[sudo-users] sudoers anomaly
Jeffrey Seul
jeffreyseul at officemax.com
Tue Jul 15 15:22:05 EDT 2008

I've just gone through and created a nice unified sudoers file (that will
work for us until we can get to 1.7 and use the local includes instead) -
however I'm noticing some issues and I believe it's to do with the
runas_aliases and hoping you can help me -

If I set up a user with something like this -

# Oracle Administrators
%dba ALL=(ORACLE_USERS) NOPASSWD: !SHELLS, !BAD_CMDS, ALL

and then define a large (more than 30 objects) Runas_Alias (obviously it
comes before the group permission) -

Runas_Alias ORACLE_USERS=orabp2, orabwd, orabwq, orabwx, oraep2, oraepd, oraepq, oraev1, oraevd, oramdd, oramdt, orapr2, orapt2, oraptd, oraptq, orartd, orartq, orarts, orartt, orasb1, orasm2, orawm1, orawm2, orawm3, orawmd, orawmq, orawms, orawmt, patrol, precise, orabix, orasrx, orasmx, oraxix

the user, even if they're in the dba group, will be prompted for a password
and they'll yet be allowed to execute the command.

If I shorten the list of users in the Runas_Alias, and wait the cursory
amount of time or clear my cache directory entry, it will no longer prompt
me for a password.

Any thoughts?