[sudo-users] Problem with defaults (v1.7.0rc2)
Chris O'Regan
chris at encs.concordia.ca
Fri Oct 24 13:12:09 EDT 2008
We've decided to install v1.7.0rc2 because we really want to use the
#include directive. Unfortunately we are encountering a serious problem:

We require that members of the wheel group use the root password when
running sudo and have this near the top of /etc/sudoers:

    Defaults:%wheel rootpw

Non-wheel users are given very specific privileges and can use their own
password. This has been working well for years with the v1.6.x line of
sudo. With v1.7.0rc2 (have not tried earlier versions) this is being
applied to *all* users despite it being limited to group wheel. If I use
the same sudoers file with v1.6.x it works as expected. If I comment out
the above line with v1.7.0rc2 then the user is prompted for his own
password.

Here is the output of "sudo -l" (using v1.7.0rc2) for a test user
account that is *not* in the wheel group (I had to type the root
password to authenticate):

    Matching Defaults entries for joeuser on this host:
    shell_noargs
    Runas and Command-specific defaults for joeuser:
    Defaults>root editor=/usr/bin/vim:/encs/bin/vim:/usr/bin/vi
    Defaults>root always_set_home Defaults>root env_reset
    Defaults>root
    env_keep=SSH_CLIENT SSH_TTY SSH_CONNECTION DISPLAY
    User joeuser may run the following commands on this host:
    (fis-card) ALL

As myself (in the wheel group):

    Matching Defaults entries for chris on this host:
    shell_noargs, rootpw
    Runas and Command-specific defaults for chris:
    Defaults>root editor=/usr/bin/vim:/encs/bin/vim:/usr/bin/vi
    Defaults>root always_set_home Defaults>root env_reset
    Defaults>root
    env_keep=SSH_CLIENT SSH_TTY SSH_CONNECTION DISPLAY
    User chris may run the following commands on this host:
    (ALL) ALL

Notice that joeuser does *not* have "rootpw" as its defaults, so why is
sudo expecting root's password?

Thanks,
Chris