From shott at stanford.edu Mon Mar 1 12:29:03 2010
From: shott at stanford.edu (John Shott)
Date: Mon, 01 Mar 2010 09:29:03 -0800
Subject: [sudo-users] Linux/Solaris differences in use of Cmnd_Alias?
Message-ID: <4B8BF95F.4000909@stanford.edu>

Sudo Community:

We have been using sudo for several years on both Solaris and Linux platforms to control who can start a set of servers and make sure that they are running as the proper user. To do that, we have a wrapper script that is used to start some servers. Let's say that is named /usr/local/sbin/wrapper. In the wrapper script we start the server with the line

    sudo -l server_user /usr/local/sbin/start_server

to ensure that the servers are owned by server_user and can only be started by specific named users.

Because we are developing these servers, in addition to this production version, we often have a development version that is started with a similar wrapper script named /usr/local/sbin/wrapper-dev that actually starts the server with the sudo command line:

    sudo -l server_user /usr/local/sbin/server_start-dev

Here is the relevant section of our /etc/sudoers file:

    # User_Alias and Cmnd_Alias definitions:
    User_Alias LEGAL_USERS = fred, bill, joe, server_user
    Cmnd_Alias SERVER_START = /usr/local/sbin/server_start*

    # Server_start privilege specification
    LEGAL_USERS this_host = (server_user) NOPASSWD: SERVER_START

On Solaris, if I am a member of the LEGAL_USERS User_Alias, I can successfully start either /usr/local/sbin/server_start or /usr/local/sbin/server_start-dev using this approach of having a trailing asterisk in the SERVER_START Cmnd_Alias.

However, on Linux (specifically RHEL 5.4), if I run /usr/local/sbin/wrapper or /usr/local/sbin/wrapper-dev, which should be calling

    sudo -l server_user /usr/local/sbin/server_start

and

    sudo -l server_user /usr/local/sbin/server_start-dev

respectively, I get both a prompt for a password and then the error message:

    User server_user is not allowed to run the command "/usr/local/sbin/server_start" on this_host.

(and the equivalent error message when it tries to run "/usr/local/sbin/server_start-dev").

While I can solve this by explicitly including both /usr/local/sbin/server_start and /usr/local/sbin/server_start-dev in the Cmnd_Alias on RHEL Linux, it seems as if using the wildcard * in the Cmnd_Alias should work .... and does work on Solaris. In fact, I think that this wildcard in the Cmnd_Alias actually used to work on RHEL Linux.

Is this a misuse of a wildcard in a Cmnd_Alias? Can anyone explain why this works on Solaris 10, but not on RHEL Linux 5.4?

Note: on Solaris 10, we are running Sudo 1.7.0 and on RHEL 5.4 we are running Sudo 1.6.9p17.

Thanks for your consideration,

John

From ddoernberg at law.pace.edu Mon Mar 1 18:23:18 2010
From: ddoernberg at law.pace.edu (Doernberg, Prof. Donald L.)
Date: Mon, 1 Mar 2010 18:23:18 -0500
Subject: [sudo-users] sudo command in Autostart
Message-ID: <027616CC2DA53A45AE2E57E4DB1AF9DF40B83BBF45@EMAIL2.pace.edu>

With apologies to all, I am a real newb to Kubuntu. I want to run a script in Autostart that has one sudo command in it. I've looked at documentation for the sudoers file, and I understand how I could edit it to make the sudo command operate for a user without a password, but that's much too broad a permission in my view. What I'd like to know is whether there is something I can insert in sudoers that would allow this single command to run at boot without a password but would otherwise leave the sudo password requirements unchanged.

Thanks in advance.
Don

From felipe.alvarez at gmail.com Tue Mar 2 20:45:09 2010
From: felipe.alvarez at gmail.com (Felipe Alvarez)
Date: Wed, 3 Mar 2010 11:45:09 +1000
Subject: [sudo-users] preventing user "bob" from executing sudo at all
Message-ID:

Hi list

I want to prevent 'bob' from using sudo entirely. What should I type into /etc/sudoers (via visudo)? I want 'bob' to never gain root privileges, never use 'su', and never run anything as root user.

Perhaps not related to sudo but ... If possible, I'd also like to prevent 'bob' from running mount, passwd, or any setUID program.

Felipe

From charles at wozi.com Tue Mar 2 21:11:40 2010
From: charles at wozi.com (Charles Marshall)
Date: Tue, 2 Mar 2010 20:11:40 -0600
Subject: [sudo-users] preventing user "bob" from executing sudo at all
In-Reply-To:
References:
Message-ID: <8F17F1F1-44E6-41F9-BC59-4C9DB8B7A0F2@wozi.com>

Felipe,

The best way to prevent a user from ever having any permissions to sudo anything is just to never put the user in the file, and avoid putting him in any groups which are enabled for any operations.

As for preventing him from running setUID programs, I don't know that there is a good way to prevent that, because since they're setUID they don't need sudo to execute. Others can correct me if I'm wrong, but removing the setuid bits from those things probably won't do any good for your other users, and may impact normal operation of the system.

Hope this helps,

Charles

On Mar 2, 2010, at 7:45 PM, Felipe Alvarez wrote:

> Hi list
> I want to prevent 'bob' from using sudo entirely. What should I type
> into /etc/sudoers (via visudo)? I want 'bob' to never gain root
> privileges, never use 'su', and never run anything as root user.
> Perhaps not related to sudo but ... If possible, I'd also like to
> prevent 'bob' from running mount, passwd, or any setUID program.
>
>
> Felipe
> ____________________________________________________________
> sudo-users mailing list
> For list information, options, or to unsubscribe, visit:
> http://www.sudo.ws/mailman/listinfo/sudo-users

Charles Marshall
charles at wozi.com
+1.773.230.8765

From mlh at zip.com.au Tue Mar 2 21:18:51 2010
From: mlh at zip.com.au (Matthew Hannigan)
Date: Wed, 3 Mar 2010 13:18:51 +1100
Subject: [sudo-users] preventing user "bob" from executing sudo at all
In-Reply-To:
References:
Message-ID: <20100303021851.GA4018@evofed.localdomain>

On Wed, Mar 03, 2010 at 11:45:09AM +1000, Felipe Alvarez wrote:
> Hi list
> I want to prevent 'bob' from using sudo entirely. What should I type
> into /etc/sudoers (via visudo)? I want 'bob' to never gain root
> privileges, never use 'su', and never run anything as root user.
> Perhaps not related to sudo but ... If possible, I'd also like to
> prevent 'bob' from running mount, passwd, or any setUID program.

sudo doesn't deny, it only allows. So the answer is nothing - you cannot stop evil bob from running su, for instance.

Well, you can, but that would involve, say, removing execution bits for "other" on all (setuid) executables, and putting everyone else into a group which is allowed to execute them.

The real answer is type enforcement (selinux/flask etc). There are some existing commercial systems that do this. Often the overhead in complexity far outweighs the benefit.

What did bob do to deserve this anyway?

Matt

From aaron.lewis1989 at gmail.com Tue Mar 2 21:26:01 2010
From: aaron.lewis1989 at gmail.com (Aaron Lewis)
Date: Wed, 03 Mar 2010 10:26:01 +0800
Subject: [sudo-users] [Fwd: Re: preventing user "bob" from executing sudo at all]
Message-ID: <4B8DC8B9.8000503@gmail.com>

Sorry, I forgot to send it to the mailing list.
--
Best Regards,
Aaron Lewis - PGP: 0xA476D2E9
irc: A4r0n on freenode

From aaron.lewis1989 at gmail.com Wed Mar 3 00:57:05 2010
From: aaron.lewis1989 at gmail.com (Aaron Lewis)
Date: Wed, 03 Mar 2010 13:57:05 +0800
Subject: [sudo-users] preventing user "bob" from executing sudo at all]
Message-ID: <4B8DFA31.1080303@gmail.com>

Oops, I don't know if it's a problem with my Thunderbird ;-)

Forward is here..
=======================================================================

Well, if you want to prevent bob from running SUID programs, you can try this:

e.g. su

    # chgrp wheel `which su`
    # chmod 4750 `which su`

A user who's not in group wheel has no permission to launch it anymore.

What I've learned from Slackware :)

Felipe Alvarez wrote:
> Hi list
> I want to prevent 'bob' from using sudo entirely. What should I type
> into /etc/sudoers (via visudo)? I want 'bob' to never gain root
> privileges, never use 'su', and never run anything as root user.
> Perhaps not related to sudo but ... If possible, I'd also like to
> prevent 'bob' from running mount, passwd, or any setUID program.
>
>
> Felipe
> ____________________________________________________________
> sudo-users mailing list
> For list information, options, or to unsubscribe, visit:
> http://www.sudo.ws/mailman/listinfo/sudo-users
>

--
Best Regards,
Aaron Lewis - PGP: 0xA476D2E9
irc: A4r0n on freenode

From felipe.alvarez at gmail.com Wed Mar 3 05:20:37 2010
From: felipe.alvarez at gmail.com (Felipe Alvarez)
Date: Wed, 3 Mar 2010 20:20:37 +1000
Subject: [sudo-users] preventing user "bob" from executing sudo at all
In-Reply-To: <8F17F1F1-44E6-41F9-BC59-4C9DB8B7A0F2@wozi.com>
References: <8F17F1F1-44E6-41F9-BC59-4C9DB8B7A0F2@wozi.com>
Message-ID:

> The best way to prevent a user from ever having any
> permissions to sudo
> anything is to just to never put the user in the file,
> and avoid putting him in any groups which are
> enabled for any operations.

Thank you for all the replies.

Bob doesn't exist, so he hasn't done anything wrong. I'm working on a security project, and need to secure the server from local accounts, not only Web/PHP/SQL attacks, but shell access, too. I need to lock down the account as much as possible.

Is there a way to stop "sudo -s" or "sudo -i"?

Does sudoers prevent _everyone_ from using sudo, except for the users and the binaries (or scripts, files, executables) that I explicitly allow? Does this mean "sudo -s" and/or "sudo -i" are _disabled_ by default, until I explicitly enable them?

Felipe

From stevetucknott at yahoo.co.uk Wed Mar 3 05:25:56 2010
From: stevetucknott at yahoo.co.uk (Steve T)
Date: Wed, 03 Mar 2010 10:25:56 +0000
Subject: [sudo-users] Keep Path FC9
Message-ID: <1267611956.2184.9.camel@retsol6400>

I used sudo under FC6 and could simply do 'sudo command' knowing that the path for the command would be cloned from the current user's (my) path.

This does not appear to work in the same way under FC9 - is there a way to still achieve the same thing?

Thanks

From neuss at kit.edu Wed Mar 3 05:38:29 2010
From: neuss at kit.edu (Nicolas Neuss)
Date: Wed, 03 Mar 2010 11:38:29 +0100
Subject: [sudo-users] Could not connect to database
Message-ID: <87vdddadwa.fsf@ma-patru.mathematik.uni-karlsruhe.de>

Hello,

I have problems with one of my machines running Debian Lenny:

    neuss at ma-x:~$ sudo echo "Hi"
    Could not connect to database
    Hi

This is quite annoying, also because some cron jobs use sudo and I get an error mail every 10 minutes. Has anyone an idea what could help?

The sudo version number shown in synaptic is 1.6.9-p17-2+lenny1.

Thank you,

Nicolas

P.S.: This bug was reported also here:
http://www.uluga.ubuntuforums.org/showthread.php?p=8677174

I must admit that I have suffered from this problem for quite some time (2 years?), but until now did not take the time to report it. IIRC it first occurred after some Debian dist-upgrade process.
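Going back to the "bob" thread above: Aaron's recipe for su (chgrp to a trusted group, then chmod 4750) generalises to every setuid executable on the box, which is what Matthew describes as "removing execution bits for other on all (setuid) executables". The script below is an added example, not code from the thread or from the sudo project. It lists the setuid files under a directory tree, can report in dry-run mode, and applies the restriction in the order that matters: group change first, because on Linux changing the owner or group of an executable clears its setuid bit, so the chmod must come after the chgrp. The group name, the directory and the report format are assumptions for illustration, and the demonstration runs on a constructed temporary tree rather than real system binaries. Charles's caveat stands: sudo itself is setuid root, as are passwd and mount, so review the dry-run list before applying it, or everyone outside the group loses them.

```shell
#!/bin/sh
# Added example (not from the thread): restrict setuid executables under a
# directory tree to the members of one group, as Aaron does by hand for su.
# Assumptions for illustration: group and tree are parameters, and the
# report lines printed by lock_down_suid are our own format.

# Print every setuid regular file under $1, one path per line.
list_setuid() {
    find "$1" -type f -perm -4000 -print
}

# Ten-character mode string of a file, e.g. -rwsr-x--- (ls, not stat -c,
# so it is the same on Linux and the BSDs).
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Restrict one setuid executable to group $2.  chgrp first: on Linux a
# chown/chgrp on an executable clears the setuid bit, so chmod 4750 must
# follow it to put the bit back with "other" stripped of execute.
restrict_suid() {
    chgrp "$2" "$1" || return 1
    chmod 4750 "$1" || return 1
}

# Apply restrict_suid to each setuid file under $1 for group $2, reporting
# the mode before and after.  With DRY_RUN=1 only the report is printed.
lock_down_suid() {
    root=$1
    group=$2
    list_setuid "$root" | while IFS= read -r f; do
        before=$(mode_of "$f")
        if [ "${DRY_RUN:-0}" = 1 ]; then
            printf 'would restrict %s (%s) to group %s\n' "$f" "$before" "$group"
        else
            if restrict_suid "$f" "$group"; then
                printf 'restricted %s: %s -> %s\n' "$f" "$before" "$(mode_of "$f")"
            else
                printf 'failed: %s\n' "$f" >&2
            fi
        fi
    done
}

# Demonstration on a constructed tree: a fake setuid "su" (owned by us, not
# root) next to a plain executable, using the caller's own group so it runs
# without privilege.  Nothing outside the temporary directory is touched.
demo() {
    tmp=$(mktemp -d) || return 1
    grp=$(id -gn)
    mkdir -p "$tmp/bin"
    printf '#!/bin/sh\necho fake su\n' > "$tmp/bin/su"
    printf '#!/bin/sh\necho not suid\n' > "$tmp/bin/plain"
    chmod 4755 "$tmp/bin/su"
    chmod 755 "$tmp/bin/plain"
    DRY_RUN=1 lock_down_suid "$tmp" "$grp"   # report only
    lock_down_suid "$tmp" "$grp"             # apply
    mode_of "$tmp/bin/su"                    # -rwsr-x---
    mode_of "$tmp/bin/plain"                 # untouched: -rwxr-xr-x
    rm -rf "$tmp"
}
```

Run `demo` to see the dry-run report, the applied change and the resulting modes. On a real system you would call `DRY_RUN=1 lock_down_suid / wheel` first and prune the list by hand before running it without DRY_RUN, and Matthew's point remains: this only stops bob executing those binaries, it is not a substitute for type enforcement.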
From stevetucknott at yahoo.co.uk Wed Mar 3 06:51:10 2010
From: stevetucknott at yahoo.co.uk (Steve T)
Date: Wed, 03 Mar 2010 11:51:10 +0000
Subject: [sudo-users] Keep Path FC9
In-Reply-To: <4B8E48F1.1080706@gmail.com>
References: <1267611956.2184.9.camel@retsol6400> <4B8E48F1.1080706@gmail.com>
Message-ID: <1267617071.2176.24.camel@retsol6400>

On Wed, 2010-03-03 at 19:33 +0800, Aaron Lewis wrote:
> Steve T wrote:
> > I used sudo under FC6 and could simply do 'sudo command' knowing that
> > the path for the command would be cloned from the current users (my)
> > path.
> > This does not appear to work in the same way under FC9 - is there a way
> > to still achieve the same thing?
> >
> >
> > Thanks
> > ____________________________________________________________
> > sudo-users mailing list
> > For list information, options, or to unsubscribe, visit:
> > http://www.sudo.ws/mailman/listinfo/sudo-users
> >
>
> Are you looking for secure_path ?
>
> man sudoers
>
> secure_path  Path used for every command run from sudo. If you don't
>              trust the people running sudo to have a sane PATH
>              environment variable you may want to use this. Another
>              use is if you want to have the "root path" be separate
>              from the "user path." Users in the group specified by
>              the exempt_group option are not affected by secure_path.
>              This option is set to
>              /bin:/usr/ucb:/usr/bin:/usr/sbin:/sbin:/usr/etc:/etc
>              by default.
>
> Hope it helps.
>

Aaron,

Thanks for the reply.

I'm not sure, as most of the options are compile time and the sudo command was pre-compiled under FC9. I've tried the 'keep' options in the sudoers file to no avail.

I had the same issue a year+ back and never resolved it - I'll have to try getting the source and compiling that.
From aaron.lewis1989 at gmail.com Wed Mar 3 07:05:04 2010
From: aaron.lewis1989 at gmail.com (Aaron Lewis)
Date: Wed, 03 Mar 2010 20:05:04 +0800
Subject: [sudo-users] Keep Path FC9
In-Reply-To: <1267617071.2176.24.camel@retsol6400>
References: <1267611956.2184.9.camel@retsol6400> <4B8E48F1.1080706@gmail.com> <1267617071.2176.24.camel@retsol6400>
Message-ID: <4B8E5070.2010301@gmail.com>

Steve T wrote:
>
> On Wed, 2010-03-03 at 19:33 +0800, Aaron Lewis wrote:
>> Steve T wrote:
>> > I used sudo under FC6 and could simply do 'sudo command' knowing that
>> > the path for the command would be cloned from the current users (my)
>> > path.
>> > This does not appear to work in the same way under FC9 - is there a way
>> > to still achieve the same thing?
>> >
>> >
>> > Thanks
>> > ____________________________________________________________
>> > sudo-users mailing list
>> > For list information, options, or to unsubscribe, visit:
>> > http://www.sudo.ws/mailman/listinfo/sudo-users
>> >
>> Are you looking for secure_path ?
>>
>> man sudoers
>>
>> secure_path  Path used for every command run from sudo. If you don't
>>              trust the people running sudo to have a sane PATH
>>              environment variable you may want to use this. Another
>>              use is if you want to have the "root path" be separate
>>              from the "user path." Users in the group specified by
>>              the exempt_group option are not affected by secure_path.
>>              This option is set to
>>              /bin:/usr/ucb:/usr/bin:/usr/sbin:/sbin:/usr/etc:/etc
>>              by default.
>>
>> Hope it helps.
>>
>>
> Aaron,
> Thanks for the reply.
>
> I'm not sure as most of the options are compile time and the sudo
> command was pre-compiled under FC9. I've tried the 'keep' options in
> the sudoers file to no avail.
>
> I had the same issue a year+ back and never resolved it - I'll have to
> try getting the source and compiling that.

./configure --help shows

    --with-secure-path      override the user's path with a built-in one

    ./configure --with-secure-path=no

But I don't recommend you do so, it's not secure ;-)

--
Best Regards,
Aaron Lewis - PGP: 0xA476D2E9
irc: A4r0n on freenode

From stevetucknott at yahoo.co.uk Wed Mar 3 08:25:58 2010
From: stevetucknott at yahoo.co.uk (Steve T)
Date: Wed, 03 Mar 2010 13:25:58 +0000
Subject: [sudo-users] Keep Path FC9
In-Reply-To: <4B8E5070.2010301@gmail.com>
References: <1267611956.2184.9.camel@retsol6400> <4B8E48F1.1080706@gmail.com> <1267617071.2176.24.camel@retsol6400> <4B8E5070.2010301@gmail.com>
Message-ID: <1267622758.2186.5.camel@retsol6400>

On Wed, 2010-03-03 at 20:05 +0800, Aaron Lewis wrote:
> Steve T wrote:
> >
> > On Wed, 2010-03-03 at 19:33 +0800, Aaron Lewis wrote:
> >> Steve T wrote:
> >> > I used sudo under FC6 and could simply do 'sudo command' knowing that
> >> > the path for the command would be cloned from the current users (my)
> >> > path.
> >> > This does not appear to work in the same way under FC9 - is there a way
> >> > to still achieve the same thing?
> >> >
> >> >
> >> > Thanks
> >> > ____________________________________________________________
> >> > sudo-users mailing list
> >> > For list information, options, or to unsubscribe, visit:
> >> > http://www.sudo.ws/mailman/listinfo/sudo-users
> >> >
> >> Are you looking for secure_path ?
> >>
> >> man sudoers
> >>
> >> secure_path  Path used for every command run from sudo. If you don't
> >>              trust the people running sudo to have a sane PATH
> >>              environment variable you may want to use this. Another
> >>              use is if you want to have the "root path" be separate
> >>              from the "user path." Users in the group specified by
> >>              the exempt_group option are not affected by secure_path.
> >>              This option is set to
> >>              /bin:/usr/ucb:/usr/bin:/usr/sbin:/sbin:/usr/etc:/etc
> >>              by default.
> >>
> >> Hope it helps.
> >>
> >>
> > Aaron,
> > Thanks for the reply.
> >
> > I'm not sure as most of the options are compile time and the sudo
> > command was pre-compiled under FC9. I've tried the 'keep' options in
> > the sudoers file to no avail.
> >
> > I had the same issue a year+ back and never resolved it - I'll have to
> > try getting the source and compiling that.
> ./configure --help shows
>
> --with-secure-path      override the user's path with a built-in one
>
> ./configure --with-secure-path=no
>
> But I don't recommend you do so, it's not secure ;-)
>

Aaron,

I have just recompiled from source (after copying away the original sudo commands) and specified nothing (apart from where the bin and sbin dirs were) and that now seems to work as it did under FC6 - so I can only assume that FC9 was compiled with the option that you pointed out above (ie --with-secure-path) as that is the symptom I'm currently getting (ie the path is fixed for sudo).

It doesn't pose a security risk - as it's just an option that I use on my laptop, where I tend to use sudo rather than su'ing to root.

Thanks for taking the time to help.

From mwlucas at blackhelicopters.org Tue Mar 2 17:01:57 2010
From: mwlucas at blackhelicopters.org (Michael W. Lucas)
Date: Tue, 2 Mar 2010 17:01:57 -0500
Subject: [sudo-users] problems with sudo, ldap, and passwords
Message-ID: <20100302220157.GA45666@bewilderbeast.blackhelicopters.org>

Hi,

I'm trying to make sudo talk to my ldap server. Sudo is version 1.6.9.20, running on FreeBSD 9/i386, against an OpenLDAP 2.4 back end on FreeBSD 8/i386. Basic LDAP auth works, and I'm serving SSH keys out of my LDAP server. Sudo rejects the password for any user except root, however.
I've verified the user's account and password with basic LDAP searches, e.g.:

    onvm2~;ldapsearch -ZWxD "uid=mwlucas,ou=people,dc=example,dc=com"
    Enter LDAP Password:
    # extended LDIF
    #
    # LDAPv3
    # base (default) with scope subtree
    # filter: (objectclass=*)
    # requesting: ALL
    <<>>

When I try even "sudo -l", however, that same password is repeatedly rejected.

    onvm2~;sudo -l
    LDAP Config Summary
    ===================
    host             ldap.example.com
    port             -1
    ldap_version     3
    sudoers_base     ou=sudoers,dc=example,dc=com
    binddn           (anonymous)
    bindpw           (anonymous)
    bind_timelimit   30000
    timelimit        30
    ssl              start_tls
    tls_cacertfile   /usr/local/etc/ssl/example.root.crt
    ===================
    sudo: ldap_init(ldap.example.com, 389)
    sudo: ldap_set_option: debug -> 0
    sudo: ldap_set_option: ldap_version -> 3
    sudo: ldap_set_option: tls_cacertfile -> /usr/local/etc/ssl/example.root.crt
    sudo: ldap_set_option: timelimit -> 30
    sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 30)
    sudo: ldap_start_tls_s() ok
    sudo: ldap_simple_bind_s() ok
    sudo: found:cn=defaults,ou=sudoers,dc=example,dc=com
    sudo: ldap search '(|(sudoUser=mwlucas)(sudoUser=%mwlucas)(sudoUser=%sysadmins)(sudoUser=ALL))'
    sudo: found:cn=%sysadmins,ou=sudoers,dc=example,dc=com
    sudo: ldap sudoHost 'ALL' ... MATCH!
    sudo: ldap search 'sudoUser=+*'
    sudo: user_matches=-1
    sudo: host_matches=-1
    sudo: sudo_ldap_check(50)=0x02
    Password:
    Speak English you fool --- there are no subtitles in this scene.
    Password:
    I have been called worse.
    Password:
    It's only your word against mine.
    sudo: 3 incorrect password attempts

If I try "sudo -l" while logged in as root, though, sudo accepts my password and gives me the expected config.

    onvm2# sudo -l
    LDAP Config Summary
    ===================
    host             ldap.example.com
    port             -1
    ldap_version     3
    sudoers_base     ou=sudoers,dc=example,dc=com
    binddn           (anonymous)
    bindpw           (anonymous)
    bind_timelimit   30000
    timelimit        30
    ssl              start_tls
    tls_cacertfile   /usr/local/etc/ssl/example.root.crt
    ===================
    sudo: ldap_init(ldap.example.com, 389)
    sudo: ldap_set_option: debug -> 0
    sudo: ldap_set_option: ldap_version -> 3
    sudo: ldap_set_option: tls_cacertfile -> /usr/local/etc/ssl/example.root.crt
    sudo: ldap_set_option: timelimit -> 30
    sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 30)
    sudo: ldap_start_tls_s() ok
    sudo: ldap_simple_bind_s() ok
    sudo: found:cn=defaults,ou=sudoers,dc=example,dc=com
    sudo: ldap search '(|(sudoUser=root)(sudoUser=%wheel)(sudoUser=%operator)(sudoUser=ALL))'
    sudo: found:cn=root,ou=sudoers,dc=example,dc=com
    sudo: ldap sudoHost 'ALL' ... MATCH!
    sudo: ldap search 'sudoUser=+*'
    sudo: user_matches=-1
    sudo: host_matches=-1
    sudo: sudo_ldap_check(50)=0x02
    User root may run the following commands on this host:

    LDAP Role: root
        RunAs: (ALL)
        Commands: ALL

I've tried both with the default /usr/local/etc/pam.d/sudo, and the following config based on a modified /etc/pam.d/system:

    auth      required  pam_unix.so                  no_warn try_first_pass nullok
    auth      required  /usr/local/lib/pam_ldap.so   no_warn try_first_pass
    account   required  /usr/local/lib/pam_ldap.so   ignore_unknown_user ignore_authinfo_unavail
    account   required  pam_login_access.so
    account   required  pam_unix.so
    session   required  /usr/local/lib/pam_mkhomedir.so
    session   required  pam_lastlog.so               no_fail
    password  required  pam_unix.so                  no_warn try_first_pass

I'd also tried changing pam.d/system and pam.d/other, even though the local pam.d/sudo should come first.

I'm clearly missing something. Any suggestions, folks?

Thanks,
==ml

--
Michael W. Lucas         mwlucas at BlackHelicopters.org
http://www.MichaelWLucas.com/
Latest book: Cisco Routers for the Desperate, 2nd Edition
http://www.CiscoRoutersForTheDesperate.com/

From mlh at zip.com.au Thu Mar 4 01:14:04 2010
From: mlh at zip.com.au (Matthew Hannigan)
Date: Thu, 4 Mar 2010 17:14:04 +1100
Subject: [sudo-users] preventing user "bob" from executing sudo at all
In-Reply-To:
References: <8F17F1F1-44E6-41F9-BC59-4C9DB8B7A0F2@wozi.com>
Message-ID: <20100304061404.GC23824@evofed.localdomain>

On Wed, Mar 03, 2010 at 08:20:37PM +1000, Felipe Alvarez wrote:
> > The best way to prevent a user from ever having any
> > permissions to sudo
> > anything is to just to never put the user in the file,
> > and avoid putting him in any groups which are
> > enabled for any operations.
>
> Thank you for all the replies
> Bob doesn't exist, so he hasn't done anything wrong.

Yes, I knew that; just joking along. See http://en.wikipedia.org/wiki/Alice_and_Bob

> I'm working on a
> security project, and need to secure the server from local accounts,
> not only Web/PHP/SQL attacks, but shell access, too. I need to lock
> down the account as much as possible.
> Is there a way to stop "sudo -s" or "sudo -i"
> Does sudoers prevent _everyone_ from using sudo, except for the users
> and the binaries (or scripts, files, executables) that I explicitly
> allow? Does this mean "sudo -s" and/or "sudo -i" are _disabled_ by
> default, until I explicitly enable them?

Correct.

Funny story - waaay back when network file sharing was introduced as an option on PCs and Macs, I had a (paranoid) user who immediately went into file sharing options and disabled sharing. Or so he thought. What he HAD done is actually turn on sharing (by virtue of enabling the options) and (due to general computer illiteracy) had inadvertently given network access to many of his 'secret' files.

Regards,
Matt

From mwlucas at blackhelicopters.org Mon Mar 8 11:50:00 2010
From: mwlucas at blackhelicopters.org (Michael W. Lucas)
Date: Mon, 8 Mar 2010 11:50:00 -0500
Subject: [sudo-users] problems with sudo, ldap, and passwords
Message-ID: <20100308165000.GA82045@bewilderbeast.blackhelicopters.org>

Hi,

I'm trying to make sudo talk to my ldap server. Sudo is version 1.6.9.20, running on FreeBSD 9/i386, against an OpenLDAP 2.4 back end on FreeBSD 8/i386. Basic LDAP auth works, and I'm serving SSH keys out of my LDAP server. Sudo rejects the password for any user except root, however.

I've verified the user's account and password with basic LDAP searches, e.g.:

    onvm2~;ldapsearch -ZWxD "uid=mwlucas,ou=people,dc=example,dc=com"
    Enter LDAP Password:
    # extended LDIF
    #
    # LDAPv3
    # base (default) with scope subtree
    # filter: (objectclass=*)
    # requesting: ALL
    <<>>

When I try even "sudo -l", however, that same password is repeatedly rejected.

    onvm2~;sudo -l
    LDAP Config Summary
    ===================
    host             ldap.example.com
    port             -1
    ldap_version     3
    sudoers_base     ou=sudoers,dc=example,dc=com
    binddn           (anonymous)
    bindpw           (anonymous)
    bind_timelimit   30000
    timelimit        30
    ssl              start_tls
    tls_cacertfile   /usr/local/etc/ssl/example.root.crt
    ===================
    sudo: ldap_init(ldap.example.com, 389)
    sudo: ldap_set_option: debug -> 0
    sudo: ldap_set_option: ldap_version -> 3
    sudo: ldap_set_option: tls_cacertfile -> /usr/local/etc/ssl/example.root.crt
    sudo: ldap_set_option: timelimit -> 30
    sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 30)
    sudo: ldap_start_tls_s() ok
    sudo: ldap_simple_bind_s() ok
    sudo: found:cn=defaults,ou=sudoers,dc=example,dc=com
    sudo: ldap search '(|(sudoUser=mwlucas)(sudoUser=%mwlucas)(sudoUser=%sysadmins)(sudoUser=ALL))'
    sudo: found:cn=%sysadmins,ou=sudoers,dc=example,dc=com
    sudo: ldap sudoHost 'ALL' ... MATCH!
    sudo: ldap search 'sudoUser=+*'
    sudo: user_matches=-1
    sudo: host_matches=-1
    sudo: sudo_ldap_check(50)=0x02
    Password:
    Speak English you fool --- there are no subtitles in this scene.
    Password:
    I have been called worse.
    Password:
    It's only your word against mine.
    sudo: 3 incorrect password attempts

If I try "sudo -l" while logged in as root, though, sudo accepts my password and gives me the expected config.

    onvm2# sudo -l
    LDAP Config Summary
    ===================
    host             ldap.example.com
    port             -1
    ldap_version     3
    sudoers_base     ou=sudoers,dc=example,dc=com
    binddn           (anonymous)
    bindpw           (anonymous)
    bind_timelimit   30000
    timelimit        30
    ssl              start_tls
    tls_cacertfile   /usr/local/etc/ssl/example.root.crt
    ===================
    sudo: ldap_init(ldap.example.com, 389)
    sudo: ldap_set_option: debug -> 0
    sudo: ldap_set_option: ldap_version -> 3
    sudo: ldap_set_option: tls_cacertfile -> /usr/local/etc/ssl/example.root.crt
    sudo: ldap_set_option: timelimit -> 30
    sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 30)
    sudo: ldap_start_tls_s() ok
    sudo: ldap_simple_bind_s() ok
    sudo: found:cn=defaults,ou=sudoers,dc=example,dc=com
    sudo: ldap search '(|(sudoUser=root)(sudoUser=%wheel)(sudoUser=%operator)(sudoUser=ALL))'
    sudo: found:cn=root,ou=sudoers,dc=example,dc=com
    sudo: ldap sudoHost 'ALL' ... MATCH!
    sudo: ldap search 'sudoUser=+*'
    sudo: user_matches=-1
    sudo: host_matches=-1
    sudo: sudo_ldap_check(50)=0x02
    User root may run the following commands on this host:

    LDAP Role: root
        RunAs: (ALL)
        Commands: ALL

I've tried both with the default /usr/local/etc/pam.d/sudo, and the following config based on a modified /etc/pam.d/system:

    auth      required  pam_unix.so                  no_warn try_first_pass nullok
    auth      required  /usr/local/lib/pam_ldap.so   no_warn try_first_pass
    account   required  /usr/local/lib/pam_ldap.so   ignore_unknown_user ignore_authinfo_unavail
    account   required  pam_login_access.so
    account   required  pam_unix.so
    session   required  /usr/local/lib/pam_mkhomedir.so
    session   required  pam_lastlog.so               no_fail
    password  required  pam_unix.so                  no_warn try_first_pass

I'd also tried changing pam.d/system and pam.d/other, even though the local pam.d/sudo should come first.

I'm clearly missing something. Any suggestions, folks?

Thanks,
==ml

--
Michael W. Lucas         mwlucas at BlackHelicopters.org
http://www.MichaelWLucas.com/
Latest book: Cisco Routers for the Desperate, 2nd Edition
http://www.CiscoRoutersForTheDesperate.com/

From Todd.Miller at courtesan.com Mon Mar 8 12:00:07 2010
From: Todd.Miller at courtesan.com (Todd C. Miller)
Date: Mon, 08 Mar 2010 12:00:07 -0500
Subject: [sudo-users] problems with sudo, ldap, and passwords
In-Reply-To: Your message of "Mon, 08 Mar 2010 11:50:00 EST." <20100308165000.GA82045@bewilderbeast.blackhelicopters.org>
References: <20100308165000.GA82045@bewilderbeast.blackhelicopters.org>
Message-ID: <201003081700.o28H07Tp024148@core.courtesan.com>

This sounds more like a PAM issue than an LDAP issue. One FreeBSD user has reported problems caused by the following in auth/pam.c:

    /*
     * Set PAM_RUSER to the invoking user (the "from" user).
     * We set PAM_RHOST to avoid a bug in Solaris 7 and below.
     */
    (void) pam_set_item(pamh, PAM_RUSER, user_name);
    (void) pam_set_item(pamh, PAM_RHOST, user_host);

You could try commenting that bit out and see if the behavior changes.

 - todd

From mwlucas at blackhelicopters.org Mon Mar 8 15:25:03 2010
From: mwlucas at blackhelicopters.org (Michael W. Lucas)
Date: Mon, 8 Mar 2010 15:25:03 -0500
Subject: [sudo-users] problems with sudo, ldap, and passwords
In-Reply-To: <201003081700.o28H07Tp024148@core.courtesan.com>
References: <20100308165000.GA82045@bewilderbeast.blackhelicopters.org> <201003081700.o28H07Tp024148@core.courtesan.com>
Message-ID: <20100308202503.GA83150@bewilderbeast.blackhelicopters.org>

On Mon, Mar 08, 2010 at 12:00:07PM -0500, Todd C. Miller wrote:
> This sounds more like a PAM issue than an LDAP issue. One FreeBSD
> user has reported problems caused by the following in auth/pam.c:
>
> /*
> * Set PAM_RUSER to the invoking user (the "from" user).
> * We set PAM_RHOST to avoid a bug in Solaris 7 and below.
> */
> (void) pam_set_item(pamh, PAM_RUSER, user_name);
> (void) pam_set_item(pamh, PAM_RHOST, user_host);
>
> You could try commenting that bit out and see if the behavior changes.

Behavior doesn't change with this, thanks. As you suspect PAM, I'll look back in that direction.

Thanks,
==ml

--
Michael W. Lucas         mwlucas at BlackHelicopters.org
http://www.MichaelWLucas.com/
Latest book: Cisco Routers for the Desperate, 2nd Edition
http://www.CiscoRoutersForTheDesperate.com/

From jespasac at minibofh.org Tue Mar 9 03:51:39 2010
From: jespasac at minibofh.org (Jordi Espasa Clofent)
Date: Tue, 09 Mar 2010 09:51:39 +0100
Subject: [sudo-users] problems with sudo, ldap, and passwords
In-Reply-To: <20100308165000.GA82045@bewilderbeast.blackhelicopters.org>
References: <20100308165000.GA82045@bewilderbeast.blackhelicopters.org>
Message-ID: <4B960C1B.1010301@minibofh.org>

I hope it helps a bit:

    # cat /etc/pam.d/sudo && cat /etc/pam.d/sshd && uname -r
    #
    # $FreeBSD: ports/security/sudo/files/pam.conf,v 1.5 2008/04/09 16:44:28 tmclaugh Exp $
    #
    # PAM configuration for the "sudo" service
    #

    # auth
    #auth       include     system
    auth        required    /usr/local/lib/pam_ldap.so

    # account
    #account    include     system
    account     sufficient  /usr/local/lib/pam_ldap.so

    # session
    # XXX: pam_lastlog (used in system) causes users to appear as though
    # they are no longer logged in in system logs.
    #session    required    pam_permit.so
    session     sufficient  /usr/local/lib/pam_ldap.so

    # password
    #password   include     system
    password    sufficient  /usr/local/lib/pam_ldap.so

    #
    # $FreeBSD: src/etc/pam.d/sshd,v 1.15.12.1 2007/08/17 11:28:25 yar Exp $
    #
    # PAM configuration for the "sshd" service
    #

    # auth
    auth        sufficient  pam_opie.so                 no_warn no_fake_prompts
    auth        requisite   pam_opieaccess.so           no_warn allow_local
    #auth       sufficient  pam_krb5.so                 no_warn try_first_pass
    #auth       sufficient  pam_ssh.so                  no_warn try_first_pass
    auth        sufficient  /usr/local/lib/pam_ldap.so  no_warn try_first_pass
    auth        required    pam_unix.so                 no_warn try_first_pass

    # account
    account     required    pam_nologin.so
    #account    required    pam_krb5.so
    account     required    pam_login_access.so
    account     sufficient  /usr/local/lib/pam_ldap.so
    account     required    pam_unix.so

    # session
    #session    optional    pam_ssh.so
    session     required    /usr/local/lib/pam_mkhomedir.so
    session     required    pam_permit.so

    # password
    #password   sufficient  pam_krb5.so                 no_warn try_first_pass
    password    sufficient  /usr/local/lib/pam_ldap.so  use_authtok
    password    required    pam_unix.so                 no_warn try_first_pass

    7.0-RELEASE-p4

From edwardspl at ita.org.mo Tue Mar 9 09:39:25 2010
From: edwardspl at ita.org.mo (Edward. S. P. Leong)
Date: Tue, 09 Mar 2010 22:39:25 +0800
Subject: [sudo-users] sudo config problem
Message-ID: <4B965D9D.6050809@ita.org.mo>

Dear All,

Mine is Fedora 11...
[root]# rpm -qa | grep "sudo"
sudo-1.7.2p5-1.fc11.x86_64
[root]#

After configuring sudo, there are some errors:

[root@ ~]# visudo
visudo: Warning: unused User_Alias ADMINS
visudo: Warning: unused Cmnd_Alias DELEGATING
visudo: Warning: unused Cmnd_Alias DRIVERS
visudo: Warning: unused Host_Alias FILESERVERS
visudo: Warning: unused Cmnd_Alias LOCATE
visudo: Warning: unused Host_Alias MAILSERVERS
visudo: Warning: unused Cmnd_Alias NETWORKING
visudo: Warning: unused Cmnd_Alias PROCESSES
visudo: Warning: unused Cmnd_Alias SERVICES
visudo: Warning: unused Cmnd_Alias SOFTWARE
visudo: Warning: unused Cmnd_Alias STORAGE
[root@ ~]#

Is there any solution for it?

Thanks!

Edward.

From Todd.Miller at courtesan.com Tue Mar 9 10:47:01 2010
From: Todd.Miller at courtesan.com (Todd C. Miller)
Date: Tue, 09 Mar 2010 10:47:01 -0500
Subject: [sudo-users] sudo config problem
In-Reply-To: Your message of "Tue, 09 Mar 2010 22:39:25 +0800." <4B965D9D.6050809@ita.org.mo>
References: <4B965D9D.6050809@ita.org.mo>
Message-ID: <201003091547.o29Fl1Um021851@core.courtesan.com>

In message <4B965D9D.6050809 at ita.org.mo> so spake "Edward. S. P. Leong" (edwardspl):

> Mine is Fedora 11...
>
> [root]# rpm -qa | grep "sudo"
> sudo-1.7.2p5-1.fc11.x86_64
> [root]#
>
> After configuring sudo, there are some errors:
> [root@ ~]# visudo
> visudo: Warning: unused User_Alias ADMINS
> visudo: Warning: unused Cmnd_Alias DELEGATING
> visudo: Warning: unused Cmnd_Alias DRIVERS
> visudo: Warning: unused Host_Alias FILESERVERS
> visudo: Warning: unused Cmnd_Alias LOCATE
> visudo: Warning: unused Host_Alias MAILSERVERS
> visudo: Warning: unused Cmnd_Alias NETWORKING
> visudo: Warning: unused Cmnd_Alias PROCESSES
> visudo: Warning: unused Cmnd_Alias SERVICES
> visudo: Warning: unused Cmnd_Alias SOFTWARE
> visudo: Warning: unused Cmnd_Alias STORAGE
> [root@ ~]#
>
> Is there any solution for it?

This just means that you have several aliases defined that you are not actually using.
Visudo warns about this in case they are typos or unintentional. It is not, however, an error, and sudo will still run.

- todd

From aldo at cleartalk.net Mon Mar 22 14:41:34 2010
From: aldo at cleartalk.net (Aldo Zavala)
Date: Mon, 22 Mar 2010 11:41:34 -0700
Subject: [sudo-users] how to uninstall sudo ?
Message-ID: <20100322184134.f497b9ee@mail.cleartalk.net>

Hi to all =)

I just compiled sudo-1.7.2p5 on FreeBSD 8.0 and it works just great. However, for package maintenance purposes I need to know how to uninstall and upgrade the package. I tried make uninstall and make deinstall and neither of those worked. How is it supposed to be uninstalled or upgraded?

Thanks in advance!

Aldo

From GMenini at ose.com.uy Mon Mar 22 15:11:31 2010
From: GMenini at ose.com.uy (Gabriel Menini)
Date: Mon, 22 Mar 2010 16:11:31 -0300
Subject: [sudo-users] how to uninstall sudo ?
In-Reply-To: <20100322184134.f497b9ee@mail.cleartalk.net>
Message-ID:

sudo-users-bounces at courtesan.com wrote on 2010-03-22 15:41:34:

> Hi to all =)
>
> I just compiled sudo-1.7.2p5 on FreeBSD 8.0 and it works just
> great. However, for package maintenance purposes I need to know how to
> uninstall and upgrade the package. I tried make uninstall and make
> deinstall and neither of those worked. How is it supposed to be uninstalled or
> upgraded?

Hello, Aldo.

Maybe you'd better refer to FreeBSD-specific install/upgrade documentation. As far as I can tell, if you installed from the sudo web site sources, you'll have to patch it or, on the other hand, download a fresh release and re-install.

>
> Thanks in advance!
Regards,

>
> Aldo

Gabriel Menini

From aldo at cleartalk.net Mon Mar 22 16:04:51 2010
From: aldo at cleartalk.net (Aldo Zavala)
Date: Mon, 22 Mar 2010 13:04:51 -0700
Subject: [sudo-users] how to uninstall sudo ?
In-Reply-To: OF327B77DE.FCA6ECB2-ON832576EE.00691186-832576EE.0069A4D2@ose.com.uy
Message-ID: <20100322200451.2b2da8bc@mail.cleartalk.net>

Hi,

I downloaded and compiled this: ftp://ftp.sudo.ws/pub/sudo/sudo-1.7.2p5.tar.gz ... so do you recommend that I install the FreeBSD port of sudo instead? If yes, how could I uninstall my non-platform sudo version?

_____
From: Gabriel Menini [mailto:GMenini at ose.com.uy]
To: sudo-users at sudo.ws
Sent: Mon, 22 Mar 2010 12:11:31 -0700
Subject: Re: [sudo-users] how to uninstall sudo ?

sudo-users-bounces at courtesan.com wrote on 2010-03-22 15:41:34:

> Hi to all =)
>
> I just compiled sudo-1.7.2p5 on FreeBSD 8.0 and it works just
> great. However, for package maintenance purposes I need to know how to
> uninstall and upgrade the package. I tried make uninstall and make
> deinstall and neither of those worked. How is it supposed to be uninstalled or
> upgraded?

Hello, Aldo.

Maybe you'd better refer to FreeBSD-specific install/upgrade documentation. As far as I can tell, if you installed from the sudo web site sources, you'll have to patch it or, on the other hand, download a fresh release and re-install.

>
> Thanks in advance!

Regards,

>
> Aldo

Gabriel Menini

____________________________________________________________
sudo-users mailing list
For list information, options, or to unsubscribe, visit:
http://www.sudo.ws/mailman/listinfo/sudo-users

From Todd.Miller at courtesan.com Mon Mar 22 16:10:41 2010
From: Todd.Miller at courtesan.com (Todd C. Miller)
Date: Mon, 22 Mar 2010 16:10:41 -0400
Subject: [sudo-users] how to uninstall sudo ?
In-Reply-To: Your message of "Mon, 22 Mar 2010 11:41:34 PDT."
<20100322184134.f497b9ee@mail.cleartalk.net>
References: <20100322184134.f497b9ee@mail.cleartalk.net>
Message-ID: <201003222010.o2MKAf66029036@core.courtesan.com>

In message <20100322184134.f497b9ee at mail.cleartalk.net> so spake "Aldo Zavala" (aldo):

> I just compiled sudo-1.7.2p5 on FreeBSD 8.0 and it works just great. However,
> for package maintenance purposes I need to know how to uninstall and upgrade the
> package. I tried make uninstall and make deinstall and neither of those worked.
> How is it supposed to be uninstalled or upgraded?

There is no uninstall target. If you need to upgrade you can just re-run "make install"; it will not overwrite an existing sudoers file.

- todd

From mahlon at martini.nu Wed Mar 24 18:44:31 2010
From: mahlon at martini.nu (Mahlon E. Smith)
Date: Wed, 24 Mar 2010 15:44:31 -0700
Subject: [sudo-users] Netgroups and host+user pairings
Message-ID: <20100324224431.GF86140@martini.nu>

Hi!

I'm transitioning a bunch of CFEngine-pushed sudoers files into LDAP. Very exciting!

Among this aged, organically grown pile of sudo spaghetti (spaghetto? sughetti?) is a bunch of "this user has root on their own machine" style rules, which will (unfortunately) be carried over.

We're using netgroups (via LDAP) extensively, for nearly everything host related in this environment. What I'd really like to do is have a one-to-one mapping of:

    (mahlon-workstation.example.com,mahlon,)
    (bob-workstation.example.com,bob,)
    (...)

in a single netgroup -- let's call it 'local_sudo'. Then, a single sudoRole LDAP entry that specifies:

    +local_sudo +local_sudo = (root) ALL

(or whatever)

Of course, this says any user in that netgroup can gain root on any machine in that netgroup. Whoops.

I saw a similar thread on this list about this, circa 2003. I don't see anything in the documentation for a different syntax to "pivot" the meaning of the netgroup from a matrix to a one-to-one match.
I obviously can create separate sudoRole entries for each host->user relationship -- just trying to simplify. Is such a thing possible in sudo nowadays? From a netgroup perspective, it seems like a useful way to do this -- using netgroups for login roles, for example, would behave in the 'one-to-one' fashion.

--
Mahlon E. Smith
http://www.martini.nu/contact.html

From lwmoore at us.ibm.com Wed Mar 24 14:57:30 2010
From: lwmoore at us.ibm.com (Lemuel Moore)
Date: Wed, 24 Mar 2010 14:57:30 -0400
Subject: [sudo-users] Retain SSH_AUTH_SOCK environment variable
Message-ID:

I use PuTTY on my Windows workstation with "Allow agent forwarding" set, to SSH using private/public keys to my AIX system.
I then issue "env | grep SSH_AUTH_SOCK" and receive:
SSH_AUTH_SOCK=/tmp/ssh-xxxxxxxxxx/agent.11112222
I then issue "sudo su - usertest".
I then issue "env | grep SSH_AUTH_SOCK" and receive: " "

In my sudoers file I have the following defined:

Defaults env_reset,env_keep+="SSH_AUTH_SOCK"

Any idea why this is not working?

From jamie.beverly at yahoo.com Thu Mar 25 22:17:36 2010
From: jamie.beverly at yahoo.com (Jamie Beverly)
Date: Thu, 25 Mar 2010 19:17:36 -0700 (PDT)
Subject: [sudo-users] Retain SSH_AUTH_SOCK environment variable
In-Reply-To:
References:
Message-ID: <485915.34232.qm@web31801.mail.mud.yahoo.com>

----- Original Message ----
> From: Lemuel Moore
> To: sudo-users at sudo.ws
> Sent: Wed, March 24, 2010 11:57:30 AM
> Subject: [sudo-users] Retain SSH_AUTH_SOCK environment variable
>
> I use PuTTY on my Windows workstation with "Allow agent forwarding" set, to
> SSH using private/public keys to my AIX system.
> I then issue "env | grep SSH_AUTH_SOCK" and receive:
> SSH_AUTH_SOCK=/tmp/ssh-xxxxxxxxxx/agent.11112222
> I then issue "sudo su - usertest".

'su -' is clearing that env variable, not sudo.
If you have a reasonably modern version of sudo, just use 'sudo -i'.
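To make the point in Jamie's reply concrete, here is an added example (not code from the thread and not sudo's own code): a small Python model of the two environment rewrites that happen in "sudo su - usertest". First sudo applies env_reset/env_keep, which is where the sudoers line above matters; then "su -" starts a login shell and builds a fresh environment that never consults sudoers at all. The sudoers parser only understands global Defaults lines with env_reset and env_keep, the built-in keep list and the "su -" behaviour are simplified assumptions rather than the real implementations, and the sample environment (including the LD_PRELOAD that env_reset exists to strip) is constructed for the demonstration.

```python
"""Model of why 'sudo su -' loses SSH_AUTH_SOCK while 'sudo -i' keeps it.

Added example, not sudo's own code. Everything below is a simplified
model, labelled as such, of sudo's env_reset/env_keep handling and of
what a login shell started by 'su -' does to the environment.
"""
import re

# Variables sudo keeps by itself when env_reset is in effect. Simplified
# assumption: the real list depends on the sudo version and the OS.
BUILTIN_ENV_KEEP = {"TERM", "PATH", "HOME", "SHELL", "MAIL", "USER", "LOGNAME"}

DEFAULTS_LINE = re.compile(r"^\s*Defaults\s+(.*?)\s*$")
# name [op value]; a value is either double-quoted or a bare word.
DEFAULTS_OPT = re.compile(r'(!?\w+)(?:\s*(\+=|-=|=)\s*("([^"]*)"|[^,\s]+))?')


def parse_defaults(sudoers_text):
    """Return (env_reset, env_keep) from the global 'Defaults' lines.

    Only plain 'Defaults ...' lines are handled (not Defaults:user or
    Defaults@host) and only the env_reset and env_keep options.
    """
    env_reset = True  # sudo's compiled-in default (assumption for this model)
    env_keep = set(BUILTIN_ENV_KEEP)
    for line in sudoers_text.splitlines():
        m = DEFAULTS_LINE.match(line)
        if not m:
            continue
        for name, op, raw, quoted in DEFAULTS_OPT.findall(m.group(1)):
            value = quoted if quoted else raw
            if name == "env_reset":
                env_reset = True
            elif name == "!env_reset":
                env_reset = False
            elif name == "env_keep":
                words = set(value.split())
                if op == "+=":
                    env_keep |= words
                elif op == "-=":
                    env_keep -= words
                elif op == "=":
                    env_keep = words
    return env_reset, env_keep


def sudo_env(env, target_user, env_reset, env_keep):
    """Environment sudo hands to a login shell it starts itself (sudo -i).

    Simplified env_reset model: everything not in env_keep is dropped,
    so LD_PRELOAD and friends never reach the privileged command; the
    target user's USER, LOGNAME and HOME are set.
    """
    if not env_reset:
        return dict(env)  # !env_reset: the caller's environment passes through
    kept = {k: v for k, v in env.items() if k in env_keep}
    kept.update(USER=target_user, LOGNAME=target_user, HOME="/home/" + target_user)
    kept.setdefault("PATH", "/usr/bin:/bin")
    return kept


def su_login_env(env, target_user):
    """What 'su - user' leaves behind (simplified): a login shell built from
    scratch, carrying over TERM only. env_keep plays no part, since su is
    not sudo."""
    fresh = {"USER": target_user, "LOGNAME": target_user,
             "HOME": "/home/" + target_user, "SHELL": "/bin/sh",
             "PATH": "/usr/bin:/bin"}
    if "TERM" in env:
        fresh["TERM"] = env["TERM"]
    return fresh


def simulate(sudoers_text, env, target_user):
    """Compare 'sudo -i -u target_user' with 'sudo su - target_user'."""
    env_reset, env_keep = parse_defaults(sudoers_text)
    return {
        # sudo starts the login shell itself, so env_keep is honoured.
        "sudo -i": sudo_env(env, target_user, env_reset, env_keep),
        # sudo runs su as root; su then rebuilds the environment again.
        "sudo su -": su_login_env(sudo_env(env, "root", env_reset, env_keep),
                                  target_user),
    }


# Constructed sample: a forwarded-agent SSH session plus a variable nobody
# wants to see survive a privilege boundary.
SAMPLE_ENV = {
    "USER": "lemuel", "LOGNAME": "lemuel", "HOME": "/home/lemuel",
    "SHELL": "/bin/bash", "TERM": "xterm", "PATH": "/usr/bin:/bin",
    "SSH_AUTH_SOCK": "/tmp/ssh-xxxxxxxxxx/agent.11112222",
    "LD_PRELOAD": "/tmp/evil.so",
}
SUDOERS = 'Defaults env_reset,env_keep+="SSH_AUTH_SOCK"\n'

if __name__ == "__main__":
    for how, result in simulate(SUDOERS, SAMPLE_ENV, "usertest").items():
        sock = result.get("SSH_AUTH_SOCK", "<gone>")
        print(f"{how:10s} SSH_AUTH_SOCK={sock}  LD_PRELOAD kept: {'LD_PRELOAD' in result}")
```

Running the script shows SSH_AUTH_SOCK surviving the "sudo -i" path and disappearing on the "sudo su -" path, with LD_PRELOAD dropped in both. The same model also shows why "Defaults !env_reset" is the wrong fix for a lost variable: it lets the whole calling environment through. On a real system the check is simply "sudo -i -u usertest env | grep SSH_AUTH_SOCK".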