[sudo-users] sudo asks for a password when it shouldn't

Anthony Burton ant at pf-cvl.net
Thu Jan 31 10:16:42 EST 2008


Greetings,

I have a user who is set up to be able to run certain commands with sudo 
without using a password since the commands are being run from a script 
(as part of a nagios monitoring scheme). What I'm seeing is this:

[nrpeagent@dbase libexec]$ id
uid=907(nrpeagent) gid=911(nrpeagent) groups=911(nrpeagent)
[nrpeagent@dbase libexec]$ sudo -l
User nrpeagent may run the following commands on this host:
     (oracle) NOPASSWD: /usr/local/oracle/product/10.2.0/db_1/bin/tnsping
     (oracle) NOPASSWD: /usr/local/oracle/product/10.2.0/db_1/bin/sqlplus
[nrpeagent@dbase libexec]$ sudo -u oracle tnsping r2d2db
Password:

Why does sudo ask for a password here?

I have this same line in a shell script which runs w/o asking for password:

...
case "$cmd" in
--tns)
     tnschk=$(sudo -u oracle tnsping $2)
...
...


The system is as follows:
[burtona@dbase libexec]$ uname -a
Linux dbase.localdomain 2.6.9-42.ELsmp #1 SMP Wed Jul 12 23:27:17 EDT 2006 i686 i686 i386 GNU/Linux
[burtona@dbase libexec]$ cat /etc/redhat-release
Red Hat Enterprise Linux AS release 4 (Nahant Update 4)
[burtona@dbase libexec]$

And the appropriate lines from sudoers:

# Host alias specification
Host_Alias      DBASE = 192.168.10.37

# User alias specification
Runas_Alias    DB = oracle

# Cmnd alias specification
Cmnd_Alias      TNSPING = /usr/local/oracle/product/10.2.0/db_1/bin/tnsping
Cmnd_Alias      SQLPLUS = /usr/local/oracle/product/10.2.0/db_1/bin/sqlplus

# allow user nrpeagent to run the tnsping and sqlplus commands
# on host dbase(192.168.10.37) as user oracle with no password
nrpeagent       DBASE = (DB) NOPASSWD: TNSPING
nrpeagent       DBASE = (DB) NOPASSWD: SQLPLUS



My real problem is that I have another script trying to run an sqlplus 
command that is not working at all; sudo asks for a password every time. 
It worked for a time, and then seems to have quit, and I'm not sure why.

I have come to believe that it has to do with the settings in PAM:

[burtona@dbase libexec]$ cat /etc/pam.d/sudo
#%PAM-1.0
auth       required     pam_stack.so service=system-auth
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
session    required     pam_limits.so

But I have not yet figured out what these settings mean. It would be 
nice if sudo had a -v command that you could give it (à la -vvvv) like 
with ssh to see what it's doing.

Can someone give some insight into why sudo is asking for a password in 
these situations?

Thanks very much for your time,
Anthony
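
A diagnostic for the symptom described in the post, added here as an example (not part of the original message and not sudo's own code): sudo matches the file a command name resolves to against the sudoers entries, so a bare `tnsping` is covered by the NOPASSWD entry only if the search path in effect resolves it to the listed file. The function names and the demo's temporary files are assumptions made for illustration; the search path (the caller's PATH, or `secure_path` where sudoers sets it) is passed in as an argument.

```shell
# Added example, not from the original post; function names are hypothetical.

# Read `sudo -l` output on stdin (layout as in the post) and print the
# command paths listed with NOPASSWD for the given run-as user.
nopasswd_paths() {
    sed -n "s/^[[:space:]]*($1)[[:space:]]*NOPASSWD:[[:space:]]*//p" | tr ',' ' '
}

# Resolve a bare command name through a colon-separated search path,
# returning the first executable regular file, as a PATH lookup would.
resolve_in_path() {
    case $1 in */*) printf '%s\n' "$1"; return 0 ;; esac
    old_ifs=$IFS; IFS=:
    for dir in $2; do
        IFS=$old_ifs
        if [ -f "${dir:-.}/$1" ] && [ -x "${dir:-.}/$1" ]; then
            printf '%s\n' "${dir:-.}/$1"; return 0
        fi
    done
    IFS=$old_ifs
    return 1
}

# Usage: check_nopasswd NAME RUNAS SEARCH_PATH < sudo-l-output
# Prints "match PATH" if NAME resolves to a NOPASSWD entry (same string or
# same file), "mismatch PATH" if it resolves elsewhere, else "notfound".
check_nopasswd() {
    resolved=$(resolve_in_path "$1" "$3") || { echo notfound; return 0; }
    for entry in $(nopasswd_paths "$2"); do
        if [ "$resolved" = "$entry" ] || [ "$resolved" -ef "$entry" ]; then
            echo "match $resolved"; return 0
        fi
    done
    echo "mismatch $resolved"
}

# Constructed demo: two stand-in tnsping files in a temp dir, one under an
# Oracle-style bin directory and one in an earlier search-path directory.
demo() {
    t=$(mktemp -d) && mkdir -p "$t/oracle/bin" "$t/local/bin" || return 1
    for f in "$t/oracle/bin/tnsping" "$t/local/bin/tnsping"; do
        printf '#!/bin/sh\n' > "$f" && chmod +x "$f"
    done
    listing="    (oracle) NOPASSWD: $t/oracle/bin/tnsping"
    printf '%s\n' "$listing" | check_nopasswd tnsping oracle "$t/local/bin:$t/oracle/bin"
    printf '%s\n' "$listing" | check_nopasswd tnsping oracle "$t/oracle/bin"
    rm -rf "$t"
}
```

Running `sudo -l | check_nopasswd tnsping oracle "$PATH"` from the interactive shell and again from the script's environment shows whether the two resolve the name to the same file.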