From Todd.Miller at courtesan.com Tue Sep 1 09:56:05 2009
From: Todd.Miller at courtesan.com (Todd C. Miller)
Date: Tue, 01 Sep 2009 09:56:05 -0400
Subject: [sudo-users] sudo + AIX + LDAP
In-Reply-To: Your message of "Mon, 31 Aug 2009 12:16:59 +0200." <790b63e00908310316y6a75a411td26cd2dab172277b@mail.gmail.com>
References: <790b63e00908310316y6a75a411td26cd2dab172277b@mail.gmail.com>
Message-ID: <200909011356.n81Du5Ih024640@core.courtesan.com>

In message <790b63e00908310316y6a75a411td26cd2dab172277b at mail.gmail.com>
so spake Philippe Caseiro (caseiro.philippe):

> I'm trying to use sudo with ldap configuration on my AIX 5.3 and 5.2
> servers.
>
> I have read the ldap readme file, I have created the /etc/ldap.conf with
> the correct configuration of my "linux servers". But it doesn't work.
>
> Does somebody have a howto or any idea about configuring sudo to check rules
> from an LDAP server on an AIX host?

Have you tried adding:

    sudoers_debug 2

to /etc/ldap.conf? Also, which version of sudo are you using?

 - todd

From caseiro.philippe at gmail.com Tue Sep 1 10:13:30 2009
From: caseiro.philippe at gmail.com (Philippe Caseiro)
Date: Tue, 1 Sep 2009 16:13:30 +0200
Subject: [sudo-users] sudo + AIX + LDAP
In-Reply-To: <200909011356.n81Du5Ih024640@core.courtesan.com>
References: <790b63e00908310316y6a75a411td26cd2dab172277b@mail.gmail.com> <200909011356.n81Du5Ih024640@core.courtesan.com>
Message-ID: <790b63e00909010713j65e9b115qcc6d12349d24a60c@mail.gmail.com>

Hello

2009/9/1 Todd C. Miller

> In message <790b63e00908310316y6a75a411td26cd2dab172277b at mail.gmail.com>
> so spake Philippe Caseiro (caseiro.philippe):
>
> > I'm trying to use sudo with ldap configuration on my AIX 5.3 and 5.2
> > servers.
> >
> > I have read the ldap readme file, I have created the /etc/ldap.conf with
> > the correct configuration of my "linux servers". But it doesn't work.
> >
> > Does somebody have a howto or any idea about configuring sudo to check rules
> > from an LDAP server on an AIX host?
>
> Have you tried adding:
>
>     sudoers_debug 2
>
> to /etc/ldap.conf?

Yes, it doesn't produce anything.

> Also, which version of sudo are you using?

Sudo version 1.6.7p5 from the AIX Toolbox.

>  - todd

--
Philippe Caseiro

From Todd.Miller at courtesan.com Tue Sep 1 10:31:47 2009
From: Todd.Miller at courtesan.com (Todd C. Miller)
Date: Tue, 01 Sep 2009 10:31:47 -0400
Subject: [sudo-users] sudo + AIX + LDAP
In-Reply-To: Your message of "Tue, 01 Sep 2009 16:13:30 +0200." <790b63e00909010713j65e9b115qcc6d12349d24a60c@mail.gmail.com>
References: <790b63e00908310316y6a75a411td26cd2dab172277b@mail.gmail.com> <200909011356.n81Du5Ih024640@core.courtesan.com> <790b63e00909010713j65e9b115qcc6d12349d24a60c@mail.gmail.com>
Message-ID: <200909011431.n81EVmWB012259@core.courtesan.com>

In message <790b63e00909010713j65e9b115qcc6d12349d24a60c at mail.gmail.com>
so spake Philippe Caseiro (caseiro.philippe):

> Sudo version 1.6.7p5 from the AIX Toolbox.

That version of sudo doesn't support using LDAP for sudoers. LDAP support was introduced in sudo 1.6.8, and wasn't compiled in by default.

The latest version of sudo is 1.7.2p1. If you have a C compiler you can simply build it yourself.

 - todd

From Todd.Miller at courtesan.com Tue Sep 1 10:36:08 2009
From: Todd.Miller at courtesan.com (Todd C. Miller)
Date: Tue, 01 Sep 2009 10:36:08 -0400
Subject: [sudo-users] sudo + AIX + LDAP
In-Reply-To: Your message of "Tue, 01 Sep 2009 10:31:47 EDT." <200909011431.n81EVmWB012259@core.courtesan.com>
References: <790b63e00908310316y6a75a411td26cd2dab172277b@mail.gmail.com> <200909011356.n81Du5Ih024640@core.courtesan.com> <790b63e00909010713j65e9b115qcc6d12349d24a60c@mail.gmail.com> <200909011431.n81EVmWB012259@core.courtesan.com>
Message-ID: <200909011436.n81Ea8Pp028593@core.courtesan.com>

In message <200909011431.n81EVmWB012259 at core.courtesan.com>
so spake "Todd C. Miller" (Todd.Miller):

> That version of sudo doesn't support using LDAP for sudoers.
> LDAP support was introduced in sudo 1.6.8, and wasn't compiled in by
> default.

It looks like the AIX Toolbox has sudo 1.6.9p15 built with LDAP support:

ftp://ftp.software.ibm.com/aix/freeSoftware/aixtoolbox/RPMS/ppc/sudo/sudo-1.6.9p15-2.aix5.2.ppc.rpm

From caseiro.philippe at gmail.com Wed Sep 2 04:14:35 2009
From: caseiro.philippe at gmail.com (Philippe Caseiro)
Date: Wed, 2 Sep 2009 10:14:35 +0200
Subject: [sudo-users] sudo + AIX + LDAP
In-Reply-To: <200909011436.n81Ea8Pp028593@core.courtesan.com>
References: <790b63e00908310316y6a75a411td26cd2dab172277b@mail.gmail.com> <200909011356.n81Du5Ih024640@core.courtesan.com> <790b63e00909010713j65e9b115qcc6d12349d24a60c@mail.gmail.com> <200909011431.n81EVmWB012259@core.courtesan.com> <200909011436.n81Ea8Pp028593@core.courtesan.com>
Message-ID: <790b63e00909020114n2801b7a5x4e0e8a332dc49c15@mail.gmail.com>

Hello

I have installed sudo-1.6.9p15-2.aix5.2.ppc.rpm. When I run it, it produces an error:

>>> sudoers file: syntax error, line 1 <<<
sudo: parse error in /etc/sudoers near line 1

My line 1 is:

Defaults ignore_local_sudoers

This line works fine on my linux hosts.

Thanks for your help

2009/9/1 Todd C. Miller

> It looks like the AIX Toolbox has sudo 1.6.9p15 built with LDAP
> support:
>
> ftp://ftp.software.ibm.com/aix/freeSoftware/aixtoolbox/RPMS/ppc/sudo/sudo-1.6.9p15-2.aix5.2.ppc.rpm

--
Philippe Caseiro

From Todd.Miller at courtesan.com Wed Sep 2 11:05:03 2009
From: Todd.Miller at courtesan.com (Todd C. Miller)
Date: Wed, 02 Sep 2009 11:05:03 -0400
Subject: [sudo-users] sudo + AIX + LDAP
In-Reply-To: Your message of "Wed, 02 Sep 2009 10:14:35 +0200."
<790b63e00909020114n2801b7a5x4e0e8a332dc49c15@mail.gmail.com>
References: <790b63e00908310316y6a75a411td26cd2dab172277b@mail.gmail.com> <200909011356.n81Du5Ih024640@core.courtesan.com> <790b63e00909010713j65e9b115qcc6d12349d24a60c@mail.gmail.com> <200909011431.n81EVmWB012259@core.courtesan.com> <200909011436.n81Ea8Pp028593@core.courtesan.com> <790b63e00909020114n2801b7a5x4e0e8a332dc49c15@mail.gmail.com>
Message-ID: <200909021505.n82F53AO020830@core.courtesan.com>

The actual syntax error could be on the line below that. Did you edit the sudoers file using visudo?

 - todd

From caseiro.philippe at gmail.com Wed Sep 2 11:12:39 2009
From: caseiro.philippe at gmail.com (Philippe Caseiro)
Date: Wed, 2 Sep 2009 17:12:39 +0200
Subject: [sudo-users] sudo + AIX + LDAP
In-Reply-To: <200909021505.n82F53AO020830@core.courtesan.com>
References: <790b63e00908310316y6a75a411td26cd2dab172277b@mail.gmail.com> <200909011356.n81Du5Ih024640@core.courtesan.com> <790b63e00909010713j65e9b115qcc6d12349d24a60c@mail.gmail.com> <200909011431.n81EVmWB012259@core.courtesan.com> <200909011436.n81Ea8Pp028593@core.courtesan.com> <790b63e00909020114n2801b7a5x4e0e8a332dc49c15@mail.gmail.com> <200909021505.n82F53AO020830@core.courtesan.com>
Message-ID: <790b63e00909020812s1fc600dg5fd6cd625ffaefa5@mail.gmail.com>

Hello

2009/9/2 Todd C. Miller

> The actual syntax error could be on the line below that.

It's the first and last line of the file.

> Did you edit the sudoers file using visudo?

Yes

>  - todd

--
Philippe Caseiro

From btb at bitrate.net Mon Sep 7 15:54:47 2009
From: btb at bitrate.net (ben thielsen)
Date: Mon, 7 Sep 2009 15:54:47 -0400
Subject: [sudo-users] sudo su fails with sudo: setreuid(ROOT_UID, user_uid): Operation not permitted
Message-ID:

hi-

i'm using sudo 1.7.2, courtesy of debian testing, and am having difficulty troubleshooting the above error. things had been working well prior to upgrading a few packages, but now all users experience the above error.
this server has one local user (/etc/passwd) and the remainder are in ldap. i also had sudo's config in ldap, but have reverted to a traditional setup (/etc/sudoers) in the process of trying to troubleshoot.

>cat /etc/sudoers
# /etc/sudoers
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the man page for details on how to write a sudoers file.
#

Defaults env_reset

# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification
root ALL=(ALL) ALL

# Allow members of group sudo to not need a password
# (Note that later entries override this, so you might need to move
# it further down)
%sudo ALL=(ALL) ALL

localadmin ALL=(ALL) ALL

localadmin is the local user in /etc/passwd:

>whoami
localadmin
>sudo su
sudo: setreuid(ROOT_UID, user_uid): Operation not permitted

i've read the man page for setreuid(2), so i have a basic understanding of what it does, and i see that there's a configure option regarding use of this, but i don't understand it well enough to know whether or not it should work and something else is broken, or if perhaps the package should have been compiled using --disable-setreuid but wasn't. any guidance is much appreciated.
thanks
-ben

From btb at bitrate.net Mon Sep 7 16:47:22 2009
From: btb at bitrate.net (ben thielsen)
Date: Mon, 7 Sep 2009 16:47:22 -0400
Subject: [sudo-users] sudo su fails with sudo: setreuid(ROOT_UID, user_uid): Operation not permitted
In-Reply-To:
References:
Message-ID: <1FD76466-B229-4701-82CF-E794B4E4D5C1@bitrate.net>

>> sudo su
> sudo: setreuid(ROOT_UID, user_uid): Operation not permitted

some additional information: for the sake of testing, i've tried a few different variations of compiling sudo from source, with the following results:

./configure (with no options):
sudo: setresuid(user_uid, user_uid, ROOT_UID): Operation not permitted

./configure --disable-setresuid:
sudo: setreuid(ROOT_UID, user_uid): Operation not permitted

./configure --disable-setresuid --disable-setreuid:
sudo: seteuid(ROOT_UID): Operation not permitted

also:

>uname -r
2.6.30-1-686

-ben

From akaroumi at yahoo.com Wed Sep 9 09:41:46 2009
From: akaroumi at yahoo.com (Ahmed Karoumi)
Date: Wed, 9 Sep 2009 13:41:46 +0000 (GMT)
Subject: [sudo-users] Howto prohibit /usr/bin/su command ?
Message-ID: <535640.76403.qm@web25107.mail.ukl.yahoo.com>

Hello,

Is it possible to create a rule which allows running ALL unix commands but without switching to any user?

I would prohibit the command /usr/bin/su and allow all others.

Thanks for your help.

--
Regards,
Ahmed Karoumi

From caseiro.philippe at gmail.com Thu Sep 10 08:23:45 2009
From: caseiro.philippe at gmail.com (Philippe Caseiro)
Date: Thu, 10 Sep 2009 14:23:45 +0200
Subject: [sudo-users] Howto prohibit /usr/bin/su command ?
In-Reply-To: <535640.76403.qm@web25107.mail.ukl.yahoo.com>
References: <535640.76403.qm@web25107.mail.ukl.yahoo.com>
Message-ID: <790b63e00909100523n10b72955id1febe97589cbaf5@mail.gmail.com>

Hello

Like "!/usr/bin/su". It works on my LDAP stored configuration.
Regards
--
Philippe Caseiro

2009/9/9 Ahmed Karoumi

> Hello,
>
> Is it possible to create a rule which allows running ALL unix commands but
> without switching to any user?
>
> I would prohibit the command /usr/bin/su and allow all others.
> Thanks for your help.
>
> --
> Regards,
> Ahmed Karoumi
>
> ____________________________________________________________
> sudo-users mailing list
> For list information, options, or to unsubscribe, visit:
> http://www.sudo.ws/mailman/listinfo/sudo-users

--
Philippe Caseiro

From Todd.Miller at courtesan.com Thu Sep 10 08:59:00 2009
From: Todd.Miller at courtesan.com (Todd C. Miller)
Date: Thu, 10 Sep 2009 08:59:00 -0400
Subject: [sudo-users] Howto prohibit /usr/bin/su command ?
In-Reply-To: Your message of "Wed, 09 Sep 2009 13:41:46 -0000." <535640.76403.qm@web25107.mail.ukl.yahoo.com>
References: <535640.76403.qm@web25107.mail.ukl.yahoo.com>
Message-ID: <200909101259.n8ACx0aX008945@core.courtesan.com>

In message <535640.76403.qm at web25107.mail.ukl.yahoo.com>
so spake Ahmed Karoumi (akaroumi):

> Is it possible to create a rule which allows running ALL unix commands but
> without switching to any user?
>
> I would prohibit the command /usr/bin/su and allow all others.

There is no reliable way to do this. Any time you give someone sudo ALL, you make it possible for them to run whatever they like, regardless of any negations such as !/usr/bin/su.

All the user has to do is make a copy of the proscribed command and run that, or write a script that invokes it, etc. If you are concerned about what users can run, only give them access to what they need.

 - todd

From akaroumi at yahoo.com Fri Sep 11 05:38:06 2009
From: akaroumi at yahoo.com (Ahmed Karoumi)
Date: Fri, 11 Sep 2009 09:38:06 +0000 (GMT)
Subject: [sudo-users] Re : Howto prohibit /usr/bin/su command ?
In-Reply-To: <200909101259.n8ACx0aX008945@core.courtesan.com>
References: <535640.76403.qm@web25107.mail.ukl.yahoo.com> <200909101259.n8ACx0aX008945@core.courtesan.com>
Message-ID: <207200.19836.qm@web25103.mail.ukl.yahoo.com>

Hello Todd,

It's true, you are right, but it is difficult to get, for many teams, the list of commands that they really need. It's a big challenge!

Thanks for your help.

--
Regards,
Ahmed Karoumi
Email: akaroumi at yahoo.com
GPG 0x06F109D9 / PGP 0x479AF9BE06F109D9

----- Original message ----
> From: Todd C. Miller
> To: Ahmed Karoumi
> Cc: sudo-users at sudo.ws
> Sent: Thursday, 10 September 2009, 14:59:00
> Subject: Re: [sudo-users] Howto prohibit /usr/bin/su command ?
>
> There is no reliable way to do this. Any time you give someone
> sudo ALL, you make it possible for them to run whatever they like,
> regardless of any negations such as !/usr/bin/su.
>
> All the user has to do is make a copy of the proscribed command and
> run that, or write a script that invokes it, etc. If you are
> concerned about what users can run, only give them access to what
> they need.
>
>  - todd

From akaroumi at yahoo.com Fri Sep 11 05:33:15 2009
From: akaroumi at yahoo.com (Ahmed Karoumi)
Date: Fri, 11 Sep 2009 09:33:15 +0000 (GMT)
Subject: [sudo-users] Re : Howto prohibit /usr/bin/su command ?
In-Reply-To: <790b63e00909100523n10b72955id1febe97589cbaf5@mail.gmail.com>
References: <535640.76403.qm@web25107.mail.ukl.yahoo.com> <790b63e00909100523n10b72955id1febe97589cbaf5@mail.gmail.com>
Message-ID: <777547.85740.qm@web25108.mail.ukl.yahoo.com>

Hello Philippe,

Yes, you are right, it's working too in my environment. But the main issue that I have is if I implement these rules:

1. sudocommand=!/usr/bin/su        here the command is prohibited
2. sudocommand=ALL                 all others are authorized

every system administrator with good skills can bypass this by:

a) making a copy of the command /usr/bin/su in another path
b) using a combination of sudo code such as this: sudoA sudoB su - root
c) using other weaknesses of the sudo code

The right method rules should be:

1. sudocommand=!ALL                I start by prohibiting all unix commands
2. sudocommand=/usr/sbin/bootinfo  then this command is authorized
3. sudocommand=....                then this also...

but there are more than 1000 commands in a unix system, therefore many lines :-(

Thanks.
--
Regards,
Ahmed Karoumi
Email: akaroumi at yahoo.com
GPG 0x06F109D9 / PGP 0x479AF9BE06F109D9

> From: Philippe Caseiro
> To: Ahmed Karoumi
> Cc: sudo-users at sudo.ws
> Sent: Thursday, 10 September 2009, 14:23:45
> Subject: Re: [sudo-users] Howto prohibit /usr/bin/su command ?
>
> Hello
>
> Like "!/usr/bin/su". It works on my LDAP stored configuration.
>
> Regards
> --
> Philippe Caseiro
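As an added example (not code from this thread or from the sudo project), the following Python script turns Todd's point into a check a reviewer can run over a sudoers file: it expands Cmnd_Alias names and flags every user specification that grants ALL and then tries to take commands back with "!". The sudoers text it runs on is constructed for the example.

```python
"""Lint sudoers-style rules for negations that cannot be enforced.

Added example for this thread, not sudo project code. A rule that grants
ALL and then negates a command with '!' is advisory only: the user can copy
or wrap the negated command, so the linter reports every such rule.
"""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "line kind user detail")

# Constructed sample sudoers content, not taken from any message in the thread.
SAMPLE_SUDOERS = """\
# constructed sample
Defaults env_reset
Cmnd_Alias SHELLS = /bin/sh, /bin/bash, /usr/bin/su
root    ALL=(ALL) ALL
%admins ALL=(ALL) ALL, !/usr/bin/su
ops     ALL=(root) /usr/sbin/bootinfo, /usr/bin/id
dba     ALL=(oracle) NOPASSWD: ALL, !SHELLS
auditor ALL=(ALL) /usr/bin/tail /var/log/messages
"""

CMND_ALIAS_RE = re.compile(r"^Cmnd_Alias\s+(\w+)\s*=\s*(.+)$")
USER_SPEC_RE = re.compile(r"^(\S+)\s+(\S+)\s*=\s*(.+)$")
RUNAS_RE = re.compile(r"^\([^)]*\)\s*")
TAGS_RE = re.compile(r"^(?:(?:NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV):\s*)+")
SKIP_PREFIXES = ("Defaults", "User_Alias", "Host_Alias", "Runas_Alias")


def split_commands(cmd_list):
    """Split a sudoers command list on commas; each entry is returned trimmed."""
    return [c.strip() for c in cmd_list.split(",") if c.strip()]


def expand(entry, aliases, negated=False):
    """Resolve one entry into (negated, command) pairs, following Cmnd_Alias names.

    A leading '!' flips the negation, so '!SHELLS' negates every member of
    SHELLS. Alias cycles are assumed not to occur (visudo rejects them).
    """
    entry = RUNAS_RE.sub("", entry)   # drop a per-command (runas) list
    entry = TAGS_RE.sub("", entry)    # drop NOPASSWD: and similar tags
    if entry.startswith("!"):
        return expand(entry[1:].strip(), aliases, not negated)
    if entry in aliases:
        out = []
        for sub in aliases[entry]:
            out.extend(expand(sub, aliases, negated))
        return out
    return [(negated, entry)]


def audit(sudoers_text):
    """Return Findings for rules that grant ALL together with '!' negations."""
    aliases = {}
    findings = []
    for lineno, raw in enumerate(sudoers_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # comments only; #include is out of scope
        if not line or line.startswith(SKIP_PREFIXES):
            continue
        m = CMND_ALIAS_RE.match(line)
        if m:
            aliases[m.group(1)] = split_commands(m.group(2))
            continue
        m = USER_SPEC_RE.match(line)
        if not m:
            findings.append(Finding(lineno, "unparsed", None, line))
            continue
        user, _host, rest = m.groups()
        commands = []
        for entry in split_commands(rest):
            commands.extend(expand(entry, aliases))
        grants_all = any(cmd == "ALL" and not neg for neg, cmd in commands)
        negated = [cmd for neg, cmd in commands if neg]
        if grants_all and negated:
            findings.append(Finding(lineno, "all-with-negation", user, negated))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_SUDOERS):
        print(f"line {f.line}: {f.kind} for {f.user}: {f.detail}")
```

The same check applies to LDAP-stored rules such as Ahmed's sudoCommand attributes once they are rendered to the sudoers syntax the parser expects.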
From d.asselin at cgi.com Fri Sep 11 08:43:08 2009
From: d.asselin at cgi.com (Asselin, Daniel)
Date: Fri, 11 Sep 2009 08:43:08 -0400
Subject: [sudo-users] sudo ssh issue
Message-ID: <55A9D3FCA96FD84C815F109C4F8CC88E1436774F02@CGISREEXCMSG1.lacaisse.com>

Hi everyone

This is my problem. I need to run sudo commands as root from a remote server. In order to accomplish this I'm using a set of scripts from Erdal Mutlu. I made a small modification to it which consists of forcing the user and not root. The problem is when I try to run a sudo command with root privileges I get the famous reply that this session is not a tty and the command fails. Does anyone know of a workaround for this issue?

1. on the remote server all sudo commands work
2. only through ssh does the command fail

Dan

Daniel Asselin
SysAdmin \ UNIX Solaris
CGI Canada (Caisse de Dépôt)
1000 Place Jean-Riopelle
Montreal QC H2Z 2B3
Tel: (514) 847-7950 Poste: 7926
Cell: (514) 346-1951
d.asselin at cgi.com
daniel.asselin at lacaisse.com

Aut Viam Inveniam Aut Faciam! ou/or Quando ami flunkus morti
Notice of Confidentiality: This electronic mail message, including any attachments, is confidential and may be privileged and protected by professional secrecy. They are intended for the exclusive use of the addressee. If you are not the intended addressee or the person responsible for delivering this document to the intended addressee, you are hereby advised that any disclosure, reproduction, copy, distribution or other use of this information is strictly forbidden. If you have received this document by mistake, please immediately inform the sender by telephone, destroy and delete the information received from any hard disk or any media on which it may have been registered and do not keep any copy. Thank you for your cooperation.

From Todd.Miller at courtesan.com Fri Sep 11 09:34:01 2009
From: Todd.Miller at courtesan.com (Todd C. Miller)
Date: Fri, 11 Sep 2009 09:34:01 -0400
Subject: [sudo-users] sudo ssh issue
In-Reply-To: Your message of "Fri, 11 Sep 2009 08:43:08 EDT." <55A9D3FCA96FD84C815F109C4F8CC88E1436774F02@CGISREEXCMSG1.lacaisse.com>
References: <55A9D3FCA96FD84C815F109C4F8CC88E1436774F02@CGISREEXCMSG1.lacaisse.com>
Message-ID: <200909111334.n8BDY1U0016280@core.courtesan.com>

You need to give ssh the "-t" flag to force it to allocate a tty for you.
 - todd

From chy.causer at gmail.com Wed Sep 16 04:27:03 2009
From: chy.causer at gmail.com (Chris Causer)
Date: Wed, 16 Sep 2009 09:27:03 +0100
Subject: [sudo-users] (Probably) basic problem with sudo and kerberos tickets
In-Reply-To: <3f3109d40906120342h7230053ci343d2b9d2343bb5@mail.gmail.com>
References: <3f3109d40906120342h7230053ci343d2b9d2343bb5@mail.gmail.com>
Message-ID: <3f3109d40909160127i121280b1qd55de2288bf8c150@mail.gmail.com>

The problem still exists but I can perhaps provide more information:

1) I was wrong: the ticket is only deleted if you have to enter your password. If you use a timeout terminal (ie no password) then the ticket is preserved.

2) If you move the ticket file to say /tmp/wibble and reset the environment variable $KRB5CCNAME to /tmp/wibble, then the ticket is preserved no matter how you sudo.

3) If you use a local account (ie one that uses passwd/shadow) then the ticket is preserved. AFAIK this only happens to users who authenticate using kerberos.

I would be so grateful if anyone could help me. I've been looking over the source and I cannot for the life of me see where anything would delete the ticket file in tmp when you authenticate but not when you use a cached sudo.

Cheers
Chris

From kevan.gray at bigpond.com Mon Sep 21 04:08:56 2009
From: kevan.gray at bigpond.com (kevan)
Date: Mon, 21 Sep 2009 16:08:56 +0800
Subject: [sudo-users] sudo problem
Message-ID: <1253520536.3850.4.camel@localhost>

I have only recently loaded Linux Fedora11 onto my laptop and am having a small problem with sudo.

I installed it using:

echo 'kevan ALL=(ALL) NOPASSWD:ALL' >> /etc/sudoers

However I receive the return:

>>> /etc/sudoers: syntax error near line 93 <<<
sudo: parse error in /etc/sudoers near line 93
sudo: no valid sudoers sources found, quitting

Yum works fine but not sudo. Please can someone suggest a remedy.

Thank you
Kevan Gray

From Todd.Miller at courtesan.com Mon Sep 21 10:31:41 2009
From: Todd.Miller at courtesan.com (Todd C.
Miller)
Date: Mon, 21 Sep 2009 10:31:41 -0400
Subject: [sudo-users] sudo problem
In-Reply-To: Your message of "Mon, 21 Sep 2009 16:08:56 +0800." <1253520536.3850.4.camel@localhost>
References: <1253520536.3850.4.camel@localhost>
Message-ID: <200909211431.n8LEVfp9032166@core.courtesan.com>

That sudoers line looks OK but you should really edit sudoers using visudo, which will point out syntax errors for you. What is on lines 92-94 of /etc/sudoers?

 - todd

From Hullen at t-online.de Mon Sep 21 11:26:00 2009
From: Hullen at t-online.de (Helmut Hullen)
Date: 21 Sep 2009 17:26:00 +0200
Subject: [sudo-users] sudo problem
In-Reply-To: <1253520536.3850.4.camel@localhost>
Message-ID:

Hello kevan, you wrote on 21.09.09:

> I installed it using:
> echo 'kevan ALL=(ALL) NOPASSWD:ALL' >> /etc/sudoers
> However I receive the return:
> >>> /etc/sudoers: syntax error near line 93 <<<

As Todd said: use "visudo". If you don't like working with "vi":

export VISUAL=mcedit
visudo

(if "mcedit" is your favorite editor)

Best regards!
Helmut

From mlh at zip.com.au Tue Sep 22 00:11:52 2009
From: mlh at zip.com.au (Matthew Hannigan)
Date: Tue, 22 Sep 2009 14:11:52 +1000
Subject: [sudo-users] sudo problem
In-Reply-To: <1253520536.3850.4.camel@localhost>
References: <1253520536.3850.4.camel@localhost>
Message-ID: <20090922041152.GB17260@evofed.localdomain>

On Mon, Sep 21, 2009 at 04:08:56PM +0800, kevan wrote:
> I have only recently loaded Linux Fedora11 onto my laptop and am having
> a small problem with sudo.
>
> I installed it using:
>
> echo 'kevan ALL=(ALL) NOPASSWD:ALL' >> /etc/sudoers

Not guaranteed to work as the last line might not have had a trailing newline; in which case the above gets appended to the last line.
If you want to do this sort of thing, use 'ed' or some other scriptable editor like this:

EDITOR=ed visudo <

References: <1253520536.3850.4.camel@localhost>
Message-ID:

> -----Original Message-----
> From: sudo-users-bounces at courtesan.com [mailto:sudo-users-bounces at courtesan.com] On Behalf Of kevan
> Sent: Monday, September 21, 2009 1:09 AM
> To: sudo-users at sudo.ws
> Subject: [sudo-users] sudo problem

[snip]

> Please can someone suggest a remedy

1. Use visudo to edit the sudoers file.
2. Post line 93

Stephen Carville
Systems Engineer
Land America
1.626.667.1450 X1326
#####################################################################
That which does not kill us often hurts us a lot.

From megadethpaw at hotmail.co.uk Tue Sep 29 09:51:48 2009
From: megadethpaw at hotmail.co.uk (megadethpaw megadethpaw)
Date: Tue, 29 Sep 2009 13:51:48 +0000
Subject: [sudo-users] Using wildcards in sudoers file
Message-ID:

Hi,

I want to be able to give a user permission to use the "/usr/bin/chown" command on solaris using sudo, but only want them to be able to change files or directories under a certain directory, eg "/usr/sap/trans" and any directories underneath.

Examples of commands I want to allow to run are:

/usr/bin/chown oracle /usr/sap/trans/file1.txt
/usr/bin/chown brian /usr/sap/trans/data/filter.csv

In the sudoers file I set up the command to allow to run as this:

/usr/bin/chown [A-z]* /usr/sap/trans/[A-z]*

This works for the above two commands I do want to use, but it also allows things like this:

/usr/bin/chown brian /usr/sap/trans/data/filter.csv /etc/passwd

Now as you can see this is a major problem as I don't want to allow that. I basically want to make sure that the chown starts with "/usr/sap/trans". Is there any way I can do this? Is there a way to exclude spaces from [A-z] in the sudoers line?

Please help as I really need to get this working.
Thanks
Jeff

From Robin.Battersby-Cornmell at uisl.unisys.com Tue Sep 29 12:10:34 2009
From: Robin.Battersby-Cornmell at uisl.unisys.com (Battersby-Cornmell, Robin Alasdair)
Date: Tue, 29 Sep 2009 17:10:34 +0100
Subject: [sudo-users] Using wildcards in sudoers file
In-Reply-To:
References:
Message-ID:

One potential way would be to script the "sudo chown ......" and validate somehow, e.g.

#!/bin/ksh
#
# Rough and ready chown script
#

newowner=$1
shift                   # Drop $1 from parameter list
for file in "$@"        # Loop for all subsequent parameters (quoted so names with spaces stay whole)
do
    if [ ## Work out your file matching criteria here ## ]
    then
        chown "$newowner" "$file"
    else
        echo "Change of ownership on $file not allowed"
    fi
done

Then secure the script and grant a specific sudo rule to allow the specific user to run it.

Of course, there is no error checking written here really. You should test that the target file does actually exist else the user will get other splattery messages.

I hope that this helps.

Robin

-----Original Message-----
From: megadethpaw megadethpaw [mailto:megadethpaw at hotmail.co.uk]
Sent: Tuesday, September 29, 2009 2:52 PM
To: sudo-users at sudo.ws
Subject: [sudo-users] Using wildcards in sudoers file

Hi,

I want to be able to give a user permission to use the "/usr/bin/chown" command on solaris using sudo, but only want them to be able to change files or directories under a certain directory, eg "/usr/sap/trans" and any directories underneath.
Examples of commands I want to allow to run are:

/usr/bin/chown oracle /usr/sap/trans/file1.txt
/usr/bin/chown brian /usr/sap/trans/data/filter.csv

In the sudoers file I set up the command to allow to run as this:

/usr/bin/chown [A-z]* /usr/sap/trans/[A-z]*

This works for the above two commands I do want to use, but it also allows things like this:

/usr/bin/chown brian /usr/sap/trans/data/filter.csv /etc/passwd

Now as you can see this is a major problem as I don't want to allow that. I basically want to make sure that the chown starts with "/usr/sap/trans". Is there any way I can do this? Is there a way to exclude spaces from [A-z] in the sudoers line?

Please help as I really need to get this working.

Thanks
Jeff

***********************************

This email is sent in confidence for the addressee only. Unauthorised recipients must preserve this confidentiality and should please advise the sender immediately by returning the original email to us without reading it, taking a copy or disclosing it to anyone else. Please also destroy and delete the email from your computer. We have taken reasonable precautions to ensure that no viruses are transmitted to any third party. Unisys Insurance Services Limited does not accept any responsibility for any loss or damage resulting directly or indirectly from the use of this email or its contents. Unisys Insurance Services Limited is authorised and regulated by the Financial Services Authority, is a member of the UNISYS group of companies and provides outsourcing services to the Financial Services Industry. Unisys Insurance Services Limited Registered in England No.
4087012 Registered Office: Bakers Court, Bakers Road, Uxbridge, UB8 1RG

From megadethpaw at hotmail.co.uk Tue Sep 29 15:01:03 2009
From: megadethpaw at hotmail.co.uk (megadethpaw megadethpaw)
Date: Tue, 29 Sep 2009 19:01:03 +0000
Subject: [sudo-users] Using wildcards in sudoers file
In-Reply-To:
References:
Message-ID:

Hi Robin,

I did hope that there would be a way that you could end the sudo command string, say as you can do by placing "" after a command to state no parameters are allowed. Maybe an idea would be if the sudoers parser could see "" at the end of a command line and say that if a space appears and then any other text it's invalid, eg

/usr/bin/chown root /usr/sap/trans/[A-z]* ""

I know it's far from perfect as a filename could in theory have a space in it, but for 99% of cases I would imagine something such as the above would do the trick.

Thanks for the suggestion though Robin, all ideas gratefully accepted.

Jeff

> From: Robin.Battersby-Cornmell at uisl.unisys.com
> To: megadethpaw at hotmail.co.uk; sudo-users at sudo.ws
> Date: Tue, 29 Sep 2009 17:10:34 +0100
> Subject: RE: [sudo-users] Using wildcards in sudoers file
>
> One potential way would be to script the "sudo chown ......" and validate somehow, e.g.
>
> #!/bin/ksh
> #
> # Rough and ready chown script
> #
>
> newowner=$1
> shift                   # Drop $1 from parameter list
> for file in $@          # Loop for all subsequent parameters
> do
>     if [ ## Work out your file matching criteria here ## ]
>     then
>         chown $newowner $file
>     else
>         echo "Change of ownership on $file not allowed"
>     fi
> done
>
> Then secure the script and grant a specific sudo rule to allow the specific user to run it.
>
> Of course, there is no error checking written here really. You should test that the target file does actually exist else the user will get other splattery messages.
>
> I hope that this helps.
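An added example, not code from this thread or from sudo, showing the wrapper approach Robin outlined in a form that handles the cases Jeff and Robin raise: sudo is granted on this script alone (the rule and the path /usr/local/sbin/safe_chown.py are hypothetical), and the script validates the owner and checks that every path resolves to somewhere under /usr/sap/trans before it calls chown, so the extra-argument hole left by "[A-z]*" (where "*" also matches spaces) is closed without any sudoers wildcard. It assumes Python 3 is available on the Solaris host.

```python
"""Validating chown wrapper for the /usr/sap/trans case in this thread.

Added example, not part of the thread or of sudo. Instead of the sudoers
rule '/usr/bin/chown [A-z]* /usr/sap/trans/[A-z]*', grant only this script
(hypothetical path and user):
    jeff ALL=(root) /usr/local/sbin/safe_chown.py
and let the script decide argument by argument what chown may touch.
"""
import os
import pwd
import re
import sys

BASE = "/usr/sap/trans"                              # the only tree the wrapper may touch
OWNER_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")   # plain user name, no 'user:group'


def validate_request(argv, base=BASE):
    """Check 'OWNER PATH...' exactly as the user typed it.

    Returns (resolved_paths, None) when every argument is acceptable, or
    ([], reason) when the whole request must be refused. Nothing is changed
    on disk here; the caller does the chown on the resolved paths.
    """
    if len(argv) < 2:
        return [], "usage: safe_chown OWNER PATH..."
    owner, paths = argv[0], argv[1:]
    if not OWNER_RE.match(owner):
        return [], f"bad owner {owner!r}"
    base_real = os.path.realpath(base)
    resolved = []
    for p in paths:
        if p.startswith("-"):
            # No options at all: -R, --reference=FILE and friends change the meaning.
            return [], f"options are not allowed: {p!r}"
        # realpath folds '..' and follows symlinks, so both
        # /usr/sap/trans/../../../etc/passwd and a symlink pointing out of
        # the tree resolve to their real target and fail the prefix check.
        real = os.path.realpath(p)
        if real == base_real or os.path.commonpath([real, base_real]) != base_real:
            return [], f"{p!r} is not inside {base}"
        resolved.append(real)
    return resolved, None


def main(argv):
    paths, reason = validate_request(argv[1:])
    if reason:
        print(f"chown not allowed: {reason}", file=sys.stderr)
        return 1
    uid = pwd.getpwnam(argv[1]).pw_uid
    for p in paths:
        # lchown: if a symlink is swapped in between the check above and this
        # call, the link itself is changed rather than whatever it points at.
        os.lchown(p, uid, -1)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```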