[sudo-users] is not allowed to execute '/bin/su -' as root

Jeremy Hansen jeremy at smokehabanos.com
Wed Mar 22 11:31:26 EST 2006


Thanks.  Actually figured this out shortly after my email.  Works out.

Thanks
-jeremy


On 3/22/06 1:27 AM, "Huibert.Kivits at mail.ing.nl"
<Huibert.Kivits at mail.ing.nl> wrote:

> Hi Jeremy,
> 
> sudoCommand should be written as follows:
> 
> sudoCommand: ALL
> 
> With kind regards,
> 
> 
> Huibert Kivits
> OPS&ITB/WPS/UAS/MSO UNIX
> Locatiecode NA 00.92
> T (020) 563 73 33, F (020) 563 70 02
> E Huibert.Kivits at mail.ing.nl
> 
> "...all too often, when organizations develop information security programs,
> they treat security issues as a simple 'check-box' on the list of required
> corporate functions."
> Richard Forno & Kenneth R van Wyk, "Incident Response", O'Reilly, 2001, ISBN:
> 0-596-00130-4
> 
> 
> 
> -----Original message-----
> From: sudo-users-bounces at courtesan.com
> [mailto:sudo-users-bounces at courtesan.com] On behalf of Jeremy Hansen
> Sent: Tuesday, 21 March 2006 23:00
> To: sudo-users at sudo.ws
> Subject: [sudo-users] is not allowed to execute '/bin/su -' as root
> 
> 
> I'm attempting to setup sudo control via ldap.  I seem to have most pieces
> worked out but yet I'm unable to get sudo to allow my user to actually run
> things.
> 
> Here's the info:
> 
> My defaults
> 
> dn: cn=defaults,ou=SUDOers,dc=blah,dc=com
> objectClass: top
> objectClass: sudoRole
> cn: defaults
> description: Default sudoOption's go here
> sudoOption: ignore_local_sudoers
> 
> User entry
> 
> dn: cn=jhansen,ou=SUDOers,dc=blah,dc=com
> objectClass: top
> objectClass: sudoRole
> cn: jhansen
> sudoUser: jhansen
> sudoHost: ALL
> sudoCommand: (ALL) ALL
> 
> Here is my output when I just try to do sudo su - as user jhansen
> 
> [jhansen at z000009 ~]$ sudo su -
> LDAP Config Summary
> ===================
> host         z000009.blah.com
> port         389
> ldap_version 3
> sudoers_base ou=SUDOers,dc=blah,dc=com
> binddn       (anonymous)
> bindpw       (anonymous)
> ssl          start_tls
> ===================
> ldap_set_option(LDAP_OPT_X_TLS_CACERTDIR,"/etc/openldap/cacerts")
> ldap_init(z000009.blah.com,389)
> ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,0x03)
> ldap_start_tls_s() ok
> ldap_bind() ok
> found:cn=defaults,ou=SUDOers,dc=blah,dc=com
> ldap sudoOption: 'ignore_local_sudoers'
> ldap search '(|(sudoUser=jhansen)(sudoUser=%jhansen)(sudoUser=%jhansen)(sudoUser=ALL))'
> found:cn=jhansen,ou=SUDOers,dc=blah,dc=com
> ldap sudoHost 'ALL' ... MATCH!
> ldap sudoCommand '(ALL) ALL' ... not
> ldap search 'sudoUser=+*'
> user_matches=-1
> host_matches=-1
> sudo_ldap_check(0)=0x04
> Password:
> Sorry, user jhansen is not allowed to execute '/bin/su -' as root on
> z000009.blah.com.
> 
> The session looks as if it finds my user, says there's a match, but it seems
> to get something wrong on the sudoCommand entry...
> 
> Not really sure what's going on at this point.
> 
> My /etc/pam.d/sudo
> 
> auth       required     pam_stack.so service=system-auth
> account    required     pam_stack.so service=system-auth
> password   required     pam_stack.so service=system-auth
> session    required     pam_stack.so service=system-auth
> 
> Any help is appreciated.
> 
> Thanks
> -jeremy
> 
> 
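The fix in the reply works because sudo's LDAP back end compares each sudoCommand value as a string, with the literal value ALL matching any command; the run-as user lives in a separate attribute of the sudoRole schema (sudoRunAs at the time of this thread, sudoRunAsUser in later releases), so a sudoers-file prefix such as "(ALL)" inside sudoCommand is just part of the command text and matches nothing. The following added example (not code from the sudo project or from either poster) parses the two entries from the thread plus a corrected copy, flags sudoCommand values that carry a run-as prefix, and replays the simplified user/host/command matching so the "... not" line in the debug output becomes visible as a plain boolean. The LDIF text, the entry name cn=jhansen-fixed and the helper names are constructed for this example; real sudo matching also handles wildcards, negation and path-only entries with arbitrary arguments, which this model leaves out.

```python
"""Minimal LDIF parser and sudoRole matcher (added example, not sudo's own code).

Models only the behaviour visible in the thread's debug output: sudoUser,
sudoHost and sudoCommand are compared as strings, and the literal value ALL
matches anything. A sudoers-style run-as prefix such as "(ALL)" is not parsed
because the LDAP schema carries run-as information in its own attribute.
"""

# Constructed LDIF: the defaults entry and the user's broken entry from the
# thread, plus a corrected copy (cn=jhansen-fixed is a name made up here).
SAMPLE_LDIF = """\
dn: cn=defaults,ou=SUDOers,dc=blah,dc=com
objectClass: top
objectClass: sudoRole
cn: defaults
sudoOption: ignore_local_sudoers

dn: cn=jhansen,ou=SUDOers,dc=blah,dc=com
objectClass: top
objectClass: sudoRole
cn: jhansen
sudoUser: jhansen
sudoHost: ALL
sudoCommand: (ALL) ALL

dn: cn=jhansen-fixed,ou=SUDOers,dc=blah,dc=com
objectClass: top
objectClass: sudoRole
cn: jhansen-fixed
sudoUser: jhansen
sudoHost: ALL
sudoCommand: ALL
"""


def parse_ldif(text):
    """Parse simple LDIF into a list of {attribute: [values]} dicts.

    Handles only what sudoRole entries need: one "attr: value" per line and
    entries separated by blank lines (no base64 values, no continuation lines).
    """
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def user_matches(entry, user, groups=()):
    """sudoUser matches the login name, %group for one of the user's groups, or ALL."""
    wanted = {user, "ALL"} | {"%" + g for g in groups}
    return any(v in wanted for v in entry.get("sudoUser", []))


def host_matches(entry, host):
    """sudoHost matches the host name or ALL."""
    return any(v in (host, "ALL") for v in entry.get("sudoHost", []))


def command_matches(entry, command):
    """sudoCommand matches the literal command line or ALL.

    '(ALL) ALL' is neither, so it never matches: that is the
    "ldap sudoCommand '(ALL) ALL' ... not" line in the thread.
    """
    return any(v in (command, "ALL") for v in entry.get("sudoCommand", []))


def lint_sudo_commands(entry):
    """Return sudoCommand values that start with a sudoers-style run-as prefix."""
    return [v for v in entry.get("sudoCommand", []) if v.startswith("(")]


def allowed(entries, user, host, command, groups=()):
    """True if some sudoRole entry permits `command` for `user` on `host`."""
    return any(
        user_matches(e, user, groups) and host_matches(e, host) and command_matches(e, command)
        for e in entries
        if "sudoRole" in e.get("objectClass", [])
    )


if __name__ == "__main__":
    roles = parse_ldif(SAMPLE_LDIF)
    for e in roles:
        bad = lint_sudo_commands(e)
        if bad:
            print(f"{e['dn'][0]}: run-as prefix inside sudoCommand: {bad}")
    # Only the broken entry present: denied, as in the thread.
    print(allowed(roles[:2], "jhansen", "z000009.blah.com", "/bin/su -"))
    # With the corrected entry present: allowed.
    print(allowed(roles, "jhansen", "z000009.blah.com", "/bin/su -"))
```

Running the lint over an LDAP export before rolling it out catches this class of mistake early: a sudoRole whose sudoCommand never matches fails closed, which is the safe direction, but it is also why the user's debug run ends with user_matches=-1 rather than an explicit denial message tied to the command.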