[sudo-users] Prompted for password when NOPASSWD specified

Vitezslav Cizek vcizek at suse.cz
Thu Mar 1 04:16:10 EST 2012

* V Středa 29. únor 2012, 19:04:13 [CET] Boxall, John napsal:
> Regards,
> On a RHEL 5.6 system with sudo 1.7.2p1 we are experiencing unexpected behaviour when attempting "sudo /bin/su - user1". 
> Background: 
> user1 is an Active Directory service account that is not allowed to be logged in locally and is managed by Quest Authentication Services vasd daemon (4.0.3-78). The account is used as the administration account for the installation and administration of some third party software. The users that can login are also managed by QAS. The lines below are from the QAS section of /etc/sudoers, which is controled by an AD group policy object:
> # VGP (vgp_sudoext) Sudoers Section Start ( DO NOT EDIT! )
> %groupX ALL=(root) NOPASSWD: /bin/su - user1
> %groupX ALL=(root) ALL
> # VGP (vgp_sudoext) Sudoers Section End
> No other lines/parameters have been changed above the VGP/QAS section from the default RH build.
> Behaviour:
> When a member (userX) of a valid group (groupX) logs in and attempts to run the above command they are asked for the AD password of the user1 account. We are expecting from the first line of the above section that userX would not be prompted for any password.
> However, if we temporarily comment out the second line (using visudo), userX can execute the command and becomes logged in as user1.

Here's your problem:

From man sudoers:
When multiple entries match for a user, they are applied in order.  Where there are multiple matches, the last match is used (which is not
necessarily the most specific match.

So just switch the two lines and it'll work as expected.

Vita Cizek
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 836 bytes
Desc: not available
URL: </pipermail/sudo-users/attachments/20120301/b2af9960/attachment.bin>

More information about the sudo-users mailing list