"morning" or "afternoon" to the script?

Thanks

Jeff

From: LINDABE at za.ibm.com (Linda Belebesi)
Date: Thu, 7 May 2009 08:28:06 +0100
Subject: [sudo-users] Sudo installation on HP-UX 11.11
Message-ID:

Good day,

I'm new in UNIX and I have been assigned a task to setup SUDO on all our
HP boxes.  I would like to know if the installation will have any impact
to the current user's rights?  Is there any impact that the configuration
will have to the users rights and do I need downtime for the installation.
Any help will be highly appreciated.

Regards
Linda
Junior Unix Administrator
From: russell+sudo-users at loosenut.com (Russell Van Tassell)
Date: Thu, 7 May 2009 00:48:44 -0700
Subject: [sudo-users] Sudo installation on HP-UX 11.11
In-Reply-To:
References:
Message-ID: <20090507074844.GX811@fubar.loosenut.com>

Linda -

Sudo is pretty light-weight... a third-party tool that should result in
NO downtime on any new installation.  Provided either the config file or
binary don't already exist on a particular machine, there is no downtime
and/or service interruption or changes in privileges for any user.

Regards,
Russell

On Thu, May 07, 2009 at 08:28:06AM +0100, Linda Belebesi wrote:
> Good day,
> I'm new in UNIX and I have been assigned a task to setup SUDO on all our
> HP boxes. I would like to know if the installation will have any impact to
> the current user's rights? Is there any impact that the configuration will
> have to the users rights and do I need downtime for the installation. Any
> help will be highly appreciated.
>
> Regards
> Linda
> Junior Unix Administrator

--
Russell M. Van Tassell
russell at loosenut.com

"The thing is Bob, it's not that I'm lazy, it's that I just don't care."

From: juergen.hertling at bayerbbs.com (juergen.hertling at bayerbbs.com)
Date: Fri, 8 May 2009 10:29:37 +0200
Subject: [sudo-users] Check password expiration?
Message-ID:

Dear All

Can we make sudo check password expiration?

Mit freundlichen Grüßen / Best Regards

Jürgen Hertling
_________________________________________
BBS-ITO-BDC-APS-SSS
Bayer Business Services GmbH
Building B151
51368 Leverkusen, Germany
Tel: +49 214 30 56043
E-Mail: juergen.hertling at bayerbbs.com
Web: http://www.BayerBBS.com

Management: Chairman Daniel Hartert | Labour Director Norbert Fieseler
Chairman of the Supervisory Board: Klaus Kühn
Registered office: Leverkusen | Cologne District Court, HRB 49895
From: bernard.fay at gmail.com (Bernard Fay)
Date: Fri, 8 May 2009 08:29:27 -0400
Subject: [sudo-users] switch to another user
Message-ID:

Hi,

Using sudo, is it possible to allow a regular user to switch to another
regular user without a password?

In other words spock needs to switch to user kirk, and only kirk, without
a password.

I try to do something like sudo kirk or sudo -i kirk.

Is it possible?  If yes how?

Thanks
Bernard

From: Todd.Miller at courtesan.com (Todd C. Miller)
Date: Fri, 08 May 2009 10:47:16 -0400
Subject: [sudo-users] Check password expiration?
In-Reply-To: Your message of "Fri, 08 May 2009 10:29:37 +0200."
References:
Message-ID: <200905081447.n48ElGpD010027@core.courtesan.com>

In message
  so spake (juergen.hertling):

> Can we make sudo to check password expiration?

If sudo is configured to use PAM it will check for password expiration.

 - todd

From: russell+sudo-users at loosenut.com (Russell Van Tassell)
Date: Fri, 8 May 2009 09:31:40 -0700
Subject: [sudo-users] switch to another user
In-Reply-To:
References:
Message-ID: <20090508163140.GR811@fubar.loosenut.com>

I think the command you're looking for is "su" (switch user).  But then
you'll have to limit arguments to it.

On Fri, May 08, 2009 at 08:29:27AM -0400, Bernard Fay wrote:
> Hi,
>
> Using sudo, is it possible to allow a regular user to switch to another
> regular user without a password?
>
> In other words spock needs to switch to user kirk, and only kirk, without a
> password.
>
> I try to do something like sudo kirk or sudo -i kirk.
>
> Is it possible? If yes how?
>
> Thanks
> Bernard

--
Russell M. Van Tassell
russell at loosenut.com

While money can't buy happiness, it certainly lets you choose your own
form of misery.
From: jamie.beverly at yahoo.com (Jamie Beverly)
Date: Fri, 8 May 2009 10:46:48 -0700 (PDT)
Subject: [sudo-users] switch to another user
Message-ID: <146995.31277.qm@web31814.mail.mud.yahoo.com>

In /etc/sudoers

Host_Alias MYHOSTS = *.example.com
User_Alias KIRK_USERS = spock
Cmnd_Alias SHELLS = /bin/bash, /bin/sh, /bin/csh, /bin/tcsh

KIRK_USERS MYHOSTS = (kirk) NOPASSWD: SHELLS
# end of sudoers

Then Spock would run:

sudo -u kirk -s

Sent from my iPhone

On May 8, 2009, at 5:29 AM, Bernard Fay wrote:

Hi,

Using sudo, is it possible to allow a regular user to switch to another
regular user without a password?

In other words spock needs to switch to user kirk, and only kirk, without
a password.

I try to do something like sudo kirk or sudo -i kirk.

Is it possible?  If yes how?

Thanks
Bernard

From: alex_chen at filemaker.com (Alex Chen)
Date: Fri, 8 May 2009 18:48:10 -0700
Subject: [sudo-users] How to do 'su' programmatically?
Message-ID:

We want to be able to let our application, running with user ABC's
privilege, execute a program/script with user XYZ's privilege using
that user's password.  We are able to do this with the following
settings in the sudoers file, i.e.

Defaults: ABC targetpw, timestamp_timeout=0, passwd_tries=1
ABC localhost=(ALL) ALL

This approach works but it requires the end user to fiddle around with
sudoers.  We are thinking about doing something like 'su XYZ', which
requires the password and we need to feed it, and then do 'exec'.

Can anyone point me to the necessary Unix API to achieve these steps?

Any help is appreciated.

Alex
From: marcin.blazejewski at motorola.com (Blazejewski Marcin-AMB107)
Date: Fri, 8 May 2009 16:09:44 +0100
Subject: [sudo-users] sudo v1.7.1 runas group allows runas any user
Message-ID:

Hi all,

I've been playing with runas group functionality, new in 1.7 versions of
sudo.  If I understood the manual correctly, if I put something like this
in my sudoers file:

amb107 ALL=(:ftp) NOPASSWD:/usr/bin/id

... then I should only be allowed to run "id" command as ftp group, but
only as the same amb107 user.  From sudoers man:

---
If the first Runas_List is empty but the second is specified, the
command may be run as the invoking user with the group set to any listed
in the Runas_List.
---

However, I was able to run the command as any other user, including root:

[amb107 at rhel ~]$ sudo -g ftp id
uid=0(root) gid=50(ftp) groups=13(news),100(users)

[amb107 at rhel ~]$ sudo -u root -g ftp id
uid=0(root) gid=50(ftp) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)

This works only if I kept -g ftp switch:

[amb107 at rhel ~]$ sudo -u root id
Password:
Sorry, user amb107 is not allowed to execute '/usr/bin/id' as root on rhel.aaa2.com.

Is this a bug or am I missing something?  How can I restrict uid
escalation?

I'm using RHEL5, i686, sudo v1.7.1, only "--prefix+ option used during
the build.

Thanks in advance,
Marcin

From: bernard.fay at gmail.com (Bernard Fay)
Date: Sat, 9 May 2009 17:34:36 -0400
Subject: [sudo-users] Fwd: switch to another user
In-Reply-To: <146995.31277.qm@web31814.mail.mud.yahoo.com>
References: <146995.31277.qm@web31814.mail.mud.yahoo.com>
Message-ID:

Thanks Jamie,

It works exactly as needed!

---------- Forwarded message ----------
From: Jamie Beverly Date: Fri, May 8, 2009 at 1:46 PM Subject: Re: [sudo-users] switch to another user To: Bernard Fay Cc: "sudo-users at sudo.ws" In /etc/sudoers Host_Alias MYHOSTS = *.example.com User_Alias KIRK_USERS = spock Cmnd_Alias SHELLS = /bin/bash, /bin/sh, /bin/csh, /bin/tcsh KIRK_USERS MYHOSTS = (kirk) NOPASSWD: SHELLS # end of sudoers Then Spock would run: sudo -u kirk -s Sent from my iPhone On May 8, 2009, at 5:29 AM, Bernard Fay wrote: Hi, Using sudo, is it possible to allow a regular user to switch to another regular user without a password? In other words spock needs to switch to user kirk, and only kirk, without a password. I try to do something like sudo kirk or sudo -i kirk. Is it possible? If yes how? Thanks Bernard ____________________________________________________________ sudo-users mailing list For list information, options, or to unsubscribe, visit: http://www.sudo.ws/mailman/listinfo/sudo-users From Todd.Miller at courtesan.com Sat May 9 20:57:49 2009 From: Todd.Miller at courtesan.com (Todd C. Miller) Date: Sat, 09 May 2009 20:57:49 -0400 Subject: [sudo-users] sudo v1.7.1 runas group allows runas any user In-Reply-To: Your message of "Fri, 08 May 2009 16:09:44 BST." References: Message-ID: <200905100057.n4A0vnLQ026889@core.courtesan.com> In message so spake "Blazejewski Marcin-AMB107" (marcin.blazejewski): > Is this a bug or am I missing something? How can I restrict uid > escalation? > I'm using RHEL5, i686, sudo v1.7.1, only "--prefix+ option used duing > the build. This is a bug that was introduced in sudo 1.7.1. The following diff fixes it. - todd Index: sudo.c =================================================================== RCS file: /home/cvs/courtesan/sudo/sudo.c,v retrieving revision 1.511 diff -u -r1.511 sudo.c --- sudo.c 18 Apr 2009 23:25:08 -0000 1.511 +++ sudo.c 10 May 2009 00:56:44 -0000 
@@ -826,7 +826,7 @@ if (!update_defaults(SETDEF_CMND)) log_error(NO_STDERR|NO_EXIT, "problem with defaults entries"); - if (!runas_user) + if (!runas_user && !runas_group) set_runaspw(def_runas_default); /* may have been updated above */ return(rval); From marcin.blazejewski at motorola.com Mon May 11 04:39:30 2009 From: marcin.blazejewski at motorola.com (Blazejewski Marcin-AMB107) Date: Mon, 11 May 2009 09:39:30 +0100 Subject: [sudo-users] sudo v1.7.1 runas group allows runas any user In-Reply-To: <200905100057.n4A0vnLQ026889@core.courtesan.com> Message-ID: > > This is a bug that was introduced in sudo 1.7.1. The following diff > fixes it. > Thanks for quick response, but the patch still doesn't fix the problem. I've looked at the code and I've come up with the diff below. It seems to work, but its the first time I'm working with sudo code, so I'm not sure if that's the right way to solve it. Regards, Marcin --- match.c 2009-05-11 10:30:48.000000000 +0200 +++ /lab/sudo-1.7.1/match.c 2009-05-11 10:21:41.000000000 +0200 @@ -211,6 +211,7 @@ if (matched != UNSPEC) break; } + if (matched != ALLOW) return matched; } if (runas_gr != NULL) { From jespasac at minibofh.org Mon May 11 10:36:21 2009 
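Review bot: on the sudo.c hunk in Todd's first patch (`-	if (!runas_user)` / `+	if (!runas_user && !runas_group)`), skipping set_runaspw() only changes what runas_pw holds when -g is given alone; it does nothing about an explicit `-u root -g ftp` against an entry whose first Runas_List is empty, which is the invocation the report shows succeeding, and the follow-up in the thread confirms the symptom persists. The match side needs a check of its own for "user requested but none listed", and every later consumer of runas_pw now has to tolerate NULL for the group-only case.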
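Review bot: the `+	if (matched != ALLOW) return matched;` in the match.c hunk of Marcin's reply sits inside the block that is entered when runas_pw is set, after the user-list loop, so it only behaves as intended on a tree that already carries the sudo.c change leaving runas_pw NULL for a group-only `-g ftp`; on unmodified 1.7.1, where set_runaspw(def_runas_default) always runs, `matched` is still UNSPEC for an entry with no user list and `sudo -g ftp id` is refused outright. It also refuses `sudo -u amb107 -g ftp id`, although the man page text quoted in the report says the invoking user is the one permitted; comparing runas_pw->pw_name with the invoking user's name before returning would keep that case working. State the dependency on the sudo.c change in the patch description.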
From: jespasac at minibofh.org (Jordi Espasa Clofent)
Date: Mon, 11 May 2009 16:36:21 +0200
Subject: [sudo-users] sudo+ldap on Debian Lenny
Message-ID: <4A0837E5.4020200@minibofh.org>

Hi all,

I need to configure sudo with ldap in a Debian GNU/Linux environment.
I'm trying to compile the sources (the packages provided by upstream are
1.6.9.x in stable and only 1.7.0 in unstable).  When I do the
'./configure --with-pam' I always get:

[....]
configure: using the following authentication methods: pam
configure: creating ./config.status
config.status: creating Makefile
config.status: creating sudo.man
config.status: creating visudo.man
config.status: creating sudoers.man
config.status: creating sudoers.ldap.man
config.status: creating sudo_usage.h
config.status: creating config.h
config.status: config.h is unchanged
config.status: creating pathnames.h
config.status: pathnames.h is unchanged
configure: You will need to customize sample.pam and install it as /etc/pam.d/sudo

After a simple 'cp /sudo_sources_path/sample.pam /etc/pam.d/sudo' I get
again and again the same error.

Why?

--
Thanks,
Jordi Espasa Clofent
From: Todd.Miller at courtesan.com (Todd C. Miller)
Date: Mon, 11 May 2009 12:14:57 -0400
Subject: [sudo-users] sudo+ldap on Debian Lenny
In-Reply-To: Your message of "Mon, 11 May 2009 16:36:21 +0200." <4A0837E5.4020200@minibofh.org>
References: <4A0837E5.4020200@minibofh.org>
Message-ID: <200905111614.n4BGEv3H026287@core.courtesan.com>

In message <4A0837E5.4020200 at minibofh.org>
  so spake Jordi Espasa Clofent (jespasac):

> [....]
> configure: using the following authentication methods: pam
> configure: creating ./config.status
> config.status: creating Makefile
> config.status: creating sudo.man
> config.status: creating visudo.man
> config.status: creating sudoers.man
> config.status: creating sudoers.ldap.man
> config.status: creating sudo_usage.h
> config.status: creating config.h
> config.status: config.h is unchanged
> config.status: creating pathnames.h
> config.status: pathnames.h is unchanged
> configure: You will need to customize sample.pam and install it as
> /etc/pam.d/sudo
>
> After simple 'cp /sudo_sources_path/sample.pam /etc/pam.d/sudo' I get
> again and again the same error.

That is not an error, it is a warning to remind you that you may need
to customize /etc/pam.d/sudo.

 - todd

From: jespasac at minibofh.org (Jordi Espasa Clofent)
Date: Mon, 11 May 2009 18:51:29 +0200
Subject: [sudo-users] sudo+ldap on Debian Lenny [SOLVED]
In-Reply-To: <4A0837E5.4020200@minibofh.org>
References: <4A0837E5.4020200@minibofh.org>
Message-ID: <4A085791.9010002@minibofh.org>

> After simple 'cp /sudo_sources_path/sample.pam /etc/pam.d/sudo' I get
> again and again the same error.
>
> Why?

Sorry for the noise: it was a simple warning.  Shame on me.

Despite that, all works like a charm using the sources instead of the
Debian packages.

--
Thanks,
Jordi Espasa Clofent
From: Todd.Miller at courtesan.com (Todd C. Miller) Date: Mon, 11 May 2009 12:54:12 -0400 Subject: [sudo-users] sudo v1.7.1 runas group allows runas any user In-Reply-To: Your message of "Mon, 11 May 2009 09:39:30 BST." References: Message-ID: <200905111654.n4BGsCJo004183@core.courtesan.com> I think the following should cover all the bases. It also fixes the output of "sudo -l" for group-only entries. I made it print the user's name as the runas user instead of leaving the user blank because I find it easier to read that way, though I could be persuaded to change that. - todd Index: sudo.c =================================================================== RCS file: /home/cvs/courtesan/sudo/sudo.c,v retrieving revision 1.511 retrieving revision 1.512 diff -u -p -u -r1.511 -r1.512 --- sudo.c 18 Apr 2009 23:25:08 -0000 1.511 +++ sudo.c 10 May 2009 01:00:23 -0000 1.512 @@ -826,7 +826,7 @@ set_cmnd(sudo_mode) if (!update_defaults(SETDEF_CMND)) log_error(NO_STDERR|NO_EXIT, "problem with defaults entries"); - if (!runas_user) + if (!runas_user && !runas_group) set_runaspw(def_runas_default); /* may have been updated above */ return(rval); Index: match.c =================================================================== RCS file: /home/cvs/courtesan/sudo/match.c,v retrieving revision 1.42 retrieving revision 1.43 diff -u -p -u -r1.42 -r1.43 --- match.c 28 Mar 2009 13:07:16 -0000 1.42 +++ match.c 11 May 2009 16:47:10 -0000 1.43 
@@ -174,9 +174,13 @@ _runaslist_matches(user_list, group_list struct alias *a; int rval, matched = UNSPEC; - /* Deny if user specified a group but there is no group in sudoers */ - if (runas_gr != NULL && tq_empty(group_list)) - return(DENY); + if (runas_gr != NULL) { + if (tq_empty(group_list)) + return(DENY); /* group was specified but none in sudoers */ + if (runas_pw != NULL && strcmp(runas_pw->pw_name, user_name) && + tq_empty(user_list)) + return(DENY); /* user was specified but none in sudoers */ + } if (tq_empty(user_list) && tq_empty(group_list)) return(userpw_matches(def_runas_default, runas_pw->pw_name, runas_pw)); Index: parse.c =================================================================== RCS file: /home/cvs/courtesan/sudo/parse.c,v retrieving revision 1.240 retrieving revision 1.241 diff -u -p -u -r1.240 -r1.241 --- parse.c 18 Apr 2009 23:25:08 -0000 1.240 +++ parse.c 10 May 2009 11:33:45 -0000 1.241 @@ -328,8 +328,10 @@ sudo_file_display_priv_short(pw, us, lbu print_member(lbuf, m->name, m->type, m->negated, RUNASALIAS); } - } else { + } else if (tq_empty(&cs->runasgrouplist)) { lbuf_append(lbuf, def_runas_default, NULL); + } else { + lbuf_append(lbuf, pw->pw_name, NULL); } if (!tq_empty(&cs->runasgrouplist)) { lbuf_append(lbuf, " : ", NULL); @@ -377,8 +379,10 @@ sudo_file_display_priv_long(pw, us, lbuf print_member(lbuf, m->name, m->type, m->negated, RUNASALIAS); } - } else { + } else if (tq_empty(&cs->runasgrouplist)) { lbuf_append(lbuf, def_runas_default, NULL); + } else { + lbuf_append(lbuf, pw->pw_name, NULL); } lbuf_print(lbuf); if (!tq_empty(&cs->runasgrouplist)) { From marcin.blazejewski at motorola.com Tue May 12 04:04:11 2009 
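Review bot: the new `!runas_group` condition in set_cmnd() (sudo.c hunk) means a request that gives only -g leaves runas_pw unset instead of defaulting it to def_runas_default, so every later user of runas_pw must now cope with NULL. The match.c hunk guards its new strcmp() with `runas_pw != NULL`, but its closing `userpw_matches(def_runas_default, runas_pw->pw_name, runas_pw)` still dereferences it, and a reader has to trace that `runas_gr != NULL` with an empty group list returns DENY first to see that this path is unreachable with a NULL runas_pw. A comment on the changed line in sudo.c stating the invariant (group-only request: runas_pw stays NULL and the runas user is the invoker) would make that contract explicit.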
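Review bot: in the _runaslist_matches() hunk the added second DENY is what closes the reported hole (a sudoers entry with only a runas group, invoked as `-u otheruser -g group`), but it is only evaluated inside `if (runas_gr != NULL)`, so the same entry requested with `-u otheruser` and no -g is decided by the code after this hunk, which is not visible here and should be confirmed to deny as well. The trailing comment "user was specified but none in sudoers" also understates the rule: the check deliberately lets through the case where the requested user is the invoker (`strcmp(runas_pw->pw_name, user_name)` returns 0), so say that a group-only entry permits no runas user other than the invoking user.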
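Review bot: the else-if/else ladder added to sudo_file_display_priv_short() (print def_runas_default when the entry has no group list, otherwise pw->pw_name) is the display-side mirror of the policy match.c now enforces, and the identical ladder is added to sudo_file_display_priv_long() further down. Factor the "which runas user to print" decision into one small helper that returns the name and is used by both listing functions, so `sudo -l` cannot drift from what is actually matched, and give it a comment saying why pw->pw_name is the right user to show for a group-only entry.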
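Review bot: the sudo_file_display_priv_long() hunk repeats the short-form change verbatim, but the two functions are not symmetric around it: here the unchanged `lbuf_print(lbuf);` sits between the appended runas user and the `if (!tq_empty(&cs->runasgrouplist))` block, so the long listing emits the user and the group separately, whereas the short form joins them with " : ". Any shared helper introduced to remove the duplication should therefore only choose the name to print, not print it, and a one-line comment here noting that the group is printed on its own line would save the next reader from checking that ordering.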
From: marcin.blazejewski at motorola.com (Blazejewski Marcin-AMB107)
Date: Tue, 12 May 2009 09:04:11 +0100
Subject: [sudo-users] sudo v1.7.1 runas group allows runas any user
In-Reply-To: <200905111654.n4BGsCJo004183@core.courtesan.com>
Message-ID:

> I think the following should cover all the bases. It also fixes
> the output of "sudo -l" for group-only entries. I made it print
> the user's name as the runas user instead of leaving the user blank
> because I find it easier to read that way, though I could be persuaded
> to change that.

Works great now, thanks a lot!

Marcin

From skirkpatrick at ghx.com Tue May 12 20:24:36 2009
From: skirkpatrick at ghx.com (Steve Kirkpatrick)
Date: Tue, 12 May 2009 18:24:36 -0600
Subject: [sudo-users] sudo doesn't prompt for password before failing
Message-ID:

Hello,

I have installed LDAP-enabled sudo on two different Linux boxes and I get the same behavior. Hopefully someone has run across this before.

Site specifics:

16% uname -a
Linux nisvn01 2.6.18-128.1.6.el5 #1 SMP Tue Mar 24 12:10:27 EDT 2009 i686 i686 i386 GNU/Linux
17% sudo -V
Sudo version 1.6.9p20

sudo seems to be accessing LDAP OK since it knows what I am allowed to do (BTW, /etc/sudoers is empty):

14% sudo -l
User testuser may run the following commands on this host:

LDAP Role: seRoot
    RunAs: (ALL)
    Commands:
        ALL

This is what happens when I try to su to root:

18% sudo su -

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

Sorry, try again.
Sorry, try again.
Sorry, try again.
sudo: 3 incorrect password attempts
19%

You can see that it never prompts for the password. What could cause that behavior? This same version of sudo works fine on my Solaris servers using the same LDAP servers.

Any suggestions are appreciated.

Thanks,
Steve.

From Todd.Miller at courtesan.com Wed May 13 09:37:35 2009
From: Todd.Miller at courtesan.com (Todd C. Miller)
Date: Wed, 13 May 2009 09:37:35 -0400
Subject: [sudo-users] sudo doesn't prompt for password before failing
In-Reply-To: Your message of "Tue, 12 May 2009 18:24:36 MDT."
References:
Message-ID: <200905131337.n4DDbZPI018897@core.courtesan.com>

You do not have PAM setup correctly for sudo. If you do not have an /etc/pam.d/sudo file, copy the sample.pam file included with the sudo distribution to /etc/pam.d/sudo.

 - todd

From techchavez at gmail.com Wed May 13 12:11:55 2009
From: techchavez at gmail.com (J.)
Date: Wed, 13 May 2009 09:11:55 -0700
Subject: [sudo-users] LDAP issue.
Message-ID:

Hello list,

Is there anything I need to do to get SUDO to work against an LDAP server other than OpenLDAP using RHEL 5? Do I possibly need to use --with-ldap with a different directory or path?

I have built sudo with these configure options:

configure --prefix=/usr/local/sudo --with-ldap --with-ldap-conf-file=/etc/sudoers.ldap

This works great from my Solaris clients against a Fedora Directory server. However on RHEL 5 it does not. I am getting a "sudo: No valid sudoers sources found, exiting". This happens even though I have added "sudoers: ldap" to /etc/nsswitch.conf.

If I specify files only in nsswitch, then I get a prompt and when I enter the password it says "Sorry try again" 3 times immediately. I understand this is most likely a PAM issue because I saw a reply to a previous post saying that the way to fix this is to copy sample.pam to /etc/pam.d/sudo. This however did not fix it. I am less concerned with this than the LDAP not being recognized as a valid source.

What I have done on the RHEL box...

added sudoers: ldap to nsswitch.conf
added the following to /etc/sudoers.ldap:

host hostname
sudoers_base ou=SUDOers,o=ORG

Also the RHEL box works fine as an LDAP client.

Any ideas?

Thanks

From Todd.Miller at courtesan.com Wed May 13 15:17:48 2009
From: Todd.Miller at courtesan.com (Todd C. Miller)
Date: Wed, 13 May 2009 15:17:48 -0400
Subject: [sudo-users] LDAP issue.
In-Reply-To: Your message of "Wed, 13 May 2009 09:11:55 PDT."
References:
Message-ID: <200905131917.n4DJHm97007699@core.courtesan.com>

In message so spake "J." (techchavez):

> Is there anything I need to do to get SUDO to work against an LDAP
> server other than OpenLDAP using RHEL 5?
> Do I possibly need to use the --with-ldap with a different directory or path?
> I have built sudo with these configure options .
> configure --prefix=/usr/local/sudo --with-ldap
> --with-ldap-conf-file=/etc/sudoers.ldap.

That should be OK. Do you have the openldap-devel and pam-devel rpms installed?

> However on RHEL 5 it does not.
> I am getting a "sudo: no valid sudoers sources found, quitting"

That sounds like either sudo did not actually get built with ldap support, sudo isn't finding the ldap config file, or the connection to the ldap server is failing. However, if the connection failed, you should receive an error like "unable to initialize LDAP" first.

> This happens even though I have added "sudoers: ldap" to /etc/nsswitch.conf.
> If I specify files only in nsswitch, then the I get a prompt and when
> I enter the password it says.
> Sorry try again 3 times immediately.

Does it give you the chance to enter a password or does it just say "Sorry..." 3 times?

> I understand this is most likely a PAM issue because I saw a reply to
> a previous post saying that the way to fix this is to copy sample.pam
> to /etc/pam.d/sudo. This however did not fix it.

It may be simplest to just use the pam.d files that the RHEL5 sudo rpm comes with.

> I am less concerned with this than the LDAP not being recognized as a
> valid source.
>
> What I have done on the RHEL box...
> added sudoers: ldap to nsswitch.conf
> added the following to /etc/sudoers.ldap.
> host hostname
> sudoers_base ou=SUDOers,o=ORG

Try adding:

sudoers_debug 2

and see if you get any useful debugging info.

 - todd

From skirkpatrick at ghx.com Wed May 13 15:41:09 2009
From: skirkpatrick at ghx.com (Steve Kirkpatrick)
Date: Wed, 13 May 2009 13:41:09 -0600
Subject: [sudo-users] sudo doesn't prompt for password before failing
References: <200905131337.n4DDbZPI018897@core.courtesan.com>
Message-ID:

Thanks Todd. You nailed it. The problem was when I used rpm to remove the initial install of sudo. That removed the /etc/pam.d/sudo file.

Steve.

-----Original Message-----
From: Todd C. Miller [mailto:Todd.Miller at courtesan.com]
Sent: Wednesday, May 13, 2009 6:38 AM
To: Steve Kirkpatrick
Cc: sudo-users at sudo.ws
Subject: Re: [sudo-users] sudo doesn't prompt for password before failing

You do not have PAM setup correctly for sudo. If you do not have an /etc/pam.d/sudo file, copy the sample.pam file included with the sudo distribution to /etc/pam.d/sudo.

 - todd

From techchavez at gmail.com Wed May 13 19:29:11 2009
From: techchavez at gmail.com (J.)
Date: Wed, 13 May 2009 16:29:11 -0700
Subject: [sudo-users] LDAP issue.
In-Reply-To: <200905131917.n4DJHm97007699@core.courtesan.com>
References: <200905131917.n4DJHm97007699@core.courtesan.com>
Message-ID:

OK so the box is seeing LDAP now at least. I renamed the directory that I installed sudo from source into. I removed /etc/sudoers.ldap. I installed the sudo-el5.rpm package. I will most likely upgrade this box. Please see answers to inquiries below.

Thanks

>> Is there anything I need to do to get SUDO to work against an LDAP
>> server other than OpenLDAP using RHEL 5?
>> Do I possibly need to use the --with-ldap with a different directory or path?
>> I have built sudo with these configure options .
>> configure --prefix=/usr/local/sudo --with-ldap
>> --with-ldap-conf-file=/etc/sudoers.ldap.
>
> That should be OK. Do you have the openldap-devel and pam-devel
> rpms installed?

Yes I do have these installed.

>
>> However on RHEL 5 it does not.
>> I am getting a "sudo: no valid sudoers sources found, quitting"
>
> That sounds like either sudo did not actually get built with ldap
> support, sudo isn't finding the ldap config file, or the connection
> to the ldap server is failing. However, if the connection failed,
> you should receive an error like "unable to initialize LDAP" first.
>

This is finding my LDAP as a source now that I installed the el5-sudo rpm. I added sudo_debug 2 and I am getting initialization and a successful bind. Also searches for sudousers correctly.

>> This happens even though I have added "sudoers: ldap" to /etc/nsswitch.conf.
>> If I specify files only in nsswitch, then the I get a prompt and when
>> I enter the password it says.
>> Sorry try again 3 times immediately.
> Does it give you the chance to enter a password or does it just say
> "Sorry..." 3 times?

This is a strange one here.. I get a single prompt and if I enter the correct password it is fine. If I enter the incorrect password it says sorry 3 times and fails. However I have !authenticate in my defaults and I should not be getting prompted in any case. The ldapinitialize lists the defaults: !authenticate. So not sure what is going on there, PAM?

>> I understand this is most likely a PAM issue because I saw a reply to
>> a previous post saying that the way to fix this is to copy sample.pam
>> to /etc/pam.d/sudo. This however did not fix it.
>
> It may be simplest to just use the pam.d files that the RHEL5 sudo
> rpm comes with.

I agree. I now have the sudo files since I installed the rpm from repo, may need to be tweaked.

>
>> I am less concerned with this than the LDAP not being recognized as a
>> valid source.
>>
>> What I have done on the RHEL box...
>> added sudoers: ldap to nsswitch.conf
>> added the following to /etc/sudoers.ldap.
>> host hostname
>> sudoers_base ou=SUDOers,o=ORG
>
> Try adding:
> sudoers_debug 2
> and see if you get any useful debugging info.
>
> - todd
>

I will mention that I have some Fedora clients that are working correctly for the most part. They use only LDAP as a sudo source. They are using the Fedora depot sudo rpm. The pam-sudo files are the same as the RHEL box. They are correctly denied or allowed access and are not prompted for authentication, as it should be. However the only issue is this. If the user is disallowed a command it gives the incorrect error message. It says "user is not in the sudoers file" instead of saying "user is not allowed to run sudo on this host". Is this something easily remedied?

Thanks again

From aaron.ceraldi at cybera.net Thu May 14 14:33:22 2009
From: aaron.ceraldi at cybera.net (Aaron Ceraldi)
Date: Thu, 14 May 2009 13:33:22 -0500
Subject: [sudo-users] Sudo using LDAP and RedHat/ Fedora directory server 8
Message-ID: <48FAC036AD7B7642BB2944FB9AE674A304DA349E@EXCHANGE.nashville.cybera.net>

All,

I have been struggling for days now trying to get sudo via LDAP to work properly. From what I can tell RHDS 8 comes with the sudo schema built in and I have created an ACI to names SUDOers and added a user to it. On the server authing via LDAP works perfectly and I have added "sudoers_base cn=SUDOers,dc=dmark1,dc=domain,dc=net" to the ldap.conf file. When I try and sudo I get: "aceraldi is not in the sudoers file. This incident will be reported." I am probably just missing something but I'm very new to LDAP on Linux.

Thanks for any help!

Aaron

From jespasac at minibofh.org Fri May 15 06:19:47 2009
From: jespasac at minibofh.org (Jordi Espasa Clofent)
Date: Fri, 15 May 2009 12:19:47 +0200
Subject: [sudo-users] Negate host in LDAP?
Message-ID: <4A0D41C3.8080309@minibofh.org>

Hi all,

The sudoers.ldap man page says:

    Another difference is that negations on the Host, User or Runas are currently ignored. For example, the following attributes do not behave the way one might expect.

    sudoUser: !joe

    sudoUser: ALL
    sudoUser: !joe

    sudoHost: ALL
    sudoHost: !web01

Ok. So can I negate a host? How?

-- 
Thanks,
Jordi Espasa Clofent

From Todd.Miller at courtesan.com Fri May 15 10:27:58 2009
From: Todd.Miller at courtesan.com (Todd C. Miller)
Date: Fri, 15 May 2009 10:27:58 -0400
Subject: [sudo-users] Sudo using LDAP and RedHat/ Fedora directory server 8
In-Reply-To: Your message of "Thu, 14 May 2009 13:33:22 CDT." <48FAC036AD7B7642BB2944FB9AE674A304DA349E@EXCHANGE.nashville.cybera.net>
References: <48FAC036AD7B7642BB2944FB9AE674A304DA349E@EXCHANGE.nashville.cybera.net>
Message-ID: <200905151427.n4FERwVE016384@core.courtesan.com>

In message <48FAC036AD7B7642BB2944FB9AE674A304DA349E at EXCHANGE.nashville.cybera.net> so spake "Aaron Ceraldi" (aaron.ceraldi):

> I have been struggling for days now trying to get sudo via LDAP to work
> properly, from what I can tell RHDS 8 comes with the sudo schema built
> in and I have created an ACI to names SUDOers and added a user to it. On
> the server authing via LDAP works perfectly and I have added
> "sudoers_base cn=SUDOers,dc=dmark1,dc=domain,dc=net" to the ldap.conf
> file. When I try and sudo I get: "aceraldi is not in the sudoers file.
> This incident will be reported." I am probably just missing something
> but im very new to LDAP on linux.

Try adding:

sudoers_debug 2

to your ldap.conf and see if that helps pin down the problem.

 - todd

From aaron.ceraldi at cybera.net Fri May 15 11:29:10 2009
From: aaron.ceraldi at cybera.net (Aaron Ceraldi)
Date: Fri, 15 May 2009 10:29:10 -0500
Subject: [sudo-users] Sudo using LDAP and RedHat/ Fedora directory server 8
In-Reply-To: <200905151427.n4FERwVE016384@core.courtesan.com>
References: <48FAC036AD7B7642BB2944FB9AE674A304DA349E@EXCHANGE.nashville.cybera.net> <200905151427.n4FERwVE016384@core.courtesan.com>
Message-ID: <48FAC036AD7B7642BB2944FB9AE674A304DA3853@EXCHANGE.nashville.cybera.net>

Thanks for the help so far, the command gave out this. It would seem that it is looking for a + ? or the group sudouser ?

Thanks,
Aaron

[test5 at host-10-255-254-117 ~]$ sudo -i
LDAP Config Summary
===================
uri              ldaps://dir1.cs1.cybera.net
ldap_version     3
sudoers_base     cn=SUDOers,dc=cs1,dc=cybera,dc=net
binddn           (anonymous)
bindpw           (anonymous)
ssl              yes
===================
ldap_set_option(LDAP_OPT_X_TLS_CACERTFILE,"/etc/openldap/cacerts/ca.crt")
ldap_initialize(ld,ldaps://dir1.cs1.cybera.net)
ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,0x03)
ldap_bind() ok
no default options found!
ldap search '(|(sudoUser=test5)(sudoUser=ALL))'
nothing found for '(|(sudoUser=test5)(sudoUser=ALL))'
ldap search 'sudoUser=+*'
nothing found for 'sudoUser=+*'
user_matches=0
host_matches=0
sudo_ldap_check(0)=0x44
test5 is not in the sudoers file. This incident will be reported.

-----Original Message-----
From: Todd C. Miller [mailto:Todd.Miller at courtesan.com]
Sent: Friday, May 15, 2009 9:28 AM
To: Aaron Ceraldi
Cc: sudo-users at sudo.ws
Subject: Re: [sudo-users] Sudo using LDAP and RedHat/ Fedora directory server 8

In message <48FAC036AD7B7642BB2944FB9AE674A304DA349E at EXCHANGE.nashville.cybera.net> so spake "Aaron Ceraldi" (aaron.ceraldi):

> I have been struggling for days now trying to get sudo via LDAP to work
> properly, from what I can tell RHDS 8 comes with the sudo schema built
> in and I have created an ACI to names SUDOers and added a user to it. On
> the server authing via LDAP works perfectly and I have added
> "sudoers_base cn=SUDOers,dc=dmark1,dc=domain,dc=net" to the ldap.conf
> file. When I try and sudo I get: "aceraldi is not in the sudoers file.
> This incident will be reported." I am probably just missing something
> but im very new to LDAP on linux.

Try adding:

sudoers_debug 2

to your ldap.conf and see if that helps pin down the problem.

 - todd

From Todd.Miller at courtesan.com Fri May 15 13:01:37 2009
From: Todd.Miller at courtesan.com (Todd C. Miller)
Date: Fri, 15 May 2009 13:01:37 -0400
Subject: [sudo-users] Sudo using LDAP and RedHat/ Fedora directory server 8
In-Reply-To: Your message of "Fri, 15 May 2009 10:29:10 CDT." <48FAC036AD7B7642BB2944FB9AE674A304DA3853@EXCHANGE.nashville.cybera.net>
References: <48FAC036AD7B7642BB2944FB9AE674A304DA349E@EXCHANGE.nashville.cybera.net> <200905151427.n4FERwVE016384@core.courtesan.com> <48FAC036AD7B7642BB2944FB9AE674A304DA3853@EXCHANGE.nashville.cybera.net>
Message-ID: <200905151701.n4FH1bSw005119@core.courtesan.com>

In message <48FAC036AD7B7642BB2944FB9AE674A304DA3853 at EXCHANGE.nashville.cybera.net> so spake "Aaron Ceraldi" (aaron.ceraldi):

> Thanks for the help so far, the command gave out this.
> It would seem that it is looking for a + ? or the group sudouser ?

It is looking for the sudoUser "test5" or "ALL". Failing that, it will look for sudoUsers that begin with a '+' and treat those as netgroups.

 - todd

From aaron.ceraldi at cybera.net Fri May 15 13:22:36 2009
From: aaron.ceraldi at cybera.net (Aaron Ceraldi)
Date: Fri, 15 May 2009 12:22:36 -0500
Subject: [sudo-users] Sudo using LDAP and RedHat/ Fedora directory server 8
In-Reply-To: <200905151701.n4FH1bSw005119@core.courtesan.com>
References: <48FAC036AD7B7642BB2944FB9AE674A304DA349E@EXCHANGE.nashville.cybera.net> <200905151427.n4FERwVE016384@core.courtesan.com> <48FAC036AD7B7642BB2944FB9AE674A304DA3853@EXCHANGE.nashville.cybera.net> <200905151701.n4FH1bSw005119@core.courtesan.com>
Message-ID: <48FAC036AD7B7642BB2944FB9AE674A304DA38E7@EXCHANGE.nashville.cybera.net>

So forgive my ignorance on this but do I need to just create an ou called "sudoUser" and add the test5 user to that group?

Thanks,
Aaron

-----Original Message-----
From: Todd C. Miller [mailto:Todd.Miller at courtesan.com]
Sent: Friday, May 15, 2009 12:02 PM
To: Aaron Ceraldi
Cc: sudo-users at sudo.ws
Subject: Re: [sudo-users] Sudo using LDAP and RedHat/ Fedora directory server 8

In message <48FAC036AD7B7642BB2944FB9AE674A304DA3853 at EXCHANGE.nashville.cybera.net> so spake "Aaron Ceraldi" (aaron.ceraldi):

> Thanks for the help so far, the command gave out this.
> It would seem that it is looking for a + ? or the group sudouser ?

It is looking for the sudoUser "test5" or "ALL". Failing that, it will look for sudoUsers that begin with a '+' and treat those as netgroups.

 - todd

From Todd.Miller at courtesan.com Fri May 15 13:29:38 2009
From: Todd.Miller at courtesan.com (Todd C. Miller)
Date: Fri, 15 May 2009 13:29:38 -0400
Subject: [sudo-users] Sudo using LDAP and RedHat/ Fedora directory server 8
In-Reply-To: Your message of "Fri, 15 May 2009 12:22:36 CDT." <48FAC036AD7B7642BB2944FB9AE674A304DA38E7@EXCHANGE.nashville.cybera.net>
References: <48FAC036AD7B7642BB2944FB9AE674A304DA349E@EXCHANGE.nashville.cybera.net> <200905151427.n4FERwVE016384@core.courtesan.com> <48FAC036AD7B7642BB2944FB9AE674A304DA3853@EXCHANGE.nashville.cybera.net> <200905151701.n4FH1bSw005119@core.courtesan.com> <48FAC036AD7B7642BB2944FB9AE674A304DA38E7@EXCHANGE.nashville.cybera.net>
Message-ID: <200905151729.n4FHTc4M019565@core.courtesan.com>

In message <48FAC036AD7B7642BB2944FB9AE674A304DA38E7 at EXCHANGE.nashville.cybera.net> so spake "Aaron Ceraldi" (aaron.ceraldi):

> So forgive my ignorance on this but do I need to just create an ou
> called "sudoUser" and add test5 user to that group?

See the sudoers.ldap manual section "SUDOers LDAP container" for details. By way of example, here's the "root" entry I use:

dn: cn=root,ou=SUDOers,dc=courtesan,dc=com
objectClass: top
objectClass: sudoRole
cn: root
sudoUser: root
sudoRunas: ALL
sudoHost: ALL
sudoCommand: ALL

From mykleb at no.ibm.com Fri May 15 08:35:17 2009
From: mykleb at no.ibm.com (Jan-Frode Myklebust)
Date: Fri, 15 May 2009 14:35:17 +0200
Subject: [sudo-users] Sudo using LDAP and RedHat/ Fedora directory server 8
References: <48FAC036AD7B7642BB2944FB9AE674A304DA349E@EXCHANGE.nashville.cybera.net>
Message-ID:

On 2009-05-14, Aaron Ceraldi wrote:
>
> I have been struggling for days now trying to get sudo via LDAP to work
> properly, from what I can tell RHDS 8 comes with the sudo schema built
> in and I have created an ACI to names SUDOers and added a user to it. On
> the server authing via LDAP works perfectly and I have added
> "sudoers_base cn=SUDOers,dc=dmark1,dc=domain,dc=net" to the ldap.conf
> file. When I try and sudo I get: "aceraldi is not in the sudoers file.
> This incident will be reported." I am probably just missing something
> but im very new to LDAP on linux.
>

I don't quite understand what you mean by adding an "ACI to names SUDOers", at least it doesn't sound like how we're using sudoers with ldap. We have an ou=SUDOers,dc=example,dc=net where we put our sudo rules, and they look like this for f.ex. giving root access to do everything on all hosts:

dn: cn=root,ou=SUDOers,dc=example, dc=net
changetype: add
objectClass: top
objectClass: sudoRole
sudoHost: ALL
sudoCommand: ALL
sudoUser: root
sudoRunAs: ALL
cn: root

-jf

From jespasac at minibofh.org Sun May 17 13:04:56 2009
From: jespasac at minibofh.org (Jordi Espasa)
Date: Sun, 17 May 2009 19:04:56 +0200
Subject: [sudo-users] Negate host in LDAP?
In-Reply-To: <4A0D41C3.8080309@minibofh.org>
References: <4A0D41C3.8080309@minibofh.org>
Message-ID: <4A1043B8.6090800@minibofh.org>

Any clue?

-- 
Thanks,
Jordi Espasa Clofent

From mykleb at no.ibm.com Mon May 18 03:41:58 2009
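The lookup the two threads above circle around, put into a small model (an added example written for this archive, not sudo's own code): sudoRole entries like Todd's and Jan-Frode's cn=root, the exact-name / ALL / '+netgroup' matching Todd describes, and the sudoers.ldap rule that negated User/Host values are ignored. SAMPLE_LDIF is constructed LDIF and NETGROUPS is a constructed stand-in for the system netgroup database; the dbadmins role shows a host netgroup doing the job a negated sudoHost cannot.

```python
"""Model of the sudoRole lookup discussed in this thread.  Added example for
this archive, not sudo's own code.  Assumptions: SAMPLE_LDIF is constructed
LDIF modelled on the cn=root entries posted above, and NETGROUPS stands in
for the system netgroup database that sudo consults for '+name' values."""

# Constructed LDIF: the posted cn=root role plus two roles that exercise
# netgroups and negated values.
SAMPLE_LDIF = """\
dn: cn=root,ou=SUDOers,dc=example,dc=net
objectClass: top
objectClass: sudoRole
cn: root
sudoUser: root
sudoRunAs: ALL
sudoHost: ALL
sudoCommand: ALL

dn: cn=webadmins,ou=SUDOers,dc=example,dc=net
objectClass: sudoRole
cn: webadmins
sudoUser: +webops
sudoUser: !joe
sudoHost: ALL
sudoHost: !web01
sudoCommand: /usr/sbin/apachectl

dn: cn=dbadmins,ou=SUDOers,dc=example,dc=net
objectClass: sudoRole
cn: dbadmins
sudoUser: ann
sudoHost: +almost_all_hosts
sudoCommand: ALL
"""

# Constructed netgroup table (stand-in for getnetgrent): name -> members.
# almost_all_hosts lists every host except web01, the only way to keep a
# role off one host when a negated sudoHost is ignored.
NETGROUPS = {
    "webops": {"joe", "ann"},
    "almost_all_hosts": {"app01", "db01"},
}


def parse_ldif(text):
    """Parse flat LDIF into a list of {attribute: [values]} dicts; attribute
    names are lower-cased because LDAP treats them case-insensitively."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def matches(values, wanted):
    """Match one sudoUser/sudoHost attribute: exact value, ALL or +netgroup
    (the '+' prefix Todd describes).  Negated values such as '!joe' or
    '!web01' are skipped: the manual quoted above says they are ignored."""
    for v in values:
        if v.startswith("!"):
            continue
        if v == "ALL" or v == wanted:
            return True
        if v.startswith("+") and wanted in NETGROUPS.get(v[1:], set()):
            return True
    return False


def command_matches(values, command):
    """sudoCommand: ALL, or a path equal to the command or followed by args."""
    for v in values:
        if v == "ALL" or v == command or command.startswith(v + " "):
            return True
    return False


def sudo_ldap_check(entries, user, host, command):
    """Return (allowed, cn of the matching sudoRole or None)."""
    for e in entries:
        if "sudoRole" not in e.get("objectclass", []):
            continue
        if (matches(e.get("sudouser", []), user)
                and matches(e.get("sudohost", []), host)
                and command_matches(e.get("sudocommand", []), command)):
            return True, e["cn"][0]
    return False, None


if __name__ == "__main__":
    roles = parse_ldif(SAMPLE_LDIF)
    # No role names test5, ALL or a netgroup containing it: Aaron's case.
    print(sudo_ldap_check(roles, "test5", "host1", "/bin/sh"))
    # joe on web01 is allowed despite the role listing !joe and !web01.
    print(sudo_ldap_check(roles, "joe", "web01", "/usr/sbin/apachectl restart"))
    # ann: allowed on db01 through the netgroup, denied on the excluded web01.
    print(sudo_ldap_check(roles, "ann", "db01", "/bin/sh"))
    print(sudo_ldap_check(roles, "ann", "web01", "/bin/sh"))
```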
From: mykleb at no.ibm.com (Jan-Frode Myklebust)
Date: Mon, 18 May 2009 09:41:58 +0200
Subject: [sudo-users] Negate host in LDAP?
References: <4A0D41C3.8080309@minibofh.org> <4A1043B8.6090800@minibofh.org>
Message-ID:

On 2009-05-17, Jordi Espasa wrote:
> Any clue?

Create a netgroup with all other hosts, and use it in your rules instead of 'ALL':

sudoHost: @almost_all_hosts

-jf

From russell+sudo-users at loosenut.com Mon May 18 18:49:11 2009
From: russell+sudo-users at loosenut.com (Russell Van Tassell)
Date: Mon, 18 May 2009 15:49:11 -0700
Subject: [sudo-users] Mostly-OT: Linux as a Desktop OS
Message-ID: <20090518224911.GJ13532@fubar.loosenut.com>

Really only relevant because sudo is called-out by name... Why Linux sucks as a desktop OS...

/. - http://linux.slashdot.org/article.pl?sid=09/05/18/0710208&from=rss

Real article:

http://linuxfonts.narod.ru/why.linux.is.not.ready.for.the.desktop.html

OB Sudo:

12. Bad security model: there's zero protection against keyboard keyloggers and against running malicious software (Linux is viruses free only due to its extremely low popularity). sudo is very easy to circumvent (social engineering). sudo still requires CLI (see clause 4.).

[...]

4. It should be possible to configure *everything* via GUI which is still not a case for too many situations and operations.

From david.ledger at ivdcs.co.uk Tue May 19 05:35:23 2009
From: david.ledger at ivdcs.co.uk (David Ledger)
Date: Tue, 19 May 2009 10:35:23 +0100
Subject: [sudo-users] Mostly-OT: Linux as a Desktop OS
In-Reply-To: <20090518224911.GJ13532@fubar.loosenut.com>
References: <20090518224911.GJ13532@fubar.loosenut.com>
Message-ID:

At 15:49 -0700 18/5/09, Russell Van Tassell wrote:
>Really only relevant because sudo is called-out by name... Why Linux
>sucks as a desktop OS...
>
> /. - http://linux.slashdot.org/article.pl?sid=09/05/18/0710208&from=rss
>
>Real article:
>
> http://linuxfonts.narod.ru/why.linux.is.not.ready.for.the.desktop.html
>
>OB Sudo:
>
>12. Bad security model: there's zero protection against keyboard
> keyloggers and against running malicious software (Linux is viruses
> free only due to its extremely low popularity). sudo is very easy
> to circumvent (social engineering). sudo still requires CLI (see
> clause 4.).
>
>[...]
>
>4. It should be possible to configure *everything* via GUI which is
> still not a case for too many situations and operations.

Would you even listen to the opinion of someone who thinks *everything* should have a GUI?

Linux & Unix are more secure than some other OSs because the security model is the correct way round. The system runs with full privilege and the decisions as to what can be done by the unprivileged are made by something that has privilege and is protected by that privileged system. Some other OSs run unprivileged and have an unprivileged accessible way of obtaining privilege. Not secure.

He even admits that sudo is only vulnerable to social engineering. What isn't?

David

-- 
David Ledger - Freelance Unix Sysadmin in the UK.
HP-UX specialist of hpUG technical user group (www.hpug.org.uk)
david.ledger at ivdcs.co.uk
www.ivdcs.co.uk

From AnupSi at hcl.in Tue May 19 05:37:20 2009
From: AnupSi at hcl.in (Anup Kumar Sinha)
Date: Tue, 19 May 2009 15:07:20 +0530
Subject: [sudo-users] Help
Message-ID: <329A4A83017D5449A46622F8372470ED9D7BF82842@NDA-HCLC-MSG01.HCLC.CORP.HCL.IN>

From AnupSi at hcl.in Tue May 19 10:03:17 2009
From: AnupSi at hcl.in (Anup Kumar Sinha)
Date: Tue, 19 May 2009 10:03:17 -0400 (EDT)
Subject: [sudo-users] Help with sudo in sparse zone
Message-ID: <200905191403.n4JE3HTp026614@core.courtesan.com>

[list owner's note: the list server had trouble parsing the html in the original message so I've extracted it into this new message.]

I have created rppt sparse zone in solaris 10, but I am unable to use sudo in the zone. Sudo is working in the global zone perfectly. Is there any specific setting for a non-global zone?

Please help.

From russell+sudo-users at loosenut.com Wed May 20 14:47:17 2009
From: russell+sudo-users at loosenut.com (Russell Van Tassell)
Date: Wed, 20 May 2009 11:47:17 -0700
Subject: [sudo-users] Help with sudo in sparse zone
In-Reply-To: <200905191403.n4JE3HTp026614@core.courtesan.com>
References: <200905191403.n4JE3HTp026614@core.courtesan.com>
Message-ID: <20090520184717.GF13532@fubar.loosenut.com>

On Tue, May 19, 2009 at 10:03:17AM -0400, Anup Kumar Sinha wrote:
> [list owner's note: the list server had trouble parsing the html in
> the original message so I've extracted it into this new message.]
>
> I have created rppt sparse zone in solaris 10, but I am unable to
> use sudo in the zone. Sudo is working in the global zone perfectly.
> Is there any specific setting for a non-global zone?
>
> Please help.

It would be helpful to know what errors you are getting... in a sparse zone, by default you're more likely NOT going to get a default sudoers file copied over into /etc ... copying that over and maintaining permissions should be the only thing you need to do.

Also, if you run sudo off of a non-inherited partition (defaults to /lib, /platform, /sbin, /usr), you will probably need to mount the partition (eg. /usr/local).

Lastly... you might also need to check that the partition that you run "sudo" from allows setuid (check the mount table).

Note: I'm running a "shared" sudo across Solaris 10 zones without any apparent issue.

Hope that helps...

Russell

From robert.schuster at novartis.com Thu May 21 12:46:25 2009
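The three checks Russell lists (sudoers present with its permissions intact, a setuid-root sudo binary, and a mount that allows setuid), as a small diagnostic an administrator could run inside a zone. This is an added example for this archive, not from the thread or from sudo; the /etc/mnttab excerpt is constructed, and the default paths /usr/local/bin/sudo and /etc/mnttab in diagnose_live() are assumptions.

```python
"""Sanity checks for sudo inside a Solaris sparse zone, following Russell's
list above: a sudoers file present with the right ownership and mode, a setuid
root sudo binary, and a filesystem for that binary that is not mounted
nosetuid.  Added example, not from the thread.  It works on stat modes and
mount-table text passed in, so it runs on constructed data as well as live."""
import os
import stat

# Constructed /etc/mnttab excerpt (fields: special, mount point, fstype,
# options, time).  /usr is inherited read-only from the global zone; the
# non-inherited /usr/local is mounted nosetuid, which breaks sudo there.
SAMPLE_MNTTAB = """\
/dev/dsk/c0t0d0s0 / ufs rw,intr,largefiles,logging,xattr 1242000000
/usr /usr lofs ro,nodevices 1242000000
/dev/dsk/c0t1d0s7 /usr/local ufs rw,nosetuid 1242000000
"""


def mount_for(path, mnttab_text):
    """Return (mount_point, set(options)) of the deepest mount point that
    contains path, i.e. the filesystem the file actually lives on."""
    best = ("", set())
    for line in mnttab_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        mnt, opts = fields[1], set(fields[3].split(","))
        prefix = mnt.rstrip("/") + "/"
        if (path == mnt or path.startswith(prefix)) and len(mnt) > len(best[0]):
            best = (mnt, opts)
    return best


def setuid_allowed(options):
    """Solaris spells the option nosetuid, Linux nosuid; either one stops a
    setuid binary from gaining privilege, so sudo fails on such a mount."""
    return not ({"nosetuid", "nosuid"} & options)


def sudo_binary_ok(mode, uid):
    """sudo only works as a setuid-root executable."""
    return uid == 0 and bool(mode & stat.S_ISUID)


def sudoers_ok(mode, uid):
    """sudo refuses a sudoers file not owned by root or not mode 0440
    (the default SUDOERS_MODE in sudo 1.6/1.7)."""
    return uid == 0 and stat.S_IMODE(mode) == 0o440


def diagnose(sudo_path, sudo_mode, sudo_uid, sudoers_mode, sudoers_uid, mnttab):
    """Return a list of problems found; an empty list means all checks passed.
    sudoers_mode is None when /etc/sudoers does not exist in the zone."""
    problems = []
    if sudoers_mode is None:
        problems.append("no /etc/sudoers in this zone: copy one from the global zone")
    elif not sudoers_ok(sudoers_mode, sudoers_uid):
        problems.append("/etc/sudoers must be owned by root with mode 0440")
    if not sudo_binary_ok(sudo_mode, sudo_uid):
        problems.append("%s is not setuid root" % sudo_path)
    mnt, opts = mount_for(sudo_path, mnttab)
    if not mnt:
        problems.append("%s is on no mounted filesystem: mount its partition" % sudo_path)
    elif not setuid_allowed(opts):
        problems.append("%s is mounted nosetuid/nosuid; sudo cannot gain privilege" % mnt)
    return problems


def diagnose_live(sudo_path="/usr/local/bin/sudo", mnttab_path="/etc/mnttab"):
    """Run the checks against the running system (Solaris paths by default)."""
    def mode_uid(p):
        try:
            st = os.stat(p)
        except OSError:
            return None, None
        return st.st_mode, st.st_uid
    sudo_mode, sudo_uid = mode_uid(sudo_path)
    sudoers_mode, sudoers_uid = mode_uid("/etc/sudoers")
    with open(mnttab_path) as f:
        mnttab = f.read()
    if sudo_mode is None:
        return ["%s does not exist in this zone" % sudo_path]
    return diagnose(sudo_path, sudo_mode, sudo_uid, sudoers_mode, sudoers_uid, mnttab)


if __name__ == "__main__":
    # Constructed run: setuid-root sudo under the nosetuid /usr/local, no sudoers.
    for p in diagnose("/usr/local/bin/sudo", 0o104111, 0, None, None, SAMPLE_MNTTAB):
        print("problem:", p)
```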
From: robert.schuster at novartis.com (robert.schuster at novartis.com)
Date: Thu, 21 May 2009 18:46:25 +0200
Subject: [sudo-users] Robert Schuster/PH/Novartis is not in the office
Message-ID:

I will be out of the office starting 21.05.2009 and will not return until 25.05.2009.

I am currently not in the office and have only limited access to my e-mails. In urgent cases please contact the hotline on 0911 273 12820 or at the following e-mail address: nuernberg.hotline at novartis.com

I am not in the office. I have only limited access to my emails. In urgent cases please contact the local help desk: nuernberg.hotline at novartis.com or call phone 0911 / 273 12 820.

From Francois.Mehault at netplus.fr Tue May 26 06:04:51 2009
From: Francois.Mehault at netplus.fr (François Mehault)
Date: Tue, 26 May 2009 12:04:51 +0200
Subject: [sudo-users] sudo + openldap + freebsd 7
Message-ID: <88A1FB305B58DA419D0F2CFDBB95B2D812AF0FC95E@sylvaner.netis.priv>

Hi all,

I am trying to configure sudo with my OpenLDAP on FreeBSD 7.0 and I am running into some difficulties. I read the documents on the website about LDAP (Sudoers LDAP Manual and README for LDAP). My problem is simple: it doesn't work.

On FreeBSD I installed sudo with make config (selecting LDAP support), make and make install. I copied schema.openLDAP to /usr/local/etc/openldap/schema/sudo.schema and included it in slapd.conf (and restarted the slapd daemon). I added "sudoers : ldap" to /etc/nsswitch.conf. Here is an extract of my ldap.conf (/usr/local/etc/ldap.conf):

base dc=netplus,dc=fr
uri ldap://x.x.x.x:389
ldap_version 3
rootbinddn cn=root,dc=netplus,dc=fr # with ldap.secret
timelimit 3
bind_timelimit 3
bind_policy soft
pam_login_attribute uid
pam_check_host_attr yes
#pam_check_service_attr yes
pam_groupdn cn=pf_labobe1,ou=Plate-Forme,dc=netplus,dc=fr
pam_member_attribute uniqueMember
sudoers_base ou=SUDOers,dc=netplus,dc=fr
sudoers_debug 2

My problem:

<11:57>[labobe1:~]$ sudo visudo
LDAP Config Summary
===================
uri              ldap://x.x.x.x:389
ldap_version     3
sudoers_base     ou=SUDOers,dc=netplus,dc=fr
binddn           (anonymous)
bindpw           (anonymous)
bind_timelimit   3000
timelimit        3
ssl              (no)
===================
sudo: ldap_initialize(ld, ldap://10.96.18.10:389)
sudo: ldap_set_option: debug -> 0
sudo: ldap_set_option: ldap_version -> 3
sudo: ldap_set_option: timelimit -> 3
sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 3)
sudo: ldap_simple_bind_s() ok
sudo: found:cn=defaults,ou=sudoers,dc=netplus,dc=fr
sudo: ldap sudoOption: 'logfile=/var/log/sudolog'
sudo: ldap sudoOption: 'env_keep+=SSH_AUTH_SOCK'
sudo: ldap search '(|(sudoUser=fmehault)(sudoUser=%administrateur)(sudoUser=%stagiaire)(sudoUser=ALL))'
sudo: found:cn=roleAdmin,ou=SUDOers,dc=netplus,dc=fr
sudo: ldap sudoHost 'ALL' ... MATCH!
sudo: ldap sudoCommand 'ALL' ... MATCH!
sudo: ldap sudoRunAs 'ALL' ... MATCH!
sudo: Perfect Matched!
sudo: user_matches=-1
sudo: host_matches=-1
sudo: sudo_ldap_check(0)=0x402
Password:
You can't come in. Our tiger has got flu
Password:
... and it used to be so popular...
Password:
Hold it up to the light --- not a brain in sight!
sudo: 3 incorrect password attempts
<11:57>[labobe1:~]$ whoami
fmehault

On my OpenLDAP:

dn: ou=SUDOers,dc=netplus,dc=fr
objectClass: organizationalUnit
objectClass: top
ou: SUDOers

dn: cn=defaults,ou=sudoers,dc=netplus,dc=fr
objectClass: top
objectClass: sudoRole
cn: defaults
description: Default sudoOption's go here
sudoOption: logfile=/var/log/sudolog
sudoOption: env_keep+=SSH_AUTH_SOCK

dn: cn=roleAdmin,ou=SUDOers,dc=netplus,dc=fr
objectClass: sudoRole
objectClass: top
sudoHost: ALL
cn: roleAdmin
sudoCommand: ALL
sudoRunAs: ALL
sudoUser: fmehault

dn: cn=Francois MEHAULT,ou=Utilisateurs,dc=netplus,dc=fr
givenName:: RnJhbsOnb2lz
sn: MEHAULT
uid: fmehault
cn: Francois MEHAULT
uidNumber: 1203
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: hostObject
objectClass: authorizedServiceObject
host: *
userPassword: {MD5}9x2+UmKKP4OnerSUgXUlxg==
homeDirectory: /home/fmehault
loginShell: /usr/local/bin/zsh
gidNumber: 1203
authorizedService: sshd
authorizedService: sudo

I did exactly the same thing on a Fedora 10 and it works perfectly. Can someone help me?

Thanks,

Regards,

François

From fija00 at gmail.com Wed May 27 13:14:36 2009
From: fija00 at gmail.com (M. Fija)
Date: Wed, 27 May 2009 19:14:36 +0200
Subject: [sudo-users] sudo 1.7.1 with pam, ldap and SSL on solaris 10: need help
Message-ID:

Hello,

I've compiled sudo-1.7.1 on Solaris 10 with PAM and (solaris native) LDAP support. And sudo was built without errors and works as expected when using ldap but fails with ldaps:

> sudo -l
LDAP Config Summary
===================
uri ldap://myldapserver
ldap_version 3
sudoers_base ou=sudoers,dc=example,dc=fr
binddn cn=host1,ou=systems,dc=example,dc=fr
bindpw host1pwd
ssl on
tls_checkpeer (yes)
tls_certfile /var/ldap/cert8.db
===================
sudo: ldapssl_clientauth_init(/var/ldap/cert8.db, NULL)
sudo: unable to initialize SSL cert and key db: security library: bad database.
sudo: unable to initialize LDAP: Unknown error
Password:

Sudo was built with the following command:

CC="gcc -static-libgcc" ./configure \
--prefix=/usr \
--exec-prefix=/usr \
--sysconfdir=/etc \
--localstatedir=/var \
--datarootdir=/usr/share \
--with-logging=syslog --with-logfac=authpriv \
--with-editor=/usr/bin/vi --with-env-editor \
--with-ignore-dot --with-tty-tickets \
--with-pam --with-nsswitch \
--with-ldap \
--with-ldap-conf-file=/etc/ldap.conf \
--with-ldap-secret-file=/etc/ldap.secret

Here is my /etc/ldap.conf:

uri ldap://myldapserver
base dc=example,dc=fr
sudoers_base ou=sudoers,dc=example,dc=fr
binddn cn=host1,ou=systems,dc=example,dc=fr
bindpw host1pwd
tls_checkpeer yes
ssl on
#tls_cacertfile /var/ldap/cert8.db
tls_cert /var/ldap/cert8.db
#tls_key /var/ldap/key3.db
sudoers_debug 2

The file /var/ldap/cert8.db was created for the solaris ldap client with the /usr/sfw/bin/certutil command.
On the LDAP server side (openldap 2.3/Redhat ES3), TLS parameters are:

TLSCACertificateFile /etc/ssl/certs/CAcerts.pem
TLSCertificateFile /etc/ssl/private/myldapserver.crt
TLSCertificateKeyFile /etc/ssl/private/myldapserver.key
TLSVerifyClient never
TLSCipherSuite SSLv3

It seems there is no problem with PAM as I can see connection and search operations honored successfully by the ldap server.

Thanks for any help.

Fija

From Todd.Miller at courtesan.com Wed May 27 15:22:56 2009
From: Todd.Miller at courtesan.com (Todd C. Miller)
Date: Wed, 27 May 2009 15:22:56 -0400
Subject: [sudo-users] sudo 1.7.1 with pam, ldap and SSL on solaris 10: need help
In-Reply-To: Your message of "Wed, 27 May 2009 19:14:36 +0200."
References:
Message-ID: <200905271922.n4RJMuUH024633@core.courtesan.com>

In message so spake "M. Fija" (fija00):

> > sudo -l
> LDAP Config Summary
> ===================
> uri ldap://myldapserver
> ldap_version 3
> sudoers_base ou=sudoers,dc=example,dc=fr
> binddn cn=host1,ou=systems,dc=example,dc=fr
> bindpw host1pwd
> ssl on
> tls_checkpeer (yes)
> tls_certfile /var/ldap/cert8.db
> ===================
> sudo: ldapssl_clientauth_init(/var/ldap/cert8.db, NULL)
> sudo: unable to initialize SSL cert and key db: security library: bad
> database.
> sudo: unable to initialize LDAP: Unknown error
> Password:

It looks like you have tls_checkpeer enabled but no (or invalid?) /var/ldap/cert8.db file.

- todd

From fija00 at gmail.com Thu May 28 08:42:56 2009
From: fija00 at gmail.com (M. Fija)
Date: Thu, 28 May 2009 14:42:56 +0200
Subject: [sudo-users] sudo 1.7.1 with pam, ldap and SSL on solaris 10: need help
In-Reply-To: <200905271922.n4RJMuUH024633@core.courtesan.com>
References: <200905271922.n4RJMuUH024633@core.courtesan.com>
Message-ID:

Hello,

tls_checkpeer is enabled in /etc/ldap.conf, but the result is the same if it is disabled.

The /var/ldap/cert8.db file is used by the solaris ldap client and I can use it with the ldapsearch command:

$ ldapsearch -v -Z -P /var/ldap/cert8.db -h myldapserver -p 636 -s base -b "" 'objectclass=*'
ldapsearch: started Thu May 28 14:23:39 2009
ldap_init( myldapserver, 636 )
filter pattern: objectclass=*
returning: ALL
filter is: (objectclass=*)
version: 1
dn:
objectClass: top
objectClass: OpenLDAProotDSE
1 matches

The ldap server log indicates the TLS connection is established:

May 28 14:23:40 myldapserver slapd[21902]: conn=1360 fd=40 ACCEPT from IP=xx.xx.xx.xx:36259 (IP=yy.yy.yy.yy:636)
May 28 14:23:40 myldapserver slapd[21902]: conn=1360 fd=40 TLS established tls_ssf=128 ssf=128
May 28 14:23:40 myldapserver slapd[21902]: conn=1360 op=0 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
May 28 14:23:40 myldapserver slapd[21902]: conn=1360 op=0 SEARCH RESULT tag=101 err=0 nentries=1 text=
May 28 14:23:40 myldapserver slapd[21902]: conn=1360 op=1 UNBIND
May 28 14:23:40 myldapserver slapd[21902]: conn=1360 fd=40 closed ()

It looks like the message "sudo: unable to initialize SSL cert and key db: security library: bad" indicates that "tls_cert" and "tls_key" are mandatory to use SSL with sudo. It seems that the "tls_cacertfile" parameter is ignored.

Fija

2009/5/27 Todd C. Miller

> In message
> so spake "M. Fija" (fija00):
>
> > > sudo -l
> > LDAP Config Summary
> > ===================
> > uri ldap://myldapserver
> > ldap_version 3
> > sudoers_base ou=sudoers,dc=example,dc=fr
> > binddn cn=host1,ou=systems,dc=example,dc=fr
> > bindpw host1pwd
> > ssl on
> > tls_checkpeer (yes)
> > tls_certfile /var/ldap/cert8.db
> > ===================
> > sudo: ldapssl_clientauth_init(/var/ldap/cert8.db, NULL)
> > sudo: unable to initialize SSL cert and key db: security library: bad
> > database.
> > sudo: unable to initialize LDAP: Unknown error
> > Password:
>
> It looks like you have tls_checkpeer enabled but no (or invalid?)
> /var/ldap/cert8.db file.
>
> - todd
>

From Todd.Miller at courtesan.com Thu May 28 09:50:55 2009
From: Todd.Miller at courtesan.com (Todd C. Miller)
Date: Thu, 28 May 2009 09:50:55 -0400
Subject: [sudo-users] sudo 1.7.1 with pam, ldap and SSL on solaris 10: need help
In-Reply-To: Your message of "Thu, 28 May 2009 14:42:56 +0200."
References: <200905271922.n4RJMuUH024633@core.courtesan.com>
Message-ID: <200905281350.n4SDott9031084@core.courtesan.com>

In message so spake "M. Fija" (fija00):

> It looks like the message "sudo: unable to initialize SSL cert and key db:
> security library: bad" indicates that "tls_cert" and "tls_key" are mandatory
> to use SSL with sudo.

They should not be. The LDAP API is supposed to deal with them not being specified. Please try the diff below to see if it helps.

> It seems that "tls_cacertfile" parameter is ignored.

There is no way to specify a separate CA cert with the Sun LDAP API.

- todd

Index: ldap.c
===================================================================
RCS file: /home/cvs/courtesan/sudo/ldap.c,v
retrieving revision 1.107
diff -u -p -u -r1.107 ldap.c
--- ldap.c 25 May 2009 12:02:41 -0000 1.107
+++ ldap.c 28 May 2009 13:45:51 -0000
@@ -381,15 +381,26 @@ sudo_ldap_init(ldp, host, port) #ifdef HAVE_LDAPSSL_INIT if (ldap_conf.ssl_mode == SUDO_LDAP_SSL) { - DPRINTF(("ldapssl_clientauth_init(%s, %s)", - ldap_conf.tls_certfile ? ldap_conf.tls_certfile : "NULL", - ldap_conf.tls_keyfile ? ldap_conf.tls_keyfile : "NULL"), 2); - rc = ldapssl_clientauth_init(ldap_conf.tls_certfile, NULL, - ldap_conf.tls_keyfile != NULL, ldap_conf.tls_keyfile, NULL); - if (rc != LDAP_SUCCESS) { - warningx("unable to initialize SSL cert and key db: %s", - ldapssl_err2string(rc)); - goto done; + if (ldap_conf.tls_keyfile) { + DPRINTF(("ldapssl_clientauth_init(%s, %s)", + ldap_conf.tls_certfile ? ldap_conf.tls_certfile : "NULL", + ldap_conf.tls_keyfile), 2); + rc = ldapssl_clientauth_init(ldap_conf.tls_certfile, NULL, + 1, ldap_conf.tls_keyfile, NULL); + if (rc != LDAP_SUCCESS) { + warningx("unable to initialize SSL cert and key db: %s", + ldapssl_err2string(rc)); + goto done; + } + } else { + DPRINTF(("ldapssl_client_init(%s)", + ldap_conf.tls_certfile ? ldap_conf.tls_certfile : "NULL"), 2); + rc = ldapssl_client_init(ldap_conf.tls_certfile, NULL); + if (rc != LDAP_SUCCESS) { + warningx("unable to initialize SSL client: %s", + ldapssl_err2string(rc)); + goto done; + } } DPRINTF(("ldapssl_init(%s, %d, 1)", host, port), 2); From fija00 at gmail.com Thu May 28 11:26:22 2009 
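Review bot: in the new else branch, ldapssl_client_init() is handed ldap_conf.tls_certfile unchanged, so a tls_cert that names the cert8.db file rather than the directory holding it fails exactly as the old ldapssl_clientauth_init() call did (the truss output later in this thread shows the library appending cert8.db/cert7.db to that path), and the warningx on both error paths reports only ldapssl_err2string(rc), not the path that was tried. Include the path in the message, for example `warningx("unable to initialize SSL client (%s): %s", ldap_conf.tls_certfile ? ldap_conf.tls_certfile : "NULL", ldapssl_err2string(rc));`, so a user sees what the library rejected without raising sudoers_debug, and state in the tls_cert documentation that for the Netscape-derived API this value is the directory containing the NSS database.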
From: fija00 at gmail.com (M. Fija)
Date: Thu, 28 May 2009 17:26:22 +0200
Subject: [sudo-users] sudo 1.7.1 with pam, ldap and SSL on solaris 10: need help
In-Reply-To: <200905281350.n4SDott9031084@core.courtesan.com>
References: <200905271922.n4RJMuUH024633@core.courtesan.com> <200905281350.n4SDott9031084@core.courtesan.com>
Message-ID:

Thank you for the patch, but unfortunately the result is the same:

$ sudo -l
LDAP Config Summary
===================
uri ldaps://myldapserver
ldap_version 3
sudoers_base ou=sudoers,dc=example,dc=fr
binddn cn=host1,ou=systems,dc=example,dc=fr
bindpw host1pwd
ssl on
tls_checkpeer (yes)
tls_certfile /var/ldap/cert8.db
===================
sudo: ldapssl_client_init(/var/ldap/cert8.db)
sudo: unable to initialize SSL client: security library: bad database.
sudo: unable to initialize LDAP: Unknown error
Password:

Fija

2009/5/28 Todd C. Miller

> In message
> so spake "M. Fija" (fija00):
>
> > It looks like the message "sudo: unable to initialize SSL cert and key
> db:
> > security library: bad" indicates that "tls_cert" and "tls_key" are
> mandatory
> > to use SSL with sudo.
>
> They should not be. The LDAP API is supposed to deal with them not
> being specified. Please try the diff below to see if it helps.
>
> > It seems that "tls_cacertfile" parameter is ignored.
>
> There is no way to specify a separate CA cert with the Sun LDAP API.
>
> - todd
>
> Index: ldap.c
> ===================================================================
> RCS file: /home/cvs/courtesan/sudo/ldap.c,v
> retrieving revision 1.107
> diff -u -p -u -r1.107 ldap.c
> --- ldap.c 25 May 2009 12:02:41 -0000 1.107
> +++ ldap.c 28 May 2009 13:45:51 -0000
> @@ -381,15 +381,26 @@ sudo_ldap_init(ldp, host, port) > > #ifdef HAVE_LDAPSSL_INIT > if (ldap_conf.ssl_mode == SUDO_LDAP_SSL) { > - DPRINTF(("ldapssl_clientauth_init(%s, %s)", > - ldap_conf.tls_certfile ? ldap_conf.tls_certfile : "NULL", > - ldap_conf.tls_keyfile ? ldap_conf.tls_keyfile : "NULL"), 2); > - rc = ldapssl_clientauth_init(ldap_conf.tls_certfile, NULL, > - ldap_conf.tls_keyfile != NULL, ldap_conf.tls_keyfile, NULL); > - if (rc != LDAP_SUCCESS) { > - warningx("unable to initialize SSL cert and key db: %s", > - ldapssl_err2string(rc)); > - goto done; > + if (ldap_conf.tls_keyfile) { > + DPRINTF(("ldapssl_clientauth_init(%s, %s)", > + ldap_conf.tls_certfile ? ldap_conf.tls_certfile : "NULL", > + ldap_conf.tls_keyfile), 2); > + rc = ldapssl_clientauth_init(ldap_conf.tls_certfile, NULL, > + 1, ldap_conf.tls_keyfile, NULL); > + if (rc != LDAP_SUCCESS) { > + warningx("unable to initialize SSL cert and key db: %s", > + ldapssl_err2string(rc)); > + goto done; > + } > + } else { > + DPRINTF(("ldapssl_client_init(%s)", > + ldap_conf.tls_certfile ? ldap_conf.tls_certfile : "NULL"), > 2); > + rc = ldapssl_client_init(ldap_conf.tls_certfile, NULL); > + if (rc != LDAP_SUCCESS) { > + warningx("unable to initialize SSL client: %s", > + ldapssl_err2string(rc)); > + goto done; > + } > } > > DPRINTF(("ldapssl_init(%s, %d, 1)", host, port), 2); > From fija00 at gmail.com Fri May 29 03:57:14 2009 
From: fija00 at gmail.com (M. Fija)
Date: Fri, 29 May 2009 09:57:14 +0200
Subject: [sudo-users] sudo 1.7.1 with pam, ldap and SSL on solaris 10: need help [SOLVED]
Message-ID:

There is something buggy with the solaris 10 ldapssl_clientauth_init()/ldapssl_client_init() functions. I've trussed sudo and found this:

26236: stat("/var/ldap/cert8.db/cert8.db", 0xFFBFF0E8) Err#20 ENOTDIR
26236: open("/var/ldap/cert8.db/cert8.db", O_RDONLY) Err#20 ENOTDIR
26236: stat("/var/ldap/cert8.db/cert7.db", 0xFFBFF0E8) Err#20 ENOTDIR
26236: open("/var/ldap/cert8.db/cert7.db", O_RDONLY) Err#20 ENOTDIR
26236: open("/usr/lib/locale/en_US.ISO8859-15/LC_MESSAGES/SUNW_OST_OSLIB.mo", O_RDONLY) Err#2 ENOENT

Note the cert{8,7}.db name appended to the certificate db file name. I've then changed the tls_cert parameter to /var/ldap:

...
#tls_cert /var/ldap/cert8.db
tls_cert /var/ldap/
...

... and that made sudo happy:

$ sudo -l
LDAP Config Summary
===================
uri ldaps://myldapserver
ldap_version 3
sudoers_base ou=sudoers,dc=example,dc=fr
binddn cn=clxb1ad,ou=systems,dc=example,dc=fr
bindpw edfgt54r
ssl on
tls_checkpeer (yes)
tls_certfile /var/ldap/
===================
sudo: ldapssl_clientauth_init(/var/ldap/, NULL)
sudo: ldapssl_init(myldapserver:636, 389, 1)
sudo: ldap_set_option: ldap_version -> 3
sudo: ldap_simple_bind_s() ok
sudo: found:cn=defaults,ou=sudoers,dc=example,dc=fr

Fija

2009/5/28 M. Fija

> Thank you for the patch, but unfortunately the result is the same:
>
> $ sudo -l
> LDAP Config Summary
> ===================
> uri ldaps://myldapserver
> ldap_version 3
> sudoers_base ou=sudoers,dc=example,dc=fr
> binddn cn=host1,ou=systems,dc=example,dc=fr
> bindpw host1pwd
> ssl on
> tls_checkpeer (yes)
> tls_certfile /var/ldap/cert8.db
> ===================
> sudo: ldapssl_client_init(/var/ldap/cert8.db)
> sudo: unable to initialize SSL client: security library: bad database.
> sudo: unable to initialize LDAP: Unknown error
> Password:
>
> Fija
>
>
> 2009/5/28 Todd C. Miller
>
> > In message
>> so spake "M. Fija" (fija00):
>>
>> > It looks like the message "sudo: unable to initialize SSL cert and key
>> db:
>> > security library: bad" indicates that "tls_cert" and "tls_key" are
>> mandatory
>> > to use SSL with sudo.
>>
>> They should not be. The LDAP API is supposed to deal with them not
>> being specified. Please try the diff below to see if it helps.
>>
>> > It seems that "tls_cacertfile" parameter is ignored.
>>
>> There is no way to specify a separate CA cert with the Sun LDAP API.
>>
>> - todd
>>
>> Index: ldap.c
>> ===================================================================
>> RCS file: /home/cvs/courtesan/sudo/ldap.c,v
>> retrieving revision 1.107
>> diff -u -p -u -r1.107 ldap.c
>> --- ldap.c 25 May 2009 12:02:41 -0000 1.107
>> +++ ldap.c 28 May 2009 13:45:51 -0000
>> @@ -381,15 +381,26 @@ sudo_ldap_init(ldp, host, port) >> >> #ifdef HAVE_LDAPSSL_INIT >> if (ldap_conf.ssl_mode == SUDO_LDAP_SSL) { >> - DPRINTF(("ldapssl_clientauth_init(%s, %s)", >> - ldap_conf.tls_certfile ? ldap_conf.tls_certfile : "NULL", >> - ldap_conf.tls_keyfile ? ldap_conf.tls_keyfile : "NULL"), 2); >> - rc = ldapssl_clientauth_init(ldap_conf.tls_certfile, NULL, >> - ldap_conf.tls_keyfile != NULL, ldap_conf.tls_keyfile, NULL); >> - if (rc != LDAP_SUCCESS) { >> - warningx("unable to initialize SSL cert and key db: %s", >> - ldapssl_err2string(rc)); >> - goto done; >> + if (ldap_conf.tls_keyfile) { >> + DPRINTF(("ldapssl_clientauth_init(%s, %s)", >> + ldap_conf.tls_certfile ? ldap_conf.tls_certfile : "NULL", >> + ldap_conf.tls_keyfile), 2); >> + rc = ldapssl_clientauth_init(ldap_conf.tls_certfile, NULL, >> + 1, ldap_conf.tls_keyfile, NULL); >> + if (rc != LDAP_SUCCESS) { >> + warningx("unable to initialize SSL cert and key db: %s", >> + ldapssl_err2string(rc)); >> + goto done; >> + } >> + } else { >> + DPRINTF(("ldapssl_client_init(%s)", >> + ldap_conf.tls_certfile ? ldap_conf.tls_certfile : "NULL"), >> 2); >> + rc = ldapssl_client_init(ldap_conf.tls_certfile, NULL); >> + if (rc != LDAP_SUCCESS) { >> + warningx("unable to initialize SSL client: %s", >> + ldapssl_err2string(rc)); >> + goto done; >> + } >> } >> >> DPRINTF(("ldapssl_init(%s, %d, 1)", host, port), 2); >> > > From jespasac at minibofh.org Fri May 29 04:41:27 2009 
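As an added example (not sudo's code and not from anyone in the thread), here is a pre-flight check in Python that reproduces the cert DB lookup visible in the truss output of the [SOLVED] message: it parses an ldap.conf fragment and verifies that tls_cert names the directory holding cert8.db or cert7.db, flagging the `tls_cert /var/ldap/cert8.db` mistake before sudo reports "security library: bad database". The cert8.db/cert7.db names and the directory semantics come from the truss output; accepting `tls_certfile` as an alternate key, and treating `ssl on`, `start_tls` or an ldaps:// URI as enabling TLS, are assumptions of this example.

```python
"""
Pre-flight check for sudo's tls_cert setting under the Sun/Netscape LDAP API.

The truss output in the thread shows the library stat()ing <tls_cert>/cert8.db
and <tls_cert>/cert7.db, i.e. it treats the value as the directory that holds
the NSS certificate database, not as the cert8.db file itself. This helper
repeats that lookup on the filesystem so a bad ldap.conf is caught early.
Added example; not part of sudo.
"""
import os
import tempfile
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Database file names the library appended to the tls_cert path in the truss output.
NSS_CERT_DB_NAMES = ("cert8.db", "cert7.db")


@dataclass
class CertDbCheck:
    ok: bool
    path: str                 # tls_cert value as configured
    found_db: Optional[str]   # database file the library would open, if any
    advice: str               # what to change when ok is False


def parse_ldap_conf(text: str) -> Dict[str, str]:
    """Parse 'key value' lines of an ldap.conf; '#' starts a comment, later keys override earlier ones."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def tls_in_use(conf: Dict[str, str]) -> bool:
    """Assumption: the SSL code path is taken for 'ssl on'/start_tls or an ldaps:// URI."""
    ssl = conf.get("ssl", "").lower()
    return ssl in ("on", "yes", "true", "start_tls") or conf.get("uri", "").lower().startswith("ldaps://")


def check_cert_db_path(conf: Dict[str, str]) -> CertDbCheck:
    """Mimic the library's lookup: the configured path must be a directory containing cert8.db or cert7.db."""
    # ldap.conf on the page spells the key tls_cert; sudo's summary prints it as tls_certfile,
    # so that spelling is accepted here as a fallback (assumption).
    path = conf.get("tls_cert") or conf.get("tls_certfile")
    if not tls_in_use(conf):
        return CertDbCheck(True, path or "", None, "TLS not enabled; tls_cert is not consulted")
    if not path:
        return CertDbCheck(False, "", None, "ssl is on but no tls_cert directory is configured")
    if os.path.isdir(path):
        for name in NSS_CERT_DB_NAMES:
            candidate = os.path.join(path, name)
            if os.path.isfile(candidate):
                return CertDbCheck(True, path, candidate, "ok")
        return CertDbCheck(False, path, None,
                           "%s is a directory but contains no %s" % (path, " or ".join(NSS_CERT_DB_NAMES)))
    # Not a directory: the library would try <path>/cert8.db and get ENOTDIR, exactly as in the truss.
    parent, base = os.path.split(path.rstrip("/"))
    if base in NSS_CERT_DB_NAMES and os.path.isfile(path):
        return CertDbCheck(False, path, path,
                           "tls_cert names the database file itself; use its directory: tls_cert %s/"
                           % (parent or "."))
    return CertDbCheck(False, path, None, "%s does not exist" % path)


def demo() -> Tuple[CertDbCheck, CertDbCheck]:
    """Run the check on the broken and the fixed ldap.conf shapes from the thread against a constructed cert DB dir."""
    with tempfile.TemporaryDirectory() as certdir:
        dbfile = os.path.join(certdir, "cert8.db")
        with open(dbfile, "wb") as fh:
            fh.write(b"placeholder, not a real NSS database")  # constructed fixture
        broken = parse_ldap_conf("uri ldap://myldapserver\nssl on\ntls_cert %s\n" % dbfile)
        fixed = parse_ldap_conf("uri ldaps://myldapserver\nssl on\ntls_cert %s/\n" % certdir)
        return check_cert_db_path(broken), check_cert_db_path(fixed)


if __name__ == "__main__":
    for result in demo():
        print("ok" if result.ok else "FAIL", result.path, "->", result.advice)
```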
From: jespasac at minibofh.org (Jordi Espasa Clofent)
Date: Fri, 29 May 2009 10:41:27 +0200
Subject: [sudo-users] sudo + openldap + freebsd 7
In-Reply-To: <88A1FB305B58DA419D0F2CFDBB95B2D812AF0FC95E@sylvaner.netis.priv>
References: <88A1FB305B58DA419D0F2CFDBB95B2D812AF0FC95E@sylvaner.netis.priv>
Message-ID: <4A1F9FB7.5090205@minibofh.org>

I have a similar environment and it works like a charm. I suspect a PAM error. Can you show a simple 'cat /etc/pam.d/sudo' output?

--
Thanks,
Jordi Espasa Clofent

From paul.macleod at eds.com Fri May 29 04:21:31 2009
From: paul.macleod at eds.com (Macleod, Paul)
Date: Fri, 29 May 2009 10:21:31 +0200
Subject: [sudo-users] sudo 1.7.1 with pam, ldap and SSL on solaris 10: need help
In-Reply-To:
References:
Message-ID: <94CE8D1127DE7C4A9AD4D618DFE26AF701D480AD@defrm205.emea.corp.eds.com>

Hi,

I would just like to add - I have a similar, if not the same, issue. To add information to the mix, I've had a build of Sudo (sudo-1.6.9p10) that had some LDAP support iterated through on 19th Dec '07, which was built.. worked perfectly in a Solaris 9 environment. That environment was later upgraded to Solaris 10u4, and the LDAP SSL fails to work now. With newer Sudo 1.7, but also re-tested with the same 1.6.9p10 source; rebuilt etc. So I could confirm it wasn't a 1.7 thing; as the 1.6.9p10 - worked on Solaris 9.

I've also tried making cert7.db and cert8.db; with utter futility; always the same errors.

Cheers,
-Paul.

-----Original Message-----
From: sudo-users-bounces at courtesan.com [mailto:sudo-users-bounces at courtesan.com] On Behalf Of M. Fija
Sent: 27 May 2009 18:15
To: sudo-users at sudo.ws
Subject: [sudo-users] sudo 1.7.1 with pam,ldap and SSL on solaris 10: need help

Hello,

I've compiled sudo-1.7.1 on Solaris 10 with PAM and (solaris native) LDAP support. And sudo was built without errors and works as expected when using ldap but fails with ldaps:

> sudo -l
LDAP Config Summary
===================
uri ldap://myldapserver
ldap_version 3
sudoers_base ou=sudoers,dc=example,dc=fr
binddn cn=host1,ou=systems,dc=example,dc=fr
bindpw host1pwd
ssl on
tls_checkpeer (yes)
tls_certfile /var/ldap/cert8.db
===================
sudo: ldapssl_clientauth_init(/var/ldap/cert8.db, NULL)
sudo: unable to initialize SSL cert and key db: security library: bad database.
sudo: unable to initialize LDAP: Unknown error
Password:

Sudo was built with the following command:

CC="gcc -static-libgcc" ./configure \
--prefix=/usr \
--exec-prefix=/usr \
--sysconfdir=/etc \
--localstatedir=/var \
--datarootdir=/usr/share \
--with-logging=syslog --with-logfac=authpriv \
--with-editor=/usr/bin/vi --with-env-editor \
--with-ignore-dot --with-tty-tickets \
--with-pam --with-nsswitch \
--with-ldap \
--with-ldap-conf-file=/etc/ldap.conf \
--with-ldap-secret-file=/etc/ldap.secret

Here is my /etc/ldap.conf:

uri ldap://myldapserver
base dc=example,dc=fr
sudoers_base ou=sudoers,dc=example,dc=fr
binddn cn=host1,ou=systems,dc=example,dc=fr
bindpw host1pwd
tls_checkpeer yes
ssl on
#tls_cacertfile /var/ldap/cert8.db
tls_cert /var/ldap/cert8.db
#tls_key /var/ldap/key3.db
sudoers_debug 2

The file /var/ldap/cert8.db was created for the solaris ldap client with the /usr/sfw/bin/certutil command.
On the LDAP server side (openldap 2.3/Redhat ES3), TLS parameters are:

TLSCACertificateFile /etc/ssl/certs/CAcerts.pem
TLSCertificateFile /etc/ssl/private/myldapserver.crt
TLSCertificateKeyFile /etc/ssl/private/myldapserver.key
TLSVerifyClient never
TLSCipherSuite SSLv3

It seems there is no problem with PAM as I can see connection and search operations honored successfully by the ldap server.

Thanks for any help.

Fija

____________________________________________________________
sudo-users mailing list
For list information, options, or to unsubscribe, visit:
http://www.sudo.ws/mailman/listinfo/sudo-users

From Todd.Miller at courtesan.com Fri May 29 07:48:31 2009
From: Todd.Miller at courtesan.com (Todd C. Miller)
Date: Fri, 29 May 2009 07:48:31 -0400
Subject: [sudo-users] sudo 1.7.1 with pam, ldap and SSL on solaris 10: need help [SOLVED]
In-Reply-To: Your message of "Fri, 29 May 2009 09:57:14 +0200."
References:
Message-ID: <200905291148.n4TBmVGV024403@core.courtesan.com>

Glad to hear it is not sudo's fault. It looks like other people are having the same issue on other systems that use netscape/mozilla derived LDAP libs. I'll add a note in the docs about this.

- todd

From paul.macleod at eds.com Fri May 29 08:04:24 2009
From: paul.macleod at eds.com (Macleod, Paul)
Date: Fri, 29 May 2009 14:04:24 +0200
Subject: [sudo-users] sudo 1.7.1 with pam, ldap and SSL on solaris 10: need help [SOLVED]
In-Reply-To: <200905291148.n4TBmVGV024403@core.courtesan.com>
References: <200905291148.n4TBmVGV024403@core.courtesan.com>
Message-ID: <94CE8D1127DE7C4A9AD4D618DFE26AF701D48219@defrm205.emea.corp.eds.com>

Fija / Todd

Can confirm, amending the ldap.conf has cleared it up for me as well.

Used:-
tls_cert /var/ldap/

instead of:-
tls_cert /var/ldap/cert8.db

I'm currently replacing the directory service now; with a Sun DS 6, instead of 5.2. To make a full evaluation of it all working on Solaris 10.

Thanks for the time you both have taken in progressing and clearing my stumbling block.

Cheers,
-Paul.

-----Original Message-----
From: sudo-users-bounces at courtesan.com [mailto:sudo-users-bounces at courtesan.com] On Behalf Of Todd C. Miller
Sent: 29 May 2009 12:49
To: M. Fija
Cc: sudo-users at sudo.ws
Subject: Re: [sudo-users] sudo 1.7.1 with pam,ldap and SSL on solaris 10: need help [SOLVED]

Glad to hear it is not sudo's fault. It looks like other people are having the same issue on other systems that use netscape/mozilla derived LDAP libs. I'll add a note in the docs about this.

- todd

From Francois.Mehault at netplus.fr Fri May 29 09:09:11 2009
From: Francois.Mehault at netplus.fr (=?iso-8859-1?Q?Fran=E7ois_Mehault?=)
Date: Fri, 29 May 2009 15:09:11 +0200
Subject: [sudo-users] sudo + openldap + freebsd 7
In-Reply-To: <4A1F9FB7.5090205@minibofh.org>
References: <88A1FB305B58DA419D0F2CFDBB95B2D812AF0FC95E@sylvaner.netis.priv> <4A1F9FB7.5090205@minibofh.org>
Message-ID: <88A1FB305B58DA419D0F2CFDBB95B2D812AF0FCA33@sylvaner.netis.priv>

Yes, I succeeded: the sudo file was missing in /etc/pam.d :)

-----Original Message-----
From: sudo-users-bounces at courtesan.com [mailto:sudo-users-bounces at courtesan.com] On Behalf Of Jordi Espasa Clofent
Sent: Friday, 29 May 2009 10:41
To: sudo-users at sudo.ws
Subject: Re: [sudo-users] sudo + openldap + freebsd 7

I have a similar environment and it works like a charm. I suspect a PAM error. Can you show a simple 'cat /etc/pam.d/sudo' output?

--
Thanks,
Jordi Espasa Clofent

From Francois.Mehault at netplus.fr Fri May 29 09:14:24 2009
From: Francois.Mehault at netplus.fr (=?iso-8859-1?Q?Fran=E7ois_Mehault?=)
Date: Fri, 29 May 2009 15:14:24 +0200
Subject: [sudo-users] sudo + openldap + freebsd 7
In-Reply-To: <4A1F9FB7.5090205@minibofh.org>
References: <88A1FB305B58DA419D0F2CFDBB95B2D812AF0FC95E@sylvaner.netis.priv> <4A1F9FB7.5090205@minibofh.org>
Message-ID: <88A1FB305B58DA419D0F2CFDBB95B2D812AF0FCA35@sylvaner.netis.priv>

Well, I am curious in fact. This is my sudo file; could you confirm to me that it is correct (no useless information, for example)?

auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
#auth sufficient pam_krb5.so no_warn try_first_pass
#auth sufficient pam_ssh.so no_warn try_first_pass
#auth optional /usr/lib/pam_echo.so test
auth sufficient pam_unix.so no_warn try_first_pass
auth optional /usr/lib/pam_echo.so openldap alive ??? wrong local passwd ???
auth required /usr/local/lib/pam_ldap.so no_warn try_first_pass
#auth sufficient /usr/lib/pam_radius.so no_warn

# account
account required /usr/local/lib/pam_ldap.so ignore_unknown_user ignore_authinfo_unavail
account required pam_nologin.so
#account required pam_krb5.so
account required pam_login_access.so
account required pam_unix.so

# session
session required pam_permit.so

# password
#password sufficient pam_krb5.so no_warn try_first_pass
password required pam_unix.so no_warn try_first_pass

I think there are a lot of lines which are useless.

-----Original Message-----
From: sudo-users-bounces at courtesan.com [mailto:sudo-users-bounces at courtesan.com] On Behalf Of Jordi Espasa Clofent
Sent: Friday, 29 May 2009 10:41
To: sudo-users at sudo.ws
Subject: Re: [sudo-users] sudo + openldap + freebsd 7

I have a similar environment and it works like a charm. I suspect a PAM error. Can you show a simple 'cat /etc/pam.d/sudo' output?
--
Thanks,
Jordi Espasa Clofent

From luisclemente.totvs at mangels.com.br Fri May 29 14:40:00 2009
From: luisclemente.totvs at mangels.com.br (Luis Eduardo Carosi Clemente)
Date: Fri, 29 May 2009 15:40:00 -0300
Subject: [sudo-users] Setting mailfrom in sudoers file with visudo
Message-ID: <282DB63D9D993E4E8D1ECF2214078E9006BE35@MANEX03.mangelscorp.int>

Hi all,

I want to set the mailfrom field in my sudoers with the following line, but it doesn't work.

Defaults mailfrom = "root at server"

When I want to exit from editing sudoers with the visudo command I receive the following error:

visudo: unknown defaults entry `mailfrom' referenced near line 29

What now? Is this option no longer available?

Regards,

Luis Eduardo

Confidentiality Note: This message and any attachments may contain confidential or privileged data. If you received them by mistake, please destroy them and notify us of the fact immediately.

Confidential Note: This e-mail and its attachments are confidential or legally privileged. If you received this message in error or are not the intended recipients, please destroy it and notify us immediately.

From Todd.Miller at courtesan.com Fri May 29 17:58:49 2009
From: Todd.Miller at courtesan.com (Todd C. Miller)
Date: Fri, 29 May 2009 17:58:49 -0400
Subject: [sudo-users] Setting mailfrom in sudoers file with visudo
In-Reply-To: Your message of "Fri, 29 May 2009 15:40:00 -0300." <282DB63D9D993E4E8D1ECF2214078E9006BE35@MANEX03.mangelscorp.int>
References: <282DB63D9D993E4E8D1ECF2214078E9006BE35@MANEX03.mangelscorp.int>
Message-ID: <200905292158.n4TLwnDT027037@core.courtesan.com>

In message <282DB63D9D993E4E8D1ECF2214078E9006BE35 at MANEX03.mangelscorp.int>
so spake "Luis Eduardo Carosi Clemente" (luisclemente.totvs):

> I want to set the mailfrom field in my sudoers with the following line
> but it doesn't work.
>
> Defaults mailfrom = "root at server"
>
> visudo: unknown defaults entry `mailfrom' referenced near line 29

That option is only available in sudo 1.7.0 and higher.

- todd

From robert.schuster at novartis.com Sat May 30 13:05:43 2009
From: robert.schuster at novartis.com (robert.schuster at novartis.com)
Date: Sat, 30 May 2009 19:05:43 +0200
Subject: [sudo-users] Robert Schuster/PH/Novartis is out of office
Message-ID:

I will be out of the office starting 30.05.2009 and will not return until 08.06.2009.

I will be reachable again from 8 June 2009. In urgent cases please contact the hotline on 0911 273 12820 or at the following email address: nuernberg.hotline at novartis.com

I am out of office. I will return on June 8th, 2009. In urgent cases please contact the local help desk: nuernberg.hotline at novartis.com or call phone 0911 / 273 12 820.