From eric.freeman at tbwachiat.com Thu Jun 3 13:29:17 2010
From: eric.freeman at tbwachiat.com (Eric Freeman)
Date: Thu, 3 Jun 2010 13:29:17 -0400
Subject: [sudo-users] Help needed with sudo ssl and HPUX
In-Reply-To: <201005282146.o4SLkCRI030190@core.courtesan.com>
References: <201005282146.o4SLkCRI030190@core.courtesan.com>
Message-ID:

Sorry, let me try it again.

Below is my /etc/ldap.conf file. I then did sudo -v as root and it
appears to work. Immediately after that I issued the command
su - eric_freeman and tried the same sudo -v, and it failed. It appears
that when I am root, sudo over SSL works.

Yes, our LDAP server supports TLS.

dbtest:/ # more /etc/ldap.conf
uri ldap://10.20.2.165
ssl start_tls
TLS_CHECKPEER off
sudoers_base ou=xxx
BINDDN cn=xxx
BINDPW xxx
timelimit 30
bind_timelimit 30
TLS_REQCERT never
sudoers_debug 2

dbtest:/ # sudo -v
LDAP Config Summary
===================
uri              ldap://10.20.2.165
ldap_version     3
sudoers_base     ou=xxx
binddn           cn=xxx
bindpw           xxx
bind_timelimit   30000
timelimit        30
ssl              start_tls
tls_checkpeer    (no)
===================
sudo: ldap_initialize(ld, ldap://10.20.2.165)
sudo: ldap_set_option: debug -> 0
sudo: ldap_set_option: ldap_version -> 3
sudo: ldap_set_option: tls_checkpeer -> 0
sudo: ldap_set_option: timelimit -> 30
sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 30)
sudo: ldap_start_tls_s() ok
sudo: ldap_sasl_bind_s() ok
sudo: found:cn=defaults,ou=xxx
sudo: ldap sudoOption: 'logfile=/var/adm/syslog/sudo.ldap.log'
sudo: ldap sudoOption: 'log_year'
sudo: user_matches=0
sudo: host_matches=0
sudo: sudo_ldap_lookup(53)=0x82

dbtest:/ # su - eric_freeman
$ sudo -v
LDAP Config Summary
===================
uri              ldap://10.20.2.165
ldap_version     3
sudoers_base     ou=xxx
binddn           cn=xxx
bindpw           xxx
bind_timelimit   30000
timelimit        30
ssl              start_tls
tls_checkpeer    (no)
===================
sudo: ldap_initialize(ld, ldap://10.20.2.165)
sudo: ldap_set_option: debug -> 0
sudo: ldap_set_option: ldap_version -> 3
sudo: ldap_set_option: tls_checkpeer -> 0
sudo: ldap_set_option: timelimit -> 30
sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 30)
sudo: ldap_start_tls_s(): Connect error
$

On Fri, May 28, 2010 at 5:46 PM, Todd C. Miller wrote:

> Hmm, in your working example, ssl=off whereas in the non-working,
> ssl=start_tls. Does your ldap server support ldaps (SSL over port
> 636)? If so, does that work?
>
> - todd
>
> In message
> so spake Eric Freeman (eric.freeman):
>
> > I am running sudo 1.7.2 on HP-UX 11.11. Sudo works when not using SSL but
> > when using SSL it fails. The odd thing is it works on another HP-UX machine
> > and the same version of sudo. I have also copied the /etc/ldap.conf file
> > from the working machine to the non-working machine.
> >
> > When I am root and type sudo -v it appears to talk SSL, but a regular user
> > fails. The regular user also fails SSL when issuing a sudo command with an
> > actual command.
> >
> > Thank you.
> > Below is the error and one that worked with root:
> >
> > $ sudo lastb
> > LDAP Config Summary
> > ===================
> > uri              ldap://10.20.2.165
> > ldap_version     3
> > sudoers_base     ou=xxxxxxx
> > binddn           cn=xxxxxx
> > bindpw           xxxxx
> > bind_timelimit   30000
> > timelimit        30
> > ssl              start_tls
> > tls_checkpeer    (no)
> > ===================
> > sudo: ldap_initialize(ld, ldap://10.20.2.165)
> > sudo: ldap_set_option: debug -> 0
> > sudo: ldap_set_option: ldap_version -> 3
> > sudo: ldap_set_option: tls_checkpeer -> 0
> > sudo: ldap_set_option: timelimit -> 30
> > sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 30)
> >
> > sudo: ldap_start_tls_s(): Connect error
> >
> >
> > Working with root:
> >
> > dbtest:/ # sudo -v
> > LDAP Config Summary
> > ===================
> > uri              ldap://10.20.2.165
> > ldap_version     3
> > sudoers_base     ou=xxxxx
> > binddn           cn=xxxxx
> > bindpw           xxxx
> > bind_timelimit   30000
> > timelimit        30
> > ssl              off
> > tls_checkpeer    (no)
> > ===================
> > sudo: ldap_initialize(ld, ldap://10.20.2.165)
> > sudo: ldap_set_option: debug -> 0
> > sudo: ldap_set_option: ldap_version -> 3
> > sudo: ldap_set_option: tls_checkpeer -> 0
> > sudo: ldap_set_option: timelimit -> 30
> > sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 30)
> >
> > sudo: ldap_sasl_bind_s() ok
> > sudo: found:cn=defaults,ou=SUDOersDBTEST,ou=SUDOers,ou=Services,o=NAM
> > sudo: ldap sudoOption: 'logfile=/var/adm/syslog/sudo.ldap.log'
> > sudo: ldap sudoOption: 'log_year'
> > sudo: user_matches=0
> > sudo: host_matches=0
> > sudo: sudo_ldap_lookup(53)=0x82
> >
> >
> > $ more /etc/ldap.conf
> > uri ldap://10.20.2.165
> > ssl start_tls
> > TLS_CHECKPEER off
> > sudoers_base ou=xxxxx
> > BINDDN cn=xxxx
> > BINDPW xxxx
> > timelimit 30
> > bind_timelimit 30
> > TLS_REQCERT never
> > sudoers_debug 2
> >
> >
> > This e-mail is intended only for the named person or entity to which
> > it is addressed and contains valuable business information that is
> > privileged, confidential and/or otherwise protected from disclosure.
> > Dissemination, distribution or copying of this e-mail or the
> > information herein by anyone other than the intended recipient, or
> > an employee or agent responsible for delivering the message to the
> > intended recipient, is strictly prohibited. All contents are the
> > copyright property of TBWA Worldwide, its agencies or a client of
> > such agencies. If you are not the intended recipient, you are
> > nevertheless bound to respect the worldwide legal rights of TBWA
> > Worldwide, its agencies and its clients. We require that unintended
> > recipients delete the e-mail and destroy all electronic copies in
> > their system, retaining no copies in any media. If you have received
> > this e-mail in error, please immediately notify us via e-mail to
> > disclaimer at tbwaworld.com. We appreciate your cooperation.
> >
> > We make no warranties as to the accuracy or completeness of this
> > e-mail and accept no liability for its content or use. Any opinions
> > expressed in this e-mail are those of the author and do not
> > necessarily reflect the opinions of TBWA Worldwide or any of its
> > agencies or affiliates.
> > ____________________________________________________________
> > sudo-users mailing list
> > For list information, options, or to unsubscribe, visit:
> > http://www.sudo.ws/mailman/listinfo/sudo-users
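The thread above never resolves the "Connect error", but the /etc/ldap.conf it posts has a second problem worth flagging before anyone touches the TLS settings to make the error go away: TLS_CHECKPEER off together with TLS_REQCERT never means the client accepts any certificate, so "ssl start_tls" encrypts the bind but does not authenticate the server, and the BINDPW in that file goes to whatever answers at 10.20.2.165. The script below is an added example, not code from the thread or from the sudo project. It audits an ldap.conf body for exactly those settings and shows a hardened variant beside the posted one; the sample configs are constructed from the values in the thread, and the CA bundle path /etc/opt/ldap/cacert.pem is an assumption.

```shell
#!/bin/sh
# Added example (not from the sudo-users thread): audit an ldap.conf body
# for settings that leave "ssl start_tls" without certificate verification.
# WEAK_LDAP_CONF is the file posted in the thread (credentials already
# masked as xxx); HARDENED_LDAP_CONF and its CA path are assumptions.

WEAK_LDAP_CONF='uri ldap://10.20.2.165
ssl start_tls
TLS_CHECKPEER off
sudoers_base ou=xxx
BINDDN cn=xxx
BINDPW xxx
timelimit 30
bind_timelimit 30
TLS_REQCERT never
sudoers_debug 2'

# Same server, but the peer certificate must chain to a pinned CA bundle.
HARDENED_LDAP_CONF='uri ldap://10.20.2.165
ssl start_tls
TLS_CHECKPEER yes
TLS_REQCERT demand
TLS_CACERTFILE /etc/opt/ldap/cacert.pem
sudoers_base ou=xxx
BINDDN cn=xxx
BINDPW xxx
timelimit 30
bind_timelimit 30'

# audit_ldap_conf CONF: print one finding per line for the config text in
# CONF. Keys are compared case-insensitively, since ldap.conf readers
# accept either spelling (the thread mixes "ssl" and "TLS_CHECKPEER").
audit_ldap_conf() {
    printf '%s\n' "$1" | awk '
        { key = tolower($1); val = tolower($2) }
        key == "tls_checkpeer" && val == "off" {
            print "TLS_CHECKPEER off: server certificate is never checked"
        }
        key == "tls_reqcert" && (val == "never" || val == "allow") {
            print "TLS_REQCERT " val ": a missing or invalid certificate is accepted"
        }
        key == "ssl" && val == "start_tls" { starttls = 1 }
        key == "tls_cacertfile" || key == "tls_cacertdir" { have_ca = 1 }
        END {
            if (starttls && !have_ca)
                print "start_tls without TLS_CACERTFILE/TLS_CACERTDIR: no trust anchor to verify the peer"
        }'
}

# count_findings CONF: number of findings, 0 for a clean file
count_findings() {
    audit_ldap_conf "$1" | wc -l | tr -d ' '
}

# Stand-alone run: report on both configs
printf 'posted config: %s finding(s)\n' "$(count_findings "$WEAK_LDAP_CONF")"
audit_ldap_conf "$WEAK_LDAP_CONF"
printf 'hardened config: %s finding(s)\n' "$(count_findings "$HARDENED_LDAP_CONF")"
```

To separate a libldap problem from a sudo problem when only the unprivileged user fails, run the OpenLDAP client directly as that user with STARTTLS made mandatory, e.g. `ldapsearch -ZZ -x -H ldap://10.20.2.165 -b '' -s base` (this assumes the OpenLDAP command-line tools are installed on the HP-UX host). If that also reports a connect error, the cause is in the client TLS setup reachable from that uid rather than in sudo, and it can be fixed with the hardened settings above rather than by dropping to ssl off.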
From yaberger at ca.ibm.com Thu Jun 3 10:22:04 2010
From: yaberger at ca.ibm.com (yaberger at ca.ibm.com)
Date: Thu, 3 Jun 2010 10:22:04 -0400
Subject: [sudo-users] Sudo's secure path option can be circumvented
Message-ID:

Hi,

I've just received the following security alert:
http://www.sudo.ws/sudo/alerts/secure_path.html

I have a few questions concerning this part:

    Sudo "secure path" feature works by replacing the PATH environment
    variable with a value specified in the sudoers file, or at compile
    time if the --with-secure-path configure option is used.

Is there any configuration related to that in sudoers, or is it only a
configure/compile option?

Can you confirm that this doesn't apply if sudo is not configured with
the --with-secure-path option?

By default, is this option set to yes if you configure with the default
options (./configure)?

Is it possible to determine if your sudo has been built with this
configuration option (in sudo -V output, probably)?

Yannick Bergeron
yaberger at ca.ibm.com
IT Specialist
AIX / Samba / Load Balancer / DCE/DFS / SCM / Apache / Security / Perl
scripting / etc.

From Todd.Miller at courtesan.com Thu Jun 3 14:56:33 2010
From: Todd.Miller at courtesan.com (Todd C. Miller)
Date: Thu, 03 Jun 2010 14:56:33 -0400
Subject: [sudo-users] Sudo's secure path option can be circumvented
In-Reply-To: Your message of "Thu, 03 Jun 2010 10:22:04 EDT."
References:
Message-ID: <201006031856.o53IuX2Y008521@core.courtesan.com>

In message
so spake (yaberger):

> I've just received the following security alert:
> http://www.sudo.ws/sudo/alerts/secure_path.html
>
> I've a few questions concerning this part:
>
> Sudo "secure path" feature works by replacing the PATH environment
> variable with a value specified in the sudoers file, or at compile time if
> the --with-secure-path configure option is used.
>
> Is there any configuration related to that in sudoers or is it only a
> configure/compile option?

Sudo 1.7.0 and higher has the "secure_path" Defaults setting in sudoers.
For older versions of sudo it was a compile-time option only.

> Can you confirm that this doesn't apply if sudo is not configured with the
> --with-secure-path option?
> By default, is this option set to yes if you configure with the default
> options (./configure) ?
> Is it possible to determine if your sudo has been built with this
> configuration option (in sudo -V output probably) ?

For sudo 1.6.0 and higher, if you run "sudo -V" as root you will see
something like this:

    Value to override user's $PATH with: /usr/bin:/bin

if sudo has been built with --with-secure-path enabled.

 - todd

From jr.aquino at citrixonline.com Fri Jun 4 14:33:56 2010
From: jr.aquino at citrixonline.com (Jr Aquino)
Date: Fri, 4 Jun 2010 11:33:56 -0700
Subject: [sudo-users] Offtopic: Re: sudo + ldap - nisNetgroupTriple
In-Reply-To: <06465F3D-EEF9-4B44-BBE5-43B828806547@citrixonline.com>
References: <90176B60-A592-4FF2-8BA7-7C5B74B41415@citrixonline.com>
 <4BFC450A.7060807@mayo.edu>
 <4BFC8BF5.8060504@mayo.edu>
 <4BFD3578.8030307@mayo.edu>
 <06465F3D-EEF9-4B44-BBE5-43B828806547@citrixonline.com>
Message-ID: <0C83845A-2380-41A6-897F-2AA9C3876069@citrixonline.com>

Does anyone on the mailing list know where in the C code from sudo I
would need to make modifications to make it look to a new type of LDAP
object for the netgroups?

I believe I have demonstrated that my method and my reasoning are sane.
I have even managed to get OpenLDAP to fully crash when using a modify
to the nis.schema to allow for nisNetgroupTriple to be a
caseExactIA5Match and then making a modification to a
nisNetgroupTriple. Seems that some LDAP servers can allow for this
behavior and others are more strict to the RFC, to the point where I
can crash out a 'stable' OpenLDAP daemon.
Either way, I'd like to look into the possibility of making these code
modifications and feel like the hostGroup object really isn't terribly
different from a nisNetgroup other than the lack of the unused tuple
format.

Please let me know if any of you can tell me where I can start hacking
at the code!

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Jr Aquino | Information Security Specialist
Citrix Online Division
Citrix Systems, Inc.
7408 Hollister Avenue
Goleta, CA 93117 USA
www.citrixonline.com
Desk: 805-690-3478
Email: jr.aquino at citrixonline.com

www.gotomypc.com | Access Your PC from Anywhere
www.gotomeeting.com | Online Meetings Made Easy
www.gotoassist.com | Remote Support Made Easy

On May 26, 2010, at 8:28 AM, Jr Aquino wrote:

> Right, that's why I said role based access.
>
> The sudo role can contain:
>
> sudorole:
>
> sudoUser: %someusergroup
> userGroup: someusergroup
>
> sudoHost: +somehostgroup
> hostGroup: somehostgroup
> hostGroup: nosudohostgroup
>
> sudoCommand: ALL
>
> someusergroup:
> memberUid: username
>
> somehostgroup:
> host: hosta
> host: hostb
> host: hostc
>
> nosudohostgroup:
> host: hostd
> host: hoste
> host: hostf
>
>
> I am not suggesting that the hostgroups or usergroups as they are
> represented in the role should double as both login and escalation
> rights. I define those separately with sudoHost vs hostGroup and
> sudoUser vs userGroup.
>
> However I DO want to utilize the same sets of hostgroups /
> usergroups as they are static containers that define groups of hosts
> or users.
>
> In this demonstration, username has login and sudo access to hosta,
> hostb, hostc, but it _only_ has login access to hostd, hoste, hostf.
>
> Does this help ease the confusion?
>
> On May 26, 2010, at 7:51 AM, Patrick Spinler wrote:
>
>> On 05/26/2010 09:16 AM, Jr Aquino wrote:
>>
>>> As such, I'd like to have a list of hosts that both sudo and
>>> pam_ldap can look to without having to duplicate the same data in
>>> 2 different formats.
>>
>> Here's where I'd urge you to give careful consideration to your
>> approach. You're talking about using the same object type for
>> semantically different purposes, and in fact to contain different
>> objects.
>>
>> *) A group of hosts for use in sudo rules
>> *) A group of users for use in sudo rules
>> *) A group of users to provision to a host
>>
>> In fact, these are all different, and *should* be represented
>> differently in your repository. We do something like this:
>>
>> auth_ - a list of people provisioned to a host
>> sudo_ - a list of people granted a specific sudo command
>> hgrp_ - a list of hosts
>>
>> Even in the first two instances, provisioning v. sudo, I *want* to
>> keep these separate. For example, when an intern joins our unix
>> team for a summer assignment, I probably want to allow that intern
>> to log into our machines so she can e.g. gather configuration info,
>> but I probably don't want to grant that intern the full sudo rights
>> I give normal unix admins.
>>
>> -- Pat
>

From germann at us.ibm.com Fri Jun 4 16:08:31 2010
From: germann at us.ibm.com (Ken Germann)
Date: Fri, 4 Jun 2010 16:08:31 -0400
Subject: [sudo-users] #include & #include_dir not working for me in 1.7.2p1
Message-ID:

Anyone able to offer some guidance on getting this feature to work? All
of the documentation states that 1.7.x supports this new feature. I am
running 1.7.2p2 on Solaris 9. The #include_dir and #include directives
are not working. Please help!

Thank You

Ken Germann
IBM Global Services
Sr. Unix Administrator - Contractor
Hours: Mon to Fri - 8:00 to 5:00 PM EST
Voice: 407-824-5567
Email: germann at us.ibm.com

From Todd.Miller at courtesan.com Fri Jun 4 16:22:50 2010
From: Todd.Miller at courtesan.com (Todd C. Miller)
Date: Fri, 04 Jun 2010 16:22:50 -0400
Subject: [sudo-users] #include & #include_dir not working for me in 1.7.2p1
In-Reply-To: Your message of "Fri, 04 Jun 2010 16:08:31 EDT."
References:
Message-ID: <201006042022.o54KMoeG018560@core.courtesan.com>

In message
so spake Ken Germann (germann):

> Anyone able to offer some guidance on getting this feature to work? All of
> the documentation states that 1.7.x supports this new feature. I am running
> 1.7.2p2 on Solaris 9. The #include_dir and #include directives are not
> working.

Can you be a bit more specific? Do you get a parse error from visudo or
sudo? If so, what is the error?

 - todd

From germann at us.ibm.com Fri Jun 4 16:30:32 2010
From: germann at us.ibm.com (Ken Germann)
Date: Fri, 4 Jun 2010 16:30:32 -0400
Subject: [sudo-users] #include & #include_dir not working for me in 1.7.2p1
In-Reply-To: <201006042022.o54KMoeG018560@core.courtesan.com>
References: <201006042022.o54KMoeG018560@core.courtesan.com>
Message-ID:

Here is the snippet of the sudoers file:

#includedir /etc/sudoers.d
Host_Alias TVLDEV=wdw92,tvldata2,wdwsun06,wdwsun09,wdwsun10,wdwsun11,\
    tvlsbr3,tvlwsn1,wdwsun56,wdwsun57,wdwsun58,wdwsun59,wdwsun50,\
    wdwsun51

Here is the error I get when I try to run sudo:

sudo: parse error in /usr/local/etc/sudoers near line 7
sudo: no valid sudoers sources found, quitting

Thank You

Ken Germann
IBM Global Services
Sr. Unix Administrator - Contractor
Hours: Mon to Fri - 8:00 to 5:00 PM EST
Voice: 407-824-5567
Email: germann at us.ibm.com

From germann at us.ibm.com Fri Jun 4 16:31:26 2010
From: germann at us.ibm.com (Ken Germann)
Date: Fri, 4 Jun 2010 16:31:26 -0400
Subject: [sudo-users] #include & #include_dir not working for me in 1.7.2p1
In-Reply-To: <201006042022.o54KMoeG018560@core.courtesan.com>
References: <201006042022.o54KMoeG018560@core.courtesan.com>
Message-ID:

Sudo version 1.7.2p1
Sudoers path: /usr/local/etc/sudoers
Authentication methods: 'pam'

Thank You

Ken Germann
IBM Global Services
Sr. Unix Administrator - Contractor
Hours: Mon to Fri - 8:00 to 5:00 PM EST
Voice: 407-824-5567
Email: germann at us.ibm.com

From Todd.Miller at courtesan.com Fri Jun 4 17:28:38 2010
From: Todd.Miller at courtesan.com (Todd C. Miller)
Date: Fri, 04 Jun 2010 17:28:38 -0400
Subject: [sudo-users] #include & #include_dir not working for me in 1.7.2p1
In-Reply-To: Your message of "Fri, 04 Jun 2010 16:30:32 EDT."
References: <201006042022.o54KMoeG018560@core.courtesan.com>
Message-ID: <201006042128.o54LScNU030228@core.courtesan.com>

In message
so spake Ken Germann (germann):

> Here is the snippet of the sudoers file:
>
> #includedir /etc/sudoers.d
> Host_Alias TVLDEV=wdw92,tvldata2,wdwsun06,wdwsun09,wdwsun10,wdwsun11,\
>     tvlsbr3,tvlwsn1,wdwsun56,wdwsun57,wdwsun58,wdwsun59,wdwsun50,\
>     wdwsun51
>
> Here is the error I get when I try to run sudo:
>
> sudo: parse error in /usr/local/etc/sudoers near line 7
> sudo: no valid sudoers sources found, quitting

Are there valid sudoers files in /etc/sudoers.d or is it empty? Sudo
would throw a parse error about an empty include dir in 1.7.2p1 (this
was fixed in 1.7.2p2).

 - todd

From jakrainer at yahoo.com Mon Jun 7 04:38:48 2010
From: jakrainer at yahoo.com (Jackson)
Date: Mon, 7 Jun 2010 01:38:48 -0700 (PDT)
Subject: [sudo-users] sudo and wildcards in the command line
Message-ID: <113139.33009.qm@web52104.mail.re2.yahoo.com>

Hello everyone,

This is regarding the way sudo interprets wildcards in the command line.
I'm using sudo 1.6.9.20 on AIX 6.1 and when I use, i.e., ls to list the
contents of a directory that doesn't belong to me, I get the following:

$ sudo ls -l /home/user/.history/.sudo_*
ls: 0653-341 The file /home/user/.history/.sudo_* does not exist.
But if I give the full path of the file I can see it:

$ sudo ls -l /home/user/.history/.sudo_wildcard_test.txt
-rw-r--r-- 1 root system 0 Jun 07 08:29 /home/user/.history/.sudo_wildcard_test.txt

If I run the first command as root it works:

# ls -l /home/user/.history/.sudo_*
-rw-r--r-- 1 root system 0 Jun 07 08:29 /home/user/.history/.sudo_wildcard_test.txt

Is this fixed in newer versions of sudo? Is there anything that I can
change in the configuration file to make it work?

Thanks in advance,
Jackson

From Matthew.Stier at us.fujitsu.com Mon Jun 7 06:55:22 2010
From: Matthew.Stier at us.fujitsu.com (Stier, Matthew)
Date: Mon, 7 Jun 2010 05:55:22 -0500
Subject: [sudo-users] sudo and wildcards in the command line
In-Reply-To: <113139.33009.qm@web52104.mail.re2.yahoo.com>
References: <113139.33009.qm@web52104.mail.re2.yahoo.com>
Message-ID: <63F73C973E3E4547979026ECC295EF5C02949DE6@rchemxp01.fnc.net.local>

Because shell wildcards are expanded before the command is executed.

In your example, the first wildcard expansion is done using your account,
and your permissions. The second wildcard expansion is being done as
root, who has sufficient permissions to access /home, /home/user, and
/home/user/.history.

-----Original Message-----
From: sudo-users-bounces at courtesan.com
[mailto:sudo-users-bounces at courtesan.com] On Behalf Of Jackson
Sent: Monday, June 07, 2010 4:39 AM
To: sudo-users at sudo.ws
Subject: [sudo-users] sudo and wildcards in the command line

Hello everyone,

This is regarding the way sudo interprets wildcards in the command line.
I'm using sudo 1.6.9.20 on AIX 6.1 and when I use, i.e., ls to list the
contents of a directory that doesn't belong to me, I get the following:

$ sudo ls -l /home/user/.history/.sudo_*
ls: 0653-341 The file /home/user/.history/.sudo_* does not exist.
But if I give the full path of the file I can see it:

$ sudo ls -l /home/user/.history/.sudo_wildcard_test.txt
-rw-r--r-- 1 root system 0 Jun 07 08:29 /home/user/.history/.sudo_wildcard_test.txt

If I run the first command as root it works:

# ls -l /home/user/.history/.sudo_*
-rw-r--r-- 1 root system 0 Jun 07 08:29 /home/user/.history/.sudo_wildcard_test.txt

Is this fixed in newer versions of sudo? Is there anything that I can
change in the configuration file to make it work?

Thanks in advance,
Jackson

From maniac.nl at gmail.com Mon Jun 7 08:11:39 2010
From: maniac.nl at gmail.com (Mark Janssen)
Date: Mon, 7 Jun 2010 14:11:39 +0200
Subject: [sudo-users] sudo and wildcards in the command line
In-Reply-To: <113139.33009.qm@web52104.mail.re2.yahoo.com>
References: <113139.33009.qm@web52104.mail.re2.yahoo.com>
Message-ID:

On Mon, Jun 7, 2010 at 10:38 AM, Jackson wrote:
> Hello everyone,
>
> This is regarding the way sudo interprets wildcards in the command line.
> I'm using sudo 1.6.9.20 on AIX 6.1 and when I use, i.e., ls to list the
> contents of a directory that doesn't belong to me, I get the following:
>
> $ sudo ls -l /home/user/.history/.sudo_*
> ls: 0653-341 The file /home/user/.history/.sudo_* does not exist.

Sudo (or any other program, for that matter) doesn't process any
wildcards. This is done by your shell. Since you don't have any rights
to read the specific directory, your shell can't expand the wildcard,
which leaves it as-is. The string is literally sent to ls, which
(running as root, due to sudo) will try to list the file ".sudo_*".
This file doesn't exist, so it returns an error.

> Is this fixed on newer versions of sudo? Is there anything that I can
> change in the configuration file to make it work?

This is independent of sudo. I wouldn't know a 'clean' solution at the
moment.

sudo sh -c "ls /home/user/.history/.sudo_*"

works... but isn't very nice/safe either.

-- 
Mark Janssen  --  maniac(at)maniac.nl  --  pgp: 0x357D2178
 | ,''`.  | Unix / Linux Open-Source and Internet Consultant @ Snow.nl
 | : :' : | Maniac.nl MarkJanssen.nl NerdNet.nl Unix.nl
 | `. `'  | Skype: markmjanssen ICQ: 129696007 irc: FooBar on undernet
 |   `-   |

From germann at us.ibm.com Tue Jun 8 10:21:37 2010
From: germann at us.ibm.com (Ken Germann)
Date: Tue, 8 Jun 2010 10:21:37 -0400
Subject: [sudo-users] Any ideas on why #include and #includedir
Message-ID:

Any ideas on why #include and #includedir are not working for me on
Solaris 9 and 10 with the 1.7.2p1 build? The release notes say it is
supposed to work. visudo accepts the file when I put them in the
sudoers. When I run sudo, it gives me a parse error.

I really need this feature to work.

Thank You

Ken Germann
IBM Global Services
Sr. Unix Administrator - Contractor
Hours: Mon to Fri - 8:00 to 5:00 PM EST
Voice: 407-824-5567
Email: germann at us.ibm.com

From Sudhakar.PS at tatatel.co.in Thu Jun 10 06:23:49 2010
From: Sudhakar.PS at tatatel.co.in (Sudhakar PS)
Date: Thu, 10 Jun 2010 15:53:49 +0530
Subject: [sudo-users] issues with sudo -i or sudo -s
Message-ID:

Hi

I am facing a challenge while implementing sudo for my Oracle users.
Without any commands, if I execute sudo -i -u oracle10, it takes me to
the oracle10 login. I need to restrict users in group dbaadmin so that
they do not log in as oracle but execute commands as the oracle10 user
by executing its profile.

Please suggest ways.
The sudoers file is also pasted below:

bash-3.00$ sudo -i -u oracle10
tcsumrpoc : oracle10 : INFOZECH : /software/ora10 >> --> ^D

bash-3.00$ sudo -u oracle10 -i
tcsumrpoc : oracle10 : INFOZECH : /software/ora10 >> --> ^D

bash-3.00$ sudo -u oracle10 -i
tcsumrpoc : oracle10 : INFOZECH : /software/ora10 >>

Sudoers File:

root            ALL=(ALL) ALL
oracle10        ALL=(ALL) ALL
%dbaadmin       ALL=(DB) ALL
%dbaadmin       ALL=(oracle10) ALL

# Uncomment to allow people in group wheel to run all commands
# %wheel        ALL=(ALL) ALL

# Same thing without a password
# %wheel        ALL=(ALL) NOPASSWD: ALL

# Samples
# %users        ALL=/sbin/mount /cdrom,/sbin/umount /cdrom
# %users        localhost=/sbin/shutdown -h now

# Cmnd alias specification
Cmnd_Alias SHELLS=/usr/bin/sh,/usr/bin/csh,/usr/bin/tcsh,/usr/bin/ksh,/bin/rsh,\
    /bin/jsh,/bin/pfcsh,/bin/pfksh,/bin/pfsh,/bin/rksh,/bin/tcsh,/bin/zsh,/bin/bash,\
    /usr/bin/jsh,/usr/bin/pfcsh,/usr/bin/pfksh,/usr/bin/pfsh,/usr/bin/rksh,\
    /usr/bin/tcsh,/usr/bin/zsh,/usr/bin/bash,/bin/su -,/bin/su - root,\
    /usr/bin/su -,/usr/bin/su - root,/bin/su ""

%sysadmin       ALL=!SHELLS
%sysadmin       ALL=NOEXEC: /usr/bin/vi,/usr/bin/more
%sysadmin       ALL= /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root

%dbaadmin       ALL=!SHELLS
%dbaadmin       ALL=NOEXEC: /usr/bin/vi,/usr/bin/more

======================================
i-choose online store at www.tataindicom.com
Your Comfort. Your Convenience. Your Choice.
======================================

DISCLAIMER: The information contained in this message (including any
attachments) is confidential and may be privileged. If you have received
it by mistake please notify the sender by return e-mail and permanently
delete this message and any attachments from your system. Any
dissemination, use, review, distribution, printing or copying of this
message in whole or in part is strictly prohibited. Please note that
e-mails are susceptible to change. TATA TELESERVICES LTD. (including its
group companies) shall not be liable for the improper or incomplete
transmission of the information contained in this communication nor for
any delay in its receipt or damage to your system. TATA TELESERVICES
LTD. (or its group companies) does not guarantee that the integrity of
this communication has been maintained nor that this communication is
free of viruses, interceptions or interference.

From Sudhakar.PS at tatatel.co.in Thu Jun 10 09:03:33 2010
From: Sudhakar.PS at tatatel.co.in (Sudhakar PS)
Date: Thu, 10 Jun 2010 18:33:33 +0530
Subject: [sudo-users] issues with sudo -i or sudo -s
In-Reply-To:
References:
Message-ID:

Hi Mark

Thanks for the guidance.

I am facing one issue.

dbaadmin$ sudo -u oracle10 , while executing this command, I would like
the profile of oracle10 to be executed along with the command. It tells
me command not found etc. I need to manually execute the profile file.
I have multiple Oracle versions installed on a single server and
require the account profile to be executed along with the sudo -u . Let
me know if I have some solution / workaround.

Reg
Sudhakar

-----Original Message-----
From: Mark Janssen [mailto:maniac.nl at gmail.com]
Sent: Thursday, June 10, 2010 5:55 PM
To: Sudhakar PS
Cc: sudo-users at sudo.ws
Subject: Re: [sudo-users] issues with sudo -i or sudo -s

On Thu, Jun 10, 2010 at 12:23 PM, Sudhakar PS wrote:
> Sudoers File:
> oracle10 ALL=(ALL) ALL
> %dbaadmin       ALL=(DB) ALL
> %dbaadmin       ALL=(oracle10) ALL

This gives everyone in group dbaadmin full root access... they sudo to
oracle10, start a shell, and sudo to root ;P
Only the ALL=(oracle10) line should be enough...
dbaadmin$ sudo -u oracle10
is the command your users should use to run something as oracle10

> Cmnd_Alias
> SHELLS=/usr/bin/sh,/usr/bin/csh,/usr/bin/tcsh,/usr/bin/ksh,/bin/rsh,\
>     /bin/jsh,/bin/pfcsh,/bin/pfksh,/bin/pfsh,/bin/rksh,/bin/tcsh,/bin/zsh,/bin/bash,\
>     /usr/bin/jsh,/usr/bin/pfcsh,/usr/bin/pfksh,/usr/bin/pfsh,/usr/bin/rksh,\
>     /usr/bin/tcsh,/usr/bin/zsh,/usr/bin/bash,/bin/su -,/bin/su - root,\
>     /usr/bin/su -,/usr/bin/su - root,/bin/su ""
> %sysadmin       ALL=!SHELLS

Negations don't work as you would expect... people can make a symlink
to a shell and start that, or they can start vi, and use a
shell-escape.
They can write their own script, which runs a shell, and start that.

> %sysadmin       ALL=NOEXEC: /usr/bin/vi,/usr/bin/more

You should make NOEXEC a default, and !NOEXEC the specific commands
that NEED it.

> %sysadmin       ALL= /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root
Second bit doesn't work as expected either...

> %dbaadmin       ALL=!SHELLS
Same...

> %dbaadmin       ALL=NOEXEC: /usr/bin/vi,/usr/bin/more
Same...

-- 
Mark Janssen  --  maniac(at)maniac.nl  --  pgp: 0x357D2178
 | ,''`.  | Unix / Linux Open-Source and Internet Consultant @ Snow.nl
 | : :' : | Maniac.nl MarkJanssen.nl NerdNet.nl Unix.nl
 | `. `'  | Skype: markmjanssen ICQ: 129696007 irc: FooBar on undernet
 |   `-   |

From maniac.nl at gmail.com Thu Jun 10 08:25:25 2010
From: maniac.nl at gmail.com (Mark Janssen)
Date: Thu, 10 Jun 2010 14:25:25 +0200
Subject: [sudo-users] issues with sudo -i or sudo -s
In-Reply-To:
References:
Message-ID:

On Thu, Jun 10, 2010 at 12:23 PM, Sudhakar PS wrote:
> Sudoers File:
> oracle10 ALL=(ALL) ALL
> %dbaadmin       ALL=(DB) ALL
> %dbaadmin       ALL=(oracle10) ALL

This gives everyone in group dbaadmin full root access... they sudo to
oracle10, start a shell, and sudo to root ;P
Only the ALL=(oracle10) line should be enough...

dbaadmin$ sudo -u oracle10
is the command your users should use to run something as oracle10

> Cmnd_Alias
> SHELLS=/usr/bin/sh,/usr/bin/csh,/usr/bin/tcsh,/usr/bin/ksh,/bin/rsh,\
>     /bin/jsh,/bin/pfcsh,/bin/pfksh,/bin/pfsh,/bin/rksh,/bin/tcsh,/bin/zsh,/bin/bash,\
>     /usr/bin/jsh,/usr/bin/pfcsh,/usr/bin/pfksh,/usr/bin/pfsh,/usr/bin/rksh,\
>     /usr/bin/tcsh,/usr/bin/zsh,/usr/bin/bash,/bin/su -,/bin/su - root,\
>     /usr/bin/su -,/usr/bin/su - root,/bin/su ""
> %sysadmin       ALL=!SHELLS

Negations don't work as you would expect... people can make a symlink
to a shell and start that, or they can start vi, and use a
shell-escape.
They can write their own script, which runs a shell, and start that.

> %sysadmin       ALL=NOEXEC: /usr/bin/vi,/usr/bin/more

You should make NOEXEC a default, and !NOEXEC the specific commands
that NEED it.

> %sysadmin       ALL= /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root
Second bit doesn't work as expected either...

> %dbaadmin       ALL=!SHELLS
Same...

> %dbaadmin       ALL=NOEXEC: /usr/bin/vi,/usr/bin/more
Same...

-- 
Mark Janssen  --  maniac(at)maniac.nl  --  pgp: 0x357D2178
 | ,''`.  | Unix / Linux Open-Source and Internet Consultant @ Snow.nl
 | : :' : | Maniac.nl MarkJanssen.nl NerdNet.nl Unix.nl
 | `. `'  | Skype: markmjanssen ICQ: 129696007 irc: FooBar on undernet
 |   `-   |

From aaron.lewis1989 at gmail.com Thu Jun 10 10:14:45 2010
From: aaron.lewis1989 at gmail.com (Aaron Lewis)
Date: Thu, 10 Jun 2010 22:14:45 +0800
Subject: [sudo-users] issues with sudo -i or sudo -s
In-Reply-To:
References:
Message-ID: <4C10F355.1020509@gmail.com>

On 06/10/2010 09:03 PM, Sudhakar PS wrote:
> Hi Mark
>
> Thanks for the guidance.
>
> I am facing one issue.
>
> dbaadmin$ sudo -u oracle10 , while executing this command, I would like
> the profile of oracle10 to be executed along with the command. It tells
> me command not found etc. I need to manually execute the profile file.
> I have multiple oracle versions installed on a single server, require
> the account profile to be executed along with the sudo -u . Let me know
> if I have some solution / workaround.
>

Maybe `env_keep' will help? Looks like some environment variable is not
passed to your shell.

e.g.

Defaults:oracle10 env_keep="ORACLE_HOME"

> Reg
> Sudhakar
>
>
> -----Original Message-----
> From: Mark Janssen [mailto:maniac.nl at gmail.com]
> Sent: Thursday, June 10, 2010 5:55 PM
> To: Sudhakar PS
> Cc: sudo-users at sudo.ws
> Subject: Re: [sudo-users] issues with sudo -i or sudo -s
>
> On Thu, Jun 10, 2010 at 12:23 PM, Sudhakar PS wrote:
>> Sudoers File:
>> oracle10 ALL=(ALL) ALL
>> %dbaadmin ALL=(DB) ALL
>> %dbaadmin ALL=(oracle10) ALL
>
> This gives everyone in group dbaadmin full root access... they sudo to
> oracle10, start a shell, and sudo to root ;P
> Only the ALL=(oracle10) line should be enough...
> dbaadmin$ sudo -u oracle10 > is the command your users should use to run something as oracle10 > >> Cmnd_Alias >> SHELLS=/usr/bin/sh,/usr/bin/csh,/usr/bin/tcsh,/usr/bin/ksh,/bin/rsh,/bin >> /jsh,/bin/pfcsh,/bin/pfksh,/bin/pfsh,/bin/rksh,/bin/tcsh,/bin/zsh,/bin/b >> ash,/usr/bin/jsh,/usr/bin/pfcsh,/usr/bin/pfksh,/usr/bin/pfsh,/usr/bin/rk >> sh,/usr/bin/tcsh,/usr/bin/zsh,/usr/bin/bash,/bin/su -,/bin/su - >> root,/usr/bin/su -, /usr/bin/su - root,/bin/su "" >> %sysadmin ALL=!SHELLS > > Negations don't work as you would expect... people can make a symlink > to a shell and start that, or they can start vi, and use a > shell-escape. > They can write their own script, which runs a shell, and start that. > >> %sysadmin ALL=NOEXEC: /usr/bin/vi,/usr/bin/more > > You should make NOEXEC a default, and !NOEXEC the specific commands > that NEED it. > >> %sysadmin ALL= /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root > Second bit doesn't work as expected either... > >> %dbaadmin ALL=!SHELLS > Same... > >> %dbaadmin ALL=NOEXEC: /usr/bin/vi,/usr/bin/more > Same... > - -- Best Regards, Aaron Lewis - PGP: 0x4A6D32A0 FingerPrint EA63 26B2 6C52 72EA A4A5 EB6B BDFE 35B0 4A6D 32A0 irc: A4r0n on freenode -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.14 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAkwQ81UACgkQvf41sEptMqAnEwCgu3u6kyOESmb0ExAt4y6vnvsm itAAn03bzxnm5yXBxNYt9v8V0OWyOo7M =vKN+ -----END PGP SIGNATURE----- From Sudhakar.PS at tatatel.co.in Fri Jun 11 05:49:29 2010 From: Sudhakar.PS at tatatel.co.in (Sudhakar PS) Date: Fri, 11 Jun 2010 15:19:29 +0530 Subject: [sudo-users] issues with sudo -i or sudo -s In-Reply-To: <4C10F355.1020509@gmail.com> References: <4C10F355.1020509@gmail.com> Message-ID: Hi Tried with env_keep as well but unable to load the user profile. can anybody help me in this regard. 
Reg
Sudhakar

-----Original Message-----
From: Aaron Lewis [mailto:aaron.lewis1989 at gmail.com]
Sent: Thursday, June 10, 2010 7:45 PM
To: Sudhakar PS
Cc: Mark Janssen; sudo-users at sudo.ws
Subject: Re: [sudo-users] issues with sudo -i or sudo -s

From Sudhakar.PS at tatatel.co.in  Fri Jun 11 06:35:20 2010
From: Sudhakar.PS at tatatel.co.in (Sudhakar PS)
Date: Fri, 11 Jun 2010 16:05:20 +0530
Subject: [sudo-users] issues with sudo -i or sudo -s
References: <4C10F355.1020509@gmail.com>
Message-ID:

Hi,

My profile issue is addressed when I execute the command "sudo -i -u oracle10 <any command>". If I don't pass any command as an argument, it leaves me in the shell of oracle10. I need to block users from accessing the shell of oracle10 directly. Users should access everything through their individual login only. If I block the shells with !SHELLS, then -i is not working. Can anybody help us in this regard.

Reg
Sudhakar

-----Original Message-----
From: Sudhakar PS
Sent: Friday, June 11, 2010 3:19 PM
To: 'Aaron Lewis'
Cc: Mark Janssen; sudo-users at sudo.ws
Subject: RE: [sudo-users] issues with sudo -i or sudo -s
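Mark Janssen's point above (a negated command such as ALL=!SHELLS, or ", !/usr/bin/passwd root" after a glob, is not an effective restriction because the excluded binary can be copied, symlinked or wrapped) also applies to the "ALL ALL=!SUDOSUDO" rule discussed in the "Why is root in the sudoers file?" thread later on this page. The script below is an added example, not code from the thread or from the sudo project: a small awk-based check that flags user specifications which try to subtract commands with "!", run over a constructed copy of the policy from this thread and over a hardened shape of it (noexec by default, explicit commands only). The wrapper path /usr/local/bin/ora-run in the hardened policy is assumed, not something the thread names.

```shell
#!/bin/sh
# Added example: find sudoers user specifications that rely on command
# negation ("!cmd" in the command list). Hypothetical helper, not part of sudo.

# find_negated_cmnds FILE: print each offending user specification;
# exit status 1 if any were found, else 0.
find_negated_cmnds() {
    awk '
        /^[ \t]*(#|$)/ { next }                        # comments, blank lines
        /^[ \t]*(Defaults|Cmnd_Alias|User_Alias|Host_Alias|Runas_Alias)/ { next }
        {
            eq = index($0, "=")
            if (eq == 0) next                          # not a user specification
            cmnds = substr($0, eq + 1)
            sub(/^[ \t]*\([^)]*\)/, "", cmnds)        # drop the "(runas)" list
            gsub(/[A-Z]+:/, "", cmnds)                 # drop tags such as NOEXEC:
            if (cmnds ~ /(^|[ \t,])![^ \t,]/) {        # "!cmd" or ", !cmd"
                print FILENAME ": " $0
                found = 1
            }
        }
        END { exit found ? 1 : 0 }
    ' "$1"
}

# Constructed copy of the policy discussed in the thread (SHELLS shortened).
weak_policy() {
    cat <<'EOF'
Cmnd_Alias SHELLS=/usr/bin/sh,/usr/bin/csh,/usr/bin/ksh,/usr/bin/bash,/bin/su -
%dbaadmin       ALL=(oracle10) ALL
%sysadmin       ALL=!SHELLS
%sysadmin       ALL=NOEXEC: /usr/bin/vi,/usr/bin/more
%sysadmin       ALL= /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root
%dbaadmin       ALL=!SHELLS
EOF
}

# Constructed hardened shape: noexec is the default, every command is listed
# explicitly with its arguments, and EXEC is re-enabled only for one wrapper
# (assumed path) that has to start a program itself.
hardened_policy() {
    cat <<'EOF'
Defaults        noexec
%dbaadmin       ALL=(oracle10) EXEC: /usr/local/bin/ora-run
%sysadmin       ALL=(root) /usr/bin/more /var/log/messages, /usr/bin/tail -f /var/log/messages
EOF
}

# demo: write both policies to temporary files and check them.
demo() {
    w=$(mktemp) && h=$(mktemp) || return 1
    weak_policy >"$w"; hardened_policy >"$h"
    echo "== weak policy =="
    find_negated_cmnds "$w" || echo "-> relies on command negation; rewrite as explicit grants"
    echo "== hardened policy =="
    find_negated_cmnds "$h" && echo "-> no negated commands"
    rm -f "$w" "$h"
}

demo
```

The check only looks for the negation pattern; it does not validate the file, so run visudo -c on the result as well. The hardened policy lists full argument strings rather than globs because a "*" in sudoers arguments also matches "/", which is a separate way to escape an argument restriction.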
From richard at vdberg.org  Fri Jun 11 06:41:00 2010
From: richard at vdberg.org (Richard van den Berg)
Date: Fri, 11 Jun 2010 12:41:00 +0200
Subject: [sudo-users] issues with sudo -i or sudo -s
In-Reply-To:
References: <4C10F355.1020509@gmail.com>
Message-ID: <84ed1274503da1ff08c1a13f75ef1e8a@localhost>

On Fri, 11 Jun 2010 16:05:20 +0530, "Sudhakar PS" wrote:
> If I block the shells with !SHELLS, then -i is not working.

That is because the -i option uses the shell to execute the profile of
the target user. Your users need to learn to set up the correct oracle
environment in their own account, before using a sudo to oracle.

Regards,

Richard

From maniac.nl at gmail.com  Thu Jun 10 10:09:01 2010
From: maniac.nl at gmail.com (Mark Janssen)
Date: Thu, 10 Jun 2010 16:09:01 +0200
Subject: [sudo-users] issues with sudo -i or sudo -s
In-Reply-To:
References:
Message-ID:

On Thu, Jun 10, 2010 at 3:03 PM, Sudhakar PS wrote:
> dbaadmin$ sudo -u oracle10 , while executing this command, I would like the profile of oracle10 to be executed along with the command. It tells me command not found etc. I need to manually execute the profile file. I have multiple oracle versions installed on a single server, require the account profile to be executed along with the sudo -u . Let me know if I have some solution / workaround.

It's probably easiest to create a wrapper-script, which sources the
profile, and then executes the command

-- 
Mark Janssen  --  maniac(at)maniac.nl  --  pgp: 0x357D2178
 | ,''`.  | Unix / Linux Open-Source and Internet Consultant @ Snow.nl
 | : :' : | Maniac.nl MarkJanssen.nl NerdNet.nl Unix.nl
 | `. `'  | Skype: markmjanssen  ICQ: 129696007  irc: FooBar on undernet
 |   `-   |

From eric.freeman at tbwachiat.com  Thu Jun 17 16:51:21 2010
From: eric.freeman at tbwachiat.com (Eric Freeman)
Date: Thu, 17 Jun 2010 16:51:21 -0400
Subject: [sudo-users] Help needed with sudo ssl and HPUX
In-Reply-To:
References:
Message-ID:

Below is my /etc/ldap.conf file

I ran sudo -v as root and it appears to work. Immediately after that I issued the command su - eric_freeman and tried the same sudo -v and it failed. It appears when I am root sudo over SSL works. Yes, our LDAP server supports TLS.

dbtest:/ # more /etc/ldap.conf
uri ldap://10.20.2.165
ssl start_tls
TLS_CHECKPEER off
sudoers_base ou=xxx
BINDDN cn=xxx
BINDPW xxx
timelimit 30
bind_timelimit 30
TLS_REQCERT never
sudoers_debug 2

dbtest:/ # sudo -v
LDAP Config Summary
===================
uri ldap://10.20.2.165
ldap_version 3
sudoers_base ou=xxx
binddn cn=xxx
bindpw xxx
bind_timelimit 30000
timelimit 30
ssl start_tls
tls_checkpeer (no)
===================
sudo: ldap_initialize(ld, ldap://10.20.2.165)
sudo: ldap_set_option: debug -> 0
sudo: ldap_set_option: ldap_version -> 3
sudo: ldap_set_option: tls_checkpeer -> 0
sudo: ldap_set_option: timelimit -> 30
sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 30)
sudo: ldap_start_tls_s() ok
sudo: ldap_sasl_bind_s() ok
sudo: found:cn=defaults,ou=xxx
sudo: ldap sudoOption: 'logfile=/var/adm/syslog/sudo.ldap.log'
sudo: ldap sudoOption: 'log_year'
sudo: user_matches=0
sudo: host_matches=0
sudo: sudo_ldap_lookup(53)=0x82

dbtest:/ # su - eric_freeman
$ sudo -v
LDAP Config Summary
===================
uri ldap://10.20.2.165
ldap_version 3
sudoers_base ou=xxx
binddn cn=xxx
bindpw xxx
bind_timelimit 30000
timelimit 30
ssl start_tls
tls_checkpeer (no)
===================
sudo: ldap_initialize(ld, ldap://10.20.2.165)
sudo: ldap_set_option: debug -> 0
sudo: ldap_set_option: ldap_version -> 3
sudo: ldap_set_option: tls_checkpeer -> 0
sudo: ldap_set_option: timelimit -> 30
sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 30)
sudo: ldap_start_tls_s(): Connect error
$

This e-mail is intended only for the named person or entity to which it is addressed and contains valuable business information that is privileged, confidential and/or otherwise protected from disclosure. Dissemination, distribution or copying of this e-mail or the information herein by anyone other than the intended recipient, or an employee or agent responsible for delivering the message to the intended recipient, is strictly prohibited. All contents are the copyright property of TBWA Worldwide, its agencies or a client of such agencies. If you are not the intended recipient, you are nevertheless bound to respect the worldwide legal rights of TBWA Worldwide, its agencies and its clients. We require that unintended recipients delete the e-mail and destroy all electronic copies in their system, retaining no copies in any media. If you have received this e-mail in error, please immediately notify us via e-mail to disclaimer at tbwaworld.com. We appreciate your cooperation. We make no warranties as to the accuracy or completeness of this e-mail and accept no liability for its content or use. Any opinions expressed in this e-mail are those of the author and do not necessarily reflect the opinions of TBWA Worldwide or any of its agencies or affiliates.
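Mark Janssen's wrapper-script suggestion above (source the target account's profile, then run the command) is the approach that answers Sudhakar's requirement without granting a shell, because the wrapper, not "sudo -i", is what sudo executes. The script below is an added example and not code from the thread: it assumes an install path of /usr/local/bin/ora-run, a sudoers line such as "%dbaadmin ALL=(oracle10) /usr/local/bin/ora-run", a profile at /home/oracle10/.profile, and a constructed allow-list of program names (lsnrctl, tnsping, orastat). Users would then run "sudo -u oracle10 ora-run lsnrctl status".

```shell
#!/bin/sh
# Added example: /usr/local/bin/ora-run (assumed path). Sources the target
# account's profile, then exec()s one allow-listed command. Not from the thread.

ORA_PROFILE=/home/oracle10/.profile     # assumed location of the profile

# allowed NAME: the only programs this wrapper will start (constructed list).
# Bare names only, so the profile's PATH decides which binary runs; tools with
# a built-in shell escape (sqlplus "host", rman "host") deliberately stay off
# the list, since allowing them would hand out the oracle10 shell after all.
allowed() {
    case "$1" in
        lsnrctl|tnsping|orastat) return 0 ;;
        *) return 1 ;;
    esac
}

# load_profile FILE: source the profile into the current shell. The file must
# be readable and owned by the account we run as, so nobody else can plant
# commands that this wrapper would then execute as oracle10.
load_profile() {
    if [ ! -r "$1" ]; then
        echo "ora-run: cannot read profile $1" >&2
        return 1
    fi
    if [ ! -O "$1" ]; then
        echo "ora-run: refusing profile $1: not owned by $(id -un)" >&2
        return 1
    fi
    . "$1"
}

# run_with_profile CMD [ARGS...]: validate, load the environment, exec.
run_with_profile() {
    cmd=$1
    [ $# -gt 0 ] && shift
    allowed "$cmd" || {
        echo "ora-run: '$cmd' is not permitted" >&2
        return 2
    }
    load_profile "$ORA_PROFILE" || return 1
    # exec replaces this shell: nothing is left running as oracle10 once the
    # command exits, and the command's exit status is what sudo reports.
    exec "$cmd" "$@"
}

if [ $# -gt 0 ]; then
    run_with_profile "$@"
fi
```

Because the wrapper has to exec the real program, it cannot itself run under sudo's NOEXEC tag; if noexec is the default (as Mark recommends) the sudoers entry for the wrapper needs the EXEC: tag, and the allow-list is then the only thing standing between the caller and an oracle10 shell, which is why interactive tools with shell escapes are left out.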
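Eric's ldap.conf above switches verification off twice: "TLS_CHECKPEER off" is sudo's own setting and "TLS_REQCERT never" is OpenLDAP's. With either in place, start_tls still encrypts the session but sudo accepts whatever certificate the far end presents, and since the sudoers policy itself comes from that server, anyone able to sit between the host and 10.20.2.165 can hand sudo a policy of their choosing. The script below is an added example, not part of sudo or of the thread: a check over an ldap.conf file that reports that state, run against a constructed copy of Eric's file and against a corrected one. The CA bundle path /etc/ssl/certs/ldap-ca.pem is assumed.

```shell
#!/bin/sh
# Added example: audit the TLS settings of a sudo ldap.conf. Not from sudo.

# audit_ldap_tls FILE: print findings; exit 1 if the file would let sudo talk
# to an unverified LDAP server, else 0.
audit_ldap_tls() {
    awk '
        /^[ \t]*(#|$)/ { next }
        { key = tolower($1); val = tolower($2) }
        key == "uri"           { if (val ~ /^ldaps:/) ldaps = 1 }
        key == "ssl"           { if (val ~ /^(start_tls|on|yes|true)$/) tls = 1 }
        key == "tls_checkpeer" { if (val ~ /^(no|off|false|0)$/) nocheck = 1 }
        key == "tls_reqcert"   { if (val ~ /^(never|allow)$/) nocheck = 1 }
        key ~ /^tls_cacert(file|dir)?$/ { ca = 1 }
        END {
            bad = 0
            if (!tls && !ldaps) {
                print "FAIL: no TLS (ssl start_tls or an ldaps:// uri): bind password and policy travel in the clear"
                bad = 1
            }
            if (nocheck) {
                print "FAIL: server certificate not verified (tls_checkpeer / TLS_REQCERT): a man-in-the-middle can serve any sudoers"
                bad = 1
            }
            if ((tls || ldaps) && !nocheck && !ca)
                print "WARN: no tls_cacertfile / tls_cacertdir: verification relies on the system CA store"
            if (!bad) print "OK: TLS with server verification"
            exit bad
        }
    ' "$1"
}

# Constructed copy of the configuration shown in the thread.
weak_ldap_conf() {
    cat <<'EOF'
uri ldap://10.20.2.165
ssl start_tls
TLS_CHECKPEER off
sudoers_base ou=xxx
BINDDN cn=xxx
BINDPW xxx
timelimit 30
bind_timelimit 30
TLS_REQCERT never
EOF
}

# Corrected shape (constructed): verification on, CA bundle pinned (assumed path).
hardened_ldap_conf() {
    cat <<'EOF'
uri ldap://10.20.2.165
ssl start_tls
tls_checkpeer yes
tls_cacertfile /etc/ssl/certs/ldap-ca.pem
sudoers_base ou=xxx
binddn cn=xxx
bindpw xxx
timelimit 30
bind_timelimit 30
EOF
}

demo() {
    w=$(mktemp) && h=$(mktemp) || return 1
    weak_ldap_conf >"$w"; hardened_ldap_conf >"$h"
    echo "== as posted =="; audit_ldap_tls "$w" || true
    echo "== corrected =="; audit_ldap_tls "$h"
    rm -f "$w" "$h"
}

demo
```

Turning verification on is also the first place to look when a non-root user gets "ldap_start_tls_s(): Connect error" while root succeeds: with a CA file configured, both users must be able to read it, so a CA bundle or certificate directory that only root can read produces exactly that split.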
From bryan at bevege.com  Fri Jun 18 14:11:21 2010
From: bryan at bevege.com (Bryan)
Date: Fri, 18 Jun 2010 18:11:21 +0000 (UTC)
Subject: [sudo-users] 1.7.0rc1 interesting tests
References: <484C426E.3080105@mayo.edu> <200806082123.m58LNka9027600@core.courtesan.com> <484C54F8.4030809@mayo.edu> <484C5889.4080809@mayo.edu> <200806082216.m58MGLSc010652@core.courtesan.com> <484C6078.5060505@mayo.edu> <484C6A98.4030706@mayo.edu> <200806082349.m58Nn90m023776@core.courtesan.com> <484C77B3.4040403@mayo.edu> <484C7E25.1080004@mayo.edu> <484C8BC7.2030101@mayo.edu> <200806091426.m59EQWgP014534@core.courtesan.com> <484D3F45.7050805@mayo.edu>
Message-ID:

This is off topic but the "tls_checkpeer no" fixed the sudo:
ldap_start_tls_s(): Connect errors on my Centos 5.4 systems connecting to
openldap 2.4.24

From richard at vdberg.org  Mon Jun 21 09:28:24 2010
From: richard at vdberg.org (Richard van den Berg)
Date: Mon, 21 Jun 2010 15:28:24 +0200
Subject: [sudo-users] 1.7.0rc1 interesting tests
In-Reply-To:
References: <484C426E.3080105@mayo.edu> <200806082123.m58LNka9027600@core.courtesan.com> <484C54F8.4030809@mayo.edu> <484C5889.4080809@mayo.edu> <200806082216.m58MGLSc010652@core.courtesan.com> <484C6078.5060505@mayo.edu> <484C6A98.4030706@mayo.edu> <200806082349.m58Nn90m023776@core.courtesan.com> <484C77B3.4040403@mayo.edu> <484C7E25.1080004@mayo.edu> <484C8BC7.2030101@mayo.edu> <200806091426.m59EQWgP014534@core.courtesan.com> <484D3F45.7050805@mayo.edu>
Message-ID: <65eb0012f5e908ca2981821c4b48ac68@localhost>

On Fri, 18 Jun 2010 18:11:21 +0000 (UTC), Bryan wrote:
> This is off topic but the "tls_checkpeer no" fixed the sudo:
> ldap_start_tls_s():
> Connect errors on my Centos 5.4 systems connecting to openldap 2.4.24

Without peer checking an attacker can do a man-in-the-middle attack
against your LDAP server and serve up any sudo's she needs (like sudo
ALL). Not a great idea for high risk environments.

Richard

From nikolas.britton at gmail.com  Fri Jun 25 12:09:57 2010
From: nikolas.britton at gmail.com (Nikolas Britton)
Date: Fri, 25 Jun 2010 11:09:57 -0500
Subject: [sudo-users] Why is root in the sudoers file?
Message-ID:

Hi,

Why is root in the sudoers file? Root can do anything because it has a
UID of 0. So adding "root ALL=(ALL) ALL" to the sudoers file is
redundant because root does not need to use sudo! In my mind it just
creates an extra security risk. for example: sudo sudo su - or sudo
sudo bash to get around command logging.

The place I work at has a project to add the following to our sudoers files:

Cmnd_Alias SUDOSUDO = /usr/local/bin/sudo, /usr/bin/sudo, /bin/sudo
ALL ALL=!SUDOSUDO

This is pointless from what I understand of sudo and unix. All that's
needed to circumvent this is to copy the sudo binary to another
location. for example: cp /bin/sudo /sbin/sudo; sudo /sbin/sudo su -.

All that is needed to prevent this is the removal of "root ALL=(ALL)
ALL" or the addition of "Defaults !root_sudo" to the sudoers file. I
can't think of any reason why root is in the sudoers file.

-Nikolas

From Todd.Miller at courtesan.com  Fri Jun 25 13:12:11 2010
From: Todd.Miller at courtesan.com (Todd C. Miller)
Date: Fri, 25 Jun 2010 13:12:11 -0400
Subject: [sudo-users] Why is root in the sudoers file?
In-Reply-To: Your message of "Fri, 25 Jun 2010 11:09:57 CDT."
References:
Message-ID: <201006251712.o5PHCBOT012528@core.courtesan.com>

In message
	so spake Nikolas Britton (nikolas.britton):

> Why is root in the sudoers file? Root can do anything because it has a
> UID of 0. So adding "root ALL=(ALL) ALL" to the sudoers file is
> redundant because root does not need to use sudo! In my mind it just
> creates an extra security risk. for example: sudo sudo su - or sudo
> sudo bash to get around command logging.

Having root in sudoers allows users who need to do "sudo su" or
"sudo -s" for certain things to still use sudo and have the commands logged.
Obviously, you cannot force people to do this but this is where local
policy about root access comes into play.

> The place I work at has a project to add the following to our sudoers files:
> 
> Cmnd_Alias SUDOSUDO = /usr/local/bin/sudo, /usr/bin/sudo, /bin/sudo
> ALL ALL=!SUDOSUDO
> 
> This is pointless from what I understand of sudo and unix. All that's
> needed to circumvent this is to copy the sudo binary to another
> location. for example: cp /bin/sudo /sbin/sudo; sudo /sbin/sudo su -.

Yes, there's little point in that. Giving access to ALL with certain
restrictions is just not effective. The user could just make a
copy of any command or shell, or simply write a script that does
what they want, and run that.

 - todd

From highc at stny.rr.com  Fri Jun 25 14:57:12 2010
From: highc at stny.rr.com (highc at stny.rr.com)
Date: Fri, 25 Jun 2010 14:57:12 -0400
Subject: [sudo-users] Why is root in the sudoers file?
In-Reply-To: <201006251712.o5PHCBOT012528@core.courtesan.com>
References: <201006251712.o5PHCBOT012528@core.courtesan.com>
Message-ID: <4C24FC08.6080603@stny.rr.com>

Todd C. Miller wrote:
>>
>>Cmnd_Alias SUDOSUDO = /usr/local/bin/sudo, /usr/bin/sudo, /bin/sudo
>>ALL ALL=!SUDOSUDO
>>
>>This is pointless from what I understand of sudo and unix. All that's
>>needed to circumvent this is to copy the sudo binary to another
>>location. for example: cp /bin/sudo /sbin/sudo; sudo /sbin/sudo su -.
> 
> 
> Yes, there's little point in that. Giving access to ALL with certain
> restrictions is just not effective. The user could just make a
> copy of any command or shell, or simply write a script that does
> what they want, and run that.
> 
>  - todd
> ____________________________________________________________
> sudo-users mailing list
> For list information, options, or to unsubscribe, visit:
> http://www.sudo.ws/mailman/listinfo/sudo-users
> 
> 

Let's assume that 99.9% of the work a system SA does is via sudo; clearly, they need to be granted a -very- broad range of activities. While you cannot -stop- system admins from taking overt harmful actions, you can make it so that they must take an 'overt' action to defeat some of the restrictions. By having this be done as an 'overt' action, rather than an 'incidental' action, does this not show some level of control? For instance, doesn't someone taking an action of copying /usr/local/bin/sudo /home/myid/bin/sudo show some form of 'mal intent'? I appreciate this is a matter of providing only an 'opportunity to demonstrate' malfeasance rather than a rock solid cage; but isn't that better than nothing?

Interesting discussion!

-Chris.

From maniac.nl at gmail.com  Fri Jun 25 21:06:05 2010
From: maniac.nl at gmail.com (Mark Janssen)
Date: Sat, 26 Jun 2010 03:06:05 +0200
Subject: [sudo-users] Why is root in the sudoers file?
In-Reply-To:
References:
Message-ID:

On Fri, Jun 25, 2010 at 6:09 PM, Nikolas Britton wrote:
> Hi,
>
> Why is root in the sudoers file? Root can do anything because it has a
> UID of 0. So adding "root ALL=(ALL) ALL" to the sudoers file is

True... it's mostly pointless, but I think it's still useful for some
situations. I have some scripts that use sudo inside the script. If
these scripts were to be run by root they would suddenly fail, because
root wasn't allowed to sudo, while a 'normal' user in these cases
would.

Of course, I'm making some things too easy for myself, but as you
said, root is already root, and running sudo again won't cause much
harm (and will log whatever command was run).

-- 
Mark Janssen  --  maniac(at)maniac.nl  --  pgp: 0x357D2178
 | ,''`.  | Unix / Linux Open-Source and Internet Consultant @ Snow.nl
 | : :' : | Maniac.nl MarkJanssen.nl NerdNet.nl Unix.nl
 | `. `'  | Skype: markmjanssen  ICQ: 129696007  irc: FooBar on undernet
 |   `-   |

From justin at jalcorn.net  Fri Jun 25 22:35:46 2010
From: justin at jalcorn.net (Justin Alcorn)
Date: Fri, 25 Jun 2010 22:35:46 -0400
Subject: [sudo-users] Why is root in the sudoers file?
In-Reply-To:
References:
Message-ID:

On Fri, Jun 25, 2010 at 9:06 PM, Mark Janssen wrote:
> said, root is already root, and running sudo again won't cause much
> harm (and will log whatever command was run).
>

That's the point. Even if you "sudo su -" you should continue to run
EVERY command with sudo - so you have an audit trail of what you did.
It's just good sysadmin hygiene.

-- 
Justin B. Alcorn
The views expressed here are not necessarily my own, much less anyone else's.
PGP Fingerprint A36D D691 C5B0 BE15 5A2A AF49 AA1C 372C

From nikolas.britton at gmail.com  Sat Jun 26 08:07:38 2010
From: nikolas.britton at gmail.com (Nikolas Britton)
Date: Sat, 26 Jun 2010 07:07:38 -0500
Subject: [sudo-users] Why is root in the sudoers file?
In-Reply-To:
References:
Message-ID:

On Fri, Jun 25, 2010 at 9:35 PM, Justin Alcorn wrote:
> On Fri, Jun 25, 2010 at 9:06 PM, Mark Janssen wrote:
>
>> said, root is already root, and running sudo again won't cause much
>> harm (and will log whatever command was run).
>>
>
> That's the point. Even if you "sudo su -" you should continue to run
> EVERY command with sudo - so you have an audit trail of what you did.
> It's just good sysadmin hygiene.
>

When you "sudo su -" at my work the shell profile is configured to
record all of the commands you run with your name attached to it.

From Todd.Miller at courtesan.com  Mon Jun 28 09:56:10 2010
From: Todd.Miller at courtesan.com (Todd C. Miller)
Date: Mon, 28 Jun 2010 09:56:10 -0400
Subject: [sudo-users] sudo 1.7.3rc1 available
Message-ID: <201006281356.o5SDuABD021802@core.courtesan.com>

The first release candidate of sudo 1.7.3 is now available.
Sudo 1.7.3 is scheduled for release on June 30th.

Download links:
	http://www.sudo.ws/sudo/dist/beta/sudo-1.7.3rc1.tar.gz
	ftp://ftp.sudo.ws/pub/sudo/beta/sudo-1.7.3rc1.tar.gz

Major changes between sudo 1.7.2p7 and 1.7.3rc1:

 * Support for logging I/O for the command being run.
   For more information, see the documentation for the "log_input"
   and "log_output" Defaults options in the sudoers manual. Also
   see the sudoreplay manual for how to replay I/O log sessions.

 * The use_pty sudoers option can be used to force a command to be
   run in a pseudo-pty, even when I/O logging is not enabled.

 * On some systems, sudo can now detect when a user has logged out
   and back in again when tty-based time stamps are in use. Supported
   systems include Solaris systems with the devices file system,
   Mac OS X, and Linux systems with the devpts filesystem (pseudo-ttys
   only).

 * On AIX systems, the registry setting in /etc/security/user is
   now taken into account when looking up users and groups. Sudo
   now applies the correct user and group ids when running a command
   as a user whose account details come from a different source
   (e.g. LDAP or DCE vs. local files).

 * Support for multiple 'sudoers_base' and 'uri' entries in ldap.conf.
   When multiple entries are listed, sudo will try each one in the
   order in which they are specified.

 * Sudo's SELinux support should now function correctly when running
   commands as a non-root user and when one of stdin, stdout or stderr
   is not a terminal.

 * Sudo will now use the Linux audit system when configured with the
   --with-linux-audit flag.

 * Sudo now uses mbr_check_membership() on systems that support it
   to determine group membership. Currently, only Darwin (Mac OS X)
   supports this.

 * When the tty_tickets sudoers option is enabled but there is no
   terminal device, sudo will no longer use or create a tty-based
   ticket file. Previously, sudo would use a tty name of "unknown".
   As a consequence, if a user has no terminal device, sudo will now
   always prompt for a password.

 * The passwd_timeout and timestamp_timeout options may now be
   specified as floating point numbers for more granular timeout
   values.

 * Negating the fqdn option in sudoers now works correctly when sudo
   is configured with the --with-fqdn option. In previous versions
   of sudo the fqdn was set before sudoers was parsed.
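In the "Why is root in the sudoers file?" thread above, Nikolas Britton mentions a shell profile that records every command typed in a "sudo su -" shell with the name of the person who started it, and Justin Alcorn's point is that an audit trail is what the root entry in sudoers buys you. The fragment below is an added example, not from the thread: a bash profile hook for the root account that does that through syslog. It assumes bash as root's shell, installation from root's .bashrc or /etc/profile.d (path assumed), and that syslog facility local1 is free; the sample history line in the test is constructed.

```shell
# Added example: log every interactive root command to syslog, attributed to
# the person who reached root through sudo. Hypothetical profile fragment.

# audit_actor: the real person. sudo exports SUDO_USER; fall back to the
# login name so a console root login is still attributed to someone.
audit_actor() {
    printf '%s' "${SUDO_USER:-$(logname 2>/dev/null || id -un)}"
}

# history_number / history_text: split one "history 1" line, which looks
# like "  123  ls -l /tmp", into the entry number and the command text.
history_number() {
    printf '%s\n' "$1" | sed 's/^[[:space:]]*\([0-9]*\).*/\1/'
}
history_text() {
    printf '%s\n' "$1" | sed 's/^[[:space:]]*[0-9]*[[:space:]]*//'
}

# format_audit_record ACTOR EUID TTY CMD: one line that is easy to search for.
format_audit_record() {
    printf 'actor=%s euid=%s tty=%s cmd=%s' "$1" "$2" "$3" "$4"
}

# log_last_command: run from PROMPT_COMMAND after every command. Remembering
# the history number avoids logging the same entry again when the user just
# presses Enter at the prompt.
_audit_last=""
log_last_command() {
    entry=$(history 1) || return 0
    num=$(history_number "$entry")
    [ -n "$num" ] && [ "$num" != "$_audit_last" ] || return 0
    _audit_last=$num
    logger -p local1.info -t root-shell -- \
        "$(format_audit_record "$(audit_actor)" "$(id -u)" \
            "$(tty 2>/dev/null || echo none)" "$(history_text "$entry")")"
}

# Hook only interactive shells, and make the hook read-only so that removing
# it is an overt act rather than an accident. As Todd Miller notes, nothing
# here can stop root from starting a different shell; it records, not prevents.
case $- in
    *i*)
        shopt -s histappend
        PROMPT_COMMAND=log_last_command
        readonly PROMPT_COMMAND
        ;;
esac
```

Ship the resulting local1 messages off the host: a root user can edit local log files, so the record is only worth something once it lives somewhere root on that machine cannot rewrite.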