On 10/07/2015 10:03 AM, Jakub Hrozek wrote:
On Tue, Oct 06, 2015 at 06:28:14PM +0200, Karl Forner wrote:
Hello,

I had assumed sudo rules worked because I have an "allow_all for admins"
sudo rule that seemed to work, but I wonder if there is an implicit rule
for the special group admins ?


Because I have tried to replicate this allow_all rule for for other user
groups, and it does not seem to work at all.
What's strange is that "sudo -l"  report the appropriate rules, but they do
not work.

For instance, some users have: (ALL) ALL listed with sudo -l, but they can
not use sudo.

My user has:
     (root) NOPASSWD: /usr/bin/git status, /usr/local/bin/git status
     (ALL) ALL
     (root) NOPASSWD: /bin/chgrp qbstaff *, /bin/chmod g[+-]* *, /bin/chmod
-R g[+-]* *
     (ALL) NOPASSWD: /usr/bin/less
     (ALL) ALL

but I'm prompted a password when doing "sudo /usr/bin/less".

How can I debug this ?

Pavel (CC) has a nice sudo debug howto, maybe it would be helpful?

Hi,
you are prompted for password because (ALL) ALL rule is applied because of last-match rule. See: http://www.sudo.ws/man/1.8.13/sudoers.ldap.man.html sudoOrder.


--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to