[sudo-users] Can't execute commands

Russell Van Tassell russell+sudo-users at loosenut.com
Fri Feb 3 14:05:04 EST 2006


On Fri, Feb 03, 2006 at 08:37:51AM -0600, Mark F wrote:
> ADMIN           ALL=(ALL)       NOPASSWD: CMD_SYSTEM
> ADMIN           APPSERVER=(ALL) NOPASSWD: CMD_APPSERV
> ADMIN           DCTM=(DMADMIN)  NOPASSWD: CMD_DCTM
> ADMIN           FAST=(DMADMIN)  NOPASSWD: CMD_DCTM_IDX
> 
>   # Repository Staff
> RUSERS          ALL=(ALL) /bin/change_password
> TOMCAT          APPSERVER=(ALL) CMD_TOMCAT_BOUNCE
> RUSERS          DCTM=(DMADMIN) CMD_DCTM
> RUSERS          FAST=(DMADMIN) CMD_DCTM_IDX
> 
> I'm a member of ADMIN and RUSERS and the host is APPSERVER yet I'm only 
> able to execute the commands in the first ADMIN line and the first 
> RUSERS line.  The ones with ALL=(ALL)
> 
> Any idea why this could be?

Well, the first thing I notice there is that all host lines except the
first ADMIN and RUSERS are set for alternate hosts or groups of hosts,
whereas the others are set for ALL.  My guess is that your Host_Alias
lines are not correct -- you can probably prove this by temporarily
swapping out the host specification (i.e. comment the line) for something
a little less specific.

One of the troubleshooting pieces I find helpful is to include a
"harmless" line in the sudoers to troubleshoot the networks (esp. since
many sysadmins can have trouble with CIDR blocks, the (my) preferred way
of delineating the hosts).  For you, I'd suggest adding something such
as this to the bottom of your sudoers file -- at least temporarily (i.e.
until you get the hosts working, then comment it out):

ALL     APPSERVER = (nobody) /bin/echo This is APPSERVER
ALL     DCTM      = (nobody) /bin/echo This is DCTM
ALL     FAST      = (nobody) /bin/echo This is FAST

...with that, your host(s) should basically identify itself when you
execute "sudo -l" on it -- if not, something's most likely still wrong
with the Host_Alias.

Hope that helps...
Russell

-- 
Russell M. Van Tassell
russell at loosenut.com

The shoe that fits one person pinches another; there is no recipe for
living that suits all cases.                                 - Carl Jung
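
Added example, not part of the original message: a simplified Python model of how Host_Alias members are compared with the local host name and interface addresses, for checking offline why a host-restricted sudoers line does not apply. The alias members, host names and addresses are constructed samples (assumptions, not taken from the thread), and netgroups, the fqdn option and line continuations are not modelled.

```python
import fnmatch
import ipaddress
import re

# Constructed sample; alias members are illustrative, not from the original post.
SAMPLE_SUDOERS = """\
Host_Alias APPSERVER = app01, app02.example.com
Host_Alias DCTM      = 192.0.2.0/24, !192.0.2.99
Host_Alias FAST      = fast*, 198.51.100.7
"""

def parse_host_aliases(text):
    """Return {alias: [members]} from single-line Host_Alias definitions."""
    aliases = {}
    for line in text.splitlines():
        m = re.match(r"\s*Host_Alias\s+([A-Z][A-Z0-9_]*)\s*=\s*(.+)", line)
        if m:
            aliases[m.group(1)] = [h.strip() for h in m.group(2).split(",")]
    return aliases

def member_matches(member, hostname, addrs):
    """Test one alias member against the local host name and interface addresses."""
    try:
        net = ipaddress.ip_network(member, strict=False)
        return any(ipaddress.ip_address(a) in net for a in addrs)
    except ValueError:
        pass  # not an address or CIDR block, so treat it as a host name pattern
    # Patterns without a dot are compared with the short host name.
    name = hostname if "." in member else hostname.split(".")[0]
    return fnmatch.fnmatchcase(name.lower(), member.lower())

def matching_aliases(text, hostname, addrs):
    """Names of the Host_Aliases this host falls into; the last matching member wins."""
    hits = []
    for alias, members in parse_host_aliases(text).items():
        result = False
        for member in members:
            negated = member.startswith("!")
            if member_matches(member.lstrip("!").strip(), hostname, addrs):
                result = not negated
        if result:
            hits.append(alias)
    return hits

if __name__ == "__main__":
    print(matching_aliases(SAMPLE_SUDOERS, "app01.example.com", ["192.0.2.10"]))
```

A host whose hostname command returns only "app02" does not match the member "app02.example.com" in this model, which is the kind of mismatch that leaves only the ALL lines in effect.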


