[sudo-users] exempt_group question

Huibert.Kivits at mail.ing.nl Huibert.Kivits at mail.ing.nl
Fri Nov 3 16:57:11 EST 2006


Hi Martin,

IMHO, you've got two options:
1. Have user marto issue sudo commands like this:
    sudo /sbin/telinit
2. Add /sbin to the user's PATH, either through
   - the user's own .profile
   - the system-wide /etc/profile
   - a group profile, only to be executed by a specific group to which user marto belongs.

With kind regards,


Huibert Kivits
ING
"...all too often, when organizations develop information security programs, they treat security issues as a simple 'check-box' on the list of required corporate functions."
Richard Forno & Kenneth R van Wyk, "Incident Response", O'Reilly, 2001, ISBN: 0-596-00130-4



-----Original Message-----
From: sudo-users-bounces at courtesan.com [mailto:sudo-users-bounces at courtesan.com] On behalf of Martin Ivanov
Sent: Friday 3 November 2006 22:50
To: sudo-users at sudo.ws
Subject: [sudo-users] exempt_group question


Hello!
I am running Slackware Linux 11.0 with kernel 2.6.18
Here is my /etc/sudoers file:

root ALL=(ALL) ALL
Defaults:marto exempt_group=on
Cmnd_Alias MARTO = /bin/su, /sbin/telinit, /usr/sbin/checkinstall, /bin/ls, /sbin/mount, /sbin/installpkg, /sbin/removepkg
marto marto = NOPASSWD: MARTO

As you can guess, my user is marto. The problem is that the commands from the /sbin directory cannot be found by sudo, because they are not in marto's PATH. So to free sudo from the PATH restriction, I decided to use the exempt_group string. However, this does not seem to work. Whenever I type: sudo telinit 6 as marto, bash complains that it cannot find the command. If I add /sbin to marto's PATH, there is no problem. I wonder if there is some way to achieve that without modifying marto's PATH. I want marto to have access to commands in /sbin only via sudo.

Any suggestions will be appreciated.
Thank you very much in advance.

Yours,
Martin
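
Added example, not part of the original thread or of sudo itself: a shell check that takes the Cmnd_Alias from the post and a PATH value and lists the entries whose directory is missing from that PATH, that is, the commands that option 1 in the reply says must be typed with their full path. The PATH value and the function names `dir_in_path` and `needs_full_path` are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: report which commands in a sudoers Cmnd_Alias cannot be run
# by bare name because their directory is not in the invoking user's PATH.
# It compares directory names only; it does not check that the files exist.

# The alias line as posted in the thread.
ALIAS_LINE='Cmnd_Alias MARTO = /bin/su, /sbin/telinit, /usr/sbin/checkinstall, /bin/ls, /sbin/mount, /sbin/installpkg, /sbin/removepkg'
# Constructed sample value: a typical unprivileged PATH without the sbin dirs.
USER_PATH='/usr/local/bin:/usr/bin:/bin'

# dir_in_path DIR PATHLIST
# Succeeds if DIR is one of the colon-separated entries of PATHLIST.
dir_in_path() {
    case ":$2:" in
        *":$1:"*) return 0 ;;
        *) return 1 ;;
    esac
}

# needs_full_path ALIAS_LINE PATHLIST
# Prints, one per line, each command in the alias whose directory is not
# listed in PATHLIST.
needs_full_path() {
    cmds=${1#*=}                 # drop the "Cmnd_Alias NAME =" prefix
    old_ifs=$IFS
    IFS=','                      # alias members are comma separated
    set -f                       # no globbing while splitting
    for entry in $cmds; do
        # Trim leading blanks and drop any argument list after the path.
        entry=$(printf '%s' "$entry" | sed 's/^[[:space:]]*//; s/[[:space:]].*$//')
        [ -n "$entry" ] || continue
        dir_in_path "${entry%/*}" "$2" || printf '%s\n' "$entry"
    done
    set +f
    IFS=$old_ifs
}

# With the sample PATH this lists the /sbin and /usr/sbin commands.
needs_full_path "$ALIAS_LINE" "$USER_PATH"
```
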
