From aheinlein at gmx.com Mon Apr 26 10:35:19 2010
From: aheinlein at gmx.com (Andreas Heinlein)
Date: Mon, 26 Apr 2010 16:35:19 +0200
Subject: [sudo-users] sudo-ldap and precedence
Message-ID: <4BD5A4A7.4030209@gmx.com>

Hello,

I have a problem configuring sudo-ldap under Ubuntu 9.10/10.04.

We have
a) the usual setup (%admin ALL=(ALL) ALL), where admins can execute any
command, but have to enter their password
b) some commands that everyone in the users group can execute *without*
a password. At the moment, this works for "normal" users but not for
users which are also in the admin group, these still have to enter
their password (%users ALL NOPASSWD:/usr/bin/...).

As I understand, order of entries should not matter since there is no
guarantee that LDAP entries are returned in any particular order. But in
this case it seems to matter because the first entry for the admin group
seems to be the effective one, instead of the second one (the closer
match). Is this intended behaviour? Is there any way to change this?

Thanks,
Andreas


From Rick_Steele at oxy.com Mon Apr 26 11:22:10 2010
From: Rick_Steele at oxy.com (Rick_Steele at oxy.com)
Date: Mon, 26 Apr 2010 10:22:10 -0500
Subject: [sudo-users] Question: pathing
Message-ID: <1D42773F32FF414394833CC3D48F154B38E998F57D@EMAIL-HOU.naoxy.com>

Has anybody run into a case where after one switches users (su - xxxx),
pathing no longer works?

oholert2:codadm 1> sudo lsof | wc -l
7812
oholert2:codadm 2> su - steeler
Password:
[steeler at oholert2 ~]$ sudo lsof | wc -l
Password:
sudo: lsof: command not found
0
[steeler at oholert2 ~]$
[steeler at oholert2 ~]$ sudo lsof | wc -l
7863
[steeler at oholert2 ~]$ su - codadm
Password:
oholert2:codadm 1> sudo lsof | wc -l
sudo: lsof: command not found
0
oholert2:codadm 2>

[root at oholert2 ~]# sudo -V
Sudo version 1.6.7p5
Authentication methods: 'pam'
Syslog facility if syslog is being used for logging: authpriv
Syslog priority to use when user authenticates successfully: notice
Syslog priority to use when user authenticates unsuccessfully: alert
Ignore '.' in $PATH
Send mail if the user is not in sudoers
Use a separate timestamp for each user/tty combo
Lecture user the first time they run sudo
Require users to authenticate by default
Root may run sudo
Allow some information gathering to give useful error messages
Visudo will honor the EDITOR environment variable
Set the LOGNAME and USER environment variables
Length at which to wrap log file lines (0 for no wrap): 80
Authentication timestamp timeout: 5 minutes
Password prompt timeout: 5 minutes
Number of tries to enter a password: 3
Umask to use or 0777 to use user's: 022
Path to mail program: /usr/sbin/sendmail
Flags for mail program: -t
Address to send mail to: root
Subject line for mail messages: *** SECURITY information for %h ***
Incorrect password message: Sorry, try again.
Path to authentication timestamp dir: /var/run/sudo
Default password prompt: Password:
Default user to run commands as: root
Path to the editor for use by visudo: /bin/vi
Environment variables to check for sanity: LANGUAGE LANG LC_*
Environment variables to remove: PERL5OPT PERL5LIB PERLLIB JAVA_TOOL_OPTIONS
SHELLOPTS PS4 BASH_ENV ENV TERMCAP TERMPATH TERMINFO_DIRS TERMINFO _RLD* LD_*
PATH_LOCALE NLSPATH HOSTALIASES RES_OPTIONS LOCALDOMAIN CDPATH IFS
When to require a password for 'list' pseudocommand: any
When to require a password for 'verify' pseudocommand: all
Local IP address and netmask pairs:

"MAN SUDO" does say that "...Note, however, that the actual PATH
environment variable is not modified and is passed unchanged to the
program that sudo executes."

I'm stumped.....

Rick


From Todd.Miller at courtesan.com Mon Apr 26 12:26:14 2010
From: Todd.Miller at courtesan.com (Todd C. Miller)
Date: Mon, 26 Apr 2010 12:26:14 -0400
Subject: [sudo-users] Question: pathing
In-Reply-To: Your message of "Mon, 26 Apr 2010 10:22:10 CDT." <1D42773F32FF414394833CC3D48F154B38E998F57D@EMAIL-HOU.naoxy.com>
References: <1D42773F32FF414394833CC3D48F154B38E998F57D@EMAIL-HOU.naoxy.com>
Message-ID: <201004261626.o3QGQEuC005824@core.courtesan.com>

It sounds like lsof is not in root's path. When you run "su -", su
gives you a brand new environment, including the PATH variable. It is
su, not sudo, that is changing the PATH.

 - todd


From aliep.gonzalez at rbc.com Mon Apr 26 17:54:38 2010
From: aliep.gonzalez at rbc.com (Gonzalez, Aliep)
Date: Mon, 26 Apr 2010 17:54:38 -0400
Subject: [sudo-users] Question on SUDO syntax
Message-ID:

What is the correct syntax in /etc/sudoers for running "sudo -i -u userB
/path_to_scriptB" as userA without providing a password?

I can get this to work but I am always prompted for userB's password,
which is kind of inconvenient.

I would like to avoid using "sudo su - userB -c /path_to_scriptB" if
possible.

Env: sudo 1.7.2p1 on solaris 9

Thanks,
-Al


From Todd.Miller at courtesan.com Mon Apr 26 22:15:49 2010
From: Todd.Miller at courtesan.com (Todd C. Miller)
Date: Mon, 26 Apr 2010 22:15:49 -0400
Subject: [sudo-users] Question on SUDO syntax
In-Reply-To: Your message of "Mon, 26 Apr 2010 17:54:38 EDT."
References:
Message-ID: <201004270215.o3R2FnRu009882@core.courtesan.com>

In message so spake "Gonzalez, Aliep" (aliep.gonzalez):

> What is the correct syntax in /etc/sudoers for running "sudo -i -u userB
> /path_to_scriptB" as userA without providing a password ?
>
> I can get this to work but I am always prompted for userB's password,
> which is kind of inconvenient.
>
> I would like to avoid using "sudo su - userB -c /path_to_scriptB" if
> possible.

The actual command will depend on what shell userB has in the password
database. Assuming that is /bin/ksh, then the following should work.

userA ALL = (userB) NOPASSWD: /bin/ksh -c /path_to_scriptB

Or if there are command line arguments:

userA ALL = (userB) NOPASSWD: /bin/ksh -c \"/path_to_scriptB arg1 ...\"

 - todd


From aheinlein at gmx.com Tue Apr 27 02:48:29 2010
From: aheinlein at gmx.com (Andreas Heinlein)
Date: Tue, 27 Apr 2010 08:48:29 +0200
Subject: [sudo-users] sudo-ldap and precedence
In-Reply-To:
References: <4BD5A4A7.4030209@gmx.com>
Message-ID: <4BD688BD.20708@gmx.com>

On 26.04.2010 17:49, Mark Janssen wrote:
> On Mon, Apr 26, 2010 at 4:35 PM, Andreas Heinlein wrote:
>
>> Hello,
>>
>> I have a problem configuring sudo-ldap under Ubuntu 9.10/10.04.
>>
>> We have
>> a) the usual setup (%admin ALL=(ALL) ALL), where admins can execute any
>> command, but have to enter their password
>> b) some commands that everyone in the users group can execute *without*
>> a password. At the moment, this works for "normal" users but not for
>> users which are also in the admin group, these still have to enter
>> their password (%users ALL NOPASSWD:/usr/bin/...).
>>
>> As I understand, order of entries should not matter since there is no
>> guarantee that LDAP entries are returned in any particular order. But in
>> this case it seems to matter because the first entry for the admin group
>> seems to be the effective one, instead of the second one (the closer
>> match). Is this intended behaviour? Is there any way to change this?
>>
> Can you post an LDIF of these rules.
> Do you have an 'sudoOption: !authenticate' on your NOPASSWD rule
> What do your 'defaults' say
>
>
Hello,

see attached LDIF. As you can see, I have !authenticate on said rule. It
works fine for users *not* in the admin group.

Bye,
Andreas


From maniac.nl at gmail.com Mon Apr 26 11:49:47 2010
From: maniac.nl at gmail.com (Mark Janssen)
Date: Mon, 26 Apr 2010 17:49:47 +0200
Subject: [sudo-users] sudo-ldap and precedence
In-Reply-To: <4BD5A4A7.4030209@gmx.com>
References: <4BD5A4A7.4030209@gmx.com>
Message-ID:

On Mon, Apr 26, 2010 at 4:35 PM, Andreas Heinlein wrote:
> Hello,
>
> I have a problem configuring sudo-ldap under Ubuntu 9.10/10.04.
>
> We have
> a) the usual setup (%admin ALL=(ALL) ALL), where admins can execute any
> command, but have to enter their password
> b) some commands that everyone in the users group can execute *without*
> a password. At the moment, this works for "normal" users but not for
> users which are also in the admin group, these still have to enter
> their password (%users ALL NOPASSWD:/usr/bin/...).
>
> As I understand, order of entries should not matter since there is no
> guarantee that LDAP entries are returned in any particular order. But in
> this case it seems to matter because the first entry for the admin group
> seems to be the effective one, instead of the second one (the closer
> match). Is this intended behaviour? Is there any way to change this?

Can you post an LDIF of these rules?
Do you have a 'sudoOption: !authenticate' on your NOPASSWD rule?
What do your 'defaults' say?

-- Mark Janssen -- maniac(at)maniac.nl -- pgp: 0x357D2178  | ,''`.  |
Unix / Linux Open-Source and Internet Consultant @ Snow.nl | : :' : |
Maniac.nl MarkJanssen.nl NerdNet.nl Unix.nl                | `. `'  |
Skype: markmjanssen ICQ: 129696007 irc: FooBar on undernet | `-     |


From maniac.nl at gmail.com Mon Apr 26 11:53:19 2010
From: maniac.nl at gmail.com (Mark Janssen)
Date: Mon, 26 Apr 2010 17:53:19 +0200
Subject: [sudo-users] Question: pathing
In-Reply-To: <1D42773F32FF414394833CC3D48F154B38E998F57D@EMAIL-HOU.naoxy.com>
References: <1D42773F32FF414394833CC3D48F154B38E998F57D@EMAIL-HOU.naoxy.com>
Message-ID:

On Mon, Apr 26, 2010 at 5:22 PM, wrote:
> Has anybody run into a case where after one switches users (su - xxxx), pathing no longer works?
>
> oholert2:codadm 1> sudo lsof | wc -l
> 7812
> oholert2:codadm 2> su - steeler
> Password:
> [steeler at oholert2 ~]$ sudo lsof | wc -l
> Password:
> sudo: lsof: command not found
> 0

"su -" uses the profile/path etc. from the user you are su-ing to.
Try a 'su ' to keep your own environment.
Sudo doesn't have any influence here.

-- Mark Janssen -- maniac(at)maniac.nl -- pgp: 0x357D2178  | ,''`.  |
Unix / Linux Open-Source and Internet Consultant @ Snow.nl | : :' : |
Maniac.nl MarkJanssen.nl NerdNet.nl Unix.nl                | `. `'  |
Skype: markmjanssen ICQ: 129696007 irc: FooBar on undernet | `-     |


From aheinlein at gmx.com Wed Apr 28 03:28:32 2010
From: aheinlein at gmx.com (Andreas Heinlein)
Date: Wed, 28 Apr 2010 09:28:32 +0200
Subject: [sudo-users] sudo-ldap and precedence
In-Reply-To:
References: <4BD5A4A7.4030209@gmx.com> <4BD688BD.20708@gmx.com>
Message-ID: <4BD7E3A0.3030703@gmx.com>

On 28.04.2010 00:33, Mark Janssen wrote:
> On Tue, Apr 27, 2010 at 8:48 AM, Andreas Heinlein wrote:
>
>> On 26.04.2010 17:49, Mark Janssen wrote:
>>
>>> On Mon, Apr 26, 2010 at 4:35 PM, Andreas Heinlein wrote:
>>>
>>>
>>>> We have
>>>> a) the usual setup (%admin ALL=(ALL) ALL), where admins can execute any
>>>> command, but have to enter their password
>>>> b) some commands that everyone in the users group can execute *without*
>>>> a password. At the moment, this works for "normal" users but not for
>>>> users which are also in the admin group, these still have to enter
>>>> their password (%users ALL NOPASSWD:/usr/bin/...).
>>>>
> Assuming the users in the %admin group are also included in the %users
> group... you could try explicitly including %admin, or replacing
> %users with ALL (if this is what you want)
>
>
That worked (adding %admin explicitly). No idea why, or if this is
intended/expected behaviour, but I can live with it for the moment.

Thank you!
Andreas


From maniac.nl at gmail.com Tue Apr 27 18:33:19 2010
From: maniac.nl at gmail.com (Mark Janssen)
Date: Wed, 28 Apr 2010 00:33:19 +0200
Subject: [sudo-users] sudo-ldap and precedence
In-Reply-To: <4BD688BD.20708@gmx.com>
References: <4BD5A4A7.4030209@gmx.com> <4BD688BD.20708@gmx.com>
Message-ID:

On Tue, Apr 27, 2010 at 8:48 AM, Andreas Heinlein wrote:
> On 26.04.2010 17:49, Mark Janssen wrote:
>> On Mon, Apr 26, 2010 at 4:35 PM, Andreas Heinlein wrote:
>>
>>> We have
>>> a) the usual setup (%admin ALL=(ALL) ALL), where admins can execute any
>>> command, but have to enter their password
>>> b) some commands that everyone in the users group can execute *without*
>>> a password. At the moment, this works for "normal" users but not for
>>> users which are also in the admin group, these still have to enter
>>> their password (%users ALL NOPASSWD:/usr/bin/...).

Assuming the users in the %admin group are also included in the %users
group... you could try explicitly including %admin, or replacing
%users with ALL (if this is what you want)

-- Mark Janssen -- maniac(at)maniac.nl -- pgp: 0x357D2178  | ,''`.  |
Unix / Linux Open-Source and Internet Consultant @ Snow.nl | : :' : |
Maniac.nl MarkJanssen.nl NerdNet.nl Unix.nl                | `. `'  |
Skype: markmjanssen ICQ: 129696007 irc: FooBar on undernet | `-     |
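The two rules from the sudo-ldap thread above, written as sudoRole entries with the workaround Andreas reports (the NOPASSWD rule names %admin as a second sudoUser). This is an added illustration, not the LDIF Andreas attached: the base DN, the cn values and /usr/bin/example-command are placeholders for the site's own.

```ldif
# Rule (a): members of the admin group may run any command as any user and
# must authenticate, which is sudo's default, so no sudoOption is needed.
dn: cn=admins,ou=SUDOers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: admins
sudoUser: %admin
sudoHost: ALL
sudoRunAsUser: ALL
sudoCommand: ALL

# Rule (b): the password-less commands for the users group. The second
# sudoUser line is the workaround from the thread; without it, people who
# are in both groups were still prompted for a password.
dn: cn=users-nopasswd,ou=SUDOers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: users-nopasswd
sudoUser: %users
sudoUser: %admin
sudoHost: ALL
sudoCommand: /usr/bin/example-command
sudoOption: !authenticate
```

Which run-as attribute applies (sudoRunAsUser here, or the older sudoRunAs) depends on the sudo schema loaded on the directory server; check against the schema file shipped with the installed sudo version.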
From lprikockis at vecna.com Thu Apr 29 23:17:46 2010
From: lprikockis at vecna.com (larry prikockis)
Date: Thu, 29 Apr 2010 23:17:46 -0400
Subject: [sudo-users] running a script in a specific directory as root
Message-ID: <4BDA4BDA.4010501@vecna.com>

I have a need for users to be able to run certain scripts located in
subdirectories of /net/common (e.g., /net/common/installation/test/myScript.sh)
as root using sudo.

By adding a line like:

bob ALL=/bin/sh /net/common/installation/*

to sudoers, Bob can log in and execute
'sudo sh /net/common/installation/test/myScript.sh' with no problem.

However, is there a way to allow Bob to simply change to the
/net/common/installation/test directory and then execute:

'sudo ./myScript.sh'

without specifying the full path?

Obviously, I don't want to simply allow users to run e.g. "myScript.sh"
from any directory as root, since then there would be no way to prevent
someone from creating a script called "myScript.sh" that contained
commands I *don't* want a user running as root. The idea is that most
users have only read access to /net/common/installation/*

Any thoughts on how to make it less cumbersome for users (i.e., not
requiring them to type the full path when they're already in the same
directory as the script) while still retaining control over the location
of the script being executed with root privs?

thanks for any help...

--
Larry J. Prikockis
System Administrator
240-965-4597 (direct)
lprikockis at vecna.com
www.vecna.com

Vecna Technologies, Inc.
6404 Ivy Lane Suite 500
Greenbelt, MD 20770
Phone: 240-965-4500
Fax: 240-547-6133

Better Technology, Better World (TM)
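One way to get what Larry asks for without trusting the caller's directory: grant a small wrapper in sudoers instead of /bin/sh, and let the wrapper canonicalize the requested script and check that it lies under the installation tree and is not writable by group or others. This is an added example, not something from the list or from Vecna; the wrapper name /usr/local/sbin/run-installer, the INSTALL_ROOT variable and the dependency on GNU readlink and stat are assumptions.

```shell
#!/bin/sh
# Hypothetical wrapper (added example): install as /usr/local/sbin/run-installer
# and grant only it in sudoers ("bob ALL = /usr/local/sbin/run-installer").
# Bob can then cd into the script's directory and type
#   sudo run-installer ./myScript.sh
# sudo keeps the caller's working directory, so the relative name resolves
# there; the wrapper refuses anything that does not live under INSTALL_ROOT.
INSTALL_ROOT=${INSTALL_ROOT:-/net/common/installation}   # assumed location

# resolve_script NAME: print the canonical path of NAME if it is an acceptable
# script, otherwise print the reason on stderr and return 1.
# Assumes GNU readlink and stat (Linux).
resolve_script() {
    abs=$(readlink -f -- "$1") || { echo "cannot resolve: $1" >&2; return 1; }
    root=$(readlink -f -- "$INSTALL_ROOT")
    # readlink -f has already collapsed symlinks and "..", so a prefix test on
    # the canonical path is enough to keep the script inside the tree
    case $abs in
        "$root"/*) ;;
        *) echo "refused: $abs is outside $root" >&2; return 1 ;;
    esac
    [ -f "$abs" ] || { echo "refused: $abs is not a regular file" >&2; return 1; }
    # refuse scripts that group or others could modify (write bit set means a
    # 2, 3, 6 or 7 in the last two octal digits); users are meant to have
    # read access only, as the post says
    mode=$(stat -c %a -- "$abs")
    case $mode in
        *[2367][0-7]|*[2367])
            echo "refused: $abs is group- or world-writable ($mode)" >&2; return 1 ;;
    esac
    printf '%s\n' "$abs"
}

main() {
    script=$(resolve_script "$1") || exit 1
    shift
    # run through /bin/sh, as the "bob ALL=/bin/sh ..." rule in the post does
    exec /bin/sh "$script" "$@"
}

# Called with no arguments, the file only defines the functions above.
[ $# -eq 0 ] || main "$@"
```

Because sudoers matches the wrapper's path rather than a wildcard, the decision about which file may run is made by the wrapper on the canonical path, not by the caller's working directory or by any PATH value.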
From techchavez at gmail.com Fri Apr 30 14:30:56 2010
From: techchavez at gmail.com (Techie)
Date: Fri, 30 Apr 2010 11:30:56 -0700
Subject: [sudo-users] Clarification on PAM
Message-ID:

Hello Todd and list,

I am trying to grab a better understanding of how sudo works with LDAP.
I have my sudo configuration in LDAP. In order to utilize this config I
was under the impression that the sudo application had to be built with
the --with-ldap configure option per client. But it seems that if my
client sudo app is configured with --with-pam and my pam sudo file is
set up correctly, it can also utilize the LDAP sudo configuration
without being configured with --with-ldap.

Is this expected behaviour?

Thank you