[sudo-users] Cmd_Alias conflict in include file

Bram Mertens mertensb.mazda at gmail.com
Wed Sep 12 04:34:30 EDT 2012


On Tue, Sep 11, 2012 at 7:28 PM, Todd C. Miller
<Todd.Miller at courtesan.com> wrote:
> I think you have two #includedir lines in your /etc/sudoers
> file.  Look for multiple occurrences of a line like:
>
> #includedir /etc/sudoers.d
>
> That was the only way I was able to reproduce the problem you are
> having.
>
>  - todd

AFAICT that isn't/wasn't the case on the machine on which I ran into this.

Since I locked myself out with my tests on that machine yesterday I've
now tried to reproduce it on a test system I can easily fix and I
can't reproduce it anymore.  I now have a working configuration (see
below) which I'll extend a bit so I won't spend more time to try to
find out what my mistake was.

Thanks for all the quick help.

Just in case someone else runs into something similar, here's the
configuration that does work:

These are all the rules using an include file:
[root at localhost ~]# grep -vh '^#' /etc/sudoers |grep .
Defaults    requiretty
Defaults   !visiblepw
Defaults    always_set_home
Defaults    env_reset
Defaults    env_keep =  "COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS"
Defaults    env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
Defaults    env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
Defaults    env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
Defaults    env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"
Defaults    secure_path = /sbin:/bin:/usr/sbin:/usr/bin
root    ALL=(ALL)       ALL
[root at localhost ~]# grep -vh '^#' /etc/sudoers.d/mazda |grep .
%isop   ALL=(ALL) ALL
%hpadm  ALL=(ALL) ALL
Cmnd_Alias     SHELLS = /bin/sh, /bin/csh, /bin/ksh, \
                        /bin/bash, /bin/dash, \
                        /usr/local/bin/tcsh, /usr/bin/rsh, \
                        /usr/local/bin/zsh
Cmnd_Alias     SU = /usr/bin/su
%isapbi ALL=(ALL) NOEXEC: ALL, !SU, !SHELLS

Only one include line:
[root at localhost ~]# grep include /etc/sudoers /etc/sudoers.d/mazda
/etc/sudoers:#includedir /etc/sudoers.d

Results in:
[testbi at localhost ~]$ sudo -l
[sudo] password for testbi:
Matching Defaults entries for testbi on this host:
    requiretty, !visiblepw, always_set_home, env_reset,
env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS",
env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG
    LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION
LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC
LC_PAPER LC_TELEPHONE",
    env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET
XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User testbi may run the following commands on this host:
    (ALL) NOEXEC: ALL, (ALL) !/usr/bin/su, (ALL) !/bin/sh, !/bin/csh,
!/bin/ksh, !/bin/bash, !/bin/dash, !/usr/local/bin/tcsh,
!/usr/bin/rsh, !/usr/local/bin/zsh

And just for completeness: as Matthew pointed out, this kind of
configuration only provides an indication of what commands shouldn't
be used, it does not provide complete security.

Thanks again

Bram Mertens
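The duplicate-#includedir cause Todd suggests can be checked mechanically. The script below is an added example, not code from the thread or from sudo: it expands a sudoers file the way sudo does (each #includedir line pulls in the drop-in directory again) and lists any alias that ends up defined twice. All paths and the sample tree are constructed assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Reproduces the cause Todd suggested:
# a repeated "#includedir" makes sudo read the drop-ins twice, so every alias in
# them looks redefined. Paths are assumptions; the sample tree is constructed.
# Count "#includedir" lines in FILE (sudo honours #include/#includedir even
# though they start with "#"; any other "#" line is a comment).
count_includedirs() {
    grep -c '^[[:space:]]*#includedir[[:space:]]' "$1" || true
}

# Print FILE as sudo reads it: each "#includedir DIR" is replaced by the files
# in DIR (lexical order; names with "." or a trailing "~" are skipped, as sudo
# does), so a second #includedir repeats every drop-in.
expand_sudoers() {
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            '#includedir '*)
                dir=${line#"#includedir "}
                for f in "$dir"/*; do
                    [ -f "$f" ] || continue
                    case "${f##*/}" in *.*|*~) continue ;; esac
                    cat "$f"
                done ;;
            *) printf '%s\n' "$line" ;;
        esac
    done <"$1"
}
# Alias names defined more than once in the expanded text on stdin.
duplicate_aliases() {
    sed -E -n 's/^[[:space:]]*(Cmnd|User|Host|Runas)_Alias[[:space:]]+([A-Z0-9_]+)[[:space:]]*=.*/\1_Alias \2/p' |
        sort | uniq -d
}

# Constructed sample: sudoers with #includedir twice plus a drop-in shaped
# like /etc/sudoers.d/mazda above. Prints the temp sudoers path.
make_sample_tree() {
    d=$(mktemp -d) && mkdir "$d/sudoers.d"
    printf '%s\n' 'root ALL=(ALL) ALL' "#includedir $d/sudoers.d" \
        "#includedir $d/sudoers.d" >"$d/sudoers"
    printf '%s\n' 'Cmnd_Alias SHELLS = /bin/sh, /bin/bash' \
        'Cmnd_Alias SU = /usr/bin/su' \
        '%isapbi ALL=(ALL) NOEXEC: ALL, !SU, !SHELLS' >"$d/sudoers.d/mazda"
    echo "$d/sudoers"
}

f=$(make_sample_tree)
echo "#includedir lines: $(count_includedirs "$f")"   # 2
expand_sudoers "$f" | duplicate_aliases               # Cmnd_Alias SHELLS, SU
rm -r "${f%/sudoers}"
```

Running the same two functions over the real /etc/sudoers (read-only) shows immediately whether the drop-in is being pulled in more than once.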
