[sudo-users] su nopasswd

Stevens, William William.Stevens at JPSHealth.org
Mon Dec 20 18:20:34 EST 2004


We have a vendor-installed application that uses sudo.  The installation
uses the su script to replace the su binary (moved su to su.old and
su.orig).  Several of the application accounts are set up in sudoers to
use the nopasswd option.  Recently, this stopped working, and now any
access to these accounts prompts for a password.

This usually occurs with an su -c "put some commands here" or a /bin/sh
-c "some commands here" line in the various scripts used for the
application.  Entering root's password or the account's password has no
observable effect.

Has anyone ever seen this behaviour, and does anyone have a guess about
what caused it?

I've looked through the log files and see errors like this:

Dec 20 15:02:45 : seso : command not allowed ; TTY=pts/9 ;
    PWD=/home/sn_root/opt/seso/gui/rdiag/osh.bin ; USER=root ;
    -c /home/sn_root/opt/aremote/sn_aremotelog_trunc.csh

but looking in sudoers gives this:

root    ALL=(ALL) ALL

seso    ALL= NOPASSWD: /sbin/sh -c

I see the /bin and /sbin difference, but it used to work, so I can only
guess that some other setting was regulating this command.

It's as if sudo has stopped reading the sudoers file.  Any thoughts or
ideas would be much appreciated.

Just in case it's useful, here are the permissions on the various sudo

---s--x--x   1 root     root       91972 May  4  2002
-r-xr-xr-x   1 root     root        2854 Jul  2  2003 /usr/bin/su*
-r--r-----   1 root     root        7521 Nov 20  2003

I know that's a little sketchy.  I can provide more details if needed.

Thanks in advance.

William M. Stevens, CISSP
JPS Radiology
(817) 927-3586

More information about the sudo-users mailing list