[sudo-users] sudoers anomaly

Jeffrey Seul jeffreyseul at officemax.com
Tue Jul 15 15:22:05 EDT 2008

I've just gone through and created a nice unified sudoers file (that will
work for us until we can get to 1.7 and use the local includes instead) -
however I'm noticing some issues and I believe it's to do with the
runas_aliases and hoping you can help me -

If I set up a user with something like this -

# Oracle Administrators

and then define a large (more than 30 objects) Runas_Alias (obviously it
comes befor the group permission) -

Runas_Alias ORACLE_USERS=orabp2, orabwd, orabwq, orabwx, oraep2, oraepd, oraepq, oraev1, oraevd, oramdd, oramdt, orapr2, orapt2, oraptd, oraptq, orartd, orartq, orarts, orartt, orasb1, orasm2, orawm1, orawm2, orawm3, orawmd, orawmq, orawms, orawmt, patrol, precise, orabix, orasrx, orasmx, oraxix

the user, even if they're in the dba group, will be prompted for password
and they'll yet be allowed to execute the command

If I shorten the list of users in the Runas_Alias, and wait the cursory
amount of time or clear my cache directory entry, it will no longer prompt
me for password

Any thoughts?

More information about the sudo-users mailing list