[sudo-users] Configuring LDAP-UX Cient with sudo to use with OpenLDAP server.

Todd C. Miller Todd.Miller at courtesan.com
Fri Sep 28 09:33:20 EDT 2012

On Fri, 28 Sep 2012 09:24:05 EDT, Evelyn Raupach-Carlos wrote:

> But when I run 'sudo -V | grep -i noexec' or 'sudo -V', I cannot confirm 
> this.
> Is there another simple command I can use to confirm?
> Please help, .... the security folks here at IBM are killing me for proof 
> ...................... and yes, even having the NOEXEC tag in the sudoers 
> file is not enough, morons.

As of sudo 1.8.1 the noexec path is specified in sudo.conf, not
sudoers so the path to sudo_noexec.so will not appear in the "sudo
-V" output.

Is there some reason you can't just show them that it works?
For instance, a simple sudoers line like:

johnsmith ALL = NOEXEC: /usr/bin/env

would allow johnsmith to run the /usr/bin/env command to display
the environment (no args) but not run a command.  E.g.

$ sudo env id
env: id: Permission denied

Without the NOEXEC tag the id command will succeed.

 - todd

More information about the sudo-users mailing list