[sudo-users] How to replace default "incorrect password attempts" message

Massimo Sgaravatto - INFN Padova massimo.sgaravatto at pd.infn.it
Sun Nov 15 09:55:02 EST 2009

Dear all

I have the following sudo use case.

I would like the following:

If user tomcat does a:

 	 sudo -u userx cmdx

the command should be executed without being asked for a password if userx 
is part of a set of "allowed users" (let's call it GOOD_ACCOUNTS) *and* if
cmdx is part of a set of "allowed commands" (let's call it GOOD_CMDS).

If instead userx is not part of GOOD_ACCOUNTS and/or cmdx is not part of 
GOOD_CMDS the command should fail reporting an "Authorization failure" 
message without being asked for a password

I was able to implement such a use case by setting in the sudoers:

Runas_Alias GOOD_ACCOUNTS = user1, user2, ... , usern
Cmnd_Alias GOOD_CMDS = cmd1, cmd2, ..., cmdn

Defaults        passwd_tries=0

This works.
The only (cosmetic) problem is that if I specify in the sudo command a 
"bad" user and/or a "bad" command, I get as error message:

incorrect password attempts

while I would prefer something different (e.g. sudo authorization error)
I tried to set badpass_message in the sudoers, but it looks like it is 
only used when you type a wrong password

So is there a way to replace that default error message ?

Or are there some other (better) options to implement my use case ?

Thanks a lot, Massimo

             \\ ~ ~ //
             (/ @ @ /)
                          Massimo Sgaravatto
                          INFN Sezione di Padova
                          Via Marzolo, 8
                          35131 Padova - Italy
                          Tel: ++39 0498275908   Fax: ++39 0498275952
           oooO           E-mail: massimo.sgaravatto [at] pd.infn.it
           (   )   Oooo   Home page: http://www.pd.infn.it/~sgaravat
    --------\ (----(   )----------------------------------
             \_)    ) /
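
One way to get the custom message without touching sudo's own strings, as an added example that is not part of the original post: a wrapper that first asks sudo whether the command is permitted (`sudo -n -l -u user command` prints nothing interactive and exits non-zero when the policy does not allow it) and only then runs it. The function name `run_as`, the `SUDO` override variable and the exit code 77 are choices made for this example; it assumes tomcat's sudoers rule grants GOOD_CMDS as GOOD_ACCOUNTS with NOPASSWD and that the installed sudo supports `-n`.

```shell
#!/bin/sh
# Added example, not from the original post.
# Assumption: the sudoers rule for the calling user (tomcat) grants
# GOOD_CMDS as GOOD_ACCOUNTS with NOPASSWD, so no password is ever needed.

# Path of the sudo binary; overridable so the function can be exercised
# against a stub (assumption of this example, not a sudo feature).
SUDO="${SUDO:-sudo}"

# run_as USER COMMAND [ARGS...]
# Returns 2 on a usage error, 77 (value chosen for this example) when the
# sudo policy does not authorize the request, otherwise the command's status.
run_as() {
    if [ "$#" -lt 2 ]; then
        echo "usage: run_as user command [args...]" >&2
        return 2
    fi
    target_user=$1
    shift

    # -n: never prompt for a password.
    # -l with a command: consult the policy only; the exit status is
    # non-zero when the command is not permitted for that target user.
    if ! "$SUDO" -n -l -u "$target_user" -- "$@" >/dev/null 2>&1; then
        echo "sudo authorization error: $(id -un) may not run '$1' as $target_user" >&2
        return 77
    fi

    # Policy check passed: run the command, still without prompting.
    "$SUDO" -n -u "$target_user" -- "$@"
}
```

Denied requests are still recorded in sudo's own log by the `-l` check, so the wrapper changes only what the caller sees on stderr.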
