[sudo-users] User is able to sudo without a password, but shouldn't be able to.

KodaK sakodak at gmail.com
Wed Jul 22 08:27:24 MDT 2015


I'm at wit's end.  I have a Linux engineer who can sudo any command without
a password on one machine. This environment pushes a single sudoers to all
systems, but this only happens on one (as far as I know.)  I've exhausted all
possibilities I've come up with.  I'm hoping someone here can help me find
others.

Google is sort of unhelpful because every query I can think of gives me answers
regarding how to give someone the ability to sudo without a password, and
I've got that covered. :)

This is a RHEL6 system.  RPM says the only file that has changed is sudoers:

[root at hostname ~]# rpm -V sudo
S.5....T.  c /etc/sudoers

The version we're running currently is

[root at hostname ~]# rpm -q sudo
sudo-1.8.6p3-15.el6.x86_64

Which was just upgraded from sudo-1.7.4p5-7.el6.x86_64 earlier today.

The user sees this:

[username at hostname ~]$ sudo -l
Matching Defaults entries for username on this host:
    logfile=/var/adm/sudo.log

User username may run the following commands on this host:
    (ALL) ALL
    (root) NOPASSWD: /usr/lbin/modprpw, /usr/lbin/getprpw,
/usr/sbin/userdbget,     /usr/sbin/userdbset

However (and this isn't cached, first run in session):

[username at hostname ~]$ sudo su -
[root at hostname ~]#

The user was not prompted for a password.

The user is using the same sudo as everyone else:

[username at hostname ~]$ which sudo
/usr/bin/sudo

[confusedengineer at hostname bin]$ which sudo
/usr/bin/sudo

These are the group memberships:

[root at hostname ~]# id username
uid=303062(username) gid=303062(username)
groups=303062(username),10(wheel),100(users)
[root at hostname ~]#

My personal account has these group memberships:

[root at hostname ~]# id confusedengineer
uid=366194(confusedengineer) gid=100(users)
groups=100(users),10(wheel),130(sshadm)
[root at hostname ~]#

But I'm prompted for a password.

wheel can sudo, but with a password:

[root at hostname ~]# grep wheel /etc/sudoers
%wheel          ALL = (ALL) ALL

The user's other groups do not show up in sudoers:

Following the group rabbit hole:

[root at hostname ~]# egrep 'username|users' /etc/sudoers
User_Alias      SYSADMIN=sl10873,anon1,anon2,anon3,anon4,username
                /utils/security_scripts/delete_users.sh,/usr/local/bin/unlock.sh
[root at hostname ~]# grep SYSADMIN /etc/sudoers
User_Alias      SYSADMIN=sl10873,anon1,anon2,anon3,anon4,username
SYSADMIN         ALL = NOPASSWD: SACMD
[root at hostname ~]# grep SACMD /etc/sudoers
Cmnd_Alias      SACMD=/usr/lbin/modprpw,  /usr/lbin/getprpw,
/usr/sbin/userdbget, /usr/sbin/userdbset
SYSADMIN         ALL = NOPASSWD: SACMD

I've used -K and -k, I've also gone as far as deleting /var/db/sudo
and re-creating it.
I have no reason to believe this user is doing anything nefarious; he's the one who
brought it to my attention.

If we take him out of wheel he can't run anything in wheel's "ALL" rule, but it still
doesn't prompt him for a password.

What am I missing?  Has anyone ever seen anything similar?  Any ideas at all
would be appreciated.

Thanks,

--Jason
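As an added illustration, not part of Jason's post and not sudo's own parser, the following Python script models the documented sudoers evaluation order (entries are applied in file order and the last match wins, with NOPASSWD/PASSWD tags carrying forward along a command list) over a constructed sudoers fragment reconstructed from the rules quoted in the post. The matcher is deliberately simplified: it compares executable paths only, treats every host spec other than ALL as non-matching, ignores Defaults, and sees no included files. The relative order of the %wheel and SYSADMIN lines is an assumption, the aliases are trimmed to the members that matter, and the group memberships are copied from the `id` output above.

```python
import re

# Constructed sudoers fragment reconstructed from the rules quoted in the post.
# The order of the %wheel and SYSADMIN lines is an assumption (the post does not
# show it); alias membership is trimmed to the relevant names.
SUDOERS = """
Defaults        logfile=/var/adm/sudo.log
User_Alias      SYSADMIN=sl10873,anon1,username
Cmnd_Alias      SACMD=/usr/lbin/modprpw,  /usr/lbin/getprpw, \\
                /usr/sbin/userdbget, /usr/sbin/userdbset
%wheel          ALL = (ALL) ALL
SYSADMIN        ALL = NOPASSWD: SACMD
"""

# Constructed group membership, copied from the `id` output in the post.
GROUPS = {
    "username": {"username", "wheel", "users"},
    "confusedengineer": {"users", "wheel", "sshadm"},
}

_RULE_RE = re.compile(r"^(\S+)\s+(\S+)\s*=\s*(?:\(\s*([^)]*?)\s*\)\s*)?(.*)$")


def _join_continuations(text):
    """Drop blanks/comments and glue backslash-continued lines together."""
    lines, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        lines.append(buf + line)
        buf = ""
    if buf:
        lines.append(buf.strip())
    return lines


def parse_sudoers(text):
    """Return (user_aliases, cmnd_aliases, rules); rules keep file order."""
    user_aliases, cmnd_aliases, rules = {}, {}, []
    for line in _join_continuations(text):
        if line.startswith("Defaults"):
            continue  # simplified model: Defaults are not evaluated
        if line.startswith(("User_Alias", "Cmnd_Alias")):
            kind, _, body = line.partition(" ")
            name, _, members = body.partition("=")
            target = user_aliases if kind == "User_Alias" else cmnd_aliases
            target[name.strip()] = [m.strip() for m in members.split(",") if m.strip()]
            continue
        m = _RULE_RE.match(line)
        if not m:
            raise ValueError("unparsed sudoers line: " + line)
        userspec, hostspec, runas, cmdlist = m.groups()
        cmds, nopasswd = [], False
        for item in cmdlist.split(","):
            item = item.strip()
            # A tag applies to this and every following command in the list
            # until the opposite tag overrides it.
            while ":" in item and item.split(":", 1)[0] in ("NOPASSWD", "PASSWD"):
                tag, item = item.split(":", 1)
                nopasswd = tag == "NOPASSWD"
                item = item.strip()
            cmds.append((item, nopasswd))
        rules.append({"user": userspec, "host": hostspec,
                      "runas": runas or "root", "cmds": cmds, "line": line})
    return user_aliases, cmnd_aliases, rules


def _user_matches(spec, user, groups, user_aliases):
    if spec == "ALL":
        return True
    if spec.startswith("%"):
        return spec[1:] in groups
    if spec in user_aliases:
        return any(_user_matches(s, user, groups, user_aliases) for s in user_aliases[spec])
    return spec == user


def _cmnd_matches(spec, command, cmnd_aliases):
    if spec == "ALL":
        return True
    if spec in cmnd_aliases:
        return any(_cmnd_matches(c, command, cmnd_aliases) for c in cmnd_aliases[spec])
    # Simplified: compare the executable path only; real sudo also matches arguments.
    return spec.split()[0] == command.split()[0]


def resolve(sudoers_text, user, groups, command, runas="root"):
    """Evaluate entries in order; the last matching entry decides the outcome.

    Returns (allowed, nopasswd, matched_rule_line)."""
    user_aliases, cmnd_aliases, rules = parse_sudoers(sudoers_text)
    result = (False, False, None)
    for rule in rules:
        if rule["host"] != "ALL":
            continue  # simplified: hostname not modelled
        if not _user_matches(rule["user"], user, groups, user_aliases):
            continue
        if rule["runas"] not in ("ALL", runas):
            continue
        for cmd, nopasswd in rule["cmds"]:
            if _cmnd_matches(cmd, command, cmnd_aliases):
                result = (True, nopasswd, rule["line"])
    return result


if __name__ == "__main__":
    # /bin/su is the resolved path of `su` on RHEL6 (assumption for this model).
    for cmd in ("/bin/su -", "/usr/lbin/modprpw"):
        allowed, nopasswd, line = resolve(SUDOERS, "username", GROUPS["username"], cmd)
        print(f"{cmd!r}: allowed={allowed} nopasswd={nopasswd} via: {line}")
```

Run stand-alone, the model reports what the quoted policy should yield: `su -` is permitted only through the %wheel entry, whose commands carry no NOPASSWD tag, so a password prompt is the expected outcome, while the SACMD commands resolve to the SYSADMIN entry and are password-free. When a live host answers differently, the model's inputs are the audit checklist: the sudoers text actually in effect on that host, the account's real group membership, and the order of the matching entries.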

