[sudo-users] sudo asks for a password when it shouldn't
Anthony Burton
ant at pf-cvl.net
Thu Jan 31 10:16:42 EST 2008
Greetings,
I have a user who is set up to be able to run certain commands with sudo
without using a password since the commands are being run from a script
(as part of a nagios monitoring scheme). What I'm seeing is this:
[nrpeagent at dbase libexec]$ id
uid=907(nrpeagent) gid=911(nrpeagent) groups=911(nrpeagent)
[nrpeagent at dbase libexec]$ sudo -l
User nrpeagent may run the following commands on this host:
(oracle) NOPASSWD: /usr/local/oracle/product/10.2.0/db_1/bin/tnsping
(oracle) NOPASSWD: /usr/local/oracle/product/10.2.0/db_1/bin/sqlplus
[nrpeagent at dbase libexec]$ sudo -u oracle tnsping r2d2db
Password:
Why does sudo ask for a password here?
I have this same line in a shell script which runs w/o asking for password:
...
case "$cmd" in
--tns)
tnschk=$(sudo -u oracle tnsping $2)
...
...
The system is as follows:
[burtona at dbase libexec]$ uname -a
Linux dbase.localdomain 2.6.9-42.ELsmp #1 SMP Wed Jul 12 23:27:17 EDT
2006 i686 i686 i386 GNU/Linux
[burtona at dbase libexec]$ cat /etc/redhat-release
Red Hat Enterprise Linux AS release 4 (Nahant Update 4)
[burtona at dbase libexec]$
And the appropriate lines from sudoers:
# Host alias specification
Host_Alias DBASE = 192.168.10.37
# User alias specification
Runas_Alias DB = oracle
# Cmnd alias specification
Cmnd_Alias TNSPING = /usr/local/oracle/product/10.2.0/db_1/bin/tnsping
Cmnd_Alias SQLPLUS = /usr/local/oracle/product/10.2.0/db_1/bin/sqlplus
# allow user nrpeagent to run the tnsping and sqlplus commands
# on host dbase(192.168.10.37) as user oracle with no password
nrpeagent DBASE = (DB) NOPASSWD: TNSPING
nrpeagent DBASE = (DB) NOPASSWD: SQLPLUS
My real problem is that I have another script trying to run an sqlplus
command that is not working at all; sudo asks for a password every time.
It worked for a time, and then seems to have quit, and I'm not sure why.
I have come to believe that it has to do with the settings in PAM:
[burtona at dbase libexec]$ cat /etc/pam.d/sudo
#%PAM-1.0
auth required pam_stack.so service=system-auth
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
session required pam_limits.so
But I have not yet figured out what these settings mean. It would be
nice if sudo had a -v command that you could give it (ala -vvvv) like
with ssh to see what it's doing.
Can someone give some insight into why sudo is asking for a password in
these situations?
Thanks very much for your time,
Anthony
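
The `sudo -l` listing in the post grants NOPASSWD only for two fully qualified paths, while the interactive command was typed as bare `tnsping`, which sudo resolves through PATH before matching it against sudoers. The script below is an added example, not part of the original post: it checks whether a name resolved through a given PATH lands on one of the listed NOPASSWD paths. The function names and the simplified single-user `(runas)` parsing are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post).
# Constructed sample: the `sudo -l` output quoted in the post.
SUDO_L_SAMPLE='User nrpeagent may run the following commands on this host:
(oracle) NOPASSWD: /usr/local/oracle/product/10.2.0/db_1/bin/tnsping
(oracle) NOPASSWD: /usr/local/oracle/product/10.2.0/db_1/bin/sqlplus'

# resolve_in_path NAME PATHLIST
# Prints the first executable match for NAME in the colon-separated PATHLIST.
# A NAME that already contains a slash is returned unchanged.
resolve_in_path() {
    case "$1" in */*) printf '%s\n' "$1"; return 0 ;; esac
    old_ifs=$IFS; IFS=:
    for dir in $2; do
        if [ -f "$dir/$1" ] && [ -x "$dir/$1" ]; then
            IFS=$old_ifs; printf '%s\n' "$dir/$1"; return 0
        fi
    done
    IFS=$old_ifs
    return 1
}

# nopasswd_paths RUNAS
# Reads `sudo -l` text on stdin and prints the command paths tagged NOPASSWD
# for RUNAS. Assumption: each entry names one runas user, as in the post.
nopasswd_paths() {
    awk -v want="($1)" '$1 == want && $2 == "NOPASSWD:" { print $3 }'
}

# check_nopasswd NAME RUNAS PATHLIST SUDO_L_TEXT
# Returns 0 if the resolved path is a NOPASSWD entry for RUNAS,
# 1 if it resolves to a path with no such entry, 2 if NAME is not in PATHLIST.
check_nopasswd() {
    resolved=$(resolve_in_path "$1" "$3") || { echo "$1: not found in PATH"; return 2; }
    if printf '%s\n' "$4" | nopasswd_paths "$2" | grep -Fxq -- "$resolved"; then
        echo "$resolved: NOPASSWD entry as $2"; return 0
    fi
    echo "$resolved: no NOPASSWD entry as $2"; return 1
}

# Demo against the current PATH and the listing from the post.
check_nopasswd tnsping oracle "$PATH" "$SUDO_L_SAMPLE" || true
```

Run it once from the interactive shell and once from inside the monitoring script to compare how each environment's PATH resolves the same name.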