[sudo-users] is not allowed to execute '/bin/su -' as root

Huibert.Kivits at mail.ing.nl Huibert.Kivits at mail.ing.nl
Wed Mar 22 04:27:52 EST 2006


Hi Jeremy,

sudoCommand should be written as follows:

sudoCommand: ALL

Met vriendelijke groeten / With kind regards / Mit freundlichen Grüßen / Med vänliga hälsningar / nuosirdziausi linkejimai,


Huibert Kivits
OPS&ITB/WPS/UAS/MSO UNIX
Location code NA 00.92
T (020) 563 73 33, F (020) 563 70 02
E Huibert.Kivits at mail.ing.nl

"...all too often, when organizations develop information security programs, they treat security issues as a simple 'check-box' on the list of required corporate functions."
Richard Forno & Kenneth R van Wyk, "Incident Response", O'Reilly, 2001, ISBN: 0-596-00130-4



-----Original Message-----
From: sudo-users-bounces at courtesan.com [mailto:sudo-users-bounces at courtesan.com] On behalf of Jeremy Hansen
Sent: Tuesday, 21 March 2006 23:00
To: sudo-users at sudo.ws
Subject: [sudo-users] is not allowed to execute '/bin/su -' as root


I'm attempting to set up sudo control via LDAP.  I seem to have most pieces worked out, but I'm still unable to get sudo to allow my user to actually run things.

Here's the info:

My defaults

dn: cn=defaults,ou=SUDOers,dc=blah,dc=com
objectClass: top
objectClass: sudoRole
cn: defaults
description: Default sudoOption's go here
sudoOption: ignore_local_sudoers

User entry

dn: cn=jhansen,ou=SUDOers,dc=blah,dc=com
objectClass: top
objectClass: sudoRole
cn: jhansen
sudoUser: jhansen
sudoHost: ALL
sudoCommand: (ALL) ALL

Here is my output when I just try to do sudo su - as user jhansen

[jhansen at z000009 ~]$ sudo su -
LDAP Config Summary
===================
host         z000009.blah.com
port         389
ldap_version 3
sudoers_base ou=SUDOers,dc=blah,dc=com
binddn       (anonymous)
bindpw       (anonymous)
ssl          start_tls
===================
ldap_set_option(LDAP_OPT_X_TLS_CACERTDIR,"/etc/openldap/cacerts")
ldap_init(z000009.blah.com,389)
ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,0x03)
ldap_start_tls_s() ok
ldap_bind() ok
found:cn=defaults,ou=SUDOers,dc=blah,dc=com
ldap sudoOption: 'ignore_local_sudoers'
ldap search '(|(sudoUser=jhansen)(sudoUser=%jhansen)(sudoUser=%jhansen)(sudoUser=ALL))'
found:cn=jhansen,ou=SUDOers,dc=blah,dc=com
ldap sudoHost 'ALL' ... MATCH!
ldap sudoCommand '(ALL) ALL' ... not
ldap search 'sudoUser=+*'
user_matches=-1
host_matches=-1
sudo_ldap_check(0)=0x04
Password:
Sorry, user jhansen is not allowed to execute '/bin/su -' as root on z000009.blah.com.

The session looks as if it finds my user, says there's a match, but it seems to get something wrong on the sudoCommand entry...

Not really sure what's going on at this point.

My /etc/pam.d/sudo

auth       required     pam_stack.so service=system-auth
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth

Any help is appreciated.

Thanks
-jeremy


____________________________________________________________ 
sudo-users mailing list <sudo-users at sudo.ws>
For list information, options, or to unsubscribe, visit: http://www.sudo.ws/mailman/listinfo/sudo-users
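The mistake diagnosed in this thread (a sudoers-style runas spec "(ALL)" pasted into sudoCommand, which sudo's LDAP code compares literally and never matches) is easy to catch before it reaches the directory. The following lint is an added example written for this page, not code from sudo or from either poster; the LDIF it scans is a constructed copy of the entries quoted above.

```python
"""Lint sudoRole entries in an LDIF export for runas specs inside sudoCommand.
In LDAP sudoers, sudoCommand holds only the command ("ALL" or a path plus
arguments); a value such as "(ALL) ALL" is matched literally and fails.
Example code for this page; SAMPLE_LDIF is constructed from the thread."""
import re

# Constructed from the two entries quoted in the original question.
SAMPLE_LDIF = """\
dn: cn=defaults,ou=SUDOers,dc=blah,dc=com
objectClass: sudoRole
cn: defaults
sudoOption: ignore_local_sudoers

dn: cn=jhansen,ou=SUDOers,dc=blah,dc=com
objectClass: sudoRole
cn: jhansen
sudoUser: jhansen
sudoHost: ALL
sudoCommand: (ALL) ALL
"""

# A leading parenthesised group is a sudoers runas spec, not part of a command.
RUNAS_PREFIX = re.compile(r"^\([^)]*\)\s*")

def parse_ldif(text):
    """Minimal LDIF parser: list of (dn, {attr_lower: [values]}).
    Handles folded lines (leading space); base64 (::) values are not decoded."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # unfold continuation line
        else:
            lines.append(raw)
    entries, current = [], None
    for line in lines + [""]:             # trailing "" flushes the last entry
        if not line:
            if current:
                entries.append(current)
            current = None
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            current = (value, {})
        elif current is not None:
            current[1].setdefault(attr, []).append(value)
    return entries

def lint_sudo_commands(text):
    """Return (dn, bad_value, suggested_value) for every sudoCommand value
    that carries a runas prefix; the suggestion strips that prefix."""
    findings = []
    for dn, attrs in parse_ldif(text):
        for val in attrs.get("sudocommand", []):
            if RUNAS_PREFIX.match(val):
                findings.append((dn, val, RUNAS_PREFIX.sub("", val, count=1)))
    return findings
```

Running `lint_sudo_commands(SAMPLE_LDIF)` flags the jhansen entry and suggests `sudoCommand: ALL`, the fix given in the reply.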