[sudo-users] Odd sudo behavior: some users can, others cannot
jason.axley at wamu.net
Mon May 8 11:31:43 EDT 2006
All of the users are definitely in the correct group. That was
validated. I also validated the sudo config using testsudoers and found
that the rules are correctly allowing the activity, so there is some
other bug preventing the rule from actually working.

Here is some additional information that has allowed us a workaround:
Users with read/execute access to the script in question (script.sh)
could successfully execute the script via sudo. The script was
originally mode 750, so only users that were in the other group that had
read/execute rights could execute it. The users that were getting the
puzzling error (not a permission denied, but a 'not authorized to run
sudo on this host' error) were not members of that group. But, members
of that group _could_ execute the sudo command.

So, as a test, we changed the mode to 755 on the script and voila, the
users who were denied before were suddenly able to run the script! This
is our workaround for now. But it points out two issues with sudo:

1. Fundamentally, sudo should _not_ require the *sudo user* to have
read/execute to a script. Only the user that sudo will *execute the
script as* should need read/execute privileges.

2. Sudo should log a more appropriate error to syslog and to the user
than what it is currently doing. "Permission denied to script _blah_"
would be more helpful than the current red herring. I think that from
taking a peek at the code, those errors tend to be the catch-all error
conditions and are being implicitly triggered instead of explicitly. So
perhaps the code that decides what the error is should be more
granularly inspecting what is triggering the error.
Jason Axley, CISSP
Sr. Security Engineer
PGP Key Fingerprint: 9551 3500 5FF1 9130 F5A8 2BD4 4BEB 47DE 1D6A F7C0
From: Bob Proulx [mailto:bob at proulx.com]
Sent: Saturday, May 06, 2006 3:23 PM
To: Axley, Jason
Cc: sudo-users at sudo.ws
Subject: Re: [sudo-users] Odd sudo behavior: some users can, others
Axley, Jason wrote:
> Host_Alias UATAPP = appu711, appu712, appu713, appu714
> Runas_Alias WLOGIC = weblogic, blah
> %somegroup UATAPP = (WLOGIC) /opt/weblogic/bin/script.sh
> Both users are members of somegroup and are running this on the box
Can you double check the groups that each user is really a member of
with 'id' or 'groups'? I have seen problems in other contexts where
users were not actually in the groups they were thought to be in.
I assume it works fine if you actually list the users out?
> I can't see a reason that sudo -l would list a command correctly that
> a user should be able to execute and then deny them execution of that
> command--unless there is some sort of bug lingering here.
That does seem curious. If you could debug this further I am sure it
would be appreciated. This is very hard to debug by inspection.
Personally I am not sure what other advice to offer.
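The two checks this thread circles around, whether the invoking user is in the %group named by the sudoers rule and whether that user can read and execute the script file itself, can be modelled in a few lines of shell. The script below is an added example, not code from the thread and not sudo's own logic; it emulates the ordinary Unix mode check for a constructed set of users, groups and modes (alice, bob, carol, appgrp, the 750/755 modes) so the 750-versus-755 difference the poster observed can be reproduced without a real sudo install.

```shell
#!/bin/sh
# Added example (not from the thread or from sudo's source): a small model
# of the Unix read/execute check that the thread's sudo build applied to
# the *invoking* user before running the command. All users, groups and
# modes below are constructed for illustration.

# can_read_exec MODE OWNER FGROUP USER [GROUP ...]
#   MODE          three octal digits, e.g. 750
#   OWNER/FGROUP  the file's owner and group
#   USER          the invoking user, followed by that user's group list
#                 (what `id -Gn USER` prints)
# Exit status 0 when USER gets both read (4) and execute (1) on the file.
can_read_exec() {
    mode=$1; owner=$2; fgroup=$3; user=$4
    shift 4
    if [ "$user" = "$owner" ]; then
        bits=${mode%??}                      # owner digit
    else
        bits=${mode#??}                      # "other" digit unless a group matches
        for g in "$@"; do
            if [ "$g" = "$fgroup" ]; then
                bits=${mode#?}; bits=${bits%?}   # group digit
                break
            fi
        done
    fi
    [ $((bits & 4)) -ne 0 ] && [ $((bits & 1)) -ne 0 ]
}

# diagnose_sudo_rule RULE_GROUP MODE OWNER FGROUP USER [GROUP ...]
# Runs the two checks the thread discusses, in order: membership in the
# %RULE_GROUP from the sudoers line, then read/execute on the script for
# the invoking user. Prints a one-word verdict so the real reason for a
# denial is visible instead of a catch-all "not authorized" message.
diagnose_sudo_rule() {
    rule_group=$1; mode=$2; owner=$3; fgroup=$4; user=$5
    shift 5
    in_rule_group=no
    for g in "$@"; do
        if [ "$g" = "$rule_group" ]; then in_rule_group=yes; fi
    done
    if [ "$in_rule_group" = no ]; then
        echo "not-in-sudoers-group"      # sudoers really does not match
    elif ! can_read_exec "$mode" "$owner" "$fgroup" "$user" "$@"; then
        echo "script-not-accessible"     # the misleading case from the thread
    else
        echo "allowed"
    fi
}

# Walk-through of the thread's situation with constructed values:
# script.sh is owned by weblogic:appgrp, both alice and bob are in
# somegroup (the %somegroup of the sudoers rule), only alice is in appgrp.
for m in 750 755; do
    echo "mode $m: alice -> $(diagnose_sudo_rule somegroup $m weblogic appgrp alice somegroup appgrp)"
    echo "mode $m: bob   -> $(diagnose_sudo_rule somegroup $m weblogic appgrp bob somegroup users)"
done
```

With mode 750 the model reports "script-not-accessible" for bob and "allowed" for alice; with 755 both are "allowed", which is the workaround the poster landed on. When hunting a denial like this on a real host, `id -Gn USER` gives the group list to feed in, and `ls -l` on the command path gives the mode, owner and group.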