[sudo-users] Configuring LDAP-UX Client with sudo to use with OpenLDAP server.

Todd C. Miller Todd.Miller at courtesan.com
Fri Sep 28 09:33:20 EDT 2012


On Fri, 28 Sep 2012 09:24:05 EDT, Evelyn Raupach-Carlos wrote:

> But when I run 'sudo -V | grep -i noexec' or 'sudo -V', I cannot confirm 
> this.
> Is there another simple command I can use to confirm?
> Please help, .... the security folks here at IBM are killing me for proof 
> ...................... and yes, even having the NOEXEC tag in the sudoers 
> file is not enough, morons.

As of sudo 1.8.1 the noexec path is specified in sudo.conf, not
sudoers, so the path to sudo_noexec.so will not appear in the "sudo
-V" output.

Is there some reason you can't just show them that it works?
For instance, a simple sudoers line like:

johnsmith ALL = NOEXEC: /usr/bin/env

would allow johnsmith to run the /usr/bin/env command to display
the environment (no args) but not run a command.  E.g.

$ sudo env id
env: id: Permission denied

Without the NOEXEC tag the id command will succeed.

 - todd
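
One way to produce the evidence asked for above, as an added example that is not part of the original message or of sudo itself: a shell function that reads the `Path noexec` setting from sudo.conf and checks that the file it names is readable. The function name, the default location /etc/sudo.conf and the choice to report the last matching line are assumptions of this example.

```shell
#!/bin/sh
# Added example: report the noexec shared object named in a sudo.conf file.
# Usage: noexec_path_status [sudo.conf path]   (assumed default: /etc/sudo.conf)
# Prints one of:
#   unset            no "Path noexec" line; sudo falls back to its built-in default
#   empty            a "Path noexec" line with no file name after it
#   ok <path>        a path is set and the file is readable
#   missing <path>   a path is set but the file is not readable
noexec_path_status() {
    conf=${1:-/etc/sudo.conf}
    [ -r "$conf" ] || { echo "unreadable $conf"; return 2; }
    # Strip "#" comments, then keep the last "Path noexec ..." line
    # (assumption: the last line is the one worth reporting).
    np=$(sed 's/#.*//' "$conf" | awk '
        $1 == "Path" && $2 == "noexec" { p = ($3 == "" ? "-" : $3); found = 1 }
        END { if (found) print p }')
    case $np in
        "") echo "unset"; return 1 ;;
        -)  echo "empty"; return 1 ;;
    esac
    if [ -r "$np" ]; then
        echo "ok $np"
    else
        echo "missing $np"
        return 3
    fi
}

# Constructed demo: a sample sudo.conf that points at an empty stand-in file.
demo_dir=$(mktemp -d)
: > "$demo_dir/sudo_noexec.so"          # stand-in, not a real library
printf '# constructed sample\nPath noexec %s\n' "$demo_dir/sudo_noexec.so" \
    > "$demo_dir/sudo.conf"
noexec_path_status "$demo_dir/sudo.conf" || true
rm -rf "$demo_dir"
```

An "ok" result only shows that the configured file is present; the `sudo env id` test in the message is still what shows NOEXEC taking effect.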

