From: msuehowicz at rubiconproject.com (Martin Suehowicz)
Date: Sun, 1 Nov 2009 23:18:25 -0500
Subject: [sudo-users] LDAP Default's user override
In-Reply-To: <636FDC536AC4E741AFCA2FB75C9D3D2401A75B22@be41.exg3.exghost.com>
References: <636FDC536AC4E741AFCA2FB75C9D3D2401A75B22@be41.exg3.exghost.com>

I am trying to set up ldap/sudo. I am not sure how to override defaults for a user. How do I add the following line to ldap?

    Defaults:nagios !requiretty

This did not work. I think ":" violates ldap naming rules.

    dn: cn=defaults_nagios,ou=SUDOers,dc=foobar,dc=com
    objectClass: top
    objectClass: sudoRole
    cn: defaults:nagios
    description: Default sudoOption's go here
    sudoOption: !requiretty

From: jeff at sdsc.edu (Jeff Makey)
Date: Mon, 2 Nov 2009 20:29:29 -0800
Subject: [sudo-users] Debugging a sudo segmentation fault
In-Reply-To: <200910311331.n9VDVrbZ018517@core.courtesan.com>
Message-ID: <200911030429.nA34TTwG002945@darwin.sdsc.edu>

Yes, calling krb5_get_init_creds_opt_init() from krb5_get_init_creds_opt_alloc() fixes the problem with the older version (1.3.4) of MIT Kerberos that is shipped with Red Hat Enterprise Linux 4. Thank you!

By the way, the scope of my original bug report was too narrow. This problem occurred on both 32-bit and 64-bit RHEL 4 systems, and also on RHEL 3 systems. Unfortunately, the above fix does not make a difference with RHEL 3's MIT Kerberos 1.2.7 (even with its many backported security fixes). The workaround to this problem is to type the password correctly at the first prompt, which I can live with.

 :: Jeff Makey
    jeff at sdsc.edu
From: jeff at sdsc.edu (Jeff Makey)
Date: Mon, 2 Nov 2009 20:31:55 -0800
Subject: [sudo-users] Patch for configure script
Message-ID: <200911030431.nA34Vt2R002964@darwin.sdsc.edu>

The patch below removes a spurious comma from the configure script.

 :: Jeff Makey
    jeff at sdsc.edu

-----------------------------------------------------------------
--- sudo-1.7.2p1/configure.~1~	2009-07-20 06:34:39 -0700
+++ sudo-1.7.2p1/configure	2009-08-14 18:47:47 -0700
@@ -21523,7 +21523,7 @@
 { echo "$as_me:$LINENO: result: $ac_cv_lib_krb5support_main" >&5
 echo "${ECHO_T}$ac_cv_lib_krb5support_main" >&6; }
 if test $ac_cv_lib_krb5support_main = yes; then
- SUDO_LIBS="${SUDO_LIBS} -lkrb5support,"
+ SUDO_LIBS="${SUDO_LIBS} -lkrb5support"
 fi

From: Todd.Miller at courtesan.com (Todd C. Miller)
Date: Tue, 03 Nov 2009 09:55:45 -0500
Subject: [sudo-users] Debugging a sudo segmentation fault
In-Reply-To: Your message of "Mon, 02 Nov 2009 20:29:29 PST." <200911030429.nA34TTwG002945@darwin.sdsc.edu>
References: <200911030429.nA34TTwG002945@darwin.sdsc.edu>
Message-ID: <200911031455.nA3Etj8Y002300@core.courtesan.com>

In message <200911030429.nA34TTwG002945 at darwin.sdsc.edu>
	so spake Jeff Makey (jeff):

> Unfortunately, the above fix does not make a difference with RHEL 3's
> MIT Kerberos 1.2.7 (even with its many backported security fixes).
> The workaround to this problem is to type the password correctly at
> the first prompt, which I can live with.

You might try adding:

    zero_bytes(*opts, sizeof(krb5_get_init_creds_opt));

before the call to krb5_get_init_creds_opt_init(). I seem to recall that some older versions of krb5_get_init_creds_opt_init() didn't clear the full opts structure.

 - todd
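Review bot: this hunk edits the generated sudo-1.7.2p1/configure rather than configure.in, so the stray comma in SUDO_LIBS="${SUDO_LIBS} -lkrb5support," will come back the next time configure is regenerated; apply the same one-character fix to the corresponding assignment in configure.in as well.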
From: Todd.Miller at courtesan.com (Todd C. Miller)
Date: Tue, 03 Nov 2009 09:58:31 -0500
Subject: [sudo-users] Patch for configure script
In-Reply-To: Your message of "Mon, 02 Nov 2009 20:31:55 PST." <200911030431.nA34Vt2R002964@darwin.sdsc.edu>
References: <200911030431.nA34Vt2R002964@darwin.sdsc.edu>
Message-ID: <200911031458.nA3EwVWi015875@core.courtesan.com>

In message <200911030431.nA34Vt2R002964 at darwin.sdsc.edu>
	so spake Jeff Makey (jeff):

> The patch below removes a spurious comma from the configure script.

Thanks, I've fixed that in the cvs tree.

 - todd
From: jeff at sdsc.edu (Jeff Makey)
Date: Tue, 3 Nov 2009 19:11:27 -0800
Subject: [sudo-users] Debugging a sudo segmentation fault
In-Reply-To: <200911031455.nA3Etj8Y002300@core.courtesan.com>
Message-ID: <200911040311.nA43BRdQ023189@darwin.sdsc.edu>

If I had paid closer attention while testing I may have seen that my Red Hat Enterprise Linux 3 systems were failing in a different way from the RHEL 4 systems.

The remaining problem on RHEL 3 systems (with MIT Kerberos 1.2.7) is that krb5.h does not declare krb5_get_init_creds_opt_free() at all. This allows the relevant AC_TRY_COMPILE() in configure.in to succeed and conclude that krb5_get_init_creds_opt_free() takes two arguments, when in fact the one defined and used in auth/kerb5.c takes only one. When it is called with two arguments it frees the wrong one and produces a segmentation fault.

Having sudo_cv_krb5_get_init_creds_opt_free_two_args=no in the environment while running configure works around this problem (and it turns out I was already doing that on RHEL 4). One way to get configure to make the right choice is to use AC_CHECK_LIB() to see if it is in the krb5 library, then test the number of arguments it takes only if it is found.

With the above configure workaround and Todd's change to krb5_get_init_creds_opt_alloc() in kerb5.c I now have sudo-1.7.2p1 running with Kerberos 5 authentication on the following platforms:

    Solaris 7, 9, & 10 sparc
    Solaris 10 x86
    Red Hat Enterprise Linux 3 32-bit
    Red Hat Enterprise Linux 4 32-bit & 64-bit
    Red Hat Enterprise Linux 5 32-bit

Thanks for the help. The patch below fixes a couple of noncritical typos I found during my investigation.

 :: Jeff Makey
    jeff at sdsc.edu

-----------------------------------------------------------------
--- configure.in.~1~	2009-07-20 06:34:37 -0700
+++ configure.in	2009-11-03 16:17:11 -0800
@@ -2240,7 +2240,7 @@
 _LIBS="$LIBS"
 LIBS="${LIBS} ${SUDO_LIBS}"
 AC_CHECK_FUNCS(krb5_verify_user krb5_init_secure_context krb5_get_init_creds_opt_alloc)
- AC_CACHE_CHECK(whether krb5_get_init_creds_opt_free takes a two argument2,
+ AC_CACHE_CHECK(whether krb5_get_init_creds_opt_free takes two arguments,
 sudo_cv_krb5_get_init_creds_opt_free_two_args, [
 AC_TRY_COMPILE([#include ], [
@@ -2663,7 +2663,7 @@
 AH_TEMPLATE(HAVE_KERB4, [Define to 1 if you use Kerberos IV.])
 AH_TEMPLATE(HAVE_KERB5, [Define to 1 if you use Kerberos V.])
 AH_TEMPLATE(HAVE_KRB5_GET_INIT_CREDS_OPT_ALLOC, [Define to 1 if you have the `krb5_get_init_creds_opt_alloc' function.])
-AH_TEMPLATE(HAVE_KRB5_GET_INIT_CREDS_OPT_FREE_TWO_ARGS, [Define to 1 if your `krb5_get_init_creds_opt_alloc' function takes two arguments.])
+AH_TEMPLATE(HAVE_KRB5_GET_INIT_CREDS_OPT_FREE_TWO_ARGS, [Define to 1 if your `krb5_get_init_creds_opt_free' function takes two arguments.])
 AH_TEMPLATE(HAVE_KRB5_INIT_SECURE_CONTEXT, [Define to 1 if you have the `krb5_init_secure_context' function.])
 AH_TEMPLATE(HAVE_KRB5_VERIFY_USER, [Define to 1 if you have the `krb5_verify_user' function.])
 AH_TEMPLATE(HAVE_LBER_H, [Define to 1 if your LDAP needs . (OpenLDAP does not)])

From: Todd.Miller at courtesan.com (Todd C. Miller)
Date: Wed, 04 Nov 2009 09:44:16 -0500
Subject: [sudo-users] Debugging a sudo segmentation fault
In-Reply-To: Your message of "Tue, 03 Nov 2009 19:11:27 PST." <200911040311.nA43BRdQ023189@darwin.sdsc.edu>
References: <200911040311.nA43BRdQ023189@darwin.sdsc.edu>
Message-ID: <200911041444.nA4EiGid013793@core.courtesan.com>

Thanks, I've fixed those typos and adjusted configure to only check for krb5_get_init_creds_opt_free() if it first finds krb5_get_init_creds_opt_alloc(). That matches the logic for defining our own krb5_get_init_creds_opt_free() in kerb5.c.

 - todd
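Review bot: the first hunk (@@ -2240) only rewords the AC_CACHE_CHECK message from "takes a two argument2" to "takes two arguments"; the faulty detection described in the accompanying message sits in that hunk's trailing context, where the AC_TRY_COMPILE can succeed with a two-argument call when krb5.h does not declare krb5_get_init_creds_opt_free() at all, so sudo_cv_krb5_get_init_creds_opt_free_two_args is cached as yes on that platform. Suggest gating this check on the preceding AC_CHECK_FUNCS finding krb5_get_init_creds_opt_alloc, or on a declaration check, before counting arguments.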
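Review bot: in the second hunk (@@ -2663) the AH_TEMPLATE text for HAVE_KRB5_GET_INIT_CREDS_OPT_FREE_TWO_ARGS now names krb5_get_init_creds_opt_free instead of krb5_get_init_creds_opt_alloc, which is the right fix, since that comment is what someone reading the matching #ifdef in auth/kerb5.c sees in config.h; nothing else to change in this hunk.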
From: Morris.Marshael at mccg.org (Morris.Marshael)
Date: Tue, 10 Nov 2009 09:24:33 -0500
Subject: [sudo-users] Sudo version 1.7.2p1
Message-ID: <4165013F0980164EA599EC60745A7EC516AB8123@exchng1.cghsnt.mccg.org>

When using sudo to create a mksysb on AIX I receive the following error:

    sudo smitty mkdvd
    Initializing mkcd log: /var/adm/ras/mkcd.log...
    Verifying command parameters...
    Creating image.data file...
    0512-306 mkcd: 32 megabytes of memory is required to create a mksysb on a CD or DVD device.
    Current memory size is: 0 bytes.

Everything else that I have tried seems to work. Is there a parameter that I need to change within sudo to be able to do this, or is there another problem that I have?

Thanks for your help,

Marshael Morris
From: ntngawali at gmail.com (NITIN GAWALI)
Date: Thu, 12 Nov 2009 13:31:27 +0530
Subject: [sudo-users] Where is the sudo file in HP unix
Message-ID: <4fd555ba0911120001s257ab9aamc7c56851f9f2ccd4@mail.gmail.com>

Suppose there are 2 non-root users, abc and xyz. If we want to write a script for switching between non-root users without asking for a password, then how do we locate the sudo files inside root? Please help.

From: m0kili at gmail.com (M Kili)
Date: Thu, 12 Nov 2009 14:58:05 +0100
Subject: [sudo-users] sudo keeps asking for password with NOPASSWD given
Message-ID: <29a617af0911120558n4ca7f9aagae7a17e1c17a79c9@mail.gmail.com>

Hi,

I have the regular requirement of updating a test site when a change is committed to svn. SVN is under apache webdav, user nobody; svn update has to be run as user user1.

CentOS release 5.4, sudoers is standard distribution, requiretty removed, so except for aliases I have:

    Defaults    env_reset
    Defaults    env_keep = " ... list ... "
    root    ALL=(ALL)   ALL
    nobody  ALL = (user1) NOPASSWD: /usr/bin/svn update /path/to/www/

Testing this setup:

    # sudo -H -u nobody bash
    $ sudo -H -u user1 svn update /path/to/www/
    Password:

Same result from post-commit hook.

Any help?

-- 
Marek
From: Todd.Miller at courtesan.com (Todd C. Miller)
Date: Thu, 12 Nov 2009 10:51:15 -0500
Subject: [sudo-users] Microsoft "sudo" patent
Message-ID: <200911121551.nACFpFVb029052@core.courtesan.com>

I've already received a number of questions about US patent 7,617,530 that some people seem to believe might cover sudo. I don't think that is the case.

My reading of the patent indicates that it is geared towards GUI-based environments where the user may need to perform some action (such as setting the clock in a control panel) that requires increased privileges. The actual "invention" appears to be that the user is able to perform an action as a different user without having to type in the name of that other user when authenticating. One example given in that patent is the ability to click on a name in a list of privileged users as opposed to having to type in a user name.

Sudo simply doesn't work this way. When a command is run via sudo the user is actively running the command as a different user. What is described in the patent is a mechanism whereby an application or the operating system detects that an action needs to be run with increased privileges and automatically prompts the user with a list of potential users that have the appropriate privilege level to perform the task.

 - todd
From: panlinux at gmail.com (Andreas Hasenack)
Date: Fri, 13 Nov 2009 12:36:33 -0600
Subject: [sudo-users] sudo keeps asking for password with NOPASSWD given
In-Reply-To: <29a617af0911120558n4ca7f9aagae7a17e1c17a79c9@mail.gmail.com>
References: <29a617af0911120558n4ca7f9aagae7a17e1c17a79c9@mail.gmail.com>
Message-ID: <8e4dbfa80911131036j40b244fdr24b55f88b829cfe6@mail.gmail.com>

On Thu, Nov 12, 2009 at 07:58, M Kili wrote:
> Hi,
>
> I have the regular requirement of updating a test site when a change is
> committed to svn. SVN is under apache webdav, user nobody, svn update
> has to be run as user user1.
>
> CentOS release 5.4, sudoers is standard distribution, requiretty
> removed, so except for aliases I have:
>
> Defaults    env_reset
> Defaults    env_keep = " ... list ... "
> root  ALL=(ALL)   ALL
> nobody  ALL = (user1) NOPASSWD: /usr/bin/svn update /path/to/www/
>
>
> Testing this setup:
> # sudo -H -u nobody bash
> $ sudo -H -u user1 svn update /path/to/www/
> Password:

Try

    sudo -H -u user1 /usr/bin/svn update /path/to/www/

From: Edward.Schernau at CITIZENSBANK.com (Schernau, Ed D)
Date: Thu, 12 Nov 2009 19:03:14 -0500
Subject: [sudo-users] Microsoft "sudo" patent
In-Reply-To: <200911121551.nACFpFVb029052@core.courtesan.com>
References: <200911121551.nACFpFVb029052@core.courtesan.com>

"prior art" probably also covers sudo.

-----Original Message-----
From: sudo-users-bounces at courtesan.com [mailto:sudo-users-bounces at courtesan.com] On Behalf Of Todd C. Miller
Sent: Thursday, November 12, 2009 10:51 AM
To: sudo-users at core.courtesan.com
Subject: [sudo-users] Microsoft "sudo" patent
From: david.ledger at ivdcs.co.uk (David Ledger)
Date: Sun, 15 Nov 2009 12:14:19 +0000
Subject: [sudo-users] Microsoft "sudo" patent
References: <200911121551.nACFpFVb029052@core.courtesan.com>

Mac OSX has been doing this with a GUI since its first release, last century.

David

At 19:03 -0500 12/11/09, Schernau, Ed D wrote:
>"prior art" probably also covers sudo.
>
>-----Original Message-----
>From: sudo-users-bounces at courtesan.com
>[mailto:sudo-users-bounces at courtesan.com] On Behalf Of Todd C. Miller
>Sent: Thursday, November 12, 2009 10:51 AM
>To: sudo-users at core.courtesan.com
>Subject: [sudo-users] Microsoft "sudo" patent
-- 
David Ledger - Freelance Unix Sysadmin in the UK.
HP-UX specialist of hpUG technical user group (www.hpug.org.uk)
david.ledger at ivdcs.co.uk
www.ivdcs.co.uk
From: massimo.sgaravatto at pd.infn.it (Massimo Sgaravatto - INFN Padova)
Date: Sun, 15 Nov 2009 15:55:02 +0100 (CET)
Subject: [sudo-users] How to replace default "incorrect password attempts" message

Dear all

I have the following sudo use case. I would like the following: if user tomcat does a

    sudo -u userx cmdx

the command should be executed without being asked for a password if userx is part of a set of "allowed users" (let's call it GOOD_ACCOUNTS) *and* if cmdx is part of a set of "allowed commands" (let's call it GOOD_CMDS).

If instead userx is not part of GOOD_ACCOUNTS and/or cmdx is not part of GOOD_CMDS, the command should fail reporting an "Authorization failure" message without being asked for a password.

I was able to implement such a use case by setting in the sudoers:

    Runas_Alias GOOD_ACCOUNTS = user1, user2, ... , usern
    Cmnd_Alias GOOD_CMDS = cmd1, cmd2, ..., cmdn
    tomcat ALL=(GOOD_ACCOUNTS) NOPASSWD: GOOD_CMDS
    Defaults passwd_tries=0

This works.

The only (cosmetic) problem is that if I specify in the sudo command a "bad" user and/or a "bad" command, I got the error message:

    incorrect password attempts

while I would prefer something different (e.g. sudo authorization error).

I tried to set badpass_message in the sudoers, but it looks like it is only used when you type a wrong password.

So is there a way to replace that default error message? Or are there some other (better) options to implement my use case?

Thanks a lot, Massimo

Massimo Sgaravatto
INFN Sezione di Padova
Via Marzolo, 8
35131 Padova - Italy
Tel: ++39 0498275908
Fax: ++39 0498275952
E-mail: massimo.sgaravatto [at] pd.infn.it
Home page: http://www.pd.infn.it/~sgaravat
From: Trevor.Antczak.ctr at arc.army.mil (Antczak, Trevor (Contractor))
Date: Tue, 17 Nov 2009 11:03:31 -0600
Subject: [sudo-users] Problems compiling on Irix
Message-ID: <5F3DFB42CA226D4497707C60419C10B8017BDB3B@MAIL.ad.arc.army.mil>

Hello,

I have a fairly old SGI box with Irix 6.5.25 on it. When I try to compile sudo 1.7.2p1 with either the SGI compilers or GCC, the compile balks at fnmatch.c. GCC version is 3.3. Errors from GCC are as follows:

    In file included from fnmatch.c:53
    emul/charclass.h:28: error: 'isblank' undeclared here (not in a function)
    emul/charclass.h:28: error: initializer element is not constant
    emul/charclass.h:28: error: (near initialization for 'cclases[2].isctype')
    emul/charclass.h:28: error: initializer element is not constant
    emul/charclass.h:28: error: (near initialization for 'cclases[2]')
    emul/charclass.h:29: error: initializer element is not constant
    emul/charclass.h:29: error: (near initialization for 'cclases[3]')
    emul/charclass.h:30: error: initializer element is not constant
    emul/charclass.h:30: error: (near initialization for 'cclases[4]')
    .
    .
    .
    emul/charclass.h:38: error: initializer element is not constant
    emul/charclass.h:38: error: (near initialization for 'cclases[12]')
    Error code 1 (bu21)

The Irix compilers give a similar error about 'isblank' being undeclared in emul/charclass.h. What research I've done indicated that 'isblank' is normally an OS supplied function, but that sudo includes its own simple version if the OS doesn't provide one.

My questions are:

1) Has anyone successfully compiled the most recent sudo on Irix?
2) If so, what version of Irix?
3) Is there a workaround on the 'isblank' issue that would avoid me having to do an OS upgrade? (i.e., could I just comment the line out and everything will mostly work)

Trevor Antczak (Contractor)
MDA Advanced Research Center
256.964.1662
Trevor.Antczak.ctr at arc.army.mil
From: Todd.Miller at courtesan.com (Todd C. Miller)
Date: Tue, 17 Nov 2009 12:20:39 -0500
Subject: [sudo-users] Problems compiling on Irix
In-Reply-To: Your message of "Tue, 17 Nov 2009 11:03:31 CST." <5F3DFB42CA226D4497707C60419C10B8017BDB3B@MAIL.ad.arc.army.mil>
References: <5F3DFB42CA226D4497707C60419C10B8017BDB3B@MAIL.ad.arc.army.mil>
Message-ID: <200911171720.nAHHKd03011358@core.courtesan.com>

In message <5F3DFB42CA226D4497707C60419C10B8017BDB3B at MAIL.ad.arc.army.mil>
	so spake "Antczak, Trevor (Contractor)" (Trevor.Antczak.ctr):

> 3) Is there a workaround on the 'isblank' issue that would avoid me having to
> do an OS upgrade. (ie, could I just comment the line out and everything will
> mostly work)

Check your config.h file and see if you have a line:

    #define HAVE_ISBLANK 1

If so, comment that out. It's possible you may need to add

    #define _ANSI_LIBRARY

before ctype.h is included in fnmatch.c

 - todd
From: Andy.Cowley at uwe.ac.uk (Andy Cowley)
Date: Tue, 17 Nov 2009 18:47:04 +0000
Subject: [sudo-users] Can I use the value of an environment variable in a sudoers rule ?
Message-ID: <4B02EFA8.20006@uwe.ac.uk>

I want to do something like

    ALL ALL=/bin/mount -o loop -t ext3 $HOME/* $HOME/*

to allow users to loopback mount a filesystem image, but only in their own home directory, by doing, for example

    $ sudo /bin/mount -o loop -t ext3 $HOME/imagefile $HOME/mountpoint

That one passes the value of $HOME to sudo and the rule doesn't match. Single quoting $HOME to avoid shell interpretation passes $HOME to /bin/mount, which fails to understand it. I have set my /etc/sudoers to preserve the value of $HOME.

It will work with '/bin/bash' inserted but that seems wide open to abuse.

Is there any way to get sudo to use the value of $HOME in a rule?

Please reply to mailto:andy.cowley at uwe.ac.uk as I'm not subscribed (yet).

best
Andy

From: seph at directionless.org (seph)
Date: Fri, 20 Nov 2009 11:34:52 -0500
Subject: [sudo-users] #includedir gives parse errors

I'm running into the same problem as http://www.sudo.ws/pipermail/sudo-users/2009-October/004206.html

I'm using ubuntu hardy 8.04, and tested with a clean compile of sudo versions 1.7.2 and 1.7.2p1.

I filed it as http://www.gratisoft.us/bugzilla/show_bug.cgi?id=375 and that report has my various test files. (sorry I didn't email sudo-users first)

seph
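Back to Andy Cowley's question above: sudoers matches a rule's arguments against the literal command line, with no expansion of $HOME or any other variable, so "only inside the invoking user's home" cannot be written as a rule. The usual alternative is to let sudo run a small wrapper instead of /bin/mount and enforce the path policy in code. The wrapper below is an added example, not from the thread and not sudo's own code: the rule in its docstring, the wrapper path /usr/local/sbin/home-loop-mount and the mount options are assumptions; SUDO_USER is an environment variable sudo really does set to the invoking user's name.

```python
"""home-loop-mount: loop-mount an ext3 image, but only when both the image and
the mountpoint resolve to locations inside the invoking user's home directory.

Assumed sudoers rule (hypothetical):

    ALL ALL = NOPASSWD: /usr/local/sbin/home-loop-mount

Added example; wrapper name, rule and mount options are assumptions.
"""
import os
import pwd
import subprocess
import sys


def home_of(username):
    """Home directory from the password database, not from $HOME (which the
    caller controls)."""
    return pwd.getpwnam(username).pw_dir


def path_within(path, home):
    """True only if the fully resolved path lies inside the resolved home.
    Symlinks are followed first, so ~/img -> /some/other/file does not pass,
    and the trailing separator stops /home/andyx from matching /home/andy."""
    real = os.path.realpath(path)
    real_home = os.path.realpath(home)
    return real == real_home or real.startswith(real_home + os.sep)


def check_request(image, mountpoint, home):
    """Return a list of problems with the request; empty means acceptable."""
    problems = []
    for label, p in (("image", image), ("mountpoint", mountpoint)):
        if not os.path.isabs(p):
            problems.append(f"{label} must be an absolute path")
        elif not path_within(p, home):
            problems.append(f"{label} is outside {home}")
    if not problems:
        if not os.path.isfile(os.path.realpath(image)):
            problems.append("image is not a regular file")
        if not os.path.isdir(os.path.realpath(mountpoint)):
            problems.append("mountpoint is not a directory")
    return problems


def main(argv):
    if len(argv) != 3:
        sys.stderr.write("usage: home-loop-mount IMAGE MOUNTPOINT\n")
        return 2
    invoker = os.environ.get("SUDO_USER")
    if not invoker:
        sys.stderr.write("must be run via sudo\n")
        return 2
    problems = check_request(argv[1], argv[2], home_of(invoker))
    if problems:
        sys.stderr.write("; ".join(problems) + "\n")
        return 1
    # Mount options are fixed here rather than taken from the caller, so the
    # rule cannot be widened from the command line.
    return subprocess.call(["/bin/mount", "-o", "loop,nosuid,nodev,noexec",
                            "-t", "ext3", argv[1], argv[2]])


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Because the sudoers rule names the wrapper with no arguments, sudo allows any arguments, and the wrapper is the only place the policy lives; keep it root-owned and non-writable. Mounting user-supplied images still hands untrusted filesystem metadata to the kernel's ext3 driver, which is why the options pin nosuid, nodev and noexec.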
From: seph at directionless.org (seph)
Date: Fri, 20 Nov 2009 13:10:10 -0500
Subject: [sudo-users] #includedir gives parse errors
In-Reply-To: (seph@directionless.org's message of "Fri, 20 Nov 2009 11:34:52 -0500")

Hrm. I just noticed in the Changelog that includedir ignores files with dots in them. It even looks like it's in the manual. I find that counter intuitive, but there it is...

I do, however, notice that if I run "visudo -c -f ..." it leaves behind an empty sudoers file in the included directory, which makes future calls die with parse errors.

I suspect that sudo should be a bit more resilient to empty directories and empty files.

seph

seph writes:

> I'm running into the same problem as
> http://www.sudo.ws/pipermail/sudo-users/2009-October/004206.html
>
> I'm using ubuntu hardy 8.04, and tested with a clean compile of sudo
> versions 1.7.2 and 1.7.2p1.
>
> I filed it as http://www.gratisoft.us/bugzilla/show_bug.cgi?id=375 and
> that report has my various test files. (sorry I didn't email sudo-users
> first)
>
> seph
From: seph at directionless.org (seph)
Date: Fri, 20 Nov 2009 14:32:16 -0500
Subject: [sudo-users] #includedir gives parse errors
In-Reply-To: (seph@directionless.org's message of "Fri, 20 Nov 2009 13:10:10 -0500")

And just to followup, I can reproduce this strange visudo behavior in my test files, but not with actual files. I closed the bug I opened as invalid, though I would request more resilience around this.

thanks and sorry for the confusion

seph

seph writes:

> I do, however, notice that if I run "visudo -c -f ..." it leaves behind
> an empty sudoers file in the included directory, which makes future
> calls die with parse errors.
>
> I suspect that sudo should be a bit more resilient to empty directories
> and empty files.
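The #includedir rule seph found in the manual, which is the usual reason a fragment "is not applied": names containing a '.' or ending in '~' (editor backups, package-manager leftovers) are skipped, and the remaining files are read in lexical order. The model below is an added example, not sudo's parser; the directory listing in it is constructed, and comment handling is simplified (a '#' line is treated as a comment, so the #include directives themselves are not modelled).

```python
"""Added example (not sudo's own code): which files an #includedir directory
contributes, in what order, and why a file was skipped."""


def includedir_files(names):
    """Names sudo would parse from an #includedir, in the order it reads them:
    no '.' anywhere in the name, no trailing '~', then lexical sort."""
    chosen = [n for n in names if "." not in n and not n.endswith("~")]
    return sorted(chosen)


def skipped_files(names):
    """Skipped names mapped to the reason, for chasing 'my rule is ignored'."""
    reasons = {}
    for n in names:
        if "." in n:
            reasons[n] = "name contains '.'"
        elif n.endswith("~"):
            reasons[n] = "name ends with '~'"
    return reasons


def expand_includedir(listing):
    """Flatten {filename: content} into (source file, rule line) pairs in parse
    order, so a rule that takes effect can be traced to the file that set it.
    Blank and '#' lines are dropped (simplification: #include directives are
    not modelled)."""
    lines = []
    for name in includedir_files(listing):
        for line in listing[name].splitlines():
            if line.strip() and not line.lstrip().startswith("#"):
                lines.append((name, line))
    return lines


# Constructed directory listing: two live fragments, a package-manager leftover,
# an editor backup and an empty README.
SUDOERS_D = {
    "10-admins": "%admin ALL=(ALL) ALL\n",
    "20-deploy": "# deployment account\ndeveloper ALL=(deploy) NOPASSWD: ALL\n",
    "20-deploy.dpkg-old": "developer ALL=(deploy) ALL\n",
    "30-monit~": "developer ALL=(root) NOPASSWD: /usr/sbin/monit\n",
    "README": "",
}


if __name__ == "__main__":
    for src, line in expand_includedir(SUDOERS_D):
        print(f"{src}: {line}")
    for name, why in skipped_files(SUDOERS_D).items():
        print(f"skipped {name}: {why}")
```

The monit rule never reaches sudo here because its file ends in '~', and the old deploy rule is ignored because of the '.' in .dpkg-old; the empty README is read and contributes nothing.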
From: seph at directionless.org (seph)
Date: Tue, 24 Nov 2009 11:37:49 -0500
Subject: [sudo-users] sudo 1.7.2p1 incorrect rule choices

I recently upgraded from sudo 1.6.9p10 (as packaged by ubuntu) to my own build of 1.7.2p1, and having done so, I'm now having some trouble. I have multiple rules defined in sudoers, and the new version seems to be picking the wrong rule to act on.

In this example, I have 2 classes of users -- sysadmins, and developers. They both have unfettered access to the deployment account, and the sysadmin additionally has full access to the machine. As the deployment stuff is scripted, it's all configured NOPASSWD.

The developer:

    developer at playpen-app1:~$ sudo -k
    developer at playpen-app1:~$ sudo -l
    Matching Defaults entries for developer on this host:
        env_reset, syslog=auth

    User developer may run the following commands on this host:
        (deploy) NOPASSWD: ALL
        (root) NOPASSWD: /usr/sbin/monit
    developer at playpen-app1:~$ sudo -u deploy hostname
    playpen-app1

But, when I try the same set:

    seph at playpen-app1:~$ sudo -k
    seph at playpen-app1:~$ sudo -l
    Matching Defaults entries for seph on this host:
        env_reset, syslog=auth

    User seph may run the following commands on this host:
        (deploy) NOPASSWD: ALL
        (root) NOPASSWD: /usr/sbin/monit
        (ALL) ALL
    seph at playpen-app1:~$ sudo -u deploy hostname
    [sudo] password for seph:
    playpen-app1

Any idea what's up?

seph
From: Todd.Miller at courtesan.com (Todd C. Miller)
Date: Tue, 24 Nov 2009 11:41:32 -0500
Subject: [sudo-users] sudo 1.7.2p1 incorrect rule choices
In-Reply-To: Your message of "Tue, 24 Nov 2009 11:37:49 EST."
Message-ID: <200911241641.nAOGfWZi001406@core.courtesan.com>

In message so spake seph (seph):

> But, when I try the same set:
>
> seph at playpen-app1:~$ sudo -k
> seph at playpen-app1:~$ sudo -l
> Matching Defaults entries for seph on this host:
>     env_reset, syslog=auth
>
> User seph may run the following commands on this host:
>     (deploy) NOPASSWD: ALL
>     (root) NOPASSWD: /usr/sbin/monit
>     (ALL) ALL
> seph at playpen-app1:~$ sudo -u deploy hostname
> [sudo] password for seph:
> playpen-app1

Sudo takes the last match so the:

    (ALL) ALL

line is what matches. Since that doesn't have NOPASSWD set you get prompted for a password.

 - todd

From: seph at directionless.org (seph)
Date: Tue, 24 Nov 2009 12:09:58 -0500
Subject: [sudo-users] sudo 1.7.2p1 incorrect rule choices
In-Reply-To: <200911241641.nAOGfWZi001406@core.courtesan.com> (Todd C. Miller's message of "Tue, 24 Nov 2009 11:41:32 -0500")
References: <200911241641.nAOGfWZi001406@core.courtesan.com>

"Todd C. Miller" writes:

> Sudo takes the last match so the:

Ah easy enough to work with. I can just change my rule order. It seems a little counterintuitive though. Does it make sense to prefer the NOPASSWD rules over the other ones?

seph
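The two matching behaviours that caught people out this month, as one added example that is not part of the thread and not sudo's own code: Todd's point that the last matching entry decides (so the NOPASSWD tag only helps when the tagged entry is the last match), and the exact-argument matching behind Marek's "sudo keeps asking for password" question, where the entry spells out "update /path/to/www/". The model assumes the command has already been resolved to an absolute path (sudo does that via PATH before matching, which is what Andreas's suggestion of typing /usr/bin/svn sidesteps) and ignores hosts, aliases and wildcards; the rule sets are reconstructed from the messages above.

```python
"""Toy model of sudoers entry matching: last match wins, NOPASSWD belongs to
the matching entry, and spelled-out arguments must match exactly.
Added example, not sudo's implementation."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    user: str                   # invoking user, or "ALL"
    runas: str                  # target user from the (runas) part, or "ALL"
    command: str                # absolute path, or "ALL"
    args: Optional[str] = None  # None: no arguments written, so any arguments match
    nopasswd: bool = False      # NOPASSWD: tag on this entry


def rule_matches(rule, user, runas, command, args):
    """Does one sudoers entry apply to this invocation?"""
    if rule.user not in ("ALL", user):
        return False
    if rule.runas not in ("ALL", runas):
        return False
    if rule.command == "ALL":
        return True
    if rule.command != command:
        return False
    # When the entry spells out arguments, the invocation's argument string
    # must match it exactly (wildcards are not modelled here).
    return rule.args is None or rule.args == args


def evaluate(rules, user, runas, command, args=""):
    """Return (allowed, password_required). Every entry is examined and the
    LAST one that matches decides, which is why entry order matters."""
    winner = None
    for rule in rules:
        if rule_matches(rule, user, runas, command, args):
            winner = rule
    if winner is None:
        return (False, None)
    return (True, not winner.nopasswd)


# seph's entries in the order "sudo -l" listed them (reconstructed from the thread).
SEPH_RULES = [
    Rule("seph", "deploy", "ALL", nopasswd=True),
    Rule("seph", "root", "/usr/sbin/monit", nopasswd=True),
    Rule("seph", "ALL", "ALL"),                      # the sysadmin catch-all
]
# Same entries with the catch-all first, so the NOPASSWD entry is the last match.
SEPH_REORDERED = [SEPH_RULES[2], SEPH_RULES[0], SEPH_RULES[1]]

# Marek's entry: the arguments are part of the command specification.
KILI_RULES = [
    Rule("nobody", "user1", "/usr/bin/svn", "update /path/to/www/", nopasswd=True),
]


if __name__ == "__main__":
    print(evaluate(SEPH_RULES, "seph", "deploy", "/bin/hostname"))      # (True, True)
    print(evaluate(SEPH_REORDERED, "seph", "deploy", "/bin/hostname"))  # (True, False)
    print(evaluate(KILI_RULES, "nobody", "user1", "/usr/bin/svn",
                   "update /path/to/www/"))                             # (True, False)
    print(evaluate(KILI_RULES, "nobody", "user1", "/usr/bin/svn",
                   "update /path/to/www"))                              # (False, None)
```

Note the consequence for review: a catch-all like (ALL) ALL placed after narrower NOPASSWD entries silently turns them back into password-prompting entries, while placing it first keeps the narrow entries effective; reading a sudoers file therefore means reading it bottom-up for the entry that will actually fire.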