[sudo-users] Cmd_Alias conflict in include file
Bram Mertens
mertensb.mazda at gmail.com
Wed Sep 12 04:34:30 EDT 2012
On Tue, Sep 11, 2012 at 7:28 PM, Todd C. Miller
<Todd.Miller at courtesan.com> wrote:
> I think you have have two #includedir lines in your /etc/sudoers
> file. Look for muliple occurrences of a line like:
>
> #includedir /etc/sudoers.d
>
> That was the only way I was able to reproduce the problem you are
> having.
>
> - todd
AFAICT that isn't/wasn't the case on the machine on which I ran into this.
Since I locked myself out with my tests on that machine yesterday I've
now tried to reproduce it on a test system I can easily fix and I
can't reproduce it anymore. I now have a working configuration (see
below) which I'll extend a bit so I won't spend more time to try to
find out what my mistake was.
Thanks for the all the quick help.
Just in case someone else runs into something simlar, here's the
configuration that does work:
These are all the rules using an include file:
[root at localhost ~]# grep -vh '^#' /etc/sudoers |grep .
Defaults requiretty
Defaults !visiblepw
Defaults always_set_home
Defaults env_reset
Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC
KDEDIR LS_COLORS"
Defaults env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT
LC_MESSAGES"
Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET
XAUTHORITY"
Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin
root ALL=(ALL) ALL
[root at localhost ~]# grep -vh '^#' /etc/sudoers.d/mazda |grep .
%isop ALL=(ALL) ALL
%hpadm ALL=(ALL) ALL
Cmnd_Alias SHELLS = /bin/sh, /bin/csh, /bin/ksh, \
/bin/bash, /bin/dash, \
/usr/local/bin/tcsh, /usr/bin/rsh, \
/usr/local/bin/zsh
Cmnd_Alias SU = /usr/bin/su
%isapbi ALL=(ALL) NOEXEC: ALL, !SU, !SHELLS
Only one include line:
[root at localhost ~]# grep include /etc/sudoers /etc/sudoers.d/mazda
/etc/sudoers:#includedir /etc/sudoers.d
Results in:
[testbi at localhost ~]$ sudo -l
[sudo] password for testbi:
Matching Defaults entries for testbi on this host:
requiretty, !visiblepw, always_set_home, env_reset,
env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS",
env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG
LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION
LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC
LC_PAPER LC_TELEPHONE",
env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET
XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
User testbi may run the following commands on this host:
(ALL) NOEXEC: ALL, (ALL) !/usr/bin/su, (ALL) !/bin/sh, !/bin/csh,
!/bin/ksh, !/bin/bash, !/bin/dash, !/usr/local/bin/tcsh,
!/usr/bin/rsh, !/usr/local/bin/zsh
And just for completeness: as Matthew pointed out, this kind of
configuration only provides an indication of what commands shouldn't
be used, it does not provide complete security.
Thanks again
Bram Mertens
More information about the sudo-users
mailing list