From: rjh405 at gmail.com (Robert Hall)
Date: Wed, 7 Oct 2009 08:47:47 -0700
Subject: [sudo-users] Redirect permissions

Please pardon me if this is an ignorant question. Presumably if you execute
a fully-quoted command string in sudo and that string contains a redirect,
then the output will be able to overwrite a file that only allows root edit
perms.

E.g.:

$ sudo 'cat /tmp/myfile.txt > /etc/passwd'

Is there a configuration option to prevent a user with sudo permissions from
doing this? I haven't been able to locate one.

Thank you.

-- 
Bob


From: Todd.Miller at courtesan.com (Todd C. Miller)
Date: Wed, 07 Oct 2009 12:38:50 -0400
Subject: [sudo-users] Redirect permissions
In-Reply-To: Your message of "Wed, 07 Oct 2009 08:47:47 PDT."
Message-ID: <200910071638.n97Gco9n021593@core.courtesan.com>

In message so spake Robert Hall (rjh405):

> Please pardon me if this is an ignorant question. Presumably if you execute
> a fully-quoted command string in sudo and that string contains a redirect,
> then the output will be able to overwrite a file that only allows root edit
> perms.
>
> E.g.: $ sudo 'cat /tmp/myfile.txt > /etc/passwd'
>
> Is there a configuration option to prevent a user with sudo permissions from
> doing this? I haven't been able to locate one.

Redirection like this is handled by the shell before sudo is even
executed. If you wrap the command in a shell it will work, e.g.

$ sudo sh -c 'cat /tmp/myfile.txt > /etc/passwd'

But then of course the user must have access to run /bin/sh.

 - todd
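Todd's point is that the redirect happens in the caller's shell, so the only control sudo offers is which commands a rule permits: any rule that grants ALL, a shell, or su hands out the `sh -c '... > file'` route. The script below is an added example, not from the thread or the sudo project: a small audit that lists such grants in a sudoers file, expanding Cmnd_Alias names one level. It assumes the plain one-line sudoers syntax used in this thread (no backslash continuations); the function name and the sample sudoers file are constructed.

```sh
#!/bin/sh
# Added example (not from the sudo-users thread or the sudo project):
# audit a sudoers file for grants that reach a shell, since
# "sudo sh -c 'cmd > /etc/passwd'" works as soon as /bin/sh (or ALL) is
# permitted.  Assumes the plain one-line syntax used in the thread:
# no backslash continuations and no aliases nested inside aliases.

# sudoers_shell_grants FILE
# Prints "user runas command" for each user-spec command that resolves to
# ALL, a shell, or su.  Cmnd_Alias names are expanded one level; a missing
# (runas) means root, and a runas carries over to later commands on the
# same line.  User_Alias and Runas_Alias names are printed as written.
sudoers_shell_grants() {
    awk '
    function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
    function firstword(s,   a) { split(s, a, /[ \t]+/); return a[1] }
    function risky(c,   n, b) {
        if (c == "ALL" || c in shells) return 1
        n = split(c, b, "/")
        return b[n] == "su"
    }
    function check(u, r, c) { if (risky(c)) printf "%s %s %s\n", u, r, c }
    BEGIN {
        shells["/bin/sh"] = 1; shells["/bin/bash"] = 1; shells["/bin/ksh"] = 1
        shells["/bin/csh"] = 1; shells["/bin/zsh"] = 1
        split("", alias)
    }
    { sub(/#.*/, ""); $0 = trim($0); if ($0 == "") next }
    /^(Defaults|User_Alias|Runas_Alias|Host_Alias)/ { next }
    /^Cmnd_Alias/ {
        eq = index($0, "=")
        alias[trim(substr($0, 11, eq - 11))] = substr($0, eq + 1)
        next
    }
    index($0, "=") {
        eq = index($0, "=")
        user = firstword(trim(substr($0, 1, eq - 1)))
        runas = "root"
        n = split(substr($0, eq + 1), items, ",")
        for (i = 1; i <= n; i++) {
            it = trim(items[i])
            if (it ~ /^\(/) {                  # (runas) covers this and later commands
                p = index(it, ")")
                runas = trim(substr(it, 2, p - 2))
                it = trim(substr(it, p + 1))
            }
            sub(/^([A-Z_]+:[ \t]*)+/, "", it)  # drop NOPASSWD: and similar tags
            cmd = firstword(it)
            if (cmd in alias) {
                m = split(alias[cmd], ac, ",")
                for (j = 1; j <= m; j++) check(user, runas, firstword(trim(ac[j])))
            } else if (cmd != "") {
                check(user, runas, cmd)
            }
        }
    }' "$1"
}

# Constructed sample in the style of the rules discussed in this thread.
SAMPLE_SUDOERS=$(mktemp)
cat > "$SAMPLE_SUDOERS" <<'EOF'
Defaults env_reset
User_Alias TSTU = techie
Runas_Alias TSTA = operator
Cmnd_Alias TSTCMD = /usr/sbin/apachectl, /bin/sh
Cmnd_Alias SAFE = /usr/sbin/apachectl status, /bin/ls
%www ALL = (www) ALL, (root) /bin/su www
TSTU ALL = (root) TSTCMD, (TSTA) SAFE
bob ALL = NOPASSWD: /usr/sbin/apachectl, /bin/bash
EOF

sudoers_shell_grants "$SAMPLE_SUDOERS"
# prints:
# %www www ALL
# %www root /bin/su
# TSTU root /bin/sh
# bob root /bin/bash
```

Run it against a copy of the real file (`visudo -c -f` first if it was edited by hand); every line it prints is a place where the redirect question above has no sudoers-side answer.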
From: molnarb81 at hotmail.com (Balázs Molnár)
Date: Thu, 8 Oct 2009 11:46:18 +0200
Subject: [sudo-users] sudo -b

Hello

Is it possible to paste the sudo -b command in front of all commands
(without typing it)? E.g., can I use my .profile file for this?

Regards,
Balázs Molnár


From: somo at webon.net (somo)
Date: Mon, 19 Oct 2009 17:27:33 +0700
Subject: [sudo-users] error while saving file
Message-ID: <4ADC3F15.1000706@webon.net>

Hello there,

I have a problem saving the visudo file; I get some errors:

visudo: option `lecture' does not take a value on line 58
visudo: unknown defaults entry `lecture_file' referenced near line 59

line 58 : Defaults:SLACERS lecture=always
line 59 : Defaults:SLACERS lecture_file=/etc/mylecturefile

By the way, I have already created mylecturefile.

Linux version 2.6.24 (gcc version 3.3.2 (Mandrake Linux 10.0 3.3.2-6mdk))
Sudo version 1.6.7p5

Regards,
Panarat
From: Todd.Miller at courtesan.com (Todd C. Miller)
Date: Mon, 19 Oct 2009 09:42:14 -0400
Subject: [sudo-users] error while saving file
In-Reply-To: Your message of "Mon, 19 Oct 2009 17:27:33 +0700." <4ADC3F15.1000706@webon.net>
Message-ID: <200910191342.n9JDgE64006614@core.courtesan.com>

In message <4ADC3F15.1000706 at webon.net> so spake somo (somo):

> I have a problem saving the visudo file; I get some errors:
>
> visudo: option `lecture' does not take a value on line 58
> visudo: unknown defaults entry `lecture_file' referenced near line 59
>
> line 58 : Defaults:SLACERS lecture=always
> line 59 : Defaults:SLACERS lecture_file=/etc/mylecturefile
>
> By the way, I have already created mylecturefile.
> Linux version 2.6.24 (gcc version 3.3.2 (Mandrake Linux 10.0 3.3.2-6mdk))
> Sudo version 1.6.7p5

That is because Sudo version 1.6.7p5 doesn't support those options.
You need to be running at least sudo 1.6.8 to use that feature.

 - todd
From: tonysk8 at gmx.net (Tony G.)
Date: Mon, 19 Oct 2009 18:23:11 -0700
Subject: [sudo-users] sudo on LDAP running commands as multiple-users
Message-ID: <60ad930b0910191823s6b910b26gb298bf3189dfcd8c@mail.gmail.com>

Hi, I have sudo running on openldap and found that some more elaborate sudo
rules are probably not working as expected; wondering if any of you have
been able to solve this.

This is the rule I want to implement:

%www ALL = (www) ALL, (root) /bin/su www

On LDAP the entry is:

dn: cn=%www,ou=sudoers,dc=example,dc=com
cn: www
cn: %www
sudoHost: ALL
sudoUser: %www
objectClass: sudoRole
objectClass: top
sudoCommand: (root) /bin/su www
sudoCommand: (www) ALL

This rule does not work, but I'm able to mimic some functionality:

1st option, the (www) ALL:

sudoCommand: ALL
sudoRunAs: www

*But you are not able to switch to the www user.

2nd option, the (root) /bin/su www:

sudoCommand: /bin/su www
sudoRunAs: root

*But you are not able to run sudo as the www user.

I see that the (runas) COMMAND format is not working as I set:

sudoCommand: (root) /bin/su www
sudoRunAs:

And I'm not able to run /bin/su www.

Thanks for your help in advance.

-- 
Tony
From: techchavez at gmail.com (Techie)
Date: Tue, 20 Oct 2009 07:31:11 -0700
Subject: [sudo-users] Force sudo to source environment file before running a command.

Hello,

Is it possible to force sudo to source a user's environment file, or any
environment file, with "env_file" while running a command?

I have set a User_Alias, Runas_Alias, Cmnd_Alias, and user privilege for a
user as follows:

User_Alias TSTU = techie
Runas_Alias TSTA = operator
Cmnd_Alias TSTCMD =

TSTU ALL = (root) TSTCMD, (TSTA)

So all the commands defined in the TSTCMD Cmnd_Alias will be run as root.
However, for the commands run by the TSTA Runas_Alias, AKA the operator
user, I need to source an environment file. This file is a bash-style
environment file with statements like:

export FAVCOLOR=red
export DOG=boxer

Can I use the env_file parameter to accomplish this? If so, please provide
a syntax example. The manpage says it is possible but gives no example.

Thank you much.
From: edlinuxguru at gmail.com (Edward Capriolo)
Date: Tue, 20 Oct 2009 11:09:27 -0400
Subject: [sudo-users] sudo on LDAP running commands as multiple-users
In-Reply-To: <60ad930b0910191823s6b910b26gb298bf3189dfcd8c@mail.gmail.com>

On Mon, Oct 19, 2009 at 9:23 PM, Tony G. wrote:
> Hi, I have sudo running on openldap and found that some more elaborate sudo
> rules are probably not working as expected; wondering if any of you
> have been able to solve this.
>
> This is the rule I want to implement:
> %www ALL = (www) ALL, (root) /bin/su www
>
> On LDAP the entry is:
> dn: cn=%www,ou=sudoers,dc=example,dc=com
> cn: www
> cn: %www
> sudoHost: ALL
> sudoUser: %www
> objectClass: sudoRole
> objectClass: top
> sudoCommand: (root) /bin/su www
> sudoCommand: (www) ALL
>
> This rule does not work, but I'm able to mimic some functionality:
> 1st option, the (www) ALL:
> sudoCommand: ALL
> sudoRunAs: www
> *But you are not able to switch to the www user.
>
> 2nd option, the (root) /bin/su www:
> sudoCommand: /bin/su www
> sudoRunAs: root
> *But you are not able to run sudo as the www user.
>
> I see that the (runas) COMMAND format is not working as I set:
> sudoCommand: (root) /bin/su www
> sudoRunAs:
>
> And I'm not able to run /bin/su www.
>
> Thanks for your help in advance.
>
> --
> Tony
> ____________________________________________________________
> sudo-users mailing list
> For list information, options, or to unsubscribe, visit:
> http://www.sudo.ws/mailman/listinfo/sudo-users

Tony,

Your problem is you are not specifying the LDAP objects correctly. You
are going to need two objects in the end.

First, is www a user or is www a group?

If user:

sudoUser: www

If group:

sudoUser: %www

Secondly, your sudoCommand is wrong:

sudoCommand: (root) /bin/su www

Should be:

sudoCommand: /bin/su www
sudoRunAs: root

sudoRunAs: root is the default.

What you might want is this. This lets www run all commands with sudo:

dn: cn=www,ou=sudoers,dc=example,dc=com
cn: www
sudoHost: ALL
sudoUser: www
objectClass: sudoRole
objectClass: top
sudoCommand: ALL

Usually root has all sudo:

dn: cn=root,ou=sudoers,dc=example,dc=com
cn: root
sudoHost: ALL
sudoUser: root
objectClass: sudoRole
objectClass: top
sudoCommand: ALL

Good luck!
From: Todd.Miller at courtesan.com (Todd C. Miller)
Date: Tue, 20 Oct 2009 12:10:42 -0400
Subject: [sudo-users] Force sudo to source environment file before running a command.
In-Reply-To: Your message of "Tue, 20 Oct 2009 07:31:11 PDT."
Message-ID: <200910201610.n9KGAgKG015426@core.courtesan.com>

In message so spake Techie (techchavez):

> Is it possible to force sudo to source a user's environment file or any
> environment file with "env_file" while running a command?
> I have set a User_Alias, Runas_Alias, Cmnd_Alias, and user privilege
> for a user as follows:
>
> User_Alias TSTU = techie
> Runas_Alias TSTA = operator
> Cmnd_Alias TSTCMD =
>
> TSTU ALL = (root) TSTCMD, (TSTA)
>
> So all the commands defined in the TSTCMD Cmnd_Alias will be run as
> root. However, for the commands run by the TSTA Runas_Alias, AKA the
> operator user, I need to source an environment file. This file is a
> bash-style environment file with statements like:
>
> export FAVCOLOR=red
> export DOG=boxer
>
> Can I use the env_file parameter to accomplish this? If so, please
> provide a syntax example. The manpage says it is possible but gives
> no example.

If what you want is to have env_file apply to any command run as
TSTA, then this should do it:

Defaults>TSTA env_file=/path/to/env/file
TSTU ALL = (root) TSTCMD, (TSTA)

If you want to apply env_file to the commands themselves,
regardless of who they are running as:

Cmnd_Alias TSTACMD =
Defaults!TSTACMD env_file=/path/to/env/file

TSTU ALL = (root) TSTCMD, (TSTA) TSTACMD

In all cases you need to be running sudo 1.7.2 to support bash-style
environment files.

 - todd
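Todd's answers pin the feature to sudo versions: `export NAME=value` lines in an env_file need 1.7.2, and env_file itself only exists from 1.7.0 (as he notes further down this thread), so a `Defaults>TSTA env_file=...` line is only worth adding once the installed sudo is new enough for the file's syntax. The script below is an added example, not from the thread or the sudo project: given the first line of `sudo -V` (or an RPM name such as the one quoted later in this thread) and an env file, it works out which minimum applies and compares versions including the `pN` patch level. Function names and the two sample env files are constructed.

```sh
#!/bin/sh
# Added example (not from the sudo-users thread or the sudo project):
# decide whether an installed sudo can use a given env_file.  Per the
# thread, env_file exists from sudo 1.7.0 and "export NAME=value" lines
# are accepted from 1.7.2.  sudo reads the file itself rather than
# running it through a shell, so only assignment lines carry meaning.

# sudo_version_fields STRING
# Accepts "Sudo version 1.6.9p17", an RPM name such as
# "sudo-1.6.9p17-3.el5_3.1", or a bare "1.7.2p1" and prints
# "major minor patch plevel" with missing parts as 0.
sudo_version_fields() {
    printf '%s\n' "$1" |
        sed -e 's/^[Ss]udo version //' -e 's/^sudo-//' |
        awk -F'[.p]' '{ printf "%d %d %d %d\n", $1, $2, $3, $4 }'
}

# sudo_version_ge HAVE NEED  -> exit status 0 when HAVE >= NEED
sudo_version_ge() {
    set -- $(sudo_version_fields "$1") $(sudo_version_fields "$2")
    [ "$1" -ne "$5" ] && { [ "$1" -gt "$5" ]; return; }
    [ "$2" -ne "$6" ] && { [ "$2" -gt "$6" ]; return; }
    [ "$3" -ne "$7" ] && { [ "$3" -gt "$7" ]; return; }
    [ "$4" -ge "$8" ]
}

# env_file_min_sudo FILE -> prints the minimum sudo version the file needs
env_file_min_sudo() {
    if grep -q '^[[:space:]]*export[[:space:]]' "$1"; then
        echo 1.7.2
    else
        echo 1.7.0
    fi
}

# env_file_odd_lines FILE -> lines that are neither blank, comments, nor
# NAME=value / export NAME=value, i.e. lines sudo cannot read as variables
env_file_odd_lines() {
    grep -nvE '^[[:space:]]*(#|$)|^[[:space:]]*(export[[:space:]]+)?[A-Za-z_][A-Za-z0-9_]*=' "$1" || :
}

# env_file_check SUDO_V_LINE FILE -> "ok"/"too old" message, status 0/1
env_file_check() {
    need=$(env_file_min_sudo "$2")
    if sudo_version_ge "$1" "$need"; then
        echo "ok: '$1' can use $2 (needs sudo $need)"
    else
        echo "too old: '$1' cannot use $2 (needs sudo $need)"
        return 1
    fi
}

# Constructed samples: the bash-style file from the thread and a Bourne-style
# one with a line sudo will not understand.
BASH_STYLE_ENV=$(mktemp)
BOURNE_STYLE_ENV=$(mktemp)
printf 'export FAVCOLOR=red\nexport DOG=boxer\n' > "$BASH_STYLE_ENV"
printf '# plain Bourne assignments\nFAVCOLOR=red\nDOG=boxer\nsource /etc/profile\n' > "$BOURNE_STYLE_ENV"

for v in "Sudo version 1.6.8" "Sudo version 1.7.0" "Sudo version 1.7.2p1"; do
    env_file_check "$v" "$BASH_STYLE_ENV" || :
    env_file_check "$v" "$BOURNE_STYLE_ENV" || :
done
env_file_odd_lines "$BOURNE_STYLE_ENV"    # reports the "source ..." line
```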
From: tonysk8 at gmx.net (Tony G.)
Date: Tue, 20 Oct 2009 11:12:07 -0700
Subject: [sudo-users] sudo on LDAP running commands as multiple-users
Message-ID: <60ad930b0910201112u322bbe09uc01a14f195f78cfe@mail.gmail.com>

Thanks for the responses. I should define the contents of the rule:

%www ALL = (www) ALL, (root) /bin/su www

www is a local user on the target host; %www is an LDAP group:

dn: cn=www,ou=group,dc=example,dc=com
objectClass: posixGroup
gidNumber: 1001
cn: www
memberUid: foo
memberUid: bar

So this is what I did to solve this; I needed to add two objects as you
suggested:

1st object, solves the (www) ALL and is applied to the www group:

dn: cn=www,ou=sudoers,dc=example, dc=com
cn: www
sudoHost: ALL
sudoUser: %www
objectClass: sudoRole
objectClass: top
sudoCommand: ALL

2nd object, solves (root) /bin/su www:

dn: cn=su_www,ou=sudoers,dc=example, dc=com
cn: su_www
sudoHost: ALL
sudoUser: %www
objectClass: sudoRole
objectClass: top
sudoCommand: /bin/su - www

Bottom line, I can see the format "(RunAs) COMMAND" does not work in the
same way as local sudoers, as it seems that LDAP constructs it from two
objects: "(sudoRunAs) sudoCommand". What a more elaborate rule in local
sudoers can do in one line takes two objects on sudo-LDAP.

Thanks all for your help.

-- 
Tony
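Tony's conclusion is that sudo-ldap of this vintage builds each grant from a sudoRole's sudoRunAs (root when absent) combined with its sudoCommand values, so a "(runas) command" prefix inside sudoCommand is not parsed the way sudoers parses it. The script below is an added example, not from the thread or the sudo project: it flattens the sudoRole entries of an LDIF export into the grants they yield and flags sudoCommand values that carry such a prefix, so a directory can be reviewed before it is trusted. It assumes "attr: value" LDIF with optional single-space folding and no base64 values; the function names are mine and the LDIF sample is constructed from the entries posted in this thread.

```sh
#!/bin/sh
# Added example (not from the sudo-users thread or the sudo project):
# flatten the sudoRole entries in an LDIF export into the grants sudo-ldap
# builds from them: sudoUser x sudoRunAs (root when absent) x sudoCommand.
# A "(runas)" prefix inside sudoCommand is flagged, since the thread found
# that sudo-ldap does not honour it the way sudoers does.
# Assumes "attr: value" LDIF, optional single-space line folding, and no
# base64 ("attr:: value") values.

# ldif_sudo_grants FILE
# One line per grant, "cn sudoUser runas command status", status being
# "ok" or "PAREN-PREFIX".  Non-sudoRole entries are skipped; the first cn
# value names the entry and the last sudoRunAs value wins.
ldif_sudo_grants() {
    # stage 1 undoes LDIF folding (continuation lines start with one space);
    # stage 2 collects each entry and emits its grants at the entry's end.
    awk '
    /^ / { buf = buf substr($0, 2); next }
    { if (NR > 1) print buf; buf = $0 }
    END { print buf }' "$1" |
    awk '
    function reset() {
        cn = ""; runas = ""; is_role = 0; nu = 0; nc = 0
        split("", users); split("", cmds)
    }
    function emit(   i, j, st) {
        if (is_role) {
            if (runas == "") runas = "root"
            for (i = 1; i <= nu; i++)
                for (j = 1; j <= nc; j++) {
                    st = (cmds[j] ~ /^\(/) ? "PAREN-PREFIX" : "ok"
                    printf "%s %s %s %s %s\n", cn, users[i], runas, cmds[j], st
                }
        }
        reset()
    }
    BEGIN { reset() }
    /^$/ { emit(); next }
    /^#/ { next }
    {
        sep = index($0, ":"); if (sep == 0) next
        attr = substr($0, 1, sep - 1); val = substr($0, sep + 1)
        sub(/^[ \t]+/, "", val); sub(/[ \t]+$/, "", val)
        if (attr == "cn" && cn == "") cn = val
        else if (attr == "objectClass" && val == "sudoRole") is_role = 1
        else if (attr == "sudoUser") users[++nu] = val
        else if (attr == "sudoRunAs") runas = val
        else if (attr == "sudoCommand") cmds[++nc] = val
    }
    END { emit() }'
}

# ldif_sudo_lint FILE -> one advisory line per sudoCommand with a "(runas)" prefix
ldif_sudo_lint() {
    ldif_sudo_grants "$1" | awk '
    $NF == "PAREN-PREFIX" {
        cmd = $4
        for (i = 5; i < NF; i++) cmd = cmd " " $i
        printf "%s: sudoCommand \"%s\": put the runas user in sudoRunAs of its own sudoRole\n", $1, cmd
    }'
}

# Constructed sample modelled on the entries posted in this thread, plus a
# folded sudoCommand and a non-sudoRole entry to show both are handled.
SAMPLE_LDIF=$(mktemp)
cat > "$SAMPLE_LDIF" <<'EOF'
dn: cn=%www,ou=sudoers,dc=example,dc=com
cn: www
cn: %www
objectClass: sudoRole
objectClass: top
sudoHost: ALL
sudoUser: %www
sudoCommand: (root) /bin/su www
sudoCommand: (www) ALL

dn: cn=su_www,ou=sudoers,dc=example,dc=com
cn: su_www
objectClass: sudoRole
objectClass: top
sudoHost: ALL
sudoUser: %www
sudoRunAs: root
sudoCommand: /bin/su - www

dn: cn=web_ops,ou=sudoers,dc=example,dc=com
cn: web_ops
objectClass: sudoRole
objectClass: top
sudoHost: ALL
sudoUser: %www
sudoRunAs: www
sudoCommand: /usr/sbin/apachectl
  graceful

dn: cn=www,ou=group,dc=example,dc=com
objectClass: posixGroup
cn: www
memberUid: foo
EOF

ldif_sudo_grants "$SAMPLE_LDIF"
ldif_sudo_lint "$SAMPLE_LDIF"
```

Feed it the output of `ldapsearch -LLL` against the sudoers base; a PAREN-PREFIX line marks a role whose runas user is silently ignored and therefore grants something other than what the rule reads as.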
From: techchavez at gmail.com (Techie)
Date: Tue, 20 Oct 2009 11:51:03 -0700
Subject: [sudo-users] Force sudo to source environment file before running a command.
In-Reply-To: <200910201610.n9KGAgKG015426@core.courtesan.com>

Thanks for the information. When you say bash-style environment files I
assume you are referencing my prefixing variable statements with "export".
If that is the case, will Bourne shell style statements work inside
environment files, such as:

FAVCOLOR=red
DOG=boxer

I am using RHEL and the latest RPM is for 1.6.9, and currently I am on
1.6.8. So if I can use environment files with 1.6.8 and Bourne style, that
is acceptable.

Thanks again


From: jhamilton at simulexinc.com (Jason Hamilton)
Date: Tue, 20 Oct 2009 14:17:07 -0400
Subject: [sudo-users] cannot sudo after short time - ldap/nis configuration
Message-ID: <4ADDFEA3.3070103@simulexinc.com>

Hi all,

I've not been very successful finding a fix for this on Google, so any
help is appreciated.

Running CentOS 5, with sudo "sudo-1.6.9p17-3.el5_3.1". The system is
configured with ldap/nis and sudoers_base is also configured through
LDAP. Everything works great upon initial login, I can 'sudo' whatever
and it works - then a little while later - maybe 5 minutes, I get:

me at foo:[12:03:36 PM]~$ sudo ls
sudo: uid 1000 does not exist in the passwd file!
me at foo:[12:04:25 PM]~$

Now, if I run "getent passwd me" the system looks at LDAP, gives me the
user data, and then sudo works again.

I'm running nscd on the system and it appears to be working properly. Is
there something that I'm missing? I don't really want to run 'getent' in
a cron or some other hinky workaround.

Thanks for any tips.
From: Todd.Miller at courtesan.com (Todd C. Miller)
Date: Tue, 20 Oct 2009 15:32:40 -0400
Subject: [sudo-users] Force sudo to source environment file before running a command.
In-Reply-To: Your message of "Tue, 20 Oct 2009 11:51:03 PDT."
Message-ID: <200910201932.n9KJWeBE013267@core.courtesan.com>

In message so spake Techie (techchavez):

> Thanks for the information. When you say bash-style environment files
> I assume you are referencing my prefixing variable statements with
> "export".

Yes.

> If that is the case, will Bourne shell style statements work inside
> environment files, such as:
>
> FAVCOLOR=red
> DOG=boxer
>
> I am using RHEL and the latest RPM is for 1.6.9, and currently I am on
> 1.6.8. So if I can use environment files with 1.6.8 and Bourne style,
> that is acceptable.

Unfortunately, env_file was introduced in sudo 1.7.0 so 1.6.9 is still
too old.

 - todd


From: Todd.Miller at courtesan.com (Todd C. Miller)
Date: Tue, 20 Oct 2009 15:42:31 -0400
Subject: [sudo-users] cannot sudo after short time - ldap/nis configuration
In-Reply-To: Your message of "Tue, 20 Oct 2009 14:17:07 EDT." <4ADDFEA3.3070103@simulexinc.com>
Message-ID: <200910201942.n9KJgVtA002537@core.courtesan.com>

Does this still happen if you kill the nscd process?

 - todd
From: jhamilton at simulexinc.com (Jason Hamilton)
Date: Tue, 20 Oct 2009 15:43:11 -0400
Subject: [sudo-users] cannot sudo after short time - ldap/nis configuration
In-Reply-To: <200910201942.n9KJgVtA002537@core.courtesan.com>
Message-ID: <4ADE12CF.9010601@simulexinc.com>

If I kill nscd then I can't even ssh into the box :-)

-Jason

Todd C. Miller wrote:
> Does this still happen if you kill the nscd process?
>
> - todd


From: Todd.Miller at courtesan.com (Todd C. Miller)
Date: Tue, 20 Oct 2009 18:20:31 -0400
Subject: [sudo-users] cannot sudo after short time - ldap/nis configuration
In-Reply-To: Your message of "Tue, 20 Oct 2009 15:43:11 EDT." <4ADE12CF.9010601@simulexinc.com>
Message-ID: <200910202220.n9KMKVXY032510@core.courtesan.com>

In message <4ADE12CF.9010601 at simulexinc.com> so spake Jason Hamilton (jhamilton):

> If I kill nscd then I can't even ssh into the box :-)

Doh. I wouldn't have expected that; things should work OK w/o the
caching.

 - todd
From: edlinuxguru at gmail.com (Edward Capriolo)
Date: Tue, 20 Oct 2009 18:27:52 -0400
Subject: [sudo-users] cannot sudo after short time - ldap/nis configuration
In-Reply-To: <200910202220.n9KMKVXY032510@core.courtesan.com>

On Tue, Oct 20, 2009 at 6:20 PM, Todd C. Miller wrote:
> In message <4ADE12CF.9010601 at simulexinc.com>
>         so spake Jason Hamilton (jhamilton):
>
>> If I kill nscd then I can't even ssh into the box :-)
>
> Doh. I wouldn't have expected that; things should work OK w/o the
> caching.
>
>  - todd

Actually, not having nscd can be a huge problem. Once you go the LDAP
route several system calls in libc rely on it. If you have nscd off, each
time a file owned by an LDAP user is 'stat'ed the system will do LDAP
lookups (this is implementation dependent).

Worst-case scenario: say a file in your web directory gets owned by an
LDAP user. Each hit to that file ends up doing a 'stat', each stat does a
lookup = big trouble.
From: jason at meanasspenguin.org (Jason Hamilton)
Date: Tue, 20 Oct 2009 12:07:15 -0400
Subject: [sudo-users] cannot sudo after short time - ldap/nis configuration
Message-ID: <4ADDE033.7030200@meanasspenguin.org>

Hi all,

I've not been very successful finding a fix for this on Google, so any
help is appreciated.

Running CentOS 5, with sudo "sudo-1.6.9p17-3.el5_3.1". The system is
configured with ldap/nis and sudoers_base is also configured through
LDAP. Everything works great upon initial login, I can 'sudo' whatever
and it works - then a little while later - maybe 5 minutes, I get:

me at foo:[12:03:36 PM]~$ sudo ls
sudo: uid 1000 does not exist in the passwd file!
me at foo:[12:04:25 PM]~$

Now, if I run "getent passwd me" the system looks at LDAP, gives me the
user data, and then sudo works again.

I'm running nscd on the system and it appears to be working properly. Is
there something that I'm missing? I don't really want to run 'getent' in
a cron or some other hinky workaround.

Thanks for any tips.

-- 
-Jason


From: Todd.Miller at courtesan.com (Todd C. Miller)
Date: Wed, 21 Oct 2009 09:36:12 -0400
Subject: [sudo-users] cannot sudo after short time - ldap/nis configuration
In-Reply-To: Your message of "Tue, 20 Oct 2009 15:43:11 EDT." <4ADE12CF.9010601@simulexinc.com>
Message-ID: <200910211336.n9LDaCaw032660@core.courtesan.com>

I still suspect nscd is involved here, simply because sudo doesn't
do anything fancy with passwd lookups. In this case it is doing
getpwuid(getuid()).

You could try configuring nscd.conf to log debug information and
see if it is caching a negative response for the user in question.

 - todd
From: edlinuxguru at gmail.com (Edward Capriolo)
Date: Wed, 21 Oct 2009 09:48:58 -0400
Subject: [sudo-users] cannot sudo after short time - ldap/nis configuration
In-Reply-To: <200910211336.n9LDaCaw032660@core.courtesan.com>

I would suggest including your /etc/ldap.conf, /etc/nsswitch.conf,
relevant pam.conf as well as any others you have configured.

Your subject is ldap/nis. Are you using both LDAP & NIS? That would be
strange and could be causing your nscd problems, since conflicts can
confuse the cache.

On Wed, Oct 21, 2009 at 9:36 AM, Todd C. Miller wrote:
> I still suspect nscd is involved here, simply because sudo doesn't
> do anything fancy with passwd lookups. In this case it is doing
> getpwuid(getuid()).
>
> You could try configuring nscd.conf to log debug information and
> see if it is caching a negative response for the user in question.
>
>  - todd
From: tonysk8 at gmx.net (Tony G.)
Date: Wed, 21 Oct 2009 09:19:10 -0700
Subject: [sudo-users] cannot sudo after short time - ldap/nis configuration
In-Reply-To: <4ADDE033.7030200@meanasspenguin.org>
Message-ID: <60ad930b0910210919u12f04d57m6d5308cf0d36a692@mail.gmail.com>

Have you tried to log in and run sudo with nscd turned off? nscd can be a
nightmare or can be really helpful; try to verify it working without nscd
first.

Do you have sudoers in nsswitch.conf?

-- 
Tony
From: radesh_singh at ml.com (Singh, Radesh (GTS))
Date: Wed, 21 Oct 2009 12:34:09 -0400
Subject: [sudo-users] cannot sudo after short time - ldap/nis configuration
In-Reply-To: <60ad930b0910210919u12f04d57m6d5308cf0d36a692@mail.gmail.com>
Message-ID: <1F083E3510811D4B82611186F74DB1C103FA91C0@MLNYA20MB010.amrs.win.ml.com>

Jason,

The instances where I've seen this type of thing occur were with AD users
on systems using winbind. We had to run getent to refresh the cache and
keep things working fine. In those cases, we upgraded winbind and saw the
issue go away. It's been many moons, so I don't remember the version of
winbind or samba, but just a thought...

Shawn

"...it is a gross language, one in which all sorts of sacrilege are
committed" - Shawn Singh commenting on vbscript
____________________________________________________________
sudo-users mailing list
For list information, options, or to unsubscribe, visit:
http://www.sudo.ws/mailman/listinfo/sudo-users
From: niall.downie at aspectcapital.com (Niall Downie)
Date: Thu, 29 Oct 2009 11:12:56 -0000
Subject: [sudo-users] #includedir gives parse error
Message-ID: <49CFB29F32482C4D858FC49E63BC52B21620D9@p-wig-hw05.aspectcapital.com>

Hi

I've just built 1.7.2p1 on CentOS 5.1 with no issues. I gave no extra
configure options, accepting all defaults. I have done this so I can use
the #includedir config. However, I can't get it working. Here is my config:

# sudo -V|head
Sudo version 1.7.2p1

# find /etc/sudoers* -ls
1090745 12 -r--r----- 1 root root 5691 Oct 28 15:29 /etc/sudoers
1474644 8 drwxr-xr-x 2 root root 4096 Oct 28 15:29 /etc/sudoers.d
1474621 8 -r--r----- 1 root root 57 Oct 28 15:24 /etc/sudoers.d/repo.conf

/etc/sudoers includes:

#includedir /etc/sudoers.d

# sudo -l
sudo: parse error in /etc/sudoers near line 10
sudo: no valid sudoers sources found, quitting

This all works just fine when I change the #includedir to just #include
the second file; /etc/sudoers then includes:

#include /etc/sudoers.d/repo.conf

Can't find any similar problems, no bugs, no config options to switch
includedir on. Any ideas?

Thanks

Niall Downie
From: Todd.Miller at courtesan.com (Todd C. Miller)
Date: Thu, 29 Oct 2009 10:20:10 -0400
Subject: [sudo-users] #includedir gives parse error
In-Reply-To: Your message of "Thu, 29 Oct 2009 11:12:56 -0000." <49CFB29F32482C4D858FC49E63BC52B21620D9@p-wig-hw05.aspectcapital.com>
References: <49CFB29F32482C4D858FC49E63BC52B21620D9@p-wig-hw05.aspectcapital.com>
Message-ID: <200910291420.n9TEKAxG020263@core.courtesan.com>

Looks like a bug.  For a workaround try:

#include "/etc/sudoers.d/repo.conf"

- todd
From: Todd.Miller at courtesan.com (Todd C. Miller)
Date: Thu, 29 Oct 2009 10:28:34 -0400
Subject: [sudo-users] #includedir gives parse error
In-Reply-To: Your message of "Thu, 29 Oct 2009 10:20:10 EDT."
References: <49CFB29F32482C4D858FC49E63BC52B21620D9@p-wig-hw05.aspectcapital.com>
Message-ID: <200910291428.n9TESY7H015842@core.courtesan.com>

> Looks like a bug.  For a workaround try:
>
> #include "/etc/sudoers.d/repo.conf"

Sorry, that will just cause the line to be treated as a comment.

- todd

From: niall.downie at aspectcapital.com (Niall Downie)
Date: Thu, 29 Oct 2009 14:34:34 -0000
Subject: [sudo-users] #includedir gives parse error
In-Reply-To: <200910291428.n9TESY7H015842@core.courtesan.com>
References: <49CFB29F32482C4D858FC49E63BC52B21620D9@p-wig-hw05.aspectcapital.com> <200910291428.n9TESY7H015842@core.courtesan.com>
Message-ID: <49CFB29F32482C4D858FC49E63BC52B21620DE@p-wig-hw05.aspectcapital.com>

http://www.sudo.ws/sudo/man/sudoers.html#including_other_files_from_within_sudoers

" It is possible to include other sudoers files from within the sudoers
file currently being parsed using the #include and #includedir
directives. "
From: Todd.Miller at courtesan.com (Todd C. Miller)
Date: Thu, 29 Oct 2009 10:41:22 -0400
Subject: [sudo-users] #includedir gives parse error
In-Reply-To: Your message of "Thu, 29 Oct 2009 11:12:56 -0000." <49CFB29F32482C4D858FC49E63BC52B21620D9@p-wig-hw05.aspectcapital.com>
References: <49CFB29F32482C4D858FC49E63BC52B21620D9@p-wig-hw05.aspectcapital.com>
Message-ID: <200910291441.n9TEfMmm016438@core.courtesan.com>

Do you get anything useful from either:

# visudo -c -f /etc/sudoers
# visudo -c -f /etc/sudoers.d/repo.conf

Sudo will fail to parse an empty includedir, which is a bug but doesn't
seem to be what you are hitting.  I don't see a problem here as long as
the dir exists and has at least one file in it.

- todd

From: niall.downie at aspectcapital.com (Niall Downie)
Date: Thu, 29 Oct 2009 15:10:45 -0000
Subject: [sudo-users] #includedir gives parse error
In-Reply-To: <200910291420.n9TEKAxG020263@core.courtesan.com>
References: <49CFB29F32482C4D858FC49E63BC52B21620D9@p-wig-hw05.aspectcapital.com> <200910291420.n9TEKAxG020263@core.courtesan.com>
Message-ID: <49CFB29F32482C4D858FC49E63BC52B21620E0@p-wig-hw05.aspectcapital.com>

Todd

Thanks for the help here. It's the #includedir I'm having a problem
with, not #include. These are my recent results:

1.
#include /etc/sudoers.d/niall.conf
## #includedir /etc/sudoers.d

Syntax parsed OK
Sudo works

2.
# include /etc/sudoers.d/niall.conf
#includedir /etc/sudoers.d

# visudo -c -f /etc/sudoers
parse error in /etc/sudoers near line 10 (includedir is line 11)

3.
# include /etc/sudoers.d/niall.conf
#includedir "/etc/sudoers.d"

Syntax parsed OK
Sudo FAILS to read niall.conf

Ta
Niall
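An added example, not code from the sudo project or from anyone in this thread: a pre-flight for a #includedir drop-in directory. sudoers(5) for this release documents that sudo skips any file in an include directory whose name contains a '.' or ends in '~', so that editor backups and package-manager leftovers are never parsed; a directory holding only repo.conf or niall.conf is therefore, to sudo, empty, and Todd notes above that an empty include directory fails to parse. The script lists what sudo would actually read, refuses an effectively empty directory, and checks each fragment for the root ownership and 0440 mode sudo demands of any sudoers file, running visudo -c -f on it when visudo is installed. The directory and file names in the usage line are placeholders.

```shell
#!/bin/sh
# includedir_preflight.sh -- added example, not part of the sudo
# project or of this thread.  Emulates which files a "#includedir DIR"
# line will actually read and checks them the way sudo will before
# they are trusted.  Paths in the usage line are placeholders.
set -u

# Print, in sorted order, the fragment names in DIR that sudo parses.
# sudoers(5): names containing a '.' or ending in '~' are skipped so
# that editor backups and package-manager leftovers are never read.
includedir_candidates() {
    dir=$1
    for f in "$dir"/*; do          # the glob sorts lexically, as sudo does
        [ -f "$f" ] || continue
        name=${f##*/}
        case $name in
            *.*|*~) continue ;;    # ignored by sudo
        esac
        printf '%s\n' "$name"
    done
}

# Succeed only if DIR contributes at least one fragment.  The thread
# notes that this sudo version fails to parse an empty include dir,
# so a directory full of *.conf files is a trap, not a no-op.
includedir_nonempty() {
    [ -n "$(includedir_candidates "$1")" ]
}

# Check one fragment the way sudo does: root-owned, mode 0440, and
# syntactically valid (visudo -c -f, when visudo is installed).
# Prints the first problem and returns 1; returns 0 when usable.
sudoers_file_check() {
    f=$1
    if [ -z "$(find "$f" -perm 0440 -print 2>/dev/null)" ]; then
        echo "$f: mode is not 0440"
        return 1
    fi
    if [ -z "$(find "$f" -user root -print 2>/dev/null)" ]; then
        echo "$f: not owned by root"
        return 1
    fi
    if command -v visudo >/dev/null 2>&1; then
        visudo -c -f "$f" >/dev/null 2>&1 || {
            echo "$f: syntax error (see visudo -c -f $f)"
            return 1
        }
    fi
    return 0
}

# Whole-directory pre-flight; returns non-zero on any problem.
# Fragment names are assumed to contain no whitespace.
includedir_check() {
    dir=$1
    rc=0
    if ! includedir_nonempty "$dir"; then
        echo "$dir: nothing here will be parsed (names with '.' or '~' are skipped)"
        return 1
    fi
    for name in $(includedir_candidates "$dir"); do
        sudoers_file_check "$dir/$name" || rc=1
    done
    return $rc
}

# Usage (as root): includedir_check /etc/sudoers.d
```

Run it as root against the real directory before touching /etc/sudoers; a skipped name is the first thing to look for when #includedir appears to do nothing while #include of the same file works.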
From: ron2 at cin.ufpe.br (Rilson Nascimento)
Date: Thu, 29 Oct 2009 14:23:20 -0300
Subject: [sudo-users] non-root user needs to clear OS cache
Message-ID: <73b6930910291023o63d88809u2de2b63113382848@mail.gmail.com>

Hi there,

the non-root user needs to run something like
"echo 1 > /proc/sys/vm/drop_caches" to clear the OS cache.

What would be the minimal permissions in sudoers to enable the non-root
user to do that?

Thanks,
-Ron2

From: Todd.Miller at courtesan.com (Todd C. Miller)
Date: Fri, 30 Oct 2009 09:58:38 -0400
Subject: [sudo-users] non-root user needs to clear OS cache
In-Reply-To: Your message of "Thu, 29 Oct 2009 14:23:20 -0300." <73b6930910291023o63d88809u2de2b63113382848@mail.gmail.com>
References: <73b6930910291023o63d88809u2de2b63113382848@mail.gmail.com>
Message-ID: <200910301358.n9UDwcgR020522@core.courtesan.com>

In message <73b6930910291023o63d88809u2de2b63113382848@mail.gmail.com>
  so spake Rilson Nascimento (ron2):

> the non-root user needs to run something like
> "echo 1 > /proc/sys/vm/drop_caches" to clear the OS cache.
>
> What would be the minimal permissions in sudoers to enable the
> non-root user to do that?

The easiest thing is to make a simple script that does this and give
the user sudo access to that script.

- todd
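An added example of the approach Todd suggests, not code from the sudo project or from the thread: a single-purpose wrapper around the drop_caches write, plus the sudoers rule that grants that wrapper and nothing else. Granting sh -c, or a shell redirection, would let the account write any file as root; a root-owned, non-writable script with a hard-coded target path and a validated argument confines the privilege to that one procfs write. The install path /usr/local/sbin/drop_caches and the account name ron2 are assumptions; the "" argument in the sudoers line is the documented way to allow a command only with no arguments, and [123] is an ordinary sudoers wildcard limiting the single argument to 1, 2 or 3.

```shell
#!/bin/sh
# /usr/local/sbin/drop_caches -- added example wrapper, not from the
# sudo project or from this thread.  Install root-owned, mode 0755,
# and grant it in sudoers instead of a shell or a bare echo, e.g.:
#
#   ron2 ALL = (root) /usr/local/sbin/drop_caches "", \
#                     /usr/local/sbin/drop_caches [123]
#
# The "" form permits the command with no arguments at all; the [123]
# wildcard permits exactly one argument that is 1, 2 or 3.  The user
# name and install path are assumptions for the example.
set -u
PATH=/usr/sbin:/usr/bin:/sbin:/bin    # do not trust the caller's PATH
TARGET=/proc/sys/vm/drop_caches       # the only file this script writes
SELF=/usr/local/sbin/drop_caches      # assumed install location

# Accept only the three values the kernel defines (1 = page cache,
# 2 = dentries and inodes, 3 = both).  Anything else, including a
# string like "1 > /etc/passwd", is rejected before any write.
validate_level() {
    case $1 in
        1|2|3) return 0 ;;
        *)     return 1 ;;
    esac
}

# Refuse to run from an install location the delegated user could
# edit: a group- or world-writable wrapper is a root shell in waiting.
wrapper_is_safe() {
    f=$1
    [ -f "$f" ] &&
    [ -z "$(find "$f" \( -perm -020 -o -perm -002 \) -print 2>/dev/null)" ]
}

# Emit the sudoers line for a given account, for pasting into visudo;
# kept next to the wrapper so rule and script cannot drift apart.
sudoers_rule() {
    printf '%s ALL = (root) %s "", %s [123]\n' "$1" "$SELF" "$SELF"
}

# Main entry: exit 2 on bad usage, 1 when not root or unsafe, 0 on success.
drop_caches_main() {
    level=${1:-1}
    if ! validate_level "$level"; then
        echo "usage: ${0##*/} [1|2|3]" >&2
        return 2
    fi
    if [ "$(id -u)" -ne 0 ]; then
        echo "${0##*/}: must be run as root (via sudo)" >&2
        return 1
    fi
    if ! wrapper_is_safe "$SELF"; then
        echo "${0##*/}: refusing to run, $SELF is missing or writable by others" >&2
        return 1
    fi
    sync                               # drop_caches only discards clean pages
    printf '%s\n' "$level" > "$TARGET"
}

# Only act when executed as the installed wrapper, so this file can be
# sourced for testing without touching /proc.
case ${0##*/} in
    drop_caches) drop_caches_main "$@" ;;
esac
```

Install it with root ownership and mode 0755, add the rule through visudo, and the user runs sudo /usr/local/sbin/drop_caches (optionally with 2 or 3). Because the script writes nothing but the fixed target and exits before the write on any unexpected argument, a mistake in the rule costs a cache flush, not root.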
From: jeff at sdsc.edu (Jeff Makey)
Date: Fri, 30 Oct 2009 15:18:44 -0700
Subject: [sudo-users] Debugging a sudo segmentation fault
Message-ID: <200910302218.n9UMIid7011752@darwin.sdsc.edu>

With my own compiled version of sudo-1.7.2p1 on a 64-bit Red Hat
Enterprise Linux 4 system, I get a segmentation fault following the
second attempt to enter my password:

% sudo -K
% sudo id
Password for jeff/sudo@SDSC.EDU: [incorrect password]
Sorry, try again.
Password for jeff/sudo@SDSC.EDU: [any password]
Segmentation fault

This does not happen on 32-bit systems, and it always works normally
when the password is correct the first time:

% sudo -K
% sudo id
Password for jeff/sudo@SDSC.EDU: [correct password]
uid=0(root) gid=0(root)

We are using Kerberos 5 authentication with a modification to append
"/sudo" to the principal name.  This allows users to have a different
password for sudo.

My question is: how can I use gdb to debug this?  I can run gdb as
root, but when sudo runs as root (even with SUDO_USER=jeff in the
environment) it does not ask for a password.  Is there an easy way to
hack sudo to make it ask for the user password when run as root?

                        :: Jeff Makey
                           jeff at sdsc.edu
From: Todd.Miller at courtesan.com (Todd C. Miller)
Date: Fri, 30 Oct 2009 18:32:00 -0400
Subject: [sudo-users] Debugging a sudo segmentation fault
In-Reply-To: Your message of "Fri, 30 Oct 2009 15:18:44 PDT." <200910302218.n9UMIid7011752@darwin.sdsc.edu>
References: <200910302218.n9UMIid7011752@darwin.sdsc.edu>
Message-ID: <200910302232.n9UMW0ut004284@core.courtesan.com>

In message <200910302218.n9UMIid7011752@darwin.sdsc.edu>
  so spake Jeff Makey (jeff):

> My question is: how can I use gdb to debug this?  I can run gdb as
> root, but when sudo runs as root (even with SUDO_USER=jeff in the
> environment) it does not ask for a password.  Is there an easy way to
> hack sudo to make it ask for the user password when run as root?

In the check_user() function in check.c comment out the following:

    if (user_uid == 0 || user_uid == runas_pw->pw_uid || user_is_exempt())
        return;

then sudo will prompt for the password even if you are root.  It is
probably sufficient to just remove the "user_uid == 0" bit if you
prefer.

- todd
From: jeff at sdsc.edu (Jeff Makey)
Date: Fri, 30 Oct 2009 17:12:53 -0700
Subject: [sudo-users] Debugging a sudo segmentation fault
In-Reply-To: <200910302232.n9UMW0ut004284@core.courtesan.com>
Message-ID: <200910310012.n9V0CrSv011805@darwin.sdsc.edu>

Todd wrote:
>In the check_user() function in check.c comment out the following:
>
>    if (user_uid == 0 || user_uid == runas_pw->pw_uid || user_is_exempt())
>        return;

That did it, thanks.  Just removing "user_uid == 0" wasn't enough,
suggesting that the two uid values are the same when run by root.

Anyway, the SIGSEGV is in the Kerberos library:

#0  0x000000328d540f68 in krb5_get_renewed_creds () from /usr/lib64/libkrb5.so.3
#1  0x000000328d542176 in krb5_get_init_creds () from /usr/lib64/libkrb5.so.3
#2  0x000000328d542ade in krb5_get_init_creds_password () from /usr/lib64/libkrb5.so.3
#3  0x000000000040d60c in kerb5_verify (pw=0x52fe90, pass=0x52a7e0 "y", auth=0x5287e0) at ./auth/kerb5.c:212
#4  0x000000000040d07e in verify_user (pw=0x52fe90, prompt=0x553e30 "Password for jeff/sudo@SDSC.EDU: ") at ./auth/sudo_auth.c:187
#5  0x000000000040db4f in check_user (validated=130, mode=128) at ./check.c:138
#6  0x0000000000415a49 in main (argc=2, argv=0x7fbffffba8, envp=0x7fbffffbc0) at ./sudo.c:432

I'll have to get a debug version of the kerberos libraries to go
further.  I don't see an obvious cause in the sudo code itself.

                        :: Jeff Makey
                           jeff at sdsc.edu
From: Todd.Miller at courtesan.com (Todd C. Miller)
Date: Sat, 31 Oct 2009 09:31:53 -0400
Subject: [sudo-users] Debugging a sudo segmentation fault
In-Reply-To: Your message of "Fri, 30 Oct 2009 17:12:53 PDT." <200910310012.n9V0CrSv011805@darwin.sdsc.edu>
References: <200910310012.n9V0CrSv011805@darwin.sdsc.edu>
Message-ID: <200910311331.n9VDVrbZ018517@core.courtesan.com>

Are you using MIT Kerberos or Heimdal?  My guess is MIT.  See if this
makes any difference.

- todd

Index: auth/kerb5.c
===================================================================
RCS file: /home/cvs/courtesan/sudo/auth/kerb5.c,v
retrieving revision 1.36
diff -u -p -u -r1.36 kerb5.c
--- auth/kerb5.c 9 Nov 2008 14:13:13 -0000 1.36
+++ auth/kerb5.c 31 Oct 2009 13:31:27 -0000
@@ -81,6 +81,7 @@ krb5_get_init_creds_opt_alloc(context, o
     krb5_get_init_creds_opt **opts;
 {
     *opts = emalloc(sizeof(krb5_get_init_creds_opt));
+    krb5_get_init_creds_opt_init(*opts);
     return 0;
 }
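Review bot: emalloc() in the context line above the added call returns uninitialized memory, so before the new krb5_get_init_creds_opt_init(*opts) every field of the option struct, its flags mask included, held whatever happened to be on the heap; that fits the reported crash inside krb5_get_renewed_creds() reached from krb5_get_init_creds(), since stale flag bits can send the library down a path the caller never asked for, and would also fit a failure that appears on one architecture but not another. Two things to confirm around this hunk: the function being patched is sudo's own stand-in for the library routine of the same name, so the fix only helps if the build on the affected 64-bit box actually compiled the stand-in rather than linking libkrb5's krb5_get_init_creds_opt_alloc(), and the reporter should check which one is in use; and the matching release path is not in the hunk, so confirm that memory obtained from emalloc() here is returned with free() rather than handed to the library's krb5_get_init_creds_opt_free().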