[sudo-users] Giving access to one app for all users

Paul Thompson p_thompson at mac.com
Thu May 18 14:14:20 EDT 2006


On 17-May-06, at 9:34 PM, Bob Proulx wrote:

> Paul Thompson wrote:
>> Pirates-Cove:~ paul$ sudo -l
>> User paul may run the following commands on this host:
>>     (ALL) ALL
>>     (root) NOPASSWD: ALL
>> Pirates-Cove:~ paul$
>>
>>   If I understand this correctly, it seems to be saying that the
>> user paul can run all commands, and root may run all commands without
>> a password.
>
> As I read it the first line says that paul can run all commands as all
> users.  It will ask for a password for this.  The second line says
> that user paul can run all commands as root and will not ask for a
> password.  It is root because the sudoers file did not specify (ALL)
> in the users field and so defaults to (root).
>
>> The only thing I don't see is a reference to the print
>> command.
>
> Agreed.  This is so different from the file you showed that I have to
> wonder if the sudo you are using is actually referencing a completely
> different sudoers file than the one you think it is using.  The file
> you showed did not have any reference to "(root) NOPASSWD: ALL" for
> any user.  Are you sure you were using the right file?
>
> On my machine I can run strings on the binary and find the file path
> to the sudoers file.
>
>   strings /usr/bin/sudo | grep sudoers
>   ...
>   /etc/sudoers
>   ...
>
> Bob

   Hi,

   When I modified the sudoers file, I cd to /etc and then  
authenticated as root before I ran visudo -f /etc/sudoers to modify  
the file.  I tried the command you sent as my second admin and this  
is what I received back:

Password:
User paul may run the following commands on this host:
     (ALL) ALL
Pirates-Cove:~ paul$ strings /usr/bin/sudo | grep sudoers
strings: can't open file: /usr/bin/sudo (Permission denied)
Pirates-Cove:~ paul$ sudo strings /usr/bin/sudo | grep sudoers
user NOT in sudoers ;
%s is not in the sudoers file.  %s
unable to change to sudoers gid
/private/etc/sudoers
 >>> sudoers file: %s, line %d <<<
Send mail if the user is not in sudoers
Send mail if the user is not in sudoers for this host
Require fully-qualified hostnames in the sudoers file
ignore_local_sudoers
If LDAP directory is up, do we ignore local sudoers file
Available options in a sudoers ``Defaults'' line:
Pirates-Cove:~ paul$

I then tried a command I am a little more familiar with, and I  
received this back:

Pirates-Cove:~ paul$ locate sudoers
/private/etc/sudoers
/private/etc/sudoers.org
/usr/share/man/man5/sudoers.5
Pirates-Cove:~ paul$

   It appears that I only have two copies of sudoers, and one is my
backup copy before I started messing with the sudoers file.  As far as
I can determine, I am using the right file, but for some reason it is not
acknowledging the changes I have made to it.

   Paul
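
The reading of `sudo -l` output discussed in this thread (run-as user in parentheses, `NOPASSWD:` tag, command list), as an added example that is not part of the original messages: a small audit filter that classifies each entry and marks unrestricted passwordless access. The function name `classify_sudo_l` and the `UNRESTRICTED-NOPASSWD` label are made up for this illustration; the sample input is the first `sudo -l` output quoted above.

```shell
#!/bin/sh
# Added example (not from the thread): classify each entry of `sudo -l`
# output read on stdin. One line per entry: runas|password|command[|FLAG]

# Sample input: the first `sudo -l` output quoted in the thread.
SAMPLE_SUDO_L='User paul may run the following commands on this host:
    (ALL) ALL
    (root) NOPASSWD: ALL'

classify_sudo_l() {
    awk '
    # Entries are the indented lines that follow the "may run" header.
    /may run the following commands/ { in_list = 1; next }
    in_list && /^[ \t]+[^ \t]/ {
        line = $0
        sub(/^[ \t]+/, "", line)
        runas = "root"                  # default when no run-as user is listed
        if (match(line, /^\([^)]*\)[ \t]*/)) {
            runas = substr(line, 2, index(line, ")") - 2)
            line = substr(line, RLENGTH + 1)
        }
        pw = "password"                 # sudo asks for a password unless tagged
        # Strip leading tags (NOPASSWD:, PASSWD:, ...) and remember the last one.
        while (match(line, /^[A-Z_]+:[ \t]*/)) {
            tag = substr(line, 1, RLENGTH)
            sub(/:[ \t]*$/, "", tag)
            if (tag == "NOPASSWD") pw = "nopasswd"
            if (tag == "PASSWD") pw = "password"
            line = substr(line, RLENGTH + 1)
        }
        flag = ""
        # Hypothetical label: every command, as root or any user, with no prompt.
        if (pw == "nopasswd" && line == "ALL" && (runas == "root" || runas ~ /^ALL/))
            flag = "|UNRESTRICTED-NOPASSWD"
        print runas "|" pw "|" line flag
        next
    }
    in_list { in_list = 0 }             # first non-entry line ends the list
    '
}

# Run on the embedded sample; on a live system: sudo -l | classify_sudo_l
printf '%s\n' "$SAMPLE_SUDO_L" | classify_sudo_l
```

Running it for each account and comparing the results shows at a glance which entries differ, which is the comparison the two `sudo -l` outputs in this thread call for.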


