[sudo-users] Linux/Solaris differences in use of Cmnd_Alias?

John Shott shott at stanford.edu
Mon Mar 1 12:29:03 EST 2010


Sudo Community:

We have been using sudo for several years on both Solaris and Linux 
platforms to control who can start a set of servers and make sure that 
they are running as the proper user.

To do that, we have a wrapper script that is used to start some 
servers.  Let's say that is named /usr/local/sbin/wrapper.

In the wrapper script we start the server with the line to insure that 
the servers are owned by server_user and can only be started by specific 
named users.

sudo -l server_user /usr/local/sbin/start_server.

Because we are developing these servers, in addition to this production 
version, we often have a development version that is started with a 
similar wrapper script named /usr/local/sbin/wrapper-dev that actually 
starts the server with the sudo command line:

sudo -l server_user /usr/local/sbin/server_start-dev

Here is the relevant section of our /etc/sudoers file:

#User_Alias and Cmnd_Alias definitions:

User_Alias        LEGAL_USERS=fred, bill, joe, server_user
Cmnd_Alias      SERVER_START = /usr/local/sbin/server_start*
# Server_start privilege specification

LEGAL_USERS           this_host = (server_user) NOPASSWD: SERVER_START

On Solaris, if I am a member of the LEGAL_USERS User_Alias, I can 
successfully start either /usr/local/sbin/server_start or 
/usr/local/sbin/server_start-dev using this approach of having a 
trailing asterisk in the SERVER_START Cmnd_Alias.

However, on Linux (specifically RHEL5.4), if I run 
/usr/local/sbin/wrapper or /usr/local/sbin/wrapper-dev that should be 
calling:

sudo -l server_user /usr/local/sbin/server_start

and

sudo -l server_user /usr/local/sbin/server_start-dev

respectively, I get both a prompt for a password and then the error message:

User server_user is not allowed to run the command 
"/usr/local/sbin/server_start" on this_host.

(and the equivalent error message when it tries to run 
"/usr/local/sbin/server_start-dev").

While I can solve this by explicitly including both 
/usr/local/sbin/server_start and /usr/local/sbin/server_start-dev in the 
Cmnd_Alias on RHEL Linux, it seems as if using the wildcard * in the 
Cmnd_Alias should work ... and does work on Solaris.  In fact, I think 
that this wildcard in the Cmnd_Alias actually used to work on RHEL Linux.

Is this a misuse of a wildcard in a Cmnd_Alias?  Can anyone explain why 
this works on Solaris 10, but not on RHEL Linux 5.4?

Note: on Solaris 10, we are running Sudo 1.7.0 and on RHEL 5.4 we are 
running Sudo 1.6.9p17.

Thanks for your consideration,

John
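An added example, not part of this post and not sudo's own code: a small Python script that parses Cmnd_Alias lines like the one above and approximates sudo's command matching (fnmatch(3) with FNM_PATHNAME, so a wildcard never crosses a "/"), then lists which paths in a constructed directory listing each alias would admit. It shows that the trailing * also covers leftovers such as server_start.orig, which is why the explicit two-entry alias the post mentions is the tighter rule; it does not explain the 1.6.9p17 behaviour, and bracket expressions are not handled.

```python
import re

# constructed sudoers fragment: the wildcard alias from the post beside an explicit one
SUDOERS = """\
Cmnd_Alias SERVER_START = /usr/local/sbin/server_start*
Cmnd_Alias EXPLICIT = /usr/local/sbin/server_start, /usr/local/sbin/server_start-dev
"""

def parse_cmnd_aliases(text):
    """Map each Cmnd_Alias name to its list of command patterns.
    Handles simple one-line aliases only (no continuations, no arguments)."""
    aliases = {}
    for line in text.splitlines():
        m = re.match(r'\s*Cmnd_Alias\s+(\w+)\s*=\s*(.*)', line)
        if m:
            aliases[m.group(1)] = [p.strip() for p in m.group(2).split(',') if p.strip()]
    return aliases

def cmnd_matches(pattern, path):
    """Approximation of sudo's path matching: fnmatch(3) with FNM_PATHNAME,
    so '*' and '?' match anything except '/'. Without wildcards the path
    must match exactly. Assumption: no [...] character classes in the pattern."""
    regex = ''.join('[^/]*' if c == '*' else '[^/]' if c == '?' else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, path) is not None

def admitted(alias_patterns, candidates):
    """Return the candidate paths that any pattern of the alias would let a user run."""
    return [c for c in candidates if any(cmnd_matches(p, c) for p in alias_patterns)]

# constructed directory listing: the two intended scripts plus files an admin
# might not expect a trailing wildcard to cover
CANDIDATES = [
    "/usr/local/sbin/server_start",
    "/usr/local/sbin/server_start-dev",
    "/usr/local/sbin/server_start.orig",
    "/usr/local/sbin/server_start/nested",
    "/usr/local/sbin/server_stop",
]

if __name__ == "__main__":
    for name, patterns in parse_cmnd_aliases(SUDOERS).items():
        print(name, admitted(patterns, CANDIDATES))
```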