From TFALKEN at de.ibm.com Tue Feb 2 06:36:16 2010 
From: TFALKEN at de.ibm.com (Thomas Falkenberg)
Date: Tue, 2 Feb 2010 12:36:16 +0100
Subject: [sudo-users] file ulimit not set correctly
Message-ID:

Hello,

I have a problem with the file ulimit setting after switching to another user using sudo. If a user has a defined file limit, it will be reset to zero after using sudo to open a shell as another user. Here are two examples:

Switching from a general user to the root user:

[3]:falkenbe at itc-netv1:/home/falkenbe $ ulimit -a
time(seconds)        unlimited
file(blocks)         209715200
data(kbytes)         131072
stack(kbytes)        32768
memory(kbytes)       32768
coredump(blocks)     2097151
nofiles(descriptors) unlimited
[3]:falkenbe at itc-netv1:/home/falkenbe $ sudo sh
[3]:falkenbe at itc-netv1:/home/falkenbe $ ulimit -a
sh: A file cannot be larger than the value set by ulimit.
time(seconds)        unlimited
file(blocks)         0
data(kbytes)         131072
stack(kbytes)        32768
memory(kbytes)       32768
coredump(blocks)     2097151
nofiles(descriptors) unlimited

Switching from the root user to another user:

[5:root at itc-netv1:]/home/root # ulimit -a
time(seconds)        unlimited
file(blocks)         209715200
data(kbytes)         131072
stack(kbytes)        32768
memory(kbytes)       32768
coredump(blocks)     2097151
nofiles(descriptors) unlimited
[5:root at itc-netv1:]/home/root # sudo -u falkenbe sh
[5:root at itc-netv1:] # ulimit -a
sh: A file cannot be larger than the value set by ulimit.
time(seconds)        unlimited
file(blocks)         0
data(kbytes)         131072
stack(kbytes)        32768
memory(kbytes)       32768
coredump(blocks)     2097151
nofiles(descriptors) unlimited

The file /etc/security/limits has a unique setting for all users and only one entry for the default user:

default:
        fsize = 209715200
        core = 2097151
        cpu = -1
        data = 262144
        rss = 65536
        stack = 65536
        nofiles = -1

I use the sudo version 1.7.2p2 on AIX 5.3:

[4]:falkenbe at itc-netv1:/home/falkenbe $ oslevel -s
5300-10-01-0921
[4]:falkenbe at itc-netv1:/home/falkenbe $ rpm -qi sudo
Name        : sudo                         Relocations: (not relocateable)
Version     : 1.7.2p2                           Vendor: (none)
Release     : 1                             Build Date: Tue Dec 8 11:19:20 MEZ 2009
Install date: Tue Feb 2 11:18:16 MEZ 2010      Build Host: aix51.perzl.org
Group       : Applications/System           Source RPM: sudo-1.7.2p2-1.src.rpm
Size        : 746434                           License: BSD
URL         : http://www.courtesan.com/sudo/
Summary     : Allows restricted root access for specified users
Description :
Sudo (superuser do) allows a system administrator to give certain users (or groups of users) the ability to run some (or all) commands as root while logging all commands and arguments. Sudo operates on a per-command basis. It is not a replacement for the shell. Features include: the ability to restrict what commands a user may run on a per-host basis, copious logging of each command (providing a clear audit trail of who did what), a configurable timeout of the sudo command, and the ability to use the same configuration file (sudoers) on many different machines.

Kind regards

Thomas Falkenberg
E-Mail: tfalken at de.ibm.com

From GMenini at ose.com.uy Wed Feb 3 12:33:05 2010
From: GMenini at ose.com.uy (Gabriel Menini)
Date: Wed, 3 Feb 2010 15:33:05 -0200
Subject: [sudo-users] Command with argument not working as expected
Message-ID:

Hello, list.

Since I want users to chmod files only under a certain directory, I have the following in my /etc/sudoers file:

# User alias specification
User_Alias ADMINS = myname,yourname

# Cmnd alias specification
Cmnd_Alias CHMOD = /usr/bin/chmod /dir/where/chmod/is/allowed/*

# Runas alias specification

# User privilege specification
root    ALL=(ALL) ALL

ADMINS  myhostname=(root) CHMOD,sudoedit /dir/where/chmod/is/allowed/*

[..file continues here; omitted for simplicity...]

The sudoers file listed above doesn't allow chmod on that dir.

My target is: ADMINS are able to create scripts in `/dir/where/chmod/is/allowed/' and then make them executable.

However, until now I've only been able to set ADMINS to issue chmod on a system-wide basis, but this behaviour is not as expected --not to mention it's an enormous security flaw!

Sudo version 1.7.0
OS: IBM Unix AIX 6.1.0.0

Regards,
--
Gabriel Menini

From Todd.Miller at courtesan.com Wed Feb 3 14:46:11 2010
From: Todd.Miller at courtesan.com (Todd C. Miller)
Date: Wed, 03 Feb 2010 14:46:11 -0500
Subject: [sudo-users] file ulimit not set correctly
In-Reply-To: Your message of "Tue, 02 Feb 2010 12:36:16 +0100."
References:
Message-ID: <201002031946.o13JkBJp004439@core.courtesan.com>

In message so spake Thomas Falkenberg (TFALKEN):

> I have a problem with the file ulimit setting after switching to another
> user using sudo.
> If a user has a defined file limit, it will be reset to zero after using
> sudo to open a shell as another user.

The problem is that the value for fsize in /etc/security/limits is specified in blocks whereas the resource limit is specified in bytes. When converting from blocks to bytes, 209715200 * 512 overflows the 32-bit value in struct rlimit. The fix is for sudo to use setrlimit64() instead of setrlimit() if available.

I don't have access to an AIX machine these days but the following (untested) diff should fix it. Alternately, you could just set fsize to a smaller value or -1 (unlimited) in /etc/security/limits.

 - todd

Index: aix.c =================================================================== RCS file: /home/cvs/courtesan/sudo/aix.c,v retrieving revision 1.7 diff -u -r1.7 aix.c --- aix.c 6 Nov 2008 00:42:37 -0000 1.7 +++ aix.c 3 Feb 2010 19:45:27 -0000 @@ -39,7 +39,7 @@ #ifdef HAVE_GETUSERATTR #ifndef RLIM_SAVED_MAX -# define RLIM_SAVED_MAX RLIM_INFINITY +# define RLIM_SAVED_MAX RLIM64_INFINITY #endif struct aix_limit { @@ -74,12 +74,12 @@ aix_setlimits(user) char *user; { - struct rlimit rlim; + struct rlimit64 rlim; int i, n; /* * For each resource limit, get the soft/hard values for the user - * and set those values via setrlimit(). Must be run as euid 0. + * and set those values via setrlimit64(). Must be run as euid 0. */ for (n = 0; n < sizeof(aix_limits) / sizeof(aix_limits[0]); n++) { /*
@@ -87,15 +87,15 @@ * hard limit has been defined. */ if (aix_getlimit(user, aix_limits[n].hard, &i) == 0) { - rlim.rlim_max = i == -1 ? RLIM_INFINITY : i * aix_limits[n].factor; + rlim.rlim_max = i == -1 ? RLIM64_INFINITY : (rlim64_t)i * aix_limits[n].factor; if (aix_getlimit(user, aix_limits[n].soft, &i) == 0) - rlim.rlim_cur = i == -1 ? RLIM_INFINITY : i * aix_limits[n].factor; + rlim.rlim_cur = i == -1 ? RLIM64_INFINITY : (rlim64_t)i * aix_limits[n].factor; else rlim.rlim_cur = rlim.rlim_max; /* soft not specd, use hard */ } else { /* No hard limit set, try soft limit. */ if (aix_getlimit(user, aix_limits[n].soft, &i) == 0) - rlim.rlim_cur = i == -1 ? RLIM_INFINITY : i * aix_limits[n].factor; + rlim.rlim_cur = i == -1 ? RLIM64_INFINITY : (rlim64_t)i * aix_limits[n].factor; /* Set hard limit per AIX /etc/security/limits documentation. */ switch (aix_limits[n].resource) { @@ -107,11 +107,11 @@ rlim.rlim_max = RLIM_SAVED_MAX; break; default: - rlim.rlim_max = RLIM_INFINITY; + rlim.rlim_max = RLIM64_INFINITY; break; } } - (void)setrlimit(aix_limits[n].resource, &rlim); + (void)setrlimit64(aix_limits[n].resource, &rlim); } }

From Todd.Miller at courtesan.com Sat Feb 6 19:01:53 2010
From: Todd.Miller at courtesan.com (Todd C. Miller)
Date: Sat, 06 Feb 2010 19:01:53 -0500
Subject: [sudo-users] file ulimit not set correctly
In-Reply-To: Your message of "Wed, 03 Feb 2010 14:46:11 EST." <201002031946.o13JkBJp004439@core.courtesan.com>
References: <201002031946.o13JkBJp004439@core.courtesan.com>
Message-ID: <201002070001.o1701rLS009958@core.courtesan.com>

Can you try this version of sudo and verify it does the right thing for you?

ftp://ftp.sudo.ws/pub/millert/sudo/sudo-1.7.2p3.tar.gz

 - todd

From aaron.lewis1989 at gmail.com Wed Feb 10 08:14:35 2010
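Review bot: the -74,12 hunk switches to `struct rlimit64 rlim;` unconditionally, while the covering message says setrlimit64() should be used "if available"; there is no `#ifdef HAVE_SETRLIMIT64` (or equivalent configure check) and no fallback to the `struct rlimit`/setrlimit() path. Since the whole block already sits under `#ifdef HAVE_GETUSERATTR`, this is fine only if every platform with getuserattr() also has the 64-bit API; that assumption should either be stated in the comment or guarded.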
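Review bot: the `(rlim64_t)i * aix_limits[n].factor` casts in the -87,15 hunk are the actual fix and are placed correctly, since the cast applies to `i` before the multiplication so the product is computed in 64 bits rather than widened afterwards. For the reported value this matters exactly: 209715200 * 512 = 200 * 2^29 is a multiple of 2^32, so 32-bit arithmetic truncates it to precisely 0, which is the `file(blocks) 0` in the original report. The same expression now appears three times in this hunk; a small helper macro would keep the three sites from drifting apart.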
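Review bot: `(void)setrlimit64(aix_limits[n].resource, &rlim);` in the -107,11 hunk still discards the return value, so a failed setrlimit64() (EINVAL, or EPERM when raising a hard limit) leaves that limit silently unset; logging errno with a warning would make the next limits problem diagnosable rather than visible only as an odd `ulimit -a`. Also, the unchanged `rlim.rlim_max = RLIM_SAVED_MAX;` context line above the `default:` case still assigns the system's RLIM_SAVED_MAX when the header defines it; with the fallback in the -39,7 hunk now `RLIM64_INFINITY`, check that a system-provided 32-bit RLIM_SAVED_MAX means the same thing to setrlimit64() as it did to setrlimit().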
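A check that follows from Todd's diagnosis, added here as an example and not code from the thread or from sudo: it reads /etc/security/limits stanzas in the layout Thomas quoted and reports every fsize that, converted from 512-byte blocks to bytes, no longer fits a 32-bit rlimit value, together with the value 32-bit arithmetic would wrap it to. The sample stanzas are constructed; on a real AIX host the function is fed the actual file.

```shell
#!/bin/sh
# Added example (not from the thread or from sudo): scan AIX-style
# /etc/security/limits stanzas for fsize values that do not fit a 32-bit
# rlimit once converted from 512-byte blocks to bytes. Input is read from stdin.

# Constructed sample in the layout of the file quoted in the report.
SAMPLE_LIMITS='default:
        fsize = 209715200
        core = 2097151
        cpu = -1
        data = 262144
        rss = 65536
        stack = 65536
        nofiles = -1

small:
        fsize = 4096

unlimited:
        fsize = -1
'

# Prints "<stanza> <fsize_blocks> <bytes> <bytes mod 2^32>" for every stanza
# whose fsize, as bytes, exceeds 4294967295. -1 (unlimited) is skipped.
# A stanza header is a non-indented, non-comment line ending in ":".
overflowing_fsize_stanzas() {
    awk '
        /^[^ \t#][^:]*:[ \t]*$/ { stanza = $1; sub(/:$/, "", stanza); next }
        $1 == "fsize" && $2 == "=" && $3 != "-1" {
            bytes = $3 * 512
            if (bytes > 4294967295)
                printf "%s %s %.0f %.0f\n", stanza, $3, bytes, bytes % 4294967296
        }'
}

# Stand-alone run over the constructed sample. On a real system use:
#   overflowing_fsize_stanzas < /etc/security/limits
printf '%s' "$SAMPLE_LIMITS" | overflowing_fsize_stanzas
```

The only line reported is the default stanza, and its wrapped value is 0: the same figure Thomas saw in `ulimit -a` after `sudo sh`.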
From: aaron.lewis1989 at gmail.com (Aaron Lewis)
Date: Wed, 10 Feb 2010 21:14:35 +0800
Subject: [sudo-users] sudo problems with internal shell command
Message-ID: <4B72B13B.5070206@gmail.com>

Well, I got some problems with such a command:

sudo echo disable > /proc/acpi/ibm/bluetooth

Permission is denied.
I think it's because 'echo' is run in the shell, as a normal user, so it fails to run.

This works fine:
sudo su - -c 'echo disable > /proc/acpi/ibm/bluetooth'

Any way to solve it?

--
Best Regards,
Aaron Lewis
RedHat Certificated Engineer
SUPINFO UNIV.

From jeff at sdsc.edu Wed Feb 10 16:05:11 2010
From: jeff at sdsc.edu (Jeff Makey)
Date: Wed, 10 Feb 2010 13:05:11 -0800
Subject: [sudo-users] sudo problems with internal shell command
In-Reply-To: <4B72B13B.5070206@gmail.com> (message from Aaron Lewis on Wed, 10 Feb 2010 21:14:35 +0800)
Message-ID: <201002102105.o1AL5BuY002892@darwin.sdsc.edu>

Aaron Lewis wrote:
>sudo echo disable > /proc/acpi/ibm/bluetooth
>
>Permission is denied.
>I think it's because 'echo' is run in shell , as normal user , then it
>fails to run.

No, it is the ">" redirection that runs without the privileges gained via sudo.

>This works fine:
>sudo su - -c 'echo disable > /proc/acpi/ibm/bluetooth'
>
>Anyway to solve it ?

That *is* the solution.

                         :: Jeff Makey
                            jeff at sdsc.edu

From justinpryzby at users.sourceforge.net Wed Feb 10 16:15:47 2010
From: justinpryzby at users.sourceforge.net (Justin T Pryzby)
Date: Wed, 10 Feb 2010 14:15:47 -0700
Subject: [sudo-users] sudo problems with internal shell command
In-Reply-To: <201002102105.o1AL5BuY002892@darwin.sdsc.edu>
References: <4B72B13B.5070206@gmail.com> <201002102105.o1AL5BuY002892@darwin.sdsc.edu>
Message-ID: <20100210211547.GA10544@norchemlab.com>

On Wed, Feb 10, 2010 at 01:05:11PM -0800, Jeff Makey wrote:
> >This works fine:
> >sudo su - -c 'echo disable > /proc/acpi/ibm/bluetooth'
> >
> >Anyway to solve it ?
>
> That *is* the solution.

Preferably with only one suid executable:

sudo sh -c 'echo disable >/proc/acpi/ibm/bluetooth'

Justin

From Matthew.Stier at us.fujitsu.com Wed Feb 10 16:31:20 2010
From: Matthew.Stier at us.fujitsu.com (Stier, Matthew)
Date: Wed, 10 Feb 2010 15:31:20 -0600
Subject: [sudo-users] sudo problems with internal shell command
In-Reply-To: <201002102105.o1AL5BuY002892@darwin.sdsc.edu>
References: <4B72B13B.5070206@gmail.com> (message from Aaron Lewis on Wed, 10Feb 2010 21:14:35 +0800) <201002102105.o1AL5BuY002892@darwin.sdsc.edu>
Message-ID: <63F73C973E3E4547979026ECC295EF5C01AA4B05@rchemxp01.fnc.net.local>

If you read the manpage, you can save invoking 'su' unnecessarily.

% sudo -s 'echo disable > /proc/acpi/ibm/bluetooth'

If this is being invoked within a script, you may wish to add the '-n' option.

-----Original Message-----
From: sudo-users-bounces at courtesan.com [mailto:sudo-users-bounces at courtesan.com] On Behalf Of Jeff Makey
Sent: Wednesday, February 10, 2010 4:05 PM
To: sudo-users at sudo.ws
Subject: Re: [sudo-users] sudo problems with internal shell command

Aaron Lewis wrote:
>sudo echo disable > /proc/acpi/ibm/bluetooth
>
>Permission is denied.
>I think it's because 'echo' is run in shell , as normal user , then it
>fails to run.

No, it is the ">" redirection that runs without the privileges gained via sudo.

>This works fine:
>sudo su - -c 'echo disable > /proc/acpi/ibm/bluetooth'
>
>Anyway to solve it ?

That *is* the solution.

                         :: Jeff Makey
                            jeff at sdsc.edu
____________________________________________________________
sudo-users mailing list
For list information, options, or to unsubscribe, visit:
http://www.sudo.ws/mailman/listinfo/sudo-users

From Robin.Battersby-Cornmell at uisl.unisys.com Thu Feb 11 04:53:44 2010
From: Robin.Battersby-Cornmell at uisl.unisys.com (Battersby-Cornmell, Robin Alasdair)
Date: Thu, 11 Feb 2010 09:53:44 +0000
Subject: [sudo-users] sudo problems with internal shell command
In-Reply-To: <4B72B13B.5070206@gmail.com>
References: <4B72B13B.5070206@gmail.com>
Message-ID:

You will find that the first statement runs the echo as super user, but it is the normal user that is catching the output and redirecting it to a file.

In the second example, this is all contained by the super user process and therefore the write to the file would work.

You could script it and have sudo call the script.

Robin, Unisys, Liverpool

-----Original Message-----
From: Aaron Lewis [mailto:aaron.lewis1989 at gmail.com]
Sent: 10 February 2010 13:15
To: sudo-users at sudo.ws
Subject: [sudo-users] sudo problems with internal shell command

Well, I got some problems with such a command:

sudo echo disable > /proc/acpi/ibm/bluetooth

Permission is denied.
I think it's because 'echo' is run in the shell, as a normal user, so it fails to run.

This works fine:
sudo su - -c 'echo disable > /proc/acpi/ibm/bluetooth'

Any way to solve it?

--
Best Regards,
Aaron Lewis
RedHat Certificated Engineer
SUPINFO UNIV.

***********************************
This email is sent in confidence for the addressee only. Unauthorised recipients must preserve this confidentiality and should please advise the sender immediately by returning the original email to us without reading it, taking a copy or disclosing it to anyone else. Please also destroy and delete the email from your computer. We have taken reasonable precautions to ensure that no viruses are transmitted to any third party. Unisys Insurance Services Limited does not accept any responsibility for any loss or damage resulting directly or indirectly from the use of this email or its contents. Unisys Insurance Services Limited is authorised and regulated by the Financial Services Authority, is a member of the UNISYS group of companies and provides outsourcing services to the Financial Services Industry. Unisys Insurance Services Limited, Registered in England No. 4087012, Registered Office: Bakers Court, Bakers Road, Uxbridge, UB8 1RG

From aaron.lewis1989 at gmail.com Thu Feb 11 05:28:23 2010
From: aaron.lewis1989 at gmail.com (Aaron Lewis)
Date: Thu, 11 Feb 2010 18:28:23 +0800
Subject: [sudo-users] [SOLVED] sudo problems with internal shell command
Message-ID: <4B73DBC7.4080907@gmail.com>

Ah, sorry, I didn't notice that you all sent mail directly to me, so it didn't get copied to the mailing list.

Thanks, all you guys : )

After collecting all the messages I got, I finally understand why my command fails:

%> sudo echo disable > /proc/acpi/ibm/bluetooth

As Jeff, Robin and Wesley mentioned, this is because the shell redirection is done by the normal user, who has no privileges. Thus, if it runs totally inside a program that has root privileges, it works fine.

Well, I think tee gives the best solution : )

%> echo "disable" | sudo tee /proc/acpi/ibm/bluetooth

Really good, ah.

--
Best Regards,
Aaron Lewis
RedHat Certificated Engineer
SUPINFO UNIV.

From wesley.schwengle at is.online.nl Thu Feb 11 05:14:35 2010
From: wesley.schwengle at is.online.nl (Wesley Schwengle)
Date: Thu, 11 Feb 2010 11:14:35 +0100 (CET)
Subject: [sudo-users] sudo problems with internal shell command
In-Reply-To: <4B72B13B.5070206@gmail.com>
References: <4B72B13B.5070206@gmail.com>
Message-ID:

On 10.02.10 14:14 Aaron Lewis wrote:
> Well , i got some problems with such command:
>
> sudo echo disable > /proc/acpi/ibm/bluetooth
>
> Permission is denied.
> I think it's because 'echo' is run in shell , as normal user , then it
> fails to run.
>
> This works fine:
> sudo su - -c 'echo disable > /proc/acpi/ibm/bluetooth'
>
> Anyway to solve it ?

You can also do it like this:

echo "blaat" | sudo tee /tmp/blaat

or to append to a file:

echo "blaat-append" | sudo tee -a /tmp/blaat

Hope this helps.

Cheers,
Wesley

--
Online Broadband BV, http://www.online.nl, http://www.euronet.nl
Wesley Schwengle, System Administrator, IT Operations (Database/Application Management)
Muiderstraat 1, PO BOX 10241, 1001 EE Amsterdam, T: +31 20 5355555, F: +31 20 5355749

From GMenini at ose.com.uy Thu Feb 11 10:04:45 2010
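The point Jeff, Robin and Wesley make in the thread above, shown with a stand-in for sudo so it runs without any privileges (an added example, not code from the thread): `fakesudo` records each time it is entered and then runs its arguments, and the target path is constructed so that opening it fails for every user, root included. Counting how often `fakesudo` ran tells which of the three command forms ever reached the privileged side.

```shell
#!/bin/sh
# Added example, not from the thread. "fakesudo" stands in for sudo: it only
# logs that it was invoked and then runs its arguments. TARGET is constructed
# so its parent directory does not exist, which makes the open fail for any
# user; that is what lets the ordering show up without privileges.
work=$(mktemp -d)
FAKESUDO_LOG="$work/invocations"
TARGET="$work/no_such_dir/bluetooth"

fakesudo() {
    printf 'fakesudo ran: %s\n' "$*" >> "$FAKESUDO_LOG"
    "$@"
}

reset_log() { : > "$FAKESUDO_LOG"; }

# Number of times fakesudo has been entered since the last reset.
invocations() { wc -l < "$FAKESUDO_LOG" | tr -d ' '; }

# Form 1: "sudo echo disable > file". The caller's shell opens the file before
# fakesudo starts, so when that open fails fakesudo never runs at all. The
# subshell keeps the redirection failure from stopping the script.
form_redirect_outside() {
    ( fakesudo echo disable > "$TARGET" ) 2>/dev/null || true
}

# Form 2: "sudo sh -c 'echo disable > file'". fakesudo runs; the redirection
# is opened by the shell it started, on the privileged side.
form_shell_inside() {
    fakesudo sh -c "echo disable > \"$TARGET\"" 2>/dev/null || true
}

# Form 3: "echo disable | sudo tee file". fakesudo runs tee, and tee opens the file.
form_tee() {
    echo disable | fakesudo tee "$TARGET" >/dev/null 2>&1 || true
}

demo() {
    for f in form_redirect_outside form_shell_inside form_tee; do
        reset_log
        "$f"
        printf '%-22s fakesudo invocations: %s\n' "$f" "$(invocations)"
    done
}

demo
```

The first form reports 0 invocations: the open of the redirection target happens in the calling shell, before anything sudo could do, which is why the real command fails with "Permission denied" for an unprivileged caller. The other two forms each report 1.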
From: GMenini at ose.com.uy (Gabriel Menini)
Date: Thu, 11 Feb 2010 13:04:45 -0200
Subject: [sudo-users] [SOLVED] Re: Command with argument not working as expected
In-Reply-To:
Message-ID:

sudo-users-bounces at courtesan.com wrote on 2010-02-03 15:33:05:

> Hello, list.
>
> Since I want users to chmod files only under certain directory, I have the
> following in my /etc/sudoers file:
>
> # User alias specification
> User_Alias ADMINS = myname,yourname
>
> # Cmnd alias specification
> Cmnd_Alias CHMOD = /usr/bin/chmod /dir/where/chmod/is/allowed/*

Hi,

Finally, my peer found the way to set the correct syntax:

Cmnd_Alias CHMOD = /usr/bin/chmod u+x /dir/where/chmod/is/allowed/*

I was missing the chmod options u+x. Sure, this line only sets the executable-by-owner bit, but it's enough for me so far.

>
> # Runas alias specification
>
> # User privilege specification
> root ALL=(ALL) ALL
>
> ADMINS myhostname=(root) CHMOD,sudoedit /dir/where/chmod/is/allowed/*
>
> [..file continues here; omitted for simplicity...]
>
> The sudoers file listed above doesn't allow to chmod on that dir.
>
> My target is: ADMINS are able to create scripts in `
> /dir/where/chmod/is/allowed/' and then make them executables.
>
> However, until now I've just been able to set ADMINS to issue chmod on a
> system wide basis but this behaviour is not as expected --not to mention
> it's an enormous security flaw!
>
> Sudo version 1.7.0
> OS: IBM Unix AIX 6.1.0.0

Thank you Patrick for sharing your Perl wrappers for chmod and chown. I am still studying them :-)

Regards,
--
Gabriel Menini

From leigh at solinno.co.uk Thu Feb 11 14:02:07 2010
From: leigh at solinno.co.uk (Leigh Brown)
Date: Thu, 11 Feb 2010 19:02:07 -0000 (GMT)
Subject: [sudo-users] [SOLVED] Re: Command with argument not working as expected
In-Reply-To:
References:
Message-ID: <46136.81.109.131.221.1265914927.squirrel@www.solinno.co.uk>

On Thu, February 11, 2010 3:04 pm, Gabriel Menini wrote:
> sudo-users-bounces at courtesan.com wrote on 2010-02-03 15:33:05:
>
>> Hello, list.
>>
>> Since I want users to chmod files only under certain directory, I have
>> the following in my /etc/sudoers file:
>>
>> # User alias specification
>> User_Alias ADMINS = myname,yourname
>>
>> # Cmnd alias specification
>> Cmnd_Alias CHMOD = /usr/bin/chmod /dir/where/chmod/is/allowed/*
>
> Hi,
>
> Finally, my peer found the way to set the correct syntax:
>
> Cmnd_Alias CHMOD = /usr/bin/chmod u+x /dir/where/chmod/is/allowed/*
>
> I was missing the chmod options u+x. Sure, this line only sets
> executable-by-owner bit but, it's enough for me so far.

I would recommend extreme caution when using an asterisk anywhere in any sudo rule. The above rule also allows :-

sudo chmod u+x /dir/where/chmod/is/allowed/../../../somewhere/bad

and not to mention it matches spaces :-

sudo chmod u+x /dir/where/chmod/is/allowed/zzz /somewhere/bad

It's possible to get around this by adding these sorts of rules after the main one, but it's still a worry.

Cmnd_Alias CHMOD = /usr/bin/chmod /dir/where/chmod/is/allowed/*, \
                   !/usr/bin/chmod u+x *[ ]*, \
                   !/usr/bin/chmod u+x *../*

It would be nice if sudo supported regular expression matching. Until then I would recommend wrapper scripts in place of any rule that includes an asterisk.

Regards,

Leigh.

From aaron.lewis1989 at gmail.com Fri Feb 12 02:23:31 2010
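The wrapper script Leigh recommends in place of a wildcard rule, written here as an added example (not code from the thread). The sudoers line that would name it and the script path /usr/local/sbin/allow-chmod-ux are assumptions, and ALLOWED_DIR is a placeholder for the directory the original rule covered. The check refuses both bypasses Leigh lists, the `../` traversal and the extra space-separated argument, and symlinks as well, by canonicalising the parent directory and insisting on exactly one regular file directly inside the allowed directory.

```shell
#!/bin/sh
# Added example, not from the thread: the kind of wrapper Leigh suggests
# instead of a wildcard sudoers rule. The sudoers entry would then name this
# script with no "*" at all, for example (assumed path):
#   ADMINS myhostname=(root) /usr/local/sbin/allow-chmod-ux
# ALLOWED_DIR is a placeholder for the directory the rule was meant to cover.
ALLOWED_DIR=${ALLOWED_DIR:-/dir/where/chmod/is/allowed}

# Accept exactly one argument naming a regular file that sits directly inside
# ALLOWED_DIR. Returns 0 to allow, 1 to refuse. Refuses, in order:
#   more or fewer than one argument (the "zzz /somewhere/bad" case),
#   paths not spelled with the allowed prefix,
#   symlinks (the real file could be anywhere),
#   anything whose canonical parent is not ALLOWED_DIR
#   (the "/allowed/../../../somewhere/bad" case, and subdirectories).
check_target() {
    [ "$#" -eq 1 ] || return 1
    path=$1
    case $path in
        "$ALLOWED_DIR"/*) ;;
        *) return 1 ;;
    esac
    if [ -L "$path" ]; then return 1; fi
    [ -f "$path" ] || return 1
    parent=$(cd "$(dirname "$path")" 2>/dev/null && pwd -P) || return 1
    allowed=$(cd "$ALLOWED_DIR" 2>/dev/null && pwd -P) || return 1
    [ "$parent" = "$allowed" ]
}

# Builds a throwaway tree (constructed) so the checks can be exercised without
# root or the real directory; prints the sandbox root.
make_sandbox() {
    sb=$(mktemp -d)
    mkdir -p "$sb/allowed/nested" "$sb/outside"
    : > "$sb/allowed/script.sh"
    : > "$sb/allowed/nested/deep.sh"
    : > "$sb/outside/secret"
    ln -s "$sb/outside/secret" "$sb/allowed/link"
    printf '%s\n' "$sb"
}

# What the deployed script does: refuse, or run the one permitted chmod.
main() {
    if check_target "$@"; then
        chmod u+x "$1"
    else
        printf 'allow-chmod-ux: refused: %s\n' "$*" >&2
        return 1
    fi
}

# Stand-alone run: with no arguments, show the decisions against the sandbox.
if [ "$#" -eq 0 ]; then
    sb=$(make_sandbox)
    ALLOWED_DIR=$sb/allowed
    for p in "$sb/allowed/script.sh" "$sb/allowed/../outside/secret" \
             "$sb/allowed/link" "$sb/allowed/nested/deep.sh"; do
        if check_target "$p"; then echo "allow  $p"; else echo "refuse $p"; fi
    done
    check_target "$sb/allowed/script.sh" "$sb/outside/secret" || echo "refuse (two arguments)"
else
    main "$@"
fi
```

Because the sudoers rule names the wrapper with no arguments, sudo's matching never sees a wildcard, and all argument policy lives in one place that can be read and tested. The demo run allows only `allowed/script.sh` and refuses the traversal, the symlink, the nested file and the two-argument call.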
From: aaron.lewis1989 at gmail.com (Aaron Lewis)
Date: Fri, 12 Feb 2010 15:23:31 +0800
Subject: [sudo-users] sudo Problem with Session Management
Message-ID: <4B7501F3.30000@gmail.com>

For my old sudo (installed with the package manager), it takes every virtual terminal and x-terminal as a different session. So a previous authentication will not affect other sessions.

e.g. when you make a successful authentication in tty1 and you turn to tty2, you need to type your password again (not the same session, so not authenticated).

But the official source code does provide this feature: once you type in your password, for a few minutes you are authenticated everywhere. It's a security problem.

Do I need to look for a patch? Or is it a problem with the PAM module?

The default installation has these libraries linked: -lpam -ldl -lcrypt

--
Best Regards,
Aaron Lewis
RedHat Certificated Engineer
SUPINFO UNIV.

From TFALKEN at de.ibm.com Fri Feb 12 07:08:06 2010
From: TFALKEN at de.ibm.com (Thomas Falkenberg)
Date: Fri, 12 Feb 2010 13:08:06 +0100
Subject: [sudo-users] file ulimit not set correctly
In-Reply-To: <201002070001.o1701rLS009958@core.courtesan.com>
References: <201002031946.o13JkBJp004439@core.courtesan.com> <201002070001.o1701rLS009958@core.courtesan.com>
Message-ID:

Hello Todd,

I have tested this new version of sudo. The problem with the wrong user ulimit seems to be fixed. I couldn't detect any error with this version.

Many thanks.

Kind regards

Thomas Falkenberg
IT Center Mainz ECuRep
AIX / IT Specialist

------------------------------------------------------------------------------
IBM Deutschland
Hechtsheimer Str. 2
55131 Mainz
Phone: +49-6131-84-2348
Mobile: +49-175-2913561
E-Mail: tfalken at de.ibm.com
------------------------------------------------------------------------------
IBM Deutschland Infrastructure Technology Services GmbH / Managing director: Ulrike Hetzel
Registered office: Ehningen / Register court: Amtsgericht Stuttgart, HRB 727973

"Todd C. Miller"
Sent by: sudo-users-bounces at courtesan.com
07.02.2010 01:01

To      Thomas Falkenberg/Germany/IBM at IBMDE, sudo-users at sudo.ws
cc
Subject Re: [sudo-users] file ulimit not set correctly

Can you try this version of sudo and verify it does the right thing for you?

ftp://ftp.sudo.ws/pub/millert/sudo/sudo-1.7.2p3.tar.gz

 - todd

From aaron.lewis1989 at gmail.com Fri Feb 12 10:53:15 2010
From: aaron.lewis1989 at gmail.com (Aaron Lewis)
Date: Fri, 12 Feb 2010 23:53:15 +0800
Subject: [sudo-users] [SOLVED] sudo Problem with Session Management
In-Reply-To: <531e3e4c1002120009p53ca6f74u9ee53137c8e9bd11@mail.gmail.com>
References: <4B7501F3.30000@gmail.com> <531e3e4c1002120009p53ca6f74u9ee53137c8e9bd11@mail.gmail.com>
Message-ID: <4B75796B.3040402@gmail.com>

Yeah, I'm writing an automatically compiling system. Often I look for --enable options, but this one uses --with instead. Looks like I need to improve my program.

After I enabled --with-tty-tickets, it works fine for me.

Thanks Mark : )

Mark Janssen wrote:
> On Fri, Feb 12, 2010 at 8:23 AM, Aaron Lewis wrote:
>
>> For my old sudo ( installed with package manager ) ,
>> it takes every virtual terminal , x-terminal as different session.
>> So previous authentication will not effect other sessions.
>>
>> But the official source code does provide this feature ,
>> once u type in your passwd , in a few minutes , you are authenticated
>> everywhere , it's a security problem .
>>
>
> That's a configuration option....
> look for
>
> tty_tickets  If set, users must authenticate on a per-tty basis.
>              Normally, sudo uses a directory in the ticket dir with
>              the same name as the user running it. With this flag
>              enabled, sudo will use a file named for the tty the
>              user is logged in on in that directory. This flag is
>              off by default.
>
> Your distro-package probably turned this on by default, now it's off
>

--
Best Regards,
Aaron Lewis
RedHat Certificated Engineer
SUPINFO UNIV.

From chuck.carson at gmail.com Wed Feb 17 11:11:28 2010
From: chuck.carson at gmail.com (Chuck)
Date: Wed, 17 Feb 2010 10:11:28 -0600
Subject: [sudo-users] Changing sudo default syslog facility
Message-ID: <3be30bc51002170811w1813e56eud98de011ed679c46@mail.gmail.com>

Hey All,

Is there a way to change the default syslog facility that sudo uses? (running version 1.6.9p16) From what I gathered it uses local2.notice...

Thx,
CC

From Todd.Miller at courtesan.com Wed Feb 17 11:36:14 2010
From: Todd.Miller at courtesan.com (Todd C. Miller)
Date: Wed, 17 Feb 2010 11:36:14 -0500
Subject: [sudo-users] Changing sudo default syslog facility
In-Reply-To: Your message of "Wed, 17 Feb 2010 10:11:28 CST." <3be30bc51002170811w1813e56eud98de011ed679c46@mail.gmail.com>
References: <3be30bc51002170811w1813e56eud98de011ed679c46@mail.gmail.com>
Message-ID: <201002171636.o1HGaE26002127@core.courtesan.com>

In message <3be30bc51002170811w1813e56eud98de011ed679c46 at mail.gmail.com> so spake Chuck (chuck.carson):

> Is there a way to change the default syslog facility that sudo uses?
> (running version 1.6.9p16) From what I gathered it uses local2.notice...

Sure. A line like the following in sudoers:

Defaults syslog=local2, syslog_badpri=alert, syslog_goodpri=notice

corresponds to the default values. Here are the relevant bits from the sudoers man page:

syslog          Syslog facility if syslog is being used for logging (negate to disable syslog logging). Defaults to local2.

syslog_badpri   Syslog priority to use when user authenticates unsuccessfully. Defaults to alert.

syslog_goodpri  Syslog priority to use when user authenticates successfully. Defaults to notice.

When logging via syslog(3), sudo accepts the following values for the syslog facility (the value of the syslog Parameter): authpriv (if your OS supports it), auth, daemon, user, local0, local1, local2, local3, local4, local5, local6, and local7. The following syslog priorities are supported: alert, crit, debug, emerg, err, info, notice, and warning.

 - todd

From aaron.lewis1989 at gmail.com Thu Feb 18 05:02:15 2010
From: aaron.lewis1989 at gmail.com (aaron lewis)
Date: Thu, 18 Feb 2010 18:02:15 +0800
Subject: [sudo-users] howto change sudo behavior: user should type root password ?
Message-ID: <922d8fe51002180202l15294d68y7825ff0b7f49e0eb@mail.gmail.com>

Hi,

How can I let users type in root's password rather than their own?

--
Best Regards,
Aaron Lewis - PGP: 0xA476D2E9
RedHat Certificated Engineer, SUPINFO UNIV.
irc: A4r0n on freenode

From martin at oneiros.de Thu Feb 18 07:34:25 2010
From: martin at oneiros.de (Martin Schröder)
Date: Thu, 18 Feb 2010 13:34:25 +0100
Subject: [sudo-users] howto change sudo behavior: user should type root password ?
In-Reply-To: <922d8fe51002180202l15294d68y7825ff0b7f49e0eb@mail.gmail.com>
References: <922d8fe51002180202l15294d68y7825ff0b7f49e0eb@mail.gmail.com>
Message-ID: <68c491a61002180434n29554ad9k9473b6aa5cd2e037@mail.gmail.com>

2010/2/18 aaron lewis :
> How can i let user type in root's password rather than their own's ?

man sudoers
search for rootpw. But think again why you want this - the purpose of sudo is NOT to hand out the root password.

Best
   Martin

From aaron.lewis1989 at gmail.com Thu Feb 18 07:50:12 2010
From: aaron.lewis1989 at gmail.com (Aaron Lewis)
Date: Thu, 18 Feb 2010 20:50:12 +0800
Subject: [sudo-users] [SOLVED] howto change sudo behavior: user should type root password ?
In-Reply-To: <68c491a61002180434n29554ad9k9473b6aa5cd2e037@mail.gmail.com>
References: <922d8fe51002180202l15294d68y7825ff0b7f49e0eb@mail.gmail.com> <68c491a61002180434n29554ad9k9473b6aa5cd2e037@mail.gmail.com>
Message-ID: <4B7D3784.5020608@gmail.com>

Yeah, it's very interesting that openSUSE requires root's pw by default. Looks like sth. called Default Security.

A friend asked me how to change this behavior; I had totally no idea. And finally he found these entries:

Defaults targetpw
ALL ALL = (ALL) ALL

After commenting them out, it works fine.

Thanks Martin.

Martin Schröder wrote:
> 2010/2/18 aaron lewis :
>
>> How can i let user type in root's password rather than their own's ?
>>
>
> man sudoers
> search for rootpw. But think again, why you want this - the purpose of
> sudo is NOT to hand out the root password.
>
> Best
>    Martin

From Hullen at t-online.de Thu Feb 18 08:32:00 2010
From: Hullen at t-online.de (Helmut Hullen)
Date: 18 Feb 2010 14:32:00 +0100
Subject: [sudo-users] [SOLVED] howto change sudo behavior: user should type root password ?
In-Reply-To: <4B7D3784.5020608@gmail.com>
Message-ID:

Hello Aaron, you wrote on 18.02.10:

> Yeah , it's very interesting that openSUSE requires root's pw by
> default.

That's the old-fashioned way for working as "root", since many years. Ubuntu has chosen another way. And I don't prefer giving many people the root password or root privileges.

Best regards!

Helmut

From aaron.lewis1989 at gmail.com Thu Feb 18 10:27:19 2010
From: aaron.lewis1989 at gmail.com (aaron lewis)
Date: Thu, 18 Feb 2010 23:27:19 +0800
Subject: [sudo-users] [SOLVED] howto change sudo behavior: user should type root password ?
In-Reply-To:
References: <4B7D3784.5020608@gmail.com>
Message-ID: <922d8fe51002180727y17d46516x4e81ba982aebf136@mail.gmail.com>

Ah, maybe sth. is really outdated. Actually I never work that way. I'm just .. curious.

Anyway, don't care for it : )

--
Best Regards,
Aaron Lewis

From vahid.moghaddasi at gmail.com Fri Feb 19 11:57:22 2010
From: vahid.moghaddasi at gmail.com (Vahid Moghaddasi)
Date: Fri, 19 Feb 2010 11:57:22 -0500
Subject: [sudo-users] sudo log format
Message-ID:

Hi all,

How can I have the sudo log entry be in one line instead of wrapping around to the next line for each incident?

The log file currently looks like this:

Jan 26 15:28:48 2010 : vahid : HOST=solaris11 : TTY=pts/11 ; PWD=/u/vahid
    ; USER=root ; COMMAND=/bin/su -

There are two lines in the above entry.

Also, is there a reason that two different delimiters (: and ;) are used in each line? Is it possible to modify that to have just one kind of delimiter, e.g. ; only?

Thanks,

From tonysk8 at gmx.net Fri Feb 19 12:52:26 2010
From: tonysk8 at gmx.net (Tony G.)
Date: Fri, 19 Feb 2010 09:52:26 -0800
Subject: [sudo-users] sudo log format
In-Reply-To:
References:
Message-ID: <60ad930b1002190952k2f18528dpae0bf06547abc0eb@mail.gmail.com>

Don't think there are two lines; seems like your output is being cut and pasted that way so you can see the full line. To verify do:

sudo grep "sudo grep /var/log/secure" /var/log/secure |wc -l

On Fri, Feb 19, 2010 at 8:57 AM, Vahid Moghaddasi < vahid.moghaddasi at gmail.com> wrote:

> Hi all,
> How can I have sudo log entry be in one line instead of wrapping around to
> next line for each incident?
> The log file currently looks like this:
>
> Jan 26 15:28:48 2010 : vahid : HOST=solaris11 : TTY=pts/11 ; PWD=/u/vahid
> ; USER=root ; COMMAND=/bin/su -
> There ate two lines in the above entry.
> Also, is there a reason that two different delimiters (: and ;) are used in
> each line? Is it possible to modify that to have just one kind of delimiter
> e.g. ; only?
> Thanks,

--
Tony

From Eric.Ladner at chevron.com Fri Feb 19 12:07:28 2010
From: Eric.Ladner at chevron.com (Ladner, Eric (Eric.Ladner))
Date: Fri, 19 Feb 2010 09:07:28 -0800
Subject: [sudo-users] sudo log format
In-Reply-To:
References:
Message-ID: <68BDC782617D7B4B8DAC9030A7EDDC6A01241768@CHVPKNTXC4M.chvpk.chevrontexaco.net>

You sure that's not wrapping because the editor's or viewer's screen is just narrow? My log entries do not wrap (but do have the multiple delimiters like you pointed out). I can't paste in an example because the mail client wraps it..

Eric Ladner
Systems Analyst
eric.ladner at chevron.com

-----Original Message-----
From: sudo-users-bounces at courtesan.com [mailto:sudo-users-bounces at courtesan.com] On Behalf Of Vahid Moghaddasi
Sent: Friday, February 19, 2010 10:57 AM
To: sudo-users at sudo.ws
Subject: [sudo-users] sudo log format

Hi all,

How can I have the sudo log entry be in one line instead of wrapping around to the next line for each incident?

The log file currently looks like this:

Jan 26 15:28:48 2010 : vahid : HOST=solaris11 : TTY=pts/11 ; PWD=/u/vahid
    ; USER=root ; COMMAND=/bin/su -

There are two lines in the above entry.

Also, is there a reason that two different delimiters (: and ;) are used in each line? Is it possible to modify that to have just one kind of delimiter, e.g. ; only?

Thanks,

From vahid.moghaddasi at gmail.com Fri Feb 19 15:30:22 2010
From: vahid.moghaddasi at gmail.com (Vahid Moghaddasi)
Date: Fri, 19 Feb 2010 15:30:22 -0500
Subject: [sudo-users] sudo log format
In-Reply-To:
References:
Message-ID:

On Fri, Feb 19, 2010 at 11:57 AM, Vahid Moghaddasi < vahid.moghaddasi at gmail.com> wrote:

> Hi all,
> How can I have sudo log entry be in one line instead of wrapping around to
> next line for each incident?
> The log file currently looks like this:
>
> Jan 26 15:28:48 2010 : vahid : HOST=solaris11 : TTY=pts/11 ; PWD=/u/vahid
> ; USER=root ; COMMAND=/bin/su -
> There ate two lines in the above entry.
> Also, is there a reason that two different delimiters (: and ;) are used in
> each line? Is it possible to modify that to have just one kind of delimiter
> e.g. ; only?
> Thanks,
>

I found the tag in the sudoers file that does this:

Defaults loglinelen=0

That's it. Thank you all.

--
This e-mail address is not monitored so please do not send me anything important here. Thanks.

From jhamilton at simulexinc.com Fri Feb 19 16:51:06 2010
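An added example, not code from the thread or from sudo, that reads entries in the logfile format Vahid quoted, rejoins wrapped entries, splits the mixed " : " and " ; " separators into fields, and flags entries that hand out a shell rather than a single audited command. The sample entries and the continuation convention (a wrapped entry continues on a line starting with whitespace, the layout loglinelen=0 turns off) are constructed assumptions, not taken from sudo's source.

```shell
#!/bin/sh
# Added example, not from the thread or from sudo: parse sudo logfile entries
# of the form quoted in the question and report shell escalations.
# Constructed sample: entry 1 is wrapped across two lines, as in the question.
SAMPLE_LOG='Jan 26 15:28:48 2010 : vahid : HOST=solaris11 : TTY=pts/11 ; PWD=/u/vahid
    ; USER=root ; COMMAND=/bin/su -
Jan 26 15:30:02 2010 : vahid : HOST=solaris11 : TTY=pts/11 ; PWD=/u/vahid ; USER=root ; COMMAND=/usr/bin/ls -l /etc
Jan 26 15:31:10 2010 : alice : HOST=solaris11 : TTY=pts/3 ; PWD=/u/alice ; USER=root ; COMMAND=/bin/bash'

# Join wrapped entries back into one record per line. Assumption: a
# continuation line starts with whitespace.
join_continuations() {
    awk '
        /^[ \t]/ { sub(/^[ \t]+/, ""); rec = rec " " $0; next }
        { if (rec != "") print rec; rec = $0 }
        END { if (rec != "") print rec }'
}

# Pull one NAME=value field out of a joined record. The record mixes " : "
# and " ; " separators, so the value ends at whichever comes first.
#   sudo_log_field "$rec" USER
sudo_log_field() {
    rec=$1 name=$2
    case $rec in
        *"$name="*) ;;
        *) return 1 ;;
    esac
    value=${rec#*"$name="}
    value=${value%%" ; "*}
    value=${value%%" : "*}
    printf '%s\n' "$value"
}

# The invoking user is the second " : "-delimited field.
sudo_log_invoker() {
    rest=${1#*" : "}
    printf '%s\n' "${rest%%" : "*}"
}

# Returns 0 when the command is su or a shell, i.e. the entry records an
# interactive escalation whose later commands will not be logged by sudo.
is_shell_escalation() {
    cmd=${1%% *}
    case $cmd in
        */su|*/sh|*/bash|*/ksh|*/csh|*/zsh) return 0 ;;
        *) return 1 ;;
    esac
}

# One line per record, with shell escalations tagged SHELL.
report() {
    join_continuations | while IFS= read -r rec; do
        cmd=$(sudo_log_field "$rec" COMMAND)
        tag=cmd
        if is_shell_escalation "$cmd"; then tag=SHELL; fi
        printf '%-5s %-6s tty=%-7s as=%-5s %s\n' "$tag" "$(sudo_log_invoker "$rec")" \
            "$(sudo_log_field "$rec" TTY)" "$(sudo_log_field "$rec" USER)" "$cmd"
    done
}

printf '%s\n' "$SAMPLE_LOG" | report
```

Feeding the real file is `report < /var/log/sudo.log` (or wherever logfile points). Of the three constructed entries, the `/bin/su -` and `/bin/bash` ones are tagged SHELL; those are the entries after which sudo's own audit trail stops, which is the usual reason to alert on them.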
From: jhamilton at simulexinc.com (Jason Hamilton)
Date: Fri, 19 Feb 2010 16:51:06 -0500
Subject: [sudo-users] LDAP Sudoers sudo -l without password
Message-ID: <4B7F07CA.6020306@simulexinc.com>

I'm not sure if this is possible, but is there a way to allow a group of users to run "sudo -l" without authenticating, but also not permitting them to run all commands without authenticating? I tried something like this:

    dn: cn=viewmyinfo,ou=SUDOers,dc=sample,dc=com
    objectClass: sudoRole
    objectClass: top
    cn: viewmyinfo
    sudoCommand: sudo -l
    sudoHost: ALL
    sudoOption: !authenticate
    sudoRunAs: ALL
    sudoUser: %users

Maybe it's a Friday thing, and I just can't think.

--
----
Jason Hamilton
IT Manager
jhamilton at simulexinc.com
OFFICE: 765.463.2690 x7015
CELL: 765.237.9515

Simulex, Inc. | Synthetic Environments for Analysis and Simulation
3842 McClure Ave, Ste. 120
West Lafayette, IN 47906
http://www.simulexinc.com

From tonysk8 at gmx.net Fri Feb 19 20:01:20 2010
From: tonysk8 at gmx.net (Tony G.)
Date: Fri, 19 Feb 2010 17:01:20 -0800
Subject: [sudo-users] LDAP Sudoers sudo -l without password
In-Reply-To: <4B7F07CA.6020306@simulexinc.com>
References: <4B7F07CA.6020306@simulexinc.com>
Message-ID: <60ad930b1002191701x38fa131ds50059719fef8e153@mail.gmail.com>

Yes you can, with:

    # Entry 1: cn=sudo_l,ou=SUDOers,dc=example,dc=com
    dn: cn=sudo_l,ou=SUDOers,dc=example,dc=com
    cn: sudo_l
    sudoCommand: /usr/bin/sudo -l
    sudoHost: ALL
    sudoOption: !authenticate
    sudoUser: %users
    objectClass: sudoRole
    objectClass: top

This is the output:

    $ sudo -l
    User foo may run the following commands on this host:

    LDAP Role: sudo_l
        Commands:
            /usr/bin/sudo -l

On Fri, Feb 19, 2010 at 1:51 PM, Jason Hamilton wrote:
> I'm not sure if this is possible, but is there a way to allow a group of
> users to run "sudo -l" without authenticating, but also not permitting
> them to run all commands without authenticating? I tried something like
> this:
> [...]

--
Tony

From jhamilton at simulexinc.com Sat Feb 20 10:16:49 2010
From: jhamilton at simulexinc.com (Jason Hamilton)
Date: Sat, 20 Feb 2010 10:16:49 -0500
Subject: [sudo-users] LDAP Sudoers sudo -l without password
In-Reply-To: <60ad930b1002191701x38fa131ds50059719fef8e153@mail.gmail.com>
References: <4B7F07CA.6020306@simulexinc.com> <60ad930b1002191701x38fa131ds50059719fef8e153@mail.gmail.com>
Message-ID: <4B7FFCE1.2080903@simulexinc.com>

Tony,

Thanks for following up, but that doesn't seem to work. Even for administrator users who have !authenticate for all commands (which works just fine), the "sudo -l" always prompts for their password.

We are running 1.6.9p17 on CentOS 5.4. Any thoughts on this?

-Jason

On 02/19/2010 08:01 PM, Tony G. wrote:
> /usr/bin/sudo -l

From spinler.patrick at mayo.edu Sat Feb 20 20:35:45 2010
From: spinler.patrick at mayo.edu (Patrick Spinler)
Date: Sat, 20 Feb 2010 19:35:45 -0600
Subject: [sudo-users] LDAP Sudoers sudo -l without password
In-Reply-To: <4B7FFCE1.2080903@simulexinc.com>
References: <4B7F07CA.6020306@simulexinc.com> <60ad930b1002191701x38fa131ds50059719fef8e153@mail.gmail.com> <4B7FFCE1.2080903@simulexinc.com>
Message-ID: <4B808DF1.4080704@mayo.edu>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Jason Hamilton wrote:
> Tony,
>
> Thanks for following up, but that doesn't seem to work. Even for
> administrator users who have !authenticate for all commands (which works
> just fine), the "sudo -l" always prompts for their password.
>
> We are running 1.6.9p17 on CentOS 5.4. Any thoughts on this?
>
> -Jason

Jason:

I think this may be the same issue I ran into back in this thread, running the sudo packaged with RHEL 5.x:
http://www.sudo.ws/mailman/htdig/sudo-users/2008-June/003611.html

The answer turned out to be to upgrade to sudo 1.7.x, which fixed this.

- -- Pat
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkuAjfEACgkQNObCqA8uBsz2RgCgo2SgtNyZ2hx7xIdYgw/JDu6Z
1/YAoJb63B21C8oqGrO2A3WC+HjHiTtX
=p4Ej
-----END PGP SIGNATURE-----

From jhamilton at simulexinc.com Sun Feb 21 10:41:36 2010
From: jhamilton at simulexinc.com (Jason Hamilton)
Date: Sun, 21 Feb 2010 10:41:36 -0500
Subject: [sudo-users] LDAP Sudoers sudo -l without password
In-Reply-To: <4B808DF1.4080704@mayo.edu>
References: <4B7F07CA.6020306@simulexinc.com> <60ad930b1002191701x38fa131ds50059719fef8e153@mail.gmail.com> <4B7FFCE1.2080903@simulexinc.com> <4B808DF1.4080704@mayo.edu>
Message-ID: <4B815430.6040602@simulexinc.com>

Thanks Patrick, I can give that a try on a test machine... you didn't happen to already build RPMs for RHEL 5? ;-)

-Jason

On 02/20/2010 08:35 PM, Patrick Spinler wrote:
> Jason:
>
> I think this may be the same issue I ran into back in this thread,
> running the sudo packaged with RHEL 5.x:
> http://www.sudo.ws/mailman/htdig/sudo-users/2008-June/003611.html
>
> The answer turned out to be to upgrade to sudo 1.7.x, which fixed this.
>
> - -- Pat

From jhamilton at simulexinc.com Mon Feb 22 10:44:24 2010
From: jhamilton at simulexinc.com (Jason Hamilton)
Date: Mon, 22 Feb 2010 10:44:24 -0500
Subject: [sudo-users] LDAP Sudoers sudo -l without password
In-Reply-To: <4B815430.6040602@simulexinc.com>
References: <4B7F07CA.6020306@simulexinc.com> <60ad930b1002191701x38fa131ds50059719fef8e153@mail.gmail.com> <4B7FFCE1.2080903@simulexinc.com> <4B808DF1.4080704@mayo.edu> <4B815430.6040602@simulexinc.com>
Message-ID: <4B82A658.5070505@simulexinc.com>

Yep, sudo 1.7.2p3 works like a charm with this LDAP function. Thanks again!

-Jason

On 02/21/2010 10:41 AM, Jason Hamilton wrote:
> Thanks Patrick, I can give that a try on a test machine... you didn't
> happen to already build RPMs for RHEL 5? ;-)
>
> -Jason
>
> On 02/20/2010 08:35 PM, Patrick Spinler wrote:
>> [...]
>> The answer turned out to be to upgrade to sudo 1.7.x, which fixed this.
>>
>> - -- Pat

--
----
Jason Hamilton
IT Manager
jhamilton at simulexinc.com
OFFICE: 765.463.2690 x7015
CELL: 765.237.9515

Simulex, Inc. | Synthetic Environments for Analysis and Simulation
3842 McClure Ave, Ste. 120
West Lafayette, IN 47906
http://www.simulexinc.com

From IGoldstein at Jefferies.com Wed Feb 24 15:09:46 2010
From: IGoldstein at Jefferies.com (Ian Goldstein)
Date: Wed, 24 Feb 2010 15:09:46 -0500
Subject: [sudo-users] Limiting arguments on a command

Hello,

I am trying to implement sudo so that a user can maintain directories and permissions. I want to limit what can be on the command line to an argument, without necessarily creating a script wrapper.

Can somebody please help me figure out what I am missing?

As an illustration, I have the following in my sudoers:

    User_Alias TEST_ADMIN=usera,userb

    Cmnd_Alias TEST_ADMIN_CMDS = \
        /bin/mkdir /apps/[[\:alpha\:]]* ,\
        /bin/rmdir /apps/[[\:alpha\:]]* ,\
        /bin/chown * /apps/[[\:alpha\:]]* ,\
        /bin/chmod * /apps/[[\:alpha\:]]*

    TEST_ADMIN ALL = (root) NOPASSWD:TEST_ADMIN_CMDS

What this allows me to do as a user is

    sudo /bin/mkdir /apps/test1

But it also allows me to run this, which is not desirable:

    sudo /bin/mkdir /apps/test1 /etc/foobar

(creates a directory in /etc called foobar.)

Thanks

Jefferies archives and monitors outgoing and incoming e-mail. The contents of this email, including any attachments, are confidential to the ordinary user of the email address to which it was addressed. If you are not the addressee of this email you may not copy, forward, disclose or otherwise use it or any part of it in any form whatsoever. This email may be produced at the request of regulators or in connection with civil litigation. Jefferies accepts no liability for any errors or omissions arising as a result of transmission. Use by other than intended recipients is prohibited. In the United Kingdom, Jefferies operates as Jefferies International Limited; registered in England: no. 1978621; registered office: Vintners Place, 68 Upper Thames Street, London EC4V 3BJ. Jefferies International Limited is authorised and regulated by the Financial Services Authority.

From jw at raven.inka.de Thu Feb 25 16:21:17 2010
From: jw at raven.inka.de (Josef Wolf)
Date: Thu, 25 Feb 2010 22:21:17 +0100
Subject: [sudo-users] sudo: no tty present and no askpass program specified
Message-ID: <20100225212117.GA17691@raven.wolf.lan>

Hello,

On ubuntu-9.10 with sudo-1.7.0, I have put the following line into my sudoers file on server.my.domain:

    naclt ALL = NOPASSWD: /usr/local/bin/naclient

to allow execution of this program as root from remote hosts. So from the remote host, I do

    /usr/bin/ssh -i /home/me/.ssh/naclt-dsa \
        -o "ServerAliveInterval 60" \
        -o "ServerAliveCountMax 3" \
        naclt at server.my.domain \
        /usr/bin/sudo /usr/local/bin/naclient version

But sudo errors out:

    sudo: no tty present and no askpass program specified

Why is sudo trying to ask for a password here? Did it not get the NOPASSWD option?

This used to work perfectly fine with sudo-1.6.9.p17 and exactly the same sudoers file on ubuntu-9.04.

Any ideas? Any workarounds?

From tonysk8 at gmx.net Thu Feb 25 18:50:12 2010
From: tonysk8 at gmx.net (Tony G.)
Date: Thu, 25 Feb 2010 15:50:12 -0800
Subject: [sudo-users] Limiting arguments on a command
Message-ID: <60ad930b1002251550i6d811f57m336c767866b8c664@mail.gmail.com>

Hi Ian,

I don't think that CMD alias will work. The rule

    /bin/mkdir /apps/[[\:alpha\:]]*

matches your example (on the "t" of test1):

    sudo /bin/mkdir /apps/test1 /etc/foobar

As you are saying, the command must start with /bin/mkdir /apps/; if you try

    sudo /bin/mkdir /apps/**est1

then it won't match the rule and thus fail. It might work if sudoers supports regex, but I'm not sure it does.

Besides, relative paths might be injected:

    sudo /rmdir * /apps/test1/../../

Is this required as root? If not, you can let the user run any command as that user, keeping the ownership that way.

On Wed, Feb 24, 2010 at 12:09 PM, Ian Goldstein wrote:
> Hello,
>
> I am trying to implement sudo so that a user can maintain directories and
> permissions. I want to limit what can be on the command line to an
> argument, without necessarily creating a script wrapper.
>
> Can somebody please help me figure out what I am missing?
> [...]
> What this allows me to do as a user is
>
> sudo /bin/mkdir /apps/test1
>
> But it also allows me to run this, which is not desirable:
>
> sudo /bin/mkdir /apps/test1 /etc/foobar (creates a directory in /etc
> called foobar.)
>
> Thanks

--
Tony

From tonysk8 at gmx.net Thu Feb 25 18:54:41 2010
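What Ian ran into and Tony describes is how sudo matches command arguments: the user's arguments are joined into one space-separated string and matched against the rule's argument glob with fnmatch(3) without FNM_PATHNAME, so '*' matches spaces and slashes and a pattern written for one argument also accepts any number of extra ones. The following is an editor's added example, not code from the thread or from sudo itself: a small re-implementation of that matching (the glob translator is this example's own; the '\:' escapes in Ian's sudoers are shown already removed, as the sudoers parser does), Ian's TEST_ADMIN_CMDS alias run through it, and beside it the argument check a wrapper script would have to perform instead, since a sudoers glob cannot express "exactly one argument". The wrapper_accepts function and its /apps naming rule are this example's assumptions.

```python
import os
import re

# POSIX bracket classes the translator understands; the thread only uses alpha.
POSIX_CLASSES = {"alpha": "a-zA-Z", "digit": "0-9", "alnum": "a-zA-Z0-9"}


def glob_to_regex(pattern):
    """Translate a sudoers argument glob into an anchored regex with the
    fnmatch(3) semantics sudo applies to arguments: no FNM_PATHNAME, so '*'
    and '?' also match '/' and the spaces between arguments."""
    out, i, n = [], 0, len(pattern)
    while i < n:
        c = pattern[i]
        if c == "*":
            out.append(".*")
        elif c == "?":
            out.append(".")
        elif c == "[":
            j, body = i + 1, []
            if j < n and pattern[j] in "!^":          # negated bracket expression
                body.append("^")
                j += 1
            while j < n and pattern[j] != "]":
                if pattern.startswith("[:", j):       # [:alpha:] and friends
                    k = pattern.index(":]", j)
                    body.append(POSIX_CLASSES[pattern[j + 2:k]])
                    j = k + 2
                else:
                    body.append("-" if pattern[j] == "-" else re.escape(pattern[j]))
                    j += 1
            out.append("[" + "".join(body) + "]")
            i = j                                      # now on the closing ']'
        else:
            out.append(re.escape(c))
        i += 1
    return "^" + "".join(out) + "$"


def args_match(rule_args, user_args):
    """sudo joins the user's arguments with single spaces and matches that one
    string against the rule's glob, so a trailing '*' swallows extra arguments."""
    return re.match(glob_to_regex(rule_args), " ".join(user_args)) is not None


# Ian's Cmnd_Alias, with the '\:' escapes removed as the sudoers parser does.
TEST_ADMIN_CMDS = [
    ("/bin/mkdir", "/apps/[[:alpha:]]*"),
    ("/bin/rmdir", "/apps/[[:alpha:]]*"),
    ("/bin/chown", "* /apps/[[:alpha:]]*"),
    ("/bin/chmod", "* /apps/[[:alpha:]]*"),
]


def sudoers_allows(command, user_args, rules=TEST_ADMIN_CMDS):
    """Exact match on the command path (these rules have no glob in the path)
    plus the argument glob above."""
    return any(command == rc and args_match(ra, user_args) for rc, ra in rules)


# What a wrapper script has to enforce instead (this example's assumption for
# the naming rule): exactly one argument, a name directly under /apps that
# starts with a letter and contains no '/', so /apps/x/../../etc cannot pass.
SAFE_PATH = re.compile(r"^/apps/[A-Za-z][A-Za-z0-9_.-]*$")


def wrapper_accepts(user_args):
    if len(user_args) != 1:
        return False
    path = user_args[0]
    return (SAFE_PATH.match(path) is not None
            and os.path.dirname(os.path.normpath(path)) == "/apps")


if __name__ == "__main__":
    for cmd, args in [("/bin/mkdir", ["/apps/test1"]),
                      ("/bin/mkdir", ["/apps/test1", "/etc/foobar"]),
                      ("/bin/rmdir", ["/apps/test1/../../etc"])]:
        print(cmd, args, "sudoers:", sudoers_allows(cmd, args),
              "wrapper:", wrapper_accepts(args))
```

The second and third cases are the ones that matter: both pass the sudoers glob exactly as Ian and Tony observed, and both fail the wrapper's check. Note that the chown and chmod rules are looser still, since the leading '*' accepts any number of arguments before the /apps path, including other paths.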
From: tonysk8 at gmx.net (Tony G.)
Date: Thu, 25 Feb 2010 15:54:41 -0800
Subject: [sudo-users] sudo: no tty present and no askpass program specified
In-Reply-To: <20100225212117.GA17691@raven.wolf.lan>
References: <20100225212117.GA17691@raven.wolf.lan>
Message-ID: <60ad930b1002251554q1b153860t3adc46dce77d6c01@mail.gmail.com>

The error says it all: sudo: no tty present and no askpass program specified

Look at your sudoers; it probably has:

    Defaults requiretty

From the sudoers man page:

    requiretty  If set, sudo will only run when the user is logged in to a
                real tty. When this flag is set, sudo can only be run from a
                login session and not via other means such as cron(8) or
                cgi-bin scripts. This flag is off by default.

I've never used askpass; the man page says:

    askpass     The askpass option specifies the fully qualified path to a
                helper program used to read the user's password when no
                terminal is available. This may be the case when sudo is
                executed from a graphical (as opposed to text-based)
                application. The program specified by askpass should display
                the argument passed to it as the prompt and write the user's
                password to the standard output. The value of askpass may be
                overridden by the SUDO_ASKPASS environment variable.

Give it a try commenting out the requiretty.

On Thu, Feb 25, 2010 at 1:21 PM, Josef Wolf wrote:
> Hello,
>
> On ubuntu-9.10 with sudo-1.7.0, I have put the following line into my sudoers
> file on server.my.domain:
>
> naclt ALL = NOPASSWD: /usr/local/bin/naclient
>
> to allow execution of this program as root from remote hosts.
> [...]
> But sudo errors out:
>
> sudo: no tty present and no askpass program specified
>
> Why is sudo trying to ask for a password here? Did it not get the NOPASSWD
> option?
>
> This used to work perfectly fine with sudo-1.6.9.p17 and exactly the same
> sudoers file on ubuntu-9.04.
>
> Any ideas? Any workarounds?

--
Tony

From Todd.Miller at courtesan.com Thu Feb 25 19:31:59 2010
From: Todd.Miller at courtesan.com (Todd C. Miller)
Date: Thu, 25 Feb 2010 19:31:59 -0500
Subject: [sudo-users] sudo: no tty present and no askpass program specified
In-Reply-To: Your message of "Thu, 25 Feb 2010 22:21:17 +0100." <20100225212117.GA17691@raven.wolf.lan>
References: <20100225212117.GA17691@raven.wolf.lan>
Message-ID: <201002260032.o1Q0VxBW002900@core.courtesan.com>

What happens if you pass ssh the "-tt" flag, does it prompt you for a password? What is the output of "sudo -l" on naclt?

 - todd

From jw at raven.inka.de Fri Feb 26 11:37:52 2010
From: jw at raven.inka.de (Josef Wolf)
Date: Fri, 26 Feb 2010 17:37:52 +0100
Subject: [sudo-users] sudo: no tty present and no askpass program specified
In-Reply-To: <60ad930b1002251554q1b153860t3adc46dce77d6c01@mail.gmail.com>
References: <20100225212117.GA17691@raven.wolf.lan> <60ad930b1002251554q1b153860t3adc46dce77d6c01@mail.gmail.com>
Message-ID: <20100226163752.GB17691@raven.wolf.lan>

On Thu, Feb 25, 2010 at 03:54:41PM -0800, Tony G. wrote:
> The error says it all: sudo: no tty present and no askpass program specified
>
> Look at your sudoers; it probably has:
> Defaults requiretty

No, it doesn't. The problem disappeared now somehow. I have not changed anything to fix it. I can tell for sure, since my systems are configured automatically, and all the backup files show only "Defaults env_reset" and "Defaults env_keep". No sign of requiretty in any backup files. Strange...

Thanks!