[sudo-users] Bizarre sudo behavior

Michael Potter michael at potter.name
Fri Jun 20 00:09:21 EDT 2008


Mike,

Very curious problem.

Here are some suggestions:
1) Curious that you are being prompted for the password.  What would happen
if you typed the password correctly?

2) What would happen if you typed the full path for chuser?

3) Try turning off CentOS' advanced security features.  I think they are
under some security tab that also controls the firewall.  I am not
suggesting that is a permanent fix, but maybe that will narrow down the
problem.  If you have a hard time finding what to turn off, let me know and
I will boot my CentOS machine.

4) I don't think it is an environment problem, but if it is, it might show up
if you do this:
    sudo env
for each test case and compare the output.

I don't have a warm feeling that my suggestions will help, but no one else
replied so I thought I would give it a shot.  If you figure out the
solution, please post it back to the group.  Even if you find out that it
was human error.

-- 
Michael Potter

On Wed, Jun 11, 2008 at 4:08 PM, Wood, Mike <Mike.Wood at kci1.com> wrote:

> Hi All,
>
>
>
> I'm new to the list, but not new to sudo.  I've got a bizarre sudo
> problem that I just can't solve, and I need your help.
>
> I've looked 6 months back through the archives, and didn't see anything
> useful.
>
> Scenario:
>
> Sudo version 1.6.9p13 on AIX 5.3 TL5 SP5.
>
>
>
> Under certain circumstances, sudo commands don't seem to work.  I think
> it's an environment variable somewhere, but I'm not 100% sure.
>
>
>
> To reproduce the problem:  login directly as acostad.
>
> $ sudo -l
>
> User acostad may run the following commands on this host:
>
>    (root) NOPASSWD: sudoedit dsm.sys, sudoedit dsm.opt, sudoedit
> inclexcl, DSMJ, DSMC, DSMCAD, /usr/local/adm
>
> in-tools/make_tsm_nodedir
>
>    (root) NOPASSWD: /usr/bin/cancel, sudoedit /etc/hosts,
> /usr/local/admin-tools/ck_print_queue.ksh, sudoedit
>
>  ck_print_queue.dat
>
>    (root) NOPASSWD: /usr/bin/passwd [A-z]*, !/usr/bin/passwd root
>
>    (root) NOPASSWD: /usr/local/admin-tools/resetuser,
> !/usr/local/admin-tools/resetuser root
>
>    (root) NOPASSWD: sudoedit /etc/usrtab, sudoedit /etc/usrlogon
>
>    (operator) NOPASSWD: /usr/bin/smitty mkuser, /usr/bin/smit mkuser
>
>    (operator) NOPASSWD: /usr/bin/chuser account_locked
>
>    (root) /usr/bin/su - root
>
> $ sudo chuser account_locked=false woodm
>
> Password:
>
> Sorry, try again.
>
> Password:
>
> Sorry, try again.
>
> Password:
>
> Sorry, try again.
>
> sudo: 3 incorrect password attempts
>
>
>
> But...su - root, then su - acostad:
>
> $ sudo -l
>
> User acostad may run the following commands on this host:
>
>    (root) NOPASSWD: sudoedit dsm.sys, sudoedit dsm.opt, sudoedit
> inclexcl, DSMJ, DSMC, DSMC
>
> AD, /usr/local/admin-tools/make_tsm_nodedir
>
>    (root) NOPASSWD: /usr/bin/cancel, sudoedit /etc/hosts,
> /usr/local/admin-tools/ck_print_q
>
> ueue.ksh, sudoedit ck_print_queue.dat
>
>    (root) NOPASSWD: /usr/bin/passwd [A-z]*, !/usr/bin/passwd root
>
>    (root) NOPASSWD: /usr/local/admin-tools/resetuser,
> !/usr/local/admin-tools/resetuser roo
>
> t
>
>    (root) NOPASSWD: sudoedit /etc/usrtab, sudoedit /etc/usrlogon
>
>    (operator) NOPASSWD: /usr/bin/smitty mkuser, /usr/bin/smit mkuser
>
>    (operator) NOPASSWD: /usr/bin/chuser account_locked
>
>    (root) /usr/bin/su - root
>
> $ sudo chuser account_locked=false woodm
>
> $
>
>
>
> What gives?  Any idea where to look?
>
> Thanks!!!
>
>
>
> Mike Wood
>
> UNIX System Administrator
>
> Kinetic Concepts, Inc.
>
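
The comparison suggested in item 4 of the reply, as an added example that is not part of the original thread: it lists only the variables that differ between two saved `sudo env` dumps. The dump file names and all sample values are constructed, not taken from the affected host.

```shell
#!/bin/sh
# Added example: report variables that differ between two saved `sudo env`
# dumps. Capture one dump per test case on the affected host, for instance:
#   sudo env > direct_login.env     (after logging in directly)
#   sudo env > via_su.env           (after su - root, then su - acostad)
# The file names above and the sample values in demo() are constructed.

# env_diff FILE_A FILE_B
# Prints NAME<TAB>value-in-A<TAB>value-in-B for every variable whose value
# differs or that exists in only one dump; "<unset>" marks a missing one.
env_diff() {
    awk -F= '
        !/=/ { next }    # skip continuation lines of multi-line values
        { name = $1; value = substr($0, length(name) + 2) }
        FNR == NR { a[name] = value; seen[name] = 1; next }
        { b[name] = value; seen[name] = 1 }
        END {
            for (n in seen) {
                av = (n in a) ? a[n] : "<unset>"
                bv = (n in b) ? b[n] : "<unset>"
                if (av != bv) printf "%s\t%s\t%s\n", n, av, bv
            }
        }
    ' "$1" "$2" | LC_ALL=C sort
}

# Runs env_diff over two small constructed dumps so the output format is visible.
demo() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' 'HOME=/home/acostad' 'LOGNAME=root' 'SUDO_USER=acostad' \
        'PATH=/usr/bin:/etc:/usr/sbin' 'TERM=vt100' > "$dir/direct_login.env"
    printf '%s\n' 'HOME=/home/acostad' 'LOGNAME=root' 'SUDO_USER=acostad' \
        'COLUMNS=132' 'PATH=/usr/bin:/etc:/usr/sbin:/usr/local/bin' \
        'TERM=xterm' > "$dir/via_su.env"
    env_diff "$dir/direct_login.env" "$dir/via_su.env"
    rm -rf "$dir"
}

demo
```

Variables that are identical in both dumps are suppressed, so an empty result means the two sessions hand sudo the same environment.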


