[sudo-workers] Disabling the "not allowed" message

Daniel Kopecek dkopecek at redhat.com
Mon Nov 5 10:29:36 EST 2012


Hello,
  I'm trying to get rid of the last message after an authentication 
failure saying "Sorry, user ... is not allowed to execute '....' ...". 
Since this message is appearing without authenticating with a correct 
password first, it leaks information about the allowed commands (it 
won't appear when the command is allowed):

# grep dnk /etc/sudoers
dnk ALL=(ALL) /bin/ls

$ sudo -V
Sudo version 1.8.6p3
Sudoers policy plugin version 1.8.6p3
Sudoers file grammar version 42
Sudoers I/O plugin version 1.8.6p3

$ sudo id
[sudo] password for dnk:
Sorry, try again.
[sudo] password for dnk:
Sorry, try again.
[sudo] password for dnk:
Sorry, try again.
sudo: 3 incorrect password attempts
Sorry, user dnk is not allowed to execute '/bin/id' as root on 
x220.localdomain.

$ sudo ls
[sudo] password for dnk:
Sorry, try again.
[sudo] password for dnk:
Sorry, try again.
[sudo] password for dnk:
Sorry, try again.
sudo: 3 incorrect password attempts

It looks like this behavior cannot be changed at run-time with a 
Defaults option. However, the path_info Defaults option looks like an 
option whose scope could be extended to cover this case also. What do 
you think?

Thanks,
Dan K.
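
The two transcripts quoted in the message above can be turned into a regression check for this behaviour. This is an added example, not part of the original post or of sudo itself; the function names are hypothetical, and it only inspects already-captured output, masking the quoted command so that the comparison flags a difference in the message and not in the command the caller typed.

```python
import re

# Captured stderr from the two runs in the message above (sudo 1.8.6p3,
# three wrong passwords each); /bin/ls is the only command in sudoers.
FAILED_AUTH = "[sudo] password for dnk:\nSorry, try again.\n" * 3
DENIED = (FAILED_AUTH + "sudo: 3 incorrect password attempts\n"
          "Sorry, user dnk is not allowed to execute '/bin/id' as root on \n"
          "x220.localdomain.\n")
ALLOWED = FAILED_AUTH + "sudo: 3 incorrect password attempts\n"

AUTH_FAIL = re.compile(r"^sudo: \d+ incorrect password attempts?$")


def after_auth_failure(transcript):
    """Return what sudo printed after its last authentication-failure line."""
    lines = [ln.strip() for ln in transcript.splitlines() if ln.strip()]
    for i in range(len(lines) - 1, -1, -1):
        if AUTH_FAIL.match(lines[i]):
            tail = " ".join(lines[i + 1:])  # rejoin wrapped terminal lines
            # Mask the echoed command: the caller already knows what they typed.
            return re.sub(r"'[^']*'", "'<cmd>'", tail)
    raise ValueError("not a failed-authentication transcript")


def policy_oracle(transcripts):
    """Compare post-failure output across commands.

    Returns (leaks, tails): leaks is True when an unauthenticated caller can
    tell commands apart from the output alone; tails maps command -> output.
    """
    tails = {cmd: after_auth_failure(t) for cmd, t in transcripts.items()}
    return len(set(tails.values())) > 1, tails


if __name__ == "__main__":
    leaks, tails = policy_oracle({"id": DENIED, "ls": ALLOWED})
    print("policy leak before authentication:", leaks)
    for cmd, tail in tails.items():
        print(f"  sudo {cmd}: {tail or '(nothing after the failure line)'}")
```

Run against transcripts captured from a build with the message suppressed, the check should report no leak, which makes it usable as a test for the change proposed above.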




