Re: [CentOS] sudo (+ldap+kerberos) not accepting password

2014-01-19 Thread Mauricio Tavares
On Sun, Jan 19, 2014 at 6:12 PM, Mauricio Tavares  wrote:
> So I have this centos 5.10 box which authenticates network users
> against ldap(authorizing)+kerberos(authentication). And I now would
> like to have sudo be able to allow admins (netgroup chinbeards) to
> sudo about. I am not using sssd though (yet).
>
> Here is the output of me trying sudo (debug on):
>
> [raub@centos5-x64 ~]$ sudo pwd
> LDAP Config Summary
> ===
> uri              ldap://idir1.internal.domain.com/ ldap://idir2.internal.domain.com/
> ldap_version     3
> sudoers_base     ou=SUDOers,dc=domain,dc=com
> binddn           (anonymous)
> bindpw           (anonymous)
> bind_timelimit   12
> timelimit        120
> ssl              start_tls
> tls_cacertdir    /etc/openldap/cacerts
> ===
> sudo: ldap_initialize(ld, ldap://idir1.internal.domain.com/
> ldap://idir2.internal.domain.com/)
> sudo: ldap_set_option: debug -> 0
> sudo: ldap_set_option: ldap_version -> 3
> sudo: ldap_set_option: tls_cacertdir -> /etc/openldap/cacerts
> sudo: ldap_set_option: timelimit -> 120
> sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 120)
>
> sudo: ldap_start_tls_s() ok
> sudo: ldap_sasl_bind_s() ok
> sudo: found:cn=defaults,ou=SUDOers,dc=domain,dc=com
> sudo: ldap sudoOption: 'env_keep+=SSH_AGENT_PID'
> sudo: ldap sudoOption: 'env_keep+=SSH_AUTH_SOCK'
> sudo: ldap sudoOption: 'env_keep+=SVN_SSH'
> sudo: ldap sudoOption: 'env_reset'
> sudo: ldap sudoOption: 'ignore_local_sudoers'
> sudo: ldap search
> '(|(sudoUser=raub)(sudoUser=%raub)(sudoUser=%chinbeards)(sudoUser=ALL))'
> sudo: ldap search 'sudoUser=+*'
> sudo: found:cn=defaults,ou=SUDOers,dc=domain,dc=com
> sudo: ldap sudoUser netgroup '+chinbeards' ... MATCH!
> sudo: ldap sudoHost 'ALL' ... MATCH!
> sudo: ldap sudoCommand 'ALL' ... MATCH!
> sudo: Command allowed
> sudo: ldap sudoOption: 'env_keep+=SSH_AGENT_PID'
> sudo: ldap sudoOption: 'env_keep+=SSH_AUTH_SOCK'
> sudo: ldap sudoOption: 'env_keep+=SVN_SSH'
> sudo: ldap sudoOption: 'env_reset'
> sudo: ldap sudoOption: 'ignore_local_sudoers'
> sudo: user_matches=1
> sudo: host_matches=1
> sudo: sudo_ldap_lookup(0)=0x02
> [sudo] password for raub:
>
> It seems to me that it had no issues finding that I belong to the
> netgroup chinbeards (allowed to sudo), and realizing I can do a
> command. So, to me the sudo+ldap part of the transaction
> (authorization, kinda of what is mentioned in
> http://www.sudo.ws/sudoers.ldap.man.html and
> http://www.gratisoft.us/sudo/readme_ldap.html) seem to be fine.
>
> But, in the next step -- it asks for password -- is when things get
> interesting. At this point I would expect it to pass that to pam,
> which would then authenticate me with kerberos (I wonder if it would
> work by checking if I have a valid kerberos ticket. That is what
> happens when I, say, do ldapsearch. but I digress). But, according to
> /var/log/secure,
>
> Jan 17 10:07:13 centos5-x64 sudo: pam_unix(sudo:auth): authentication
> failure; logname=raub uid=0 euid=0 tty=/dev/pts/0 ruser= rhost=
> user=raub
>
> It seems to have failed to authenticate me. Would it be due to pam not
> knowing about kerberos?
>
> Reading 
> http://www.centos.org/docs/5/html/5.2/Deployment_Guide/s1-kerberos-pam.html,
> should I be able to get pam_krb5 in, say, /etc/pam.d/system-auth like
> this:
>
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> auth        required      pam_env.so
> auth        sufficient    pam_unix.so nullok try_first_pass
> auth        requisite     pam_succeed_if.so uid >= 500 quiet
> auth        sufficient    pam_krb5.so use_first_pass
> auth        required      pam_deny.so
>
> account     required      pam_unix.so
> account     sufficient    pam_succeed_if.so uid < 500 quiet
> account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
> account     required      pam_permit.so
>
> password    requisite     pam_cracklib.so try_first_pass retry=3
> password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
> password    sufficient    pam_krb5.so use_authtok
> password    required      pam_deny.so
>
> session     optional      pam_keyinit.so revoke
> session     required      pam_limits.so
> session     optional      pam_mkhomedir.so
> session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> session     required      pam_unix.so
> session     optional      pam_krb5.so

  Ok, I am not saying what I wrote above is proper, but the auth
entry is enough to satisfy sudo. But how do I now tell authconfig to
edit the file properly? The way I did it was

authconfig --enableldap --enableldaptls \
  --ldapserver=idir1.internal.domain.com,idir2.internal.domain.com \
  --ldapbasedn=dc=domain,dc=com --enablekrb5 --passalgo=sha512 \
  --disablemd5 --update

but that does not seem to add the line to /etc/pam.d/system-auth to
tell it that kerberos is in the house.

[CentOS] sudo (+ldap+kerberos) not accepting password

2014-01-19 Thread Mauricio Tavares
So I have this centos 5.10 box which authenticates network users
against ldap(authorizing)+kerberos(authentication). And I now would
like to have sudo be able to allow admins (netgroup chinbeards) to
sudo about. I am not using sssd though (yet).

Here is the output of me trying sudo (debug on):

[raub@centos5-x64 ~]$ sudo pwd
LDAP Config Summary
===
uri              ldap://idir1.internal.domain.com/ ldap://idir2.internal.domain.com/
ldap_version     3
sudoers_base     ou=SUDOers,dc=domain,dc=com
binddn           (anonymous)
bindpw           (anonymous)
bind_timelimit   12
timelimit        120
ssl              start_tls
tls_cacertdir    /etc/openldap/cacerts
===
sudo: ldap_initialize(ld, ldap://idir1.internal.domain.com/
ldap://idir2.internal.domain.com/)
sudo: ldap_set_option: debug -> 0
sudo: ldap_set_option: ldap_version -> 3
sudo: ldap_set_option: tls_cacertdir -> /etc/openldap/cacerts
sudo: ldap_set_option: timelimit -> 120
sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 120)

sudo: ldap_start_tls_s() ok
sudo: ldap_sasl_bind_s() ok
sudo: found:cn=defaults,ou=SUDOers,dc=domain,dc=com
sudo: ldap sudoOption: 'env_keep+=SSH_AGENT_PID'
sudo: ldap sudoOption: 'env_keep+=SSH_AUTH_SOCK'
sudo: ldap sudoOption: 'env_keep+=SVN_SSH'
sudo: ldap sudoOption: 'env_reset'
sudo: ldap sudoOption: 'ignore_local_sudoers'
sudo: ldap search
'(|(sudoUser=raub)(sudoUser=%raub)(sudoUser=%chinbeards)(sudoUser=ALL))'
sudo: ldap search 'sudoUser=+*'
sudo: found:cn=defaults,ou=SUDOers,dc=domain,dc=com
sudo: ldap sudoUser netgroup '+chinbeards' ... MATCH!
sudo: ldap sudoHost 'ALL' ... MATCH!
sudo: ldap sudoCommand 'ALL' ... MATCH!
sudo: Command allowed
sudo: ldap sudoOption: 'env_keep+=SSH_AGENT_PID'
sudo: ldap sudoOption: 'env_keep+=SSH_AUTH_SOCK'
sudo: ldap sudoOption: 'env_keep+=SVN_SSH'
sudo: ldap sudoOption: 'env_reset'
sudo: ldap sudoOption: 'ignore_local_sudoers'
sudo: user_matches=1
sudo: host_matches=1
sudo: sudo_ldap_lookup(0)=0x02
[sudo] password for raub:

It seems to me that it had no issues finding that I belong to the
netgroup chinbeards (allowed to sudo), and realizing I can do a
command. So, to me the sudo+ldap part of the transaction
(authorization, kinda of what is mentioned in
http://www.sudo.ws/sudoers.ldap.man.html and
http://www.gratisoft.us/sudo/readme_ldap.html) seem to be fine.

But, in the next step -- it asks for password -- is when things get
interesting. At this point I would expect it to pass that to pam,
which would then authenticate me with kerberos (I wonder if it would
work by checking if I have a valid kerberos ticket. That is what
happens when I, say, do ldapsearch. but I digress). But, according to
/var/log/secure,

Jan 17 10:07:13 centos5-x64 sudo: pam_unix(sudo:auth): authentication
failure; logname=raub uid=0 euid=0 tty=/dev/pts/0 ruser= rhost=
user=raub

It seems to have failed to authenticate me. Would it be due to pam not
knowing about kerberos?

Reading 
http://www.centos.org/docs/5/html/5.2/Deployment_Guide/s1-kerberos-pam.html,
should I be able to get pam_krb5 in, say, /etc/pam.d/system-auth like
this:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_krb5.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_krb5.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_mkhomedir.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_krb5.so
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] sudo add user script

2013-07-18 Thread Brian Mathis
Some notes:

Every time you "echo $?", you are wiping out the return status (because
echo returns a success and changes $? to 0), so none of your if statements
will ever catch any errors.

Consider getting rid of the 'if' subtrees by negating your condition, which
will make it much easier to understand what's going on.  Having 6 levels of
nested 'if's is a sure sign that something should be done differently.
    some_command
    if [[ $? -ne 0 ]]; then
        exit 1
    fi

Take a look at the bash PIPESTATUS variable and make sure you are checking
the return value of the command you actually want to know about.

Skip the sudoers.tmp stuff and just use the echo command to append to
sudoers-template directly with:
echo "..." >> /tmp/sudoers-template

You have a few commands that try to reference a file called "$SUDOers" and
"$SUDOers-template", which might expand to /usr/bin/sudoers, or might be
the literal "$SUDOers", either of which is most definitely not what you
want.

Not sure what all that "http://host.jokefire.com" stuff is, but you've
already specified your host in $USER@$HOST.  Also, http://... makes no
sense there.

Your first few $SSH lines use single quotes, so the variables inside will
never get expanded, so you'll be trying the literal '$PASSWD' as the
password.



In addition to all of that, your approach is overly complicated.  Something
much more succinct should work just fine (untested general pseudo-code):

# Make temp copy to work on
if cp /etc/sudoers /tmp/sudoers.tmp; then
    # If sudoers doesn't contain your line, then add it
    if ! grep -q "%my_group" /etc/sudoers; then
        echo "%my_group ..." >> /tmp/sudoers.tmp
    fi
    # Check syntax.  Replace original file if OK, otherwise, exit with error
    if visudo -cf /tmp/sudoers.tmp; then
        mv -f /tmp/sudoers.tmp /etc/sudoers
    else
        exit 1
    fi
else
    exit 1
fi

Since you already have access to SSH, why not copy a full script file to
the server and execute it, instead of doing each step in a separate ssh?
Like:
scp update_sudoers.sh user@host:/tmp
ssh -t user@host "echo $PASSWD | sudo -S 'bash /tmp/update_sudoers.sh;
rm -f /tmp/update_sudoers.sh'"
That won't work if the server has /tmp mounted with the "noexec" option,
but you get the idea.

It could also probably be converted into a (long) one-liner and executed
using a single ssh/sudo command.  Just be careful about quoting.


❧ Brian Mathis



On Wed, Jul 17, 2013 at 7:17 PM, Tim Dunphy  wrote:

> Hello list,
>
>  I took another stab at finding a way to add a sudo user remotely and it
> gets you most of the way there. If you execute the script as root it works
> beautifully and does just what you want. Which is add the user  to the
> group and gives that user group rights to certain commands.
>
> But if you execute it as a user who only has sudo access to the
> /etc/sudoers file it errors out.
>
> cloud:~] bluethundr% ./add_sudo.sh
> reverse mapping checking getaddrinfo for $host failed - POSSIBLE BREAK-IN
> ATTEMPT!
> [sudo] password for bluethundr: Sorry, try again.
> [sudo] password for bluethundr: Sorry, try again.
> [sudo] password for bluethundr: Sorry, try again.
> sudo: 3 incorrect password attempts
> Connection to $host closed.
> 1
> reverse mapping checking getaddrinfo for $host failed - POSSIBLE BREAK-IN
> ATTEMPT!
> bash: /tmp/sudoers.tmp: Permission denied
> Connection $host to closed.
> 1
>
> The main problem is that the script doesn't enter the password.
>
> I'm attempting to echo the user's sudo pass in like this:
>
> $SSH -t  $USER@$HOST   'echo $PASSWD | $SUDO -S
> $CP /etc/sudoers /tmp/sudoers-template'
>
>
> (of course I'm trying it out in my own environment before I try to use it
> in their environment).
>
>
> Here's the script itself, I was hoping you could offer some help here:
>
> #!/bin/bash
>
> SSH='/usr/bin/ssh'
> ECHO='/bin/echo'
> TEE='/usr/bin/tee'
> SUDO='/usr/bin/sudo'
> VISUDO='/usr/sbin/visudo'
> CP='/bin/cp'
> CAT='/bin/cat'
> USER='user'
> HOST='beta'
> PASSWD='secret'
>
>
> $SSH -t  $USER@$HOST  'echo $PASSWD | $SUDO -S
> $CP /etc/sudoers /tmp/sudoers-template'
>
>echo $?
>
>  if [ $?  -eq 0  ]; then
>  $SSH -t  $USER@$HOST  'echo $PASSWD |
> $SUDO
> -S  echo "%my_group  ALL=(root) NOPASSWD:   /sbin/service, /bin/rm,
> /usr/bin/du, /bin/df" > /tmp/sudoers.tmp'
>  echo $?
>
>
>  if [ $? -eq 0 ]; then
>  $SSH -t $USER@$HOST  "echo $PASSWD | $SUDO
> -S $CAT /tmp/sudoers.tmp | $TEE -a /tmp/sudoers-template"
> echo $?
>
>if [ $? -eq 0 ]; then
>
>$SSH  $USER@$HOST   "$VISUDO -cf
> '/tmp/sudoers-template' 2>&1 >& /dev/null"
> echo $?
>
> if [ $? -eq 0 ]; then
>   $SSH -t $USER@$HOST    "echo $PASSWD |
> $SUDO -S  $CP '/etc/$SUDOers' '/tmp/sudoers.ba
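
The exit-status and quoting points raised in the reply above, as an added example that is not part of the thread: it shows `echo $?` hiding a failure, `PIPESTATUS` exposing the failing stage of a pipeline, and what a remote shell receives from single- versus double-quoted command strings. `failing_step` and `remote_shell` are hypothetical stand-ins so it runs offline without ssh or sudo.

```bash
#!/usr/bin/env bash
# Added example; no ssh or sudo is invoked.

PASSWD='secret'                  # constructed value, as in the posted script

failing_step() { return 3; }     # stand-in for a remote step that fails

# Stand-in for the remote side of ssh: a fresh shell with an empty
# environment, so no variable of the local script is visible to it.
remote_shell() { env -i PATH="$PATH" bash -c "$1"; }

# Pitfall: "echo $?" is itself a command, so the test that follows sees
# echo's status (0) and the failure is never caught.
clobbered_check() {
    failing_step
    echo $? >/dev/null
    if [ $? -eq 0 ]; then echo "continued"; else echo "stopped"; fi
}

# Fix: save the status once and bail out early; no nested ifs needed.
captured_check() {
    local rc
    failing_step
    rc=$?
    if [ "$rc" -ne 0 ]; then
        echo "stopped rc=$rc"
        return "$rc"
    fi
    echo "continued"
}

# In "cmd | tee", $? is tee's status. PIPESTATUS holds the status of every
# stage and must be copied before any other command runs.
pipeline_statuses() {
    local st
    failing_step | cat >/dev/null
    st=("${PIPESTATUS[@]}")
    echo "first=${st[0]} last=${st[1]}"
}

# Single quotes: the local shell leaves $PASSWD alone, and the remote
# shell, which has no such variable, expands it to nothing.
single_quoted_remote() { remote_shell 'printf "[%s]" "$PASSWD"'; }

# Double quotes: the local shell substitutes the value before sending, so
# the secret becomes part of the command string itself.
double_quoted_remote() { remote_shell "printf '[%s]' '$PASSWD'"; }

printf '%s\n' "$(clobbered_check)" "$(captured_check)" \
    "$(pipeline_statuses)" "$(single_quoted_remote)" "$(double_quoted_remote)"
```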

Re: [CentOS] sudo add user script

2013-07-18 Thread Mike Burger
Consider using the NOPASSWD option, on the remote systems, to allow this
particular user to run this particular script.
-- 
Mike Burger
http://www.bubbanfriends.org

"It's always suicide-mission this, save-the-planet that. No one ever just
stops by to say 'hi' anymore." --Colonel Jack O'Neill, SG1


> Hello list,
>
>  I took another stab at finding a way to add a sudo user remotely and it
> gets you most of the way there. If you execute the script as root it works
> beautifully and does just what you want. Which is add the user  to the
> group and gives that user group rights to certain commands.
>
> But if you execute it as a user who only has sudo access to the
> /etc/sudoers file it errors out.
>
> cloud:~] bluethundr% ./add_sudo.sh
> reverse mapping checking getaddrinfo for $host failed - POSSIBLE BREAK-IN
> ATTEMPT!
> [sudo] password for bluethundr: Sorry, try again.
> [sudo] password for bluethundr: Sorry, try again.
> [sudo] password for bluethundr: Sorry, try again.
> sudo: 3 incorrect password attempts
> Connection to $host closed.
> 1
> reverse mapping checking getaddrinfo for $host failed - POSSIBLE BREAK-IN
> ATTEMPT!
> bash: /tmp/sudoers.tmp: Permission denied
> Connection $host to closed.
> 1
>
> The main problem is that the script doesn't enter the password.
>
> I'm attempting to echo the user's sudo pass in like this:
>
> $SSH -t  $USER@$HOST   'echo $PASSWD | $SUDO -S
> $CP /etc/sudoers /tmp/sudoers-template'
>
>
> (of course I'm trying it out in my own environment before I try to use it
> in their environment).
>
>
> Here's the script itself, I was hoping you could offer some help here:
>
> #!/bin/bash
>
> SSH='/usr/bin/ssh'
> ECHO='/bin/echo'
> TEE='/usr/bin/tee'
> SUDO='/usr/bin/sudo'
> VISUDO='/usr/sbin/visudo'
> CP='/bin/cp'
> CAT='/bin/cat'
> USER='user'
> HOST='beta'
> PASSWD='secret'
>
>
> $SSH -t  $USER@$HOST  'echo $PASSWD | $SUDO -S
> $CP /etc/sudoers /tmp/sudoers-template'
>
>echo $?
>
>  if [ $?  -eq 0  ]; then
>  $SSH -t  $USER@$HOST  'echo $PASSWD |
> $SUDO
> -S  echo "%my_group  ALL=(root) NOPASSWD:   /sbin/service, /bin/rm,
> /usr/bin/du, /bin/df" > /tmp/sudoers.tmp'
>  echo $?
>
>
>  if [ $? -eq 0 ]; then
>  $SSH -t $USER@$HOST  "echo $PASSWD | $SUDO
> -S $CAT /tmp/sudoers.tmp | $TEE -a /tmp/sudoers-template"
> echo $?
>
>if [ $? -eq 0 ]; then
>
>$SSH  $USER@$HOST   "$VISUDO -cf
> '/tmp/sudoers-template' 2>&1 >& /dev/null"
> echo $?
>
> if [ $? -eq 0 ]; then
>   $SSH -t $USER@$HOST    "echo $PASSWD |
> $SUDO -S  $CP '/etc/$SUDOers' '/tmp/sudoers.bak'"
>  echo $?
>
>if [ $?  -eq 0 ]; then
>  $SSH -t $USER@$HOST    "echo $PASSWD |
> $SUDO -S  $CP '/tmp/$SUDOers-template' '/etc/sudoers'"
>  echo $?
>
>  if [ $?  -eq 0 ]; then
>   $SSH -t $USER@$HOST    "echo $PASSWD
> |
> $SUDO -S $VISUDO  -cf '/etc/sudoers'"
>
>  fi
> if [ $?  -eq 0 ]; then
>   $ECHO -e "You have successfully added the user to sudoers"
> fi
> fi
>fi
> fi
>fi
> fi
>
>
>
> Thanks!
>
> --
> GPG me!!
>
> gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B

[CentOS] sudo add user script

2013-07-17 Thread Tim Dunphy
Hello list,

 I took another stab at finding a way to add a sudo user remotely and it
gets you most of the way there. If you execute the script as root it works
beautifully and does just what you want. Which is add the user  to the
group and gives that user group rights to certain commands.

But if you execute it as a user who only has sudo access to the
/etc/sudoers file it errors out.

cloud:~] bluethundr% ./add_sudo.sh
reverse mapping checking getaddrinfo for $host failed - POSSIBLE BREAK-IN
ATTEMPT!
[sudo] password for bluethundr: Sorry, try again.
[sudo] password for bluethundr: Sorry, try again.
[sudo] password for bluethundr: Sorry, try again.
sudo: 3 incorrect password attempts
Connection to $host closed.
1
reverse mapping checking getaddrinfo for $host failed - POSSIBLE BREAK-IN
ATTEMPT!
bash: /tmp/sudoers.tmp: Permission denied
Connection $host to closed.
1

The main problem is that the script doesn't enter the password.

I'm attempting to echo the user's sudo pass in like this:

$SSH -t  $USER@$HOST   'echo $PASSWD | $SUDO -S
$CP /etc/sudoers /tmp/sudoers-template'


(of course I'm trying it out in my own environment before I try to use it
in their environment).


Here's the script itself, I was hoping you could offer some help here:

#!/bin/bash

SSH='/usr/bin/ssh'
ECHO='/bin/echo'
TEE='/usr/bin/tee'
SUDO='/usr/bin/sudo'
VISUDO='/usr/sbin/visudo'
CP='/bin/cp'
CAT='/bin/cat'
USER='user'
HOST='beta'
PASSWD='secret'


$SSH -t  $USER@$HOST  'echo $PASSWD | $SUDO -S
$CP /etc/sudoers /tmp/sudoers-template'

   echo $?

 if [ $?  -eq 0  ]; then
 $SSH -t  $USER@$HOST  'echo $PASSWD | $SUDO
-S  echo "%my_group  ALL=(root) NOPASSWD:   /sbin/service, /bin/rm,
/usr/bin/du, /bin/df" > /tmp/sudoers.tmp'
 echo $?


 if [ $? -eq 0 ]; then
 $SSH -t $USER@$HOST  "echo $PASSWD | $SUDO
-S $CAT /tmp/sudoers.tmp | $TEE -a /tmp/sudoers-template"
echo $?

   if [ $? -eq 0 ]; then

   $SSH  $USER@$HOST   "$VISUDO -cf
'/tmp/sudoers-template' 2>&1 >& /dev/null"
echo $?

if [ $? -eq 0 ]; then
  $SSH -t $USER@$HOST    "echo $PASSWD |
$SUDO -S  $CP '/etc/$SUDOers' '/tmp/sudoers.bak'"
 echo $?

   if [ $?  -eq 0 ]; then
 $SSH -t $USER@$HOST    "echo $PASSWD |
$SUDO -S  $CP '/tmp/$SUDOers-template' '/etc/sudoers'"
 echo $?

 if [ $?  -eq 0 ]; then
  $SSH -t $USER@$HOST    "echo $PASSWD |
$SUDO -S $VISUDO  -cf '/etc/sudoers'"

 fi
if [ $?  -eq 0 ]; then
  $ECHO -e "You have successfully added the user to sudoers"
fi
fi
   fi
fi
   fi
fi



Thanks!

-- 
GPG me!!

gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B


Re: [CentOS] sudo issue error with securing commands

2012-11-08 Thread Stephen Harris
On Fri, Nov 09, 2012 at 11:37:34AM +1300, Gregory Machin wrote:
> line 117| greg ALL = /bin/chown -R root:root /opt
> line 118| greg ALL = /usr/bin/setfact -R -m u:greg.reeve:rwx /opt
> line 119| greg ALL = /usr/bin/setfact -d -R -m u:greg.reeve:rwx /opt

Try putting a \ in front of all the : in these lines

":" is one of the characters that needs quoting.

-- 

rgds
Stephen


[CentOS] sudo issue error with securing commands

2012-11-08 Thread Gregory Machin
Hi.

I have a user that I want to limit to only running a couple of commands ...
As in here user just copy and paste where needed, sorry that's all you're
allowed to do ... but thus far I can't get the syntax correct for the
sudoers file

line 115| greg ALL = /bin/chmod -R o+rx /opt
line 116| greg ALL = /bin/chmod -R ug+rwx /opt
line 117| greg ALL = /bin/chown -R root:root /opt
line 118| greg ALL = /usr/bin/setfact -R -m u:greg.reeve:rwx /opt
line 119| greg ALL = /usr/bin/setfact -d -R -m u:greg.reeve:rwx /opt

visudo gives me the following :

>>> /etc/sudoers: syntax error near line 116 <<<
>>> /etc/sudoers: syntax error near line 117 <<<
>>> /etc/sudoers: syntax error near line 118 <<<


what am I missing ?

thanks

G


Re: [CentOS] sudo wildcards problem: for every argument a *-wildcard? Better solution?

2011-09-21 Thread John Doe
From: Sven Aluoor 

> On Tue, Sep 20, 2011 at 1:48 PM, John Doe  wrote:
>>  Tried with -- ?
>>  Maybe replace the last * with [! ]*
> doesn't work. Any other idea?

I tried the following in /etc/sudoers:
  myuser    ALL=/o*/te*

And cat /opt/test
  #!/bin/bash
  echo "$*"
  touch /root/test

Then:
  $ sudo /opt/test agentsvc --i --u root --sn 1m7command
  agentsvc --i --u root --sn 1m7command
With a /root/test file appearing.
Seems to work fine...

JD


Re: [CentOS] sudo wildcards problem: for every argument a *-wildcard? Better solution?

2011-09-21 Thread Sven Aluoor
On Tue, Sep 20, 2011 at 1:48 PM, John Doe  wrote:
> Tried with -- ?
> Maybe replace the last * with [! ]*

doesn't work. Any other idea?


Re: [CentOS] sudo wildcards problem: for every argument a *-wildcard? Better solution?

2011-09-20 Thread John Doe
From: Sven Aluoor 

> I allow the user tommy to run this command as root
> sudoCommand: /app/appname/connectors/*/*/current/bin/*
> $ sudo /app/appname/connectors/zur/namename/current/bin/othername
> agentsvc --i --u root --sn 1m7command
> Sorry, user tommy is not allowed to execute
> '/app/appname/connectors/zur/namename/current/bin/othername agentsvc
> --i --u root --sn 1m7command' as root on testcentbox07.
> I guess because of wildcard arguments. Does every argument needs a
> *-wildcard? How to do when I don't know the number of arguments?

Tried with -- ?
Maybe replace the last * with [! ]*

JD


[CentOS] sudo wildcards problem: for every argument a *-wildcard? Better solution?

2011-09-20 Thread Sven Aluoor
Hi folks

I allow the user tommy to run this command as root

sudoCommand: /app/appname/connectors/*/*/current/bin/*

With "sudo -l" he sees the sudoers, but is unable to execute.

$ sudo /app/appname/connectors/zur/namename/current/bin/othername
agentsvc --i --u root --sn 1m7command
Sorry, user tommy is not allowed to execute
'/app/appname/connectors/zur/namename/current/bin/othername agentsvc
--i --u root --sn 1m7command' as root on testcentbox07.

I guess because of wildcard arguments. Does every argument needs a
*-wildcard? How to do when I don't know the number of arguments?

cheers Sven


Re: [CentOS] Sudo #includedir function ignored CentOS 6

2011-08-02 Thread Trey Dockendorf
On Wed, Jul 27, 2011 at 7:39 AM, Craig White  wrote:

> On Tue, 2011-07-26 at 15:59 -0500, Trey Dockendorf wrote:
> > Well I verified that putting the following line in /etc/sudoers works
> >
> >
> > zabbix ALL=NOPASSWD: /var/lib/zabbix/bin/start_puppet
> >
> >
> > However if I put it in /etc/sudoers.d/zabbix-puppet it does not.
> >  Exact same spacing and everything.
> >
> >
> > The file was created with Puppet , and based on these errors I'm at a
> > loss...
> >
> >
> > I check the syntax, it fails
> >
> >
> > # visudo -c -f /etc/sudoers.d/zabbix-puppet
> > >>> /etc/sudoers.d/zabbix-puppet: syntax error near line 0 <<<
> > parse error in /etc/sudoers.d/zabbix-puppet near line 0
> >
> >
> > I then open the file with visudo, make absolutely no changes, just ":q"
> > out, still get error.
> >
> >
> > # visudo -f /etc/sudoers.d/zabbix-puppet
> > >>> /etc/sudoers.d/zabbix-puppet: syntax error near line 0 <<<
> >
> >
> > Then if I run the syntax check again it passes.  However I still can't
> > run the command without password prompt.
> >
> >
> > # visudo -c -f /etc/sudoers.d/zabbix-puppet
> > /etc/sudoers.d/zabbix-puppet: parsed OK
> >
> >
> > The files permissions are correct as specified by sudoers
> > documentation on #includedir
> 
> probably should ask on the puppet list since using an includedir
> function would be far more likely with puppet where most people would
> just tack on their edits to /etc/sudoers directly.
>
> I am sort of interested in your solution by the way (I am on the puppet
> list too) because I use puppet but so far, only on Ubuntu and it appears
> that our CentOS systems will eventually be phased out.
>
> by the way, I have seen the same sort of spookiness about syntax errors
> created by visudo on Ubuntu 10.04 on perfectly valid edits. Had me
> scratching my head too. I used to always just use emacs to edit the file
> but at work, I try to play by the conventions.
>
> Craig
>
>


Craig,

I got things working... I posted my module on github if you're interested,
https://github.com/treydock/puppet-sudo .  Was two problems.  First was
can't have quotations around the #includedir path, second was that puppet
wasn't puppeting a new line character in the file when using the "content"
approach (see modules note).

- Trey
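
A pre-flight check for the two problems reported in this thread (a quoted `#includedir` path and a drop-in without a final newline), as an added example that is not from the thread or from the puppet-sudo module. It also checks the 0440 mode shown in the listing and the sudoers manual's rule that files in an include directory are skipped when their names end in `~` or contain a `.`; the function names are hypothetical.

```bash
#!/usr/bin/env bash
# Added example: lint a sudoers.d drop-in before relying on it.

# lint_dropin FILE
# Prints one line per problem found; returns 0 only when the file is clean.
lint_dropin() {
    local f=$1 base problems=0
    base=${f##*/}

    # Files whose names end in '~' or contain '.' are not read from an
    # #includedir directory, so the rule would silently never apply.
    case $base in
        *~|*.*) echo "name: '$base' would be skipped by #includedir"
                problems=1 ;;
    esac

    # The thread's second problem: content written without a final newline.
    if [ "$(tail -c 1 "$f" | wc -l)" -ne 1 ]; then
        echo "newline: file does not end with a newline"
        problems=1
    fi

    # Mode from the listing in the thread (r--r-----).
    if [ -z "$(find "$f" -prune -perm 0440)" ]; then
        echo "mode: expected 0440"
        problems=1
    fi
    return "$problems"
}

# lint_includedir SUDOERS
# The thread's first problem: quotation marks around the #includedir path.
lint_includedir() {
    if grep -Eq '^#includedir[[:space:]]+"' "$1"; then
        echo "includedir: path is quoted"
        return 1
    fi
}

# validate_dropin FILE
# Run the lint first, then the syntax check used throughout the thread.
validate_dropin() {
    lint_dropin "$1" && visudo -c -f "$1"
}

# Usage: script FILE   (does nothing when called without arguments)
if [ "$#" -gt 0 ]; then
    validate_dropin "$1"
fi
```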


Re: [CentOS] Sudo #includedir function ignored CentOS 6

2011-07-27 Thread Craig White
On Tue, 2011-07-26 at 15:59 -0500, Trey Dockendorf wrote:
> Well I verified that putting the following line in /etc/sudoers works
> 
> 
> zabbix ALL=NOPASSWD: /var/lib/zabbix/bin/start_puppet
> 
> 
> However if I put it in /etc/sudoers.d/zabbix-puppet it does not.
>  Exact same spacing and everything.
> 
> 
> The file was created with Puppet , and based on these errors I'm at a
> loss...
> 
> 
> I check the syntax, it fails
> 
> 
> # visudo -c -f /etc/sudoers.d/zabbix-puppet 
> >>> /etc/sudoers.d/zabbix-puppet: syntax error near line 0 <<<
> parse error in /etc/sudoers.d/zabbix-puppet near line 0
> 
> 
> I then open the file with visudo, make absolutely no changes, just ":q"
> out, still get error.
> 
> 
> # visudo -f /etc/sudoers.d/zabbix-puppet 
> >>> /etc/sudoers.d/zabbix-puppet: syntax error near line 0 <<<
> 
> 
> Then if I run the syntax check again it passes.  However I still can't
> run the command without password prompt.
> 
> 
> # visudo -c -f /etc/sudoers.d/zabbix-puppet 
> /etc/sudoers.d/zabbix-puppet: parsed OK
> 
> 
> The files permissions are correct as specified by sudoers
> documentation on #includedir

probably should ask on the puppet list since using an includedir
function would be far more likely with puppet where most people would
just tack on their edits to /etc/sudoers directly.

I am sort of interested in your solution by the way (I am on the puppet
list too) because I use puppet but so far, only on Ubuntu and it appears
that our CentOS systems will eventually be phased out.

by the way, I have seen the same sort of spookiness about syntax errors
created by visudo on Ubuntu 10.04 on perfectly valid edits. Had me
scratching my head too. I used to always just use emacs to edit the file
but at work, I try to play by the conventions.

Craig




Re: [CentOS] Sudo #includedir function ignored CentOS 6

2011-07-26 Thread Trey Dockendorf
Well I verified that putting the following line in /etc/sudoers works

zabbix ALL=NOPASSWD: /var/lib/zabbix/bin/start_puppet

However if I put it in /etc/sudoers.d/zabbix-puppet it does not.  Exact same
spacing and everything.

The file was created with Puppet , and based on these errors I'm at a
loss...

I check the syntax, it fails

# visudo -c -f /etc/sudoers.d/zabbix-puppet
>>> /etc/sudoers.d/zabbix-puppet: syntax error near line 0 <<<
parse error in /etc/sudoers.d/zabbix-puppet near line 0

I then open the file with visudo, make absolutely no changes, just ":q" out,
still get error.

# visudo -f /etc/sudoers.d/zabbix-puppet
>>> /etc/sudoers.d/zabbix-puppet: syntax error near line 0 <<<

Then if I run the syntax check again it passes.  However I still can't run
the command without password prompt.

# visudo -c -f /etc/sudoers.d/zabbix-puppet
/etc/sudoers.d/zabbix-puppet: parsed OK

The files permissions are correct as specified by sudoers documentation on
#includedir

-r--r-----   1 root root   56 Jul 26 15:55 zabbix-puppet


Does anyone else have the #includedir working in CentOS 5.6 or 6?

Thanks
- Trey


On Mon, Jul 25, 2011 at 7:12 PM, John R Pierce  wrote:

> On 07/25/11 4:41 PM, Trey Dockendorf wrote:
> > I am unable to get the #includedir function to work with sudo.  This
> > works just fine on all my CentOS 5.6 servers, but on 6 it is being
> > ignored.  I have this line in the file /etc/sudoers.d/zabbix-puppet
> >
> > zabbix ALL=NOPASSWD: /var/lib/zabbix/bin/start_puppet
> >
> > However sudo still requires a password.  If I put that same line into
> > /etc/sudoers file , there is no password prompt.  At the end of my
> > sudoers file I have this line
> >
> > #includedir "/etc/sudoers.d"
> >
>
> did you edit these files with visudo -f /path/to/file ?   I'd try that.
>
>
> --
> john r pierce                            N 37, W 122
> santa cruz ca                         mid-left coast
>


Re: [CentOS] Sudo #includedir function ignored CentOS 6

2011-07-25 Thread John R Pierce
On 07/25/11 4:41 PM, Trey Dockendorf wrote:
> I am unable to get the #includedir function to work with sudo.  This 
> works just fine on all my CentOS 5.6 servers, but on 6 it is being 
> ignored.  I have this line in the file /etc/sudoers.d/zabbix-puppet
>
> zabbix ALL=NOPASSWD: /var/lib/zabbix/bin/start_puppet
>
> However sudo still requires a password.  If I put that same line into 
> /etc/sudoers file , there is no password prompt.  At the end of my 
> sudoers file I have this line
>
> #includedir "/etc/sudoers.d"
>

did you edit these files with visudo -f /path/to/file ?   I'd try that.


-- 
john r pierce                            N 37, W 122
santa cruz ca                         mid-left coast



Re: [CentOS] Sudo #includedir function ignored CentOS 6

2011-07-25 Thread Tom H
On Mon, Jul 25, 2011 at 7:41 PM, Trey Dockendorf  wrote:
>
> I am unable to get the #includedir function to work with sudo.  This works
> just fine on all my CentOS 5.6 servers, but on 6 it is being ignored.  I
> have this line in the file /etc/sudoers.d/zabbix-puppet
> zabbix ALL=NOPASSWD: /var/lib/zabbix/bin/start_puppet
> However sudo still requires a password.  If I put that same line into
> /etc/sudoers file , there is no password prompt.  At the end of my sudoers
> file I have this line
> #includedir "/etc/sudoers.d"
> It seems that line is being ignored.
> The permissions on the file in that directory are 0440.

Have you tried "zabbix ALL = NOPASSWD:
/var/lib/zabbix/bin/start_puppet" (spaces before and after "=")?


Re: [CentOS] Sudo #includedir function ignored CentOS 6

2011-07-25 Thread Trey Dockendorf
Correction, seems to be broken in 5.6 as well...I also had this interesting
argument with sudo...

# visudo -c -f /etc/sudoers.d/zabbix-puppet
>>> /etc/sudoers.d/zabbix-puppet: syntax error near line 0 <<<
parse error in /etc/sudoers.d/zabbix-puppet near line 0

(((NOTE: I made absolutely no changes , just did ":q")))
# visudo -f /etc/sudoers.d/zabbix-puppet
>>> /etc/sudoers.d/zabbix-puppet: syntax error near line 0 <<<


# visudo -c -f /etc/sudoers.d/zabbix-puppet
/etc/sudoers.d/zabbix-puppet: parsed OK


:-/

- Trey


On Mon, Jul 25, 2011 at 6:41 PM, Trey Dockendorf  wrote:

> I am unable to get the #includedir function to work with sudo.  This works
> just fine on all my CentOS 5.6 servers, but on 6 it is being ignored.  I
> have this line in the file /etc/sudoers.d/zabbix-puppet
>
> zabbix ALL=NOPASSWD: /var/lib/zabbix/bin/start_puppet
>
> However sudo still requires a password.  If I put that same line into
> /etc/sudoers file , there is no password prompt.  At the end of my sudoers
> file I have this line
>
> #includedir "/etc/sudoers.d"
>
> It seems that line is being ignored.
>
> The permissions on the file in that directory are 0440.
>
> Any ideas would be greatly appreciated.
>
> Thanks
> - Trey
>


[CentOS] Sudo #includedir function ignored CentOS 6

2011-07-25 Thread Trey Dockendorf
I am unable to get the #includedir function to work with sudo.  This works
just fine on all my CentOS 5.6 servers, but on 6 it is being ignored.  I
have this line in the file /etc/sudoers.d/zabbix-puppet

zabbix ALL=NOPASSWD: /var/lib/zabbix/bin/start_puppet

However sudo still requires a password.  If I put that same line into
/etc/sudoers file , there is no password prompt.  At the end of my sudoers
file I have this line

#includedir "/etc/sudoers.d"

It seems that line is being ignored.

The permissions on the file in that directory are 0440.

Any ideas would be greatly appreciated.

Thanks
- Trey


Re: [CentOS] sudo doing DNS lookup

2010-12-10 Thread Nico Kadel-Garcia
On Fri, Dec 10, 2010 at 8:43 AM, Steve Clark  wrote:
> Hi,
>
> I have a confusing problem. I have two centos 5,5 boxes. Both have
> sudo.i386    1.7.2p1-9.el5_5
> installed
>
> I am using the same sudoers file, but the one on box A keeps trying to do
> DNS lookups
> while the one on box B does not. How do I disable this DNS lookup?
>
> Thanks for any info.

It's probably looking up the hostname of the host you're on, to match
against host information in sudoers entries. Do you have your hostname
and IP address in /etc/hosts on each machine? And do you have fully
qualified hostnames, matching the entries in /etc/hosts?


Re: [CentOS] sudo doing DNS lookup

2010-12-10 Thread Tom H
On Fri, Dec 10, 2010 at 2:23 PM, Steve Clark  wrote:
> On 12/10/2010 10:40 AM, Tom H wrote:
> On Fri, Dec 10, 2010 at 8:43 AM, Steve Clark  wrote:
>>>
>>> I have a confusing problem. I have two centos 5,5 boxes. Both have
>>> sudo.i386    1.7.2p1-9.el5_5
>>> installed
>>>
>>> I am using the same sudoers file, but the one on box A keeps trying to do
>>> DNS lookups while the one on box B does not. How do I disable this DNS
>>> lookup?
>>
>> Do both hosts have their hostnames in "/etc/hosts"?
>>
>> Do both hosts have "hosts: files dns" in "/etc/nsswitch.conf"?
>
> I have resolved the problem as far why they behaved differently.
> Someone had put an entry in /etc/resolv.conf when normally we run our
> own nameserver at 127.0.0.1.
> Putting a hostname and address in the /etc/hosts also fixed the problem.
>
> But I still don't understand why it wants to do a DNS lookup when I don't
> have
> Defaults fqdn
> in the sudoers file.

A WAG: Since sudo rights are assigned on a box by box basis (unless
you use "ALL"), sudo has to check on which box you are running it.


Re: [CentOS] sudo doing DNS lookup

2010-12-10 Thread Steve Clark

On 12/10/2010 10:40 AM, Tom H wrote:
> On Fri, Dec 10, 2010 at 8:43 AM, Steve Clark wrote:
>> I have a confusing problem. I have two centos 5,5 boxes. Both have
>> sudo.i386    1.7.2p1-9.el5_5
>> installed
>>
>> I am using the same sudoers file, but the one on box A keeps trying to do
>> DNS lookups while the one on box B does not. How do I disable this DNS
>> lookup?
>
> Do both hosts have their hostnames in "/etc/hosts"?
>
> Do both hosts have "hosts: files dns" in "/etc/nsswitch.conf"?

strace shows the  DNS lookup.

I have resolved the problem as far why they behaved differently.
Someone had put an entry in /etc/resolv.conf when normally we run our
own nameserver at 127.0.0.1.
Putting a hostname and address in the /etc/hosts also fixed the problem.

But I still don't understand why it wants to do a DNS lookup when I don't
have
Defaults fqdn
in the sudoers file.

Again here is part of an strace of sudo cat /etc/rc.local;

...
socket(PF_INET, SOCK_DGRAM, IPPROTO_IP) = 4
connect(4, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("127.0.0.1")}, 28) = 0
fcntl64(4, F_GETFL) = 0x2 (flags O_RDWR)
fcntl64(4, F_SETFL, O_RDWR|O_NONBLOCK)  = 0
gettimeofday({1292009049, 862615}, NULL) = 0
poll([{fd=4, events=POLLOUT}], 1, 0) = 1 ([{fd=4, revents=POLLOUT}])
send(4, "\206r\1\0\0\1\0\0\0\0\0\0\5Z7070\tnetwolves\3com"..., 37, MSG_NOSIGNAL) = 37
poll([{fd=4, events=POLLIN}], 1, 5000)  = 1 ([{fd=4, revents=POLLIN}])
ioctl(4, FIONREAD, [86]) = 0
recvfrom(4, "\206r\205\203\0\1\0\0\0\1\0\0\5Z7070\tnetwolves\3com"..., 1024, 0, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("127.0.0.1")}, [16]) = 86
close(4) = 0
socket(PF_INET, SOCK_DGRAM, IPPROTO_IP) = 4
connect(4, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("127.0.0.1")}, 28) = 0
fcntl64(4, F_GETFL) = 0x2 (flags O_RDWR)
fcntl64(4, F_SETFL, O_RDWR|O_NONBLOCK)  = 0
gettimeofday({1292009049, 864056}, NULL) = 0
poll([{fd=4, events=POLLOUT}], 1, 0) = 1 ([{fd=4, revents=POLLOUT}])
send(4, "\324\305\1\0\0\1\0\0\0\0\0\0\5Z7070\tnetwolves\3com"..., 51, MSG_NOSIGNAL) = 51
poll([{fd=4, events=POLLIN}], 1, 5000)  = 1 ([{fd=4, revents=POLLIN}])
ioctl(4, FIONREAD, [100]) = 0
recvfrom(4, "\324\305\205\203\0\1\0\0\0\1\0\0\5Z7070\tnetwolves\3com"..., 1024, 0, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("127.0.0.1")}, [16]) = 100
close(4) = 0
readlink("/proc/self/exe", "/usr/bin/sudo"..., 4095) = 13

--
Stephen Clark
*NetWolves*
Sr. Software Engineer III
Phone: 813-579-3200
Fax: 813-882-0209
Email: steve.cl...@netwolves.com
http://www.netwolves.com


Re: [CentOS] sudo doing DNS lookup

2010-12-10 Thread Tom H
On Fri, Dec 10, 2010 at 8:43 AM, Steve Clark  wrote:
>
> I have a confusing problem. I have two centos 5,5 boxes. Both have
> sudo.i386    1.7.2p1-9.el5_5
> installed
>
> I am using the same sudoers file, but the one on box A keeps trying to do
> DNS lookups while the one on box B does not. How do I disable this DNS
> lookup?

Do both hosts have their hostnames in "/etc/hosts"?

Do both hosts have "hosts: files dns" in "/etc/nsswitch.conf"?


Re: [CentOS] sudo doing DNS lookup

2010-12-10 Thread John Hodrien
On Fri, 10 Dec 2010, Scott Robbins wrote:

> Just to eliminate other possibilities--are either of these
> authenticating against an LDAP server?

That was entirely the line I was probing.  nsswitch.conf would be telling.

jh


Re: [CentOS] sudo doing DNS lookup

2010-12-10 Thread John Doe
From: Steve Clark 
> Without the:
> Defaults fqdn
> it hangs for a long time, this is when I don't have connection to the net,
> if I have connection there is just a slight pause while tries to do the DNS 
> lookup.

Did you compare the following files between both servers?
  /etc/hosts
  /etc/resolv.conf
  /etc/nsswitch.conf

JD


  


Re: [CentOS] sudo doing DNS lookup

2010-12-10 Thread Scott Robbins
On Fri, Dec 10, 2010 at 02:53:19PM +, John Hodrien wrote:
> On Fri, 10 Dec 2010, Steve Clark wrote:
> 

> > it hangs for a long time, this is when I don't have connection to the net,
> > if I have connection there is just a slight pause while tries to do the DNS
> > lookup.
> 
> What makes you sure it's a DNS lookup that causes the long hang when there's
> no network connection?
> 

Just to eliminate other possibilities--are either of these
authenticating against an LDAP server?

-- 
Scott Robbins
PGP keyID EB3467D6
( 1B48 077D 66F6 9DB0 FDC2 A409 FA54 EB34 67D6 )
gpg --keyserver pgp.mit.edu --recv-keys EB3467D6

Xander: Generally speaking, when scary things get scared, not 
good. 



Re: [CentOS] sudo doing DNS lookup

2010-12-10 Thread John Hodrien
On Fri, 10 Dec 2010, Steve Clark wrote:

> it hangs for a long time, this is when I don't have connection to the net,
> if I have connection there is just a slight pause while tries to do the DNS
> lookup.

What makes you sure it's a DNS lookup that causes the long hang when there's
no network connection?

jh


Re: [CentOS] sudo doing DNS lookup

2010-12-10 Thread Steve Clark

On 12/10/2010 09:04 AM, John Doe wrote:
> From: Steve Clark
>> I have a confusing problem. I have two centos 5,5 boxes. Both have
>> sudo.i386    1.7.2p1-9.el5_5
>> installed
>> I am using the same sudoers file, but the one on box A keeps trying to do DNS
>> lookups
>> while the one on box B does not. How do I disable this DNS lookup?
>
> Do you have fqdn in sudoers?

No, that's the crazy part. I don't have that enabled and it still does the
DNS lookup. I tried turning it on to see what would happen and the
only thing different was it spit out:
$ sudo vi /etc/resolv.conf
sudo: unable to resolve host Z7070.netwolves.com
Vim: Caught deadly signal TERM

Vim: Finished.
Terminated

I finally killed it from another terminal cause it was taking so long.

Without the:
Defaults fqdn
it hangs for a long time, this is when I don't have connection to the net,
if I have connection there is just a slight pause while tries to do the DNS
lookup.

> man sudoers:
> "Beware that turning on fqdn requires sudo to make DNS
>  lookups which may make sudo unusable if DNS stops
>  working"
>
> JD


--
Stephen Clark
*NetWolves*
Sr. Software Engineer III
Phone: 813-579-3200
Fax: 813-882-0209
Email: steve.cl...@netwolves.com
http://www.netwolves.com


Re: [CentOS] sudo doing DNS lookup

2010-12-10 Thread John Doe
From: Steve Clark 
>I have a confusing problem. I have two centos 5,5 boxes. Both have
>sudo.i386    1.7.2p1-9.el5_5
>installed
>I am using the same sudoers file, but the one on box A keeps trying to do DNS
>lookups
>while the one on box B does not. How do I disable this DNS lookup?

Do you have fqdn in sudoers?

man sudoers:
"Beware that turning on fqdn requires sudo to make DNS
 lookups which may make sudo unusable if DNS stops
 working"

JD


  


Re: [CentOS] sudo doing DNS lookup

2010-12-10 Thread Steve Clark

On 12/10/2010 08:46 AM, Baird, Josh wrote:
> Maybe I am missing something here.. but what does 'sudo' have to do
> with DNS resolution?
>
> *From:* centos-boun...@centos.org [mailto:centos-boun...@centos.org]
> *On Behalf Of *Steve Clark
> *Sent:* Friday, December 10, 2010 7:44 AM
> *To:* CentOS mailing list
> *Subject:* [CentOS] sudo doing DNS lookup
>
> Hi,
>
> I have a confusing problem. I have two centos 5,5 boxes. Both have
> sudo.i386    1.7.2p1-9.el5_5
> installed
>
> I am using the same sudoers file, but the one on box A keeps trying to
> do DNS lookups
> while the one on box B does not. How do I disable this DNS lookup?
>
> Thanks for any info.

That is a very good question.

But here is part of an strace of
sudo cat /etc/hosts


socket(PF_INET, SOCK_DGRAM, IPPROTO_IP) = 4
connect(4, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("198.6.1.4")}, 28) = 0
fcntl64(4, F_GETFL) = 0x2 (flags O_RDWR)
fcntl64(4, F_SETFL, O_RDWR|O_NONBLOCK)  = 0
gettimeofday({1291986809, 169934}, NULL) = 0
poll([{fd=4, events=POLLOUT}], 1, 0) = 1 ([{fd=4, revents=POLLOUT}])
send(4, "\1\231\1\0\0\1\0\0\0\0\0\0\5Z7070\tnetwolves\3com"..., 51, MSG_NOSIGNAL) = 51
poll([{fd=4, events=POLLIN}], 1, 5000)  = 1 ([{fd=4, revents=POLLIN}])
ioctl(4, FIONREAD, [113]) = 0
recvfrom(4, "\1\231\201\203\0\1\0\0\0\1\0\0\5Z7070\tnetwolves\3com"..., 1024, 0, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("198.6.1.4")}, [16]) = 113
close(4)

--
Stephen Clark
*NetWolves*
Sr. Software Engineer III
Phone: 813-579-3200
Fax: 813-882-0209
Email: steve.cl...@netwolves.com
http://www.netwolves.com
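
The send()/recvfrom() buffers in the strace excerpts of this thread can be decoded to see which name sudo's resolver asked for and what each nameserver answered. This is an added example, not part of any post; the function names are made up here, and the three byte strings are copied from the traces as strace printed them (truncated after the start of the question name).

```python
import re
import struct

# Buffers copied from the strace output quoted in the thread. strace cut each
# one short (the trailing "..."), so only the 12-byte DNS header and the
# beginning of the question name are available.
QUERY_LOCAL = r"\206r\1\0\0\1\0\0\0\0\0\0\5Z7070\tnetwolves\3com"
REPLY_LOCAL = r"\206r\205\203\0\1\0\0\0\1\0\0\5Z7070\tnetwolves\3com"    # from 127.0.0.1
REPLY_REMOTE = r"\1\231\201\203\0\1\0\0\0\1\0\0\5Z7070\tnetwolves\3com"  # from 198.6.1.4

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED"}
_NAMED = {"n": 10, "t": 9, "r": 13, "f": 12, "v": 11, "\\": 92, '"': 34}
_ESCAPE = re.compile(r'\\([0-7]{1,3}|[ntrfv\\"])')


def strace_bytes(text):
    """Convert a strace-quoted string (C escapes, octal by default) to bytes."""
    out = bytearray()
    pos = 0
    for match in _ESCAPE.finditer(text):
        out += text[pos:match.start()].encode("latin-1")
        token = match.group(1)
        out.append(_NAMED[token] if token in _NAMED else int(token, 8))
        pos = match.end()
    out += text[pos:].encode("latin-1")
    return bytes(out)


def decode_dns(text):
    """Decode the DNS header and as much of the question name as was captured."""
    raw = strace_bytes(text)
    if len(raw) < 12:
        raise ValueError("need at least the 12-byte DNS header")
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", raw[:12])
    labels, pos, complete = [], 12, False
    while pos < len(raw):
        length = raw[pos]
        if length == 0:                      # root label: name fully captured
            complete = True
            break
        if length & 0xC0 or pos + 1 + length > len(raw):
            break                            # pointer or label cut off by strace
        labels.append(raw[pos + 1:pos + 1 + length].decode("ascii", "replace"))
        pos += 1 + length
    return {
        "id": ident,
        "response": bool(flags & 0x8000),
        "authoritative": bool(flags & 0x0400),
        "recursion_desired": bool(flags & 0x0100),
        "recursion_available": bool(flags & 0x0080),
        "rcode": RCODES.get(flags & 0x000F, str(flags & 0x000F)),
        "counts": {"question": qd, "answer": an, "authority": ns, "additional": ar},
        "qname": ".".join(labels),
        "qname_complete": complete,
    }


if __name__ == "__main__":
    for label, buf in (("query  -> 127.0.0.1", QUERY_LOCAL),
                       ("reply  <- 127.0.0.1", REPLY_LOCAL),
                       ("reply  <- 198.6.1.4", REPLY_REMOTE)):
        msg = decode_dns(buf)
        print(f"{label}: id=0x{msg['id']:04x} response={msg['response']} "
              f"aa={msg['authoritative']} rcode={msg['rcode']} "
              f"answers={msg['counts']['answer']} qname={msg['qname']}"
              f"{'' if msg['qname_complete'] else ' (truncated)'}")
```

Both captured replies decode to NXDOMAIN with zero answer records for a name beginning Z7070.netwolves.com; the reply from 127.0.0.1 has the authoritative bit set and the one from 198.6.1.4 does not.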


Re: [CentOS] sudo doing DNS lookup

2010-12-10 Thread Baird, Josh
Maybe I am missing something here.. but what does 'sudo' have to do with
DNS resolution?

 

From: centos-boun...@centos.org [mailto:centos-boun...@centos.org] On
Behalf Of Steve Clark
Sent: Friday, December 10, 2010 7:44 AM
To: CentOS mailing list
Subject: [CentOS] sudo doing DNS lookup

 

Hi,

I have a confusing problem. I have two centos 5,5 boxes. Both have
sudo.i386    1.7.2p1-9.el5_5
installed

I am using the same sudoers file, but the one on box A keeps trying to
do DNS lookups
while the one on box B does not. How do I disable this DNS lookup?

Thanks for any info.

-- 
Stephen Clark
NetWolves
Sr. Software Engineer III
Phone: 813-579-3200
Fax: 813-882-0209
Email: steve.cl...@netwolves.com
http://www.netwolves.com



[CentOS] sudo doing DNS lookup

2010-12-10 Thread Steve Clark

Hi,

I have a confusing problem. I have two centos 5,5 boxes. Both have
sudo.i386    1.7.2p1-9.el5_5
installed


I am using the same sudoers file, but the one on box A keeps trying to 
do DNS lookups

while the one on box B does not. How do I disable this DNS lookup?

Thanks for any info.

--
Stephen Clark
*NetWolves*
Sr. Software Engineer III
Phone: 813-579-3200
Fax: 813-882-0209
Email: steve.cl...@netwolves.com
http://www.netwolves.com


Re: [CentOS] sudo 1.6.9 versus sudo 1.7.2 behavioral differences with umask settings

2010-10-08 Thread Tom H
On Thu, Oct 7, 2010 at 11:35 PM, David Goldsmith  wrote:
> On 10/7/2010 9:59 PM, Tom H wrote:
>> On Thu, Oct 7, 2010 at 9:48 PM, David Goldsmith  wrote:
>>> On 10/7/2010 9:25 PM, Tom H wrote:
>>>> On Thu, Oct 7, 2010 at 7:20 PM, David Goldsmith wrote:
>>>>> Two servers, each have normal user umask values of 0077 and root umask
>>>>> values on 0022.
>>>>>
>>>>> On the first server (CentOS 5.4 i386) running sudo 1.6.9pl7-5 (from
>>>>> base), here are the results of touching a file as a user, as root and as
>>>>> a user sudoing to root:
>>>>>
>>>>> user: touch file        - result is 600
>>>>> root: touch file        - result is 644
>>>>> user: sudo touch file   - result is 644
>>>>>
>>>>> On the second server (CentOS x86-64) running sudo 1.7.2p1-7 (from
>>>>> updates), here are the results of the same actions:
>>>>>
>>>>> user: touch file        - result is 600
>>>>> root: touch file        - result is 644
>>>>> user: sudo touch file   - result is 600         ** this differs **
>>>>>
>>>>> On the second system, if I downgrade sudo to the base version, it
>>>>> behaves the same as on the first server, so this appears to be sudo
>>>>> version specific rather than an i386 vs x86-64 difference.
>>>>>
>>>>> Looking at the changelogs at the package home site, I don't see anything
>>>>> obvious that covers this change:
>>>>>
>>>>> http://www.courtesan.com/sudo/stable.html#1.7.0
>>>>> http://www.courtesan.com/sudo/stable.html#1.7.1
>>>>> http://www.courtesan.com/sudo/stable.html#1.7.2
>>>>>
>>>>> Does anyone know how to change the behavior with the umask values when
>>>>> using the newer version of sudo?
>>>>>
>>>>> This is causing us some issues when sudoing to update an SVN working
>>>>> directory used by our Puppet server.
>>>>
>>>> Check for a "umask" variable/line in the two installs' /etc/sudoers file.
>>>
>>> "grep -i mask /etc/sudoers" on both servers gets no hits.
>>
>> Any differences in the env_keep, env_delete, env_check settings (if
>> they are used) in sudoers?
>
> Both servers have the same defaults settings:
>
> # Defaults specification
> Defaults    log_year, logfile=/var/log/sudo.log
> Defaults    loglinelen=0
> Defaults    env_reset
> Defaults    env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR \
>                        LS_COLORS MAIL PS1 PS2 QTDIR USERNAME \
>                        LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION \
>                        LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC \
>                        LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS \
>                        _XKB_CHARSET XAUTHORITY"

Sorry. The "Defaults" suggestion was silly given that there was no
umask setting.

I've looked through the man pages of 1.6.x and 1.7.x and the umask
description is different:

For 1.6.x, the default is 0022.

For 1.7.x, the default is 0022 but "The actual umask that is used will
be the union of the user's umask and 0022. This guarantees that sudo
never lowers the umask when running a command."


Re: [CentOS] sudo 1.6.9 versus sudo 1.7.2 behavioral differences with umask settings

2010-10-08 Thread Phil Schaffner
David Goldsmith wrote on 10/08/2010 09:09 AM:
...
> Since the sudo 1.6.9 systems don't like seeing that line in their config
> file, I either need to get all the systems upgraded to 1.7.2 or modify
> Puppet to push different versions of the /etc/sudoers depending on what
> version of sudo is installed.

And why would you NOT want to have the latest security and bug-fix 
updates, and get consistent behavior across the board as a bonus?

Phil


Re: [CentOS] sudo 1.6.9 versus sudo 1.7.2 behavioral differences with umask settings

2010-10-08 Thread David Goldsmith
On 10/8/2010 4:42 AM, John Doe wrote:
> From: David Goldsmith 
> 
>> On the first server (CentOS 5.4 i386) running sudo 1.6.9pl7-5  (from
>> base), here are the results of touching a file as a user, as root and  as
>> a user sudoing to root:
>> On the second server (CentOS  x86-64) running sudo 1.7.2p1-7 (from
>> updates), here are the results of the  same actions:
> 
> Maybe check the release notes...
> http://www.sudo.ws/sudo/stable.html
> A quick look got:
> "A new Defaults option "umask_override" will cause sudo to set 
> the umask specified in sudoers even if it is more permissive  than 
> the invoking user's umask. "
> 
> JD

Ok, I missed that last bullet on changes from 1.7.0 to 1.7.1.  However,
on both servers, there is no umask_override line in the /etc/sudoers
file and if I run "sudo -V" as root and grep for umask, I get the same
output on both versions:

  # sudo -V | grep -i umask
  Umask to use or 0777 to use user's: 022

So that would seem to me that it ought to have been using a umask of 022
resulting in test files with 644 permissions.

These sections from the sudoers man page for each version seem to
explain the difference:

1.6.9 man page:

   umask   Umask to use when running the command.  Negate this
           option or set it to 0777 to preserve the user's
           umask.  The default is 0022.

1.7.2 man page:

   umask_override  If set, sudo will set the umask as specified by
                   sudoers without modification.  This makes it
                   possible to specify a more permissive umask in
                   sudoers than the user's own umask and matches
                   historical behavior.  If umask_override is not set,
                   sudo will set the umask to be the union of the
                   user's umask and what is specified in sudoers.  This
                   flag is off by default.

   umask   Umask to use when running the command.  Negate this
           option or set it to 0777 to preserve the user's
           umask.  The actual umask that is used will be the
           union of the user's umask and 0022.  This guarantees
           that sudo never lowers the umask when running a
           command.  Note on systems that use PAM, the default
           PAM configuration may specify its own umask which
           will override the value set in sudoers.

If I add "Defaults    umask_override" in /etc/sudoers on the system with
sudo 1.7.2, then the umask behavior I was expecting occurs -- "sudo
touch file" results in a file with 644 perms (based on root's umask).

Since the sudo 1.6.9 systems don't like seeing that line in their config
file, I either need to get all the systems upgraded to 1.7.2 or modify
Puppet to push different versions of the /etc/sudoers depending on what
version of sudo is installed.

Thanks for the responses.

David Goldsmith
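
The umask rule described in the two man page excerpts quoted in this thread can be modelled and checked against a real file creation. This is an added example, not code from sudo or from any poster; `sudo_umask` and `touch_mode` are names made up here, and the PAM override mentioned in the 1.7.2 man page is not modelled.

```python
import os
import stat
import tempfile


def sudo_umask(user_umask, sudoers_umask=0o022, version="1.7",
               umask_override=False):
    """Umask applied to the command, per the man page text quoted above.

    version "1.6": the sudoers value is used as-is.
    version "1.7": the union (bitwise OR) of the user's umask and the sudoers
                   value is used, unless umask_override is set.
    In both versions a sudoers value of 0777 means "keep the user's umask".
    """
    if sudoers_umask == 0o777:
        return user_umask
    if version == "1.6" or umask_override:
        return sudoers_umask
    return user_umask | sudoers_umask


def touch_mode(mask):
    """Create a file the way touch(1) does (mode 0666) under `mask` and
    return the permission bits the kernel actually gave it."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "file")
        previous = os.umask(mask)
        try:
            fd = os.open(path, os.O_WRONLY | os.O_CREAT, 0o666)
            os.close(fd)
        finally:
            os.umask(previous)   # never leave the process umask changed
        return stat.S_IMODE(os.stat(path).st_mode)


def scenarios(user_umask=0o077, sudoers_umask=0o022):
    """The three 'user: sudo touch file' cases discussed in the thread."""
    cases = [
        ("sudo 1.6.9", dict(version="1.6")),
        ("sudo 1.7.2", dict(version="1.7")),
        ("sudo 1.7.2 + umask_override", dict(version="1.7", umask_override=True)),
    ]
    rows = []
    for label, options in cases:
        mask = sudo_umask(user_umask, sudoers_umask, **options)
        rows.append((label, mask, touch_mode(mask)))
    return rows


if __name__ == "__main__":
    for label, mask, mode in scenarios():
        print(f"{label:30s} umask {mask:04o} -> file mode {mode:03o}")
```

Note that the union only ever removes permission bits: a user umask of 0002 under sudo 1.7.2 still yields 0022, while 0077 stays 0077.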


Re: [CentOS] sudo 1.6.9 versus sudo 1.7.2 behavioral differences with umask settings

2010-10-08 Thread John Doe
From: David Goldsmith 

> On the first server (CentOS 5.4 i386) running sudo 1.6.9pl7-5  (from
> base), here are the results of touching a file as a user, as root and  as
> a user sudoing to root:
> On the second server (CentOS  x86-64) running sudo 1.7.2p1-7 (from
> updates), here are the results of the  same actions:

Maybe check the release notes...
http://www.sudo.ws/sudo/stable.html
A quick look got:
"A new Defaults option "umask_override" will cause sudo to set
the umask specified in sudoers even if it is more permissive than
the invoking user's umask. "

JD


  


Re: [CentOS] sudo 1.6.9 versus sudo 1.7.2 behavioral differences with umask settings

2010-10-07 Thread David Goldsmith
On 10/7/2010 9:59 PM, Tom H wrote:
> On Thu, Oct 7, 2010 at 9:48 PM, David Goldsmith  wrote:
>> On 10/7/2010 9:25 PM, Tom H wrote:
>>> On Thu, Oct 7, 2010 at 7:20 PM, David Goldsmith  wrote:
>>>> Two servers, each have normal user umask values of 0077 and root umask
>>>> values on 0022.
>>>>
>>>> On the first server (CentOS 5.4 i386) running sudo 1.6.9pl7-5 (from
>>>> base), here are the results of touching a file as a user, as root and as
>>>> a user sudoing to root:
>>>>
>>>> user: touch file        - result is 600
>>>> root: touch file        - result is 644
>>>> user: sudo touch file   - result is 644
>>>>
>>>> On the second server (CentOS x86-64) running sudo 1.7.2p1-7 (from
>>>> updates), here are the results of the same actions:
>>>>
>>>> user: touch file        - result is 600
>>>> root: touch file        - result is 644
>>>> user: sudo touch file   - result is 600         ** this differs **
>>>>
>>>> On the second system, if I downgrade sudo to the base version, it
>>>> behaves the same as on the first server, so this appears to be sudo
>>>> version specific rather than an i386 vs x86-64 difference.
>>>>
>>>> Looking at the changelogs at the package home site, I don't see anything
>>>> obvious that covers this change:
>>>>
>>>> http://www.courtesan.com/sudo/stable.html#1.7.0
>>>> http://www.courtesan.com/sudo/stable.html#1.7.1
>>>> http://www.courtesan.com/sudo/stable.html#1.7.2
>>>>
>>>> Does anyone know how to change the behavior with the umask values when
>>>> using the newer version of sudo?
>>>>
>>>> This is causing us some issues when sudoing to update an SVN working
>>>> directory used by our Puppet server.
>>>
>>> Check for a "umask" variable/line in the two installs' /etc/sudoers file.
>>
>> "grep -i mask /etc/sudoers" on both servers gets no hits.
> 
> Any differences in the env_keep, env_delete, env_check settings (if
> they are used) in sudoers?


Both servers have the same defaults settings:

# Defaults specification
Defaults    log_year, logfile=/var/log/sudo.log
Defaults    loglinelen=0
Defaults    env_reset
Defaults    env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR \
                        LS_COLORS MAIL PS1 PS2 QTDIR USERNAME \
                        LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION \
                        LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC \
                        LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS \
                        _XKB_CHARSET XAUTHORITY"


David Goldsmith


Re: [CentOS] sudo 1.6.9 versus sudo 1.7.2 behavioral differences with umask settings

2010-10-07 Thread Tom H
On Thu, Oct 7, 2010 at 9:48 PM, David Goldsmith  wrote:
> On 10/7/2010 9:25 PM, Tom H wrote:
>> On Thu, Oct 7, 2010 at 7:20 PM, David Goldsmith  wrote:
>>> Two servers, each have normal user umask values of 0077 and root umask
>>> values on 0022.
>>>
>>> On the first server (CentOS 5.4 i386) running sudo 1.6.9pl7-5 (from
>>> base), here are the results of touching a file as a user, as root and as
>>> a user sudoing to root:
>>>
>>> user: touch file        - result is 600
>>> root: touch file        - result is 644
>>> user: sudo touch file   - result is 644
>>>
>>> On the second server (CentOS x86-64) running sudo 1.7.2p1-7 (from
>>> updates), here are the results of the same actions:
>>>
>>> user: touch file        - result is 600
>>> root: touch file        - result is 644
>>> user: sudo touch file   - result is 600         ** this differs **
>>>
>>> On the second system, if I downgrade sudo to the base version, it
>>> behaves the same as on the first server, so this appears to be sudo
>>> version specific rather than an i386 vs x86-64 difference.
>>>
>>> Looking at the changelogs at the package home site, I don't see anything
>>> obvious that covers this change:
>>>
>>> http://www.courtesan.com/sudo/stable.html#1.7.0
>>> http://www.courtesan.com/sudo/stable.html#1.7.1
>>> http://www.courtesan.com/sudo/stable.html#1.7.2
>>>
>>> Does anyone know how to change the behavior with the umask values when
>>> using the newer version of sudo?
>>>
>>> This is causing us some issues when sudoing to update an SVN working
>>> directory used by our Puppet server.
>>
>> Check for a "umask" variable/line in the two installs' /etc/sudoers file.
>
> "grep -i mask /etc/sudoers" on both servers gets no hits.

Any differences in the env_keep, env_delete, env_check settings (if
they are used) in sudoers?


Re: [CentOS] sudo 1.6.9 versus sudo 1.7.2 behavioral differences with umask settings

2010-10-07 Thread David Goldsmith
On 10/7/2010 9:25 PM, Tom H wrote:
> On Thu, Oct 7, 2010 at 7:20 PM, David Goldsmith  wrote:
>> Two servers, each have normal user umask values of 0077 and root umask
>> values on 0022.
>>
>> On the first server (CentOS 5.4 i386) running sudo 1.6.9pl7-5 (from
>> base), here are the results of touching a file as a user, as root and as
>> a user sudoing to root:
>>
>> user: touch file        - result is 600
>> root: touch file        - result is 644
>> user: sudo touch file   - result is 644
>>
>> On the second server (CentOS x86-64) running sudo 1.7.2p1-7 (from
>> updates), here are the results of the same actions:
>>
>> user: touch file        - result is 600
>> root: touch file        - result is 644
>> user: sudo touch file   - result is 600         ** this differs **
>>
>> On the second system, if I downgrade sudo to the base version, it
>> behaves the same as on the first server, so this appears to be sudo
>> version specific rather than an i386 vs x86-64 difference.
>>
>> Looking at the changelogs at the package home site, I don't see anything
>> obvious that covers this change:
>>
>> http://www.courtesan.com/sudo/stable.html#1.7.0
>> http://www.courtesan.com/sudo/stable.html#1.7.1
>> http://www.courtesan.com/sudo/stable.html#1.7.2
>>
>> Does anyone know how to change the behavior with the umask values when
>> using the newer version of sudo?
>>
>> This is causing us some issues when sudoing to update an SVN working
>> directory used by our Puppet server.
> 
> Check for a "umask" variable/line in the two installs' /etc/sudoers file.

"grep -i mask /etc/sudoers" on both servers gets no hits.

David Goldsmith


Re: [CentOS] sudo 1.6.9 versus sudo 1.7.2 behavioral differences with umask settings

2010-10-07 Thread Tom H
On Thu, Oct 7, 2010 at 7:20 PM, David Goldsmith  wrote:
> Two servers, each have normal user umask values of 0077 and root umask
> values on 0022.
>
> On the first server (CentOS 5.4 i386) running sudo 1.6.9pl7-5 (from
> base), here are the results of touching a file as a user, as root and as
> a user sudoing to root:
>
> user: touch file        - result is 600
> root: touch file        - result is 644
> user: sudo touch file   - result is 644
>
> On the second server (CentOS x86-64) running sudo 1.7.2p1-7 (from
> updates), here are the results of the same actions:
>
> user: touch file        - result is 600
> root: touch file        - result is 644
> user: sudo touch file   - result is 600         ** this differs **
>
> On the second system, if I downgrade sudo to the base version, it
> behaves the same as on the first server, so this appears to be sudo
> version specific rather than an i386 vs x86-64 difference.
>
> Looking at the changelogs at the package home site, I don't see anything
> obvious that covers this change:
>
> http://www.courtesan.com/sudo/stable.html#1.7.0
> http://www.courtesan.com/sudo/stable.html#1.7.1
> http://www.courtesan.com/sudo/stable.html#1.7.2
>
> Does anyone know how to change the behavior with the umask values when
> using the newer version of sudo?
>
> This is causing us some issues when sudoing to update an SVN working
> directory used by our Puppet server.

Check for a "umask" variable/line in the two installs' /etc/sudoers file.


[CentOS] sudo 1.6.9 versus sudo 1.7.2 behavioral differences with umask settings

2010-10-07 Thread David Goldsmith
Two servers, each have normal user umask values of 0077 and root umask
values on 0022.

On the first server (CentOS 5.4 i386) running sudo 1.6.9pl7-5 (from
base), here are the results of touching a file as a user, as root and as
a user sudoing to root:

user: touch file        - result is 600
root: touch file        - result is 644
user: sudo touch file   - result is 644

On the second server (CentOS x86-64) running sudo 1.7.2p1-7 (from
updates), here are the results of the same actions:

user: touch file        - result is 600
root: touch file        - result is 644
user: sudo touch file   - result is 600         ** this differs **

On the second system, if I downgrade sudo to the base version, it
behaves the same as on the first server, so this appears to be sudo
version specific rather than an i386 vs x86-64 difference.


Looking at the changelogs at the package home site, I don't see anything
obvious that covers this change:

http://www.courtesan.com/sudo/stable.html#1.7.0
http://www.courtesan.com/sudo/stable.html#1.7.1
http://www.courtesan.com/sudo/stable.html#1.7.2

Does anyone know how to change the behavior with the umask values when
using the newer version of sudo?

This is causing us some issues when sudoing to update an SVN working
directory used by our Puppet server.

Thanks,
David Goldsmith
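
A possible reading of the two results in this post, as an added example that is not part of the thread: sudoers(5) documents a `umask` option (default 0022) that sudo combines with the invoking user's umask as a union unless the `umask_override` flag is set, in which case the sudoers value is applied unmodified. The sketch below models both behaviours and creates a real file under each. That this is what differs between the two package versions is an assumption the thread does not confirm, and the function names are made up for the illustration.

```python
import os
import stat
import tempfile

SUDOERS_DEFAULT_UMASK = 0o022  # documented default of the sudoers "umask" option


def effective_umask(user_umask, sudoers_umask=SUDOERS_DEFAULT_UMASK,
                    umask_override=False):
    """Umask the command runs with, per the two behaviours in sudoers(5)."""
    if umask_override:
        return sudoers_umask            # sudoers value applied unmodified
    return user_umask | sudoers_umask   # union: a bit masked by either stays masked


def mode_of_touched_file(umask):
    """Create a file as touch(1) does (requested mode 0666) under `umask`."""
    previous = os.umask(umask)
    try:
        with tempfile.TemporaryDirectory() as workdir:
            path = os.path.join(workdir, "file")
            os.close(os.open(path, os.O_WRONLY | os.O_CREAT, 0o666))
            return stat.S_IMODE(os.stat(path).st_mode)
    finally:
        os.umask(previous)  # never leave the process umask changed


def sudo_touch_mode(user_umask, umask_override):
    """Permission bits of a file created by `sudo touch file` in this model."""
    return mode_of_touched_file(
        effective_umask(user_umask, umask_override=umask_override))


if __name__ == "__main__":
    user_umask = 0o077  # the normal-user umask reported in the post
    for override in (True, False):
        mode = sudo_touch_mode(user_umask, override)
        print("umask_override=%-5s -> sudo touch file gives %o" % (override, mode))
```

Whether `umask_override` is available on a given host depends on the installed sudo, so check `man sudoers` there before relying on it.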


Re: [CentOS] sudo for Virtual Machine Manager

2010-02-24 Thread Rui Miguel Silva Seabra
On 24-02-2010 00:22, David McGuffey wrote:
> I've done everything stated in the various guidance to get a regular
> user to use virt-manager (graphical Virtual Machine Manager) under
> CentOS 5.4 with KVM.  Placing the user in the kvm group and changing
> permissions on several files to include kvm has not worked...the user
> still needs to enter the root password to use the graphical VMM.
> 
> I thought of pressing sudo into service for this task.  Anyone think
> this will work?

Sure, should work.

> Anyone got a better way? 

Look at wireshark, use as an example :)

[...@roque ~]$ cat /etc/pam.d/wireshark
#%PAM-1.0
auth       sufficient   pam_rootok.so
#auth       sufficient   pam_timestamp.so
auth       include      system-auth
account    required     pam_permit.so
session    required     pam_permit.so
session    optional     pam_xauth.so
#session    optional     pam_timestamp.so



[CentOS] sudo for Virtual Machine Manager

2010-02-23 Thread David McGuffey
I've done everything stated in the various guidance to get a regular
user to use virt-manager (graphical Virtual Machine Manager) under
CentOS 5.4 with KVM.  Placing the user in the kvm group and changing
permissions on several files to include kvm has not worked...the user
still needs to enter the root password to use the graphical VMM.

I thought of pressing sudo into service for this task.  Anyone think
this will work?

Anyone got a better way? 

DaveM




Re: [CentOS] Sudo command

2009-10-23 Thread Patrick McEvoy
Are you trying to run sudo when logged in as root?  sudo is only used by 
non root users.

Robert Heller wrote:
> At Fri, 23 Oct 2009 10:50:38 +0530 CentOS mailing list  
> wrote:
>
>   
>>
>> Hi guys,
>> Thanks
>>
>> What i am trying to achieve is; when executing
>>
>> # sudo make install
>> Password:*
>>
>> this password entered is root password.
>>
>> it gives is error
>>
>> Sorry, try again.
>> 
>
> Sudo asks for the user's password NOT the root password.  Please read
> the documentation, carefully.
>
> man sudo
> man sudoers
>
>
>   
>> but when i do a su - and then gave the same root password. I am able to
>> switch account to user.
>>
>> ---
>>
>> Am am trying to add my account to sudoers file. It should be easy i think.
>>
>>
>> Regards,
>> Vijay Shanker Dubey
>> Ph: +91-9818311884
>>
>>
>> On Fri, Oct 23, 2009 at 2:09 AM, Robert Heller  wrote:
>>
>> 
>>> At Thu, 22 Oct 2009 14:00:27 -0400 CentOS mailing list 
>>> wrote:
>>>
>>>   

>>>> Hello guys;
>>>>
>>>> I am not able to use sudo command on my just installed centos5.3
>>>>
>>>> But i know i am using right password to root.
>>>>
>>>> Is this is by default not enabled; if so, what to do.
 
>>> You don't use root's password, you use your own password.
>>>
>>> This assumes you have an entry in /etc/sudoers for your account.
>>>
>>>   
>>>> Regards,
>>>> Vijay Shanker Dubey
>>>> Ph: +91-9818311884
>>>>
>>>> MIME-Version: 1.0
>>>>
>>>> ___
>>>> CentOS mailing list
>>>> CentOS@centos.org
>>>> http://lists.centos.org/mailman/listinfo/centos


 
>>> --
>>> Robert Heller -- 978-544-6933
>>> Deepwoods Software-- Download the Model Railroad System
>>> http://www.deepsoft.com/  -- Binaries for Linux and MS-Windows
>>> hel...@deepsoft.com   -- http://www.deepsoft.com/ModelRailroadSystem/
>>>
>>> ___
>>> CentOS mailing list
>>> CentOS@centos.org
>>> http://lists.centos.org/mailman/listinfo/centos
>>>
>>>   
>> MIME-Version: 1.0
>>
>> ___
>> CentOS mailing list
>> CentOS@centos.org
>> http://lists.centos.org/mailman/listinfo/centos
>>
>>  
>>   
>> 
>
>   

-- 

Patrick McEvoy
System Administrator
Silva Capital Management, LLC
625 N. Michigan Ave, Suite 412
Chicago, IL 60611
Office: 312-397-0400, Fax: 312-397-0404
Cell: 773-517-1287
pmce...@silvacapitalmgmt.com




Re: [CentOS] Sudo command

2009-10-23 Thread Robert Heller
At Fri, 23 Oct 2009 10:50:38 +0530 CentOS mailing list  
wrote:

> 
> 
> 
> Hi guys,
> Thanks
> 
> What i am trying to achieve is; when executing
> 
> # sudo make install
> Password:*
> 
> this password entered is root password.
> 
> it gives is error
> 
> Sorry, try again.

Sudo asks for the user's password NOT the root password.  Please read
the documentation, carefully.

man sudo
man sudoers


> 
> but when i do a su - and then gave the same root password. I am able to
> switch account to user.
> 
> ---
> 
> Am am trying to add my account to sudoers file. It should be easy i think.
> 
> 
> Regards,
> Vijay Shanker Dubey
> Ph: +91-9818311884
> 
> 
> On Fri, Oct 23, 2009 at 2:09 AM, Robert Heller  wrote:
> 
> > At Thu, 22 Oct 2009 14:00:27 -0400 CentOS mailing list 
> > wrote:
> >
> > >
> > >
> > >
> > > Hello guys;
> > >
> > > I am not able to use sudo command on my just installed centos5.3
> > >
> > > But i know i am using right password to root.
> > >
> > > Is this is by default not enabled; if so, what to do.
> >
> > You don't use root's password, you use your own password.
> >
> > This assumes you have an entry in /etc/sudoers for your account.
> >
> > >
> > >
> > > Regards,
> > > Vijay Shanker Dubey
> > > Ph: +91-9818311884
> > >
> > > MIME-Version: 1.0
> > >
> > > ___
> > > CentOS mailing list
> > > CentOS@centos.org
> > > http://lists.centos.org/mailman/listinfo/centos
> > >
> > >
> >
> > --
> > Robert Heller -- 978-544-6933
> > Deepwoods Software-- Download the Model Railroad System
> > http://www.deepsoft.com/  -- Binaries for Linux and MS-Windows
> > hel...@deepsoft.com   -- http://www.deepsoft.com/ModelRailroadSystem/
> >
> > ___
> > CentOS mailing list
> > CentOS@centos.org
> > http://lists.centos.org/mailman/listinfo/centos
> >
> 
> MIME-Version: 1.0
> 
> ___
> CentOS mailing list
> CentOS@centos.org
> http://lists.centos.org/mailman/listinfo/centos
> 
>   
>  

-- 
Robert Heller -- 978-544-6933
Deepwoods Software-- Download the Model Railroad System
http://www.deepsoft.com/  -- Binaries for Linux and MS-Windows
hel...@deepsoft.com   -- http://www.deepsoft.com/ModelRailroadSystem/
  


Re: [CentOS] Sudo command

2009-10-22 Thread Frank Cox
On Fri, 23 Oct 2009 11:18:56 +0530
vijay shanker wrote:

> if it expects my own password then why not i can execute these command
> without giving "sudo" as prefix.

Because sudo is the program that gives you the rights to execute certain
commands as root without actually being the root user.  If you don't run the
program "through" sudo, you won't get the rights.

> If i am a genuine sudoer then can i edit files on which only root has
> execution rights.

If you have the relevant permissions set in sudoers, then the answer is yes.

The whole objective of sudo is to allow some users to do certain things that
could otherwise be done only as root, without actually allowing the user to
become root.

In short, sudo allows you to set things up so a certain user can execute a
specific list of commands as root, but can't execute other commands as root.
The list of commands that you allow that user to execute is determined by the
sudoers file.

-- 
MELVILLE THEATRE ~ Melville Sask ~ http://www.melvilletheatre.com


Re: [CentOS] Sudo command

2009-10-22 Thread vijay shanker
Goood John,
But you please also clarify what does sudo means;

if it expects my own password then why not i can execute these command
without giving "sudo" as prefix.

If i am a genuine sudoer then can i edit files on which only root has
execution rights.


Regards,
Vijay Shanker Dubey
Ph: +91-9818311884


On Fri, Oct 23, 2009 at 10:59 AM, John R Pierce  wrote:

> vijay shanker wrote:
> > Hi guys,
> >
> > Thanks
> >
> > What i am trying to achieve is; when executing
> >
> > # sudo make install
> > Password:*
> >
> > this password entered is root password.
>
> sudo expects your USER password, not the root password.   the whole
> idea is the admin doesn't need to give out the root password to give
> controlled admin privs to a user.
>
>
> ___
> CentOS mailing list
> CentOS@centos.org
> http://lists.centos.org/mailman/listinfo/centos
>


Re: [CentOS] Sudo command

2009-10-22 Thread John R Pierce
vijay shanker wrote:
> Hi guys,
>
> Thanks
>
> What i am trying to achieve is; when executing 
>
> # sudo make install
> Password:*
>
> this password entered is root password.

sudo expects your USER password, not the root password.   the whole 
idea is the admin doesn't need to give out the root password to give 
controlled admin privs to a user.




Re: [CentOS] Sudo command

2009-10-22 Thread vijay shanker
Hi guys,
Thanks

What i am trying to achieve is; when executing

# sudo make install
Password:*

this password entered is root password.

it gives is error

Sorry, try again.

but when i do a su - and then gave the same root password. I am able to
switch account to user.

---

Am am trying to add my account to sudoers file. It should be easy i think.


Regards,
Vijay Shanker Dubey
Ph: +91-9818311884


On Fri, Oct 23, 2009 at 2:09 AM, Robert Heller  wrote:

> At Thu, 22 Oct 2009 14:00:27 -0400 CentOS mailing list 
> wrote:
>
> >
> >
> >
> > Hello guys;
> >
> > I am not able to use sudo command on my just installed centos5.3
> >
> > But i know i am using right password to root.
> >
> > Is this is by default not enabled; if so, what to do.
>
> You don't use root's password, you use your own password.
>
> This assumes you have an entry in /etc/sudoers for your account.
>
> >
> >
> > Regards,
> > Vijay Shanker Dubey
> > Ph: +91-9818311884
> >
> > MIME-Version: 1.0
> >
> > ___
> > CentOS mailing list
> > CentOS@centos.org
> > http://lists.centos.org/mailman/listinfo/centos
> >
> >
>
> --
> Robert Heller -- 978-544-6933
> Deepwoods Software-- Download the Model Railroad System
> http://www.deepsoft.com/  -- Binaries for Linux and MS-Windows
> hel...@deepsoft.com   -- http://www.deepsoft.com/ModelRailroadSystem/
>
> ___
> CentOS mailing list
> CentOS@centos.org
> http://lists.centos.org/mailman/listinfo/centos
>


Re: [CentOS] Sudo command

2009-10-22 Thread Robert Heller
At Thu, 22 Oct 2009 14:00:27 -0400 CentOS mailing list  
wrote:

> 
> 
> 
> Hello guys;
> 
> I am not able to use sudo command on my just installed centos5.3
> 
> But i know i am using right password to root.
> 
> Is this is by default not enabled; if so, what to do.

You don't use root's password, you use your own password.

This assumes you have an entry in /etc/sudoers for your account.

> 
> 
> Regards,
> Vijay Shanker Dubey
> Ph: +91-9818311884
> 
> MIME-Version: 1.0
> 
> ___
> CentOS mailing list
> CentOS@centos.org
> http://lists.centos.org/mailman/listinfo/centos
> 
>

-- 
Robert Heller -- 978-544-6933
Deepwoods Software-- Download the Model Railroad System
http://www.deepsoft.com/  -- Binaries for Linux and MS-Windows
hel...@deepsoft.com   -- http://www.deepsoft.com/ModelRailroadSystem/




Re: [CentOS] Sudo command

2009-10-22 Thread Les Mikesell
Benjamin Donnachie wrote:
> 2009/10/22 Jay :
>> sudo su -
> 
> sudo -s is so much neater! :)
>

But it is yet another unnecessary special case to remember.

-- 
   Les Mikesell
lesmikes...@gmail.com


Re: [CentOS] Sudo command

2009-10-22 Thread Benjamin Donnachie
2009/10/22 Jay :
> sudo su -

sudo -s is so much neater! :)

Ben


Re: [CentOS] Sudo command

2009-10-22 Thread Benjamin Donnachie
2009/10/22 vijay shanker :
> I am not able to use sudo command on my just installed centos5.3

What are you trying to achieve?  Perhaps su is the command you need?

Ben


Re: [CentOS] Sudo command

2009-10-22 Thread Jay
use your user password for sudo not root's password.

sudo su -


Re: [CentOS] Sudo command

2009-10-22 Thread Alan Sparks
vijay shanker wrote:
> Hello guys;
>
> I am not able to use sudo command on my just installed centos5.3
>
> But i know i am using right password to root.
>
> Is this is by default not enabled; if so, what to do.
>

You really need to configure /etc/sudoers, if you have not already.
-Alan


[CentOS] Sudo command

2009-10-22 Thread vijay shanker
Hello guys;

I am not able to use sudo command on my just installed centos5.3

But i know i am using right password to root.

Is this is by default not enabled; if so, what to do.


Regards,
Vijay Shanker Dubey
Ph: +91-9818311884


Re: [CentOS] sudo

2008-10-10 Thread Stephen Harris
On Fri, Oct 10, 2008 at 12:49:49PM -0400, [EMAIL PROTECTED] wrote:
> Hi
> 
> Biz_User needs to switch to Sales_User, and  I tried following in sudoers:
> Biz_User ALL=(Sales_User) ALL
> 
> but I get following error when I run sudo su - Sales_User
> 
> "Sorry, user Biz_User is not allowed to execute '/usr/bin/su - Sales_User'
> as root on Server_Name"

What you gave him the ability to do was run
  sudo -u Sales_User anycommand
(which may be sufficient)

What you've described as wanting is
  Biz_User ALL=(root) /usr/bin/su - Sales_User

Something totally different :-)

The clue is the "as root" part of the error; "sudo su - Sales_User" means
'run the su - Sales_User command as root'

-- 

rgds
Stephen
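
The distinction drawn in this reply, as an added example that is not part of the thread and not sudo's own code: a simplified model of how one sudoers rule is matched against a request made of invoking user, run-as target and command. The `check` helper and its matching logic are assumptions covering only the single-entry rule form quoted here (no aliases, tags, negation or wildcards); `Server_Name` is the placeholder host from the quoted error.

```python
import re

# One rule per line: WHO HOST=(RUNAS[,RUNAS...]) COMMAND [ARGS...]
RULE_RE = re.compile(r"^(\S+)\s+(\S+?)\s*=\s*\(([^)]*)\)\s*(\S.*)$")


def parse_rule(line):
    """Parse the single-entry rule form used in the thread."""
    m = RULE_RE.match(line.strip())
    if m is None:
        raise ValueError("unsupported sudoers line: %r" % line)
    who, host, runas, cmd = m.groups()
    return {"who": who, "host": host,
            "runas": [r.strip() for r in runas.split(",")],
            "cmd": cmd.split()}


def _who_matches(who, user, groups):
    if who == "ALL":
        return True
    if who.startswith("%"):          # %name refers to a group
        return who[1:] in groups
    return who == user


def _cmd_matches(rule_cmd, argv):
    if rule_cmd == ["ALL"]:
        return True
    if rule_cmd[0] != argv[0]:
        return False
    # A rule that lists arguments permits only those arguments;
    # a bare path permits any arguments.
    return len(rule_cmd) == 1 or rule_cmd[1:] == argv[1:]


def check(rules, user, argv, runas="root", groups=(), host="Server_Name"):
    """Return 'allowed' or a denial message in the format quoted in the thread.

    runas defaults to root because that is the target when sudo is run without -u.
    """
    for rule in map(parse_rule, rules):
        if (_who_matches(rule["who"], user, groups)
                and rule["host"] in ("ALL", host)
                and ("ALL" in rule["runas"] or runas in rule["runas"])
                and _cmd_matches(rule["cmd"], argv)):
            return "allowed"
    return "Sorry, user %s is not allowed to execute '%s' as %s on %s" % (
        user, " ".join(argv), runas, host)


# Rules and requests taken from the thread.
RULE_RUNAS_SALES = ["Biz_User ALL=(Sales_User) ALL"]
RULE_SU_ONLY = ["Biz_User ALL=(root) /usr/bin/su - Sales_User"]
RULE_BROAD = ["%Biz_Users ALL=(Sales_User,root) ALL"]
SU_TO_SALES = ["/usr/bin/su", "-", "Sales_User"]   # sudo su - Sales_User
ROOT_SHELL = ["/usr/bin/su", "-"]                  # sudo su -

if __name__ == "__main__":
    print(check(RULE_RUNAS_SALES, "Biz_User", SU_TO_SALES))
    print(check(RULE_RUNAS_SALES, "Biz_User", ["/bin/bash"], runas="Sales_User"))
    print(check(RULE_SU_ONLY, "Biz_User", SU_TO_SALES))
    print(check(RULE_SU_ONLY, "Biz_User", ROOT_SHELL))
    print(check(RULE_BROAD, "Biz_User", ROOT_SHELL, groups=["Biz_Users"]))
```

The last call shows why adding root to the run-as list is the broad option: the same rule that permits the switch to Sales_User also permits a root shell.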


Re: [CentOS] sudo

2008-10-10 Thread mouss
[EMAIL PROTECTED] wrote:
> Hi
>
> Biz_User needs to switch to Sales_User, and  I tried following in
> sudoers:
> Biz_User ALL=(Sales_User) ALL
>
> but I get following error when I run sudo su - Sales_User
>
> "Sorry, user Biz_User is not allowed to execute '/usr/bin/su -
> Sales_User'
> as root on Server_Name"


$ man sudo
...
   When - is used, it must be specified as the last su option.
   The other forms (-l and --login) do not have this restriction.

>
> I know that if I add root in allowed users list, I can switch
> to other user , but in that way user can switch to root as well.
>
> %Biz_Users ALL=(Sales_User,root) ALL
>
> any better idea ?



[CentOS] sudo

2008-10-10 Thread centos

Hi

Biz_User needs to switch to Sales_User, and  I tried following in sudoers:
Biz_User ALL=(Sales_User) ALL

but I get following error when I run sudo su - Sales_User

"Sorry, user Biz_User is not allowed to execute '/usr/bin/su - Sales_User'
as root on Server_Name"

I know that if I add root in allowed users list, I can switch
to other user , but in that way user can switch to root as well.

%Biz_Users ALL=(Sales_User,root) ALL

any better idea ?




Re: [CentOS] sudo

2008-02-26 Thread Ralph Angenendt
Centos wrote:
> Hello
>
> unfortunately other users can change to my user name with sudo,
> how I can prevent it ? is there a command to prevent to change to only my 
> user name ?

DO NOT HIJACK THREADS ON A MAILING LIST. Post a "fresh" mail to
centos@centos.org, don't just blindly reply to some mail and just change
the subject.

And yes, any user which is allowed to switch to root can also switch to
any other user on the system. That's what root is allowed to do. See the
manual page of /etc/sudoers on how to just enable specific commands (why
do all of those users need to be root anyway?).

Ralph




Re: [CentOS] sudo

2008-02-25 Thread John R Pierce

Centos wrote:

> Hello
>
> unfortunately other users can change to my user name with sudo,
> how I can prevent it ? is there a command to prevent to change to only
> my user name ?


if you allow users open access to sudo, they can do anything that root 
can, which is just about anything.


the alternative is to allow only very restrictive use of sudo, running 
very specific commands as specific users only.   this is all controlled 
via /etc/sudoers, see the man pages.





[CentOS] sudo

2008-02-25 Thread Centos

Hello

unfortunately other users can change to my user name with sudo,
how I can prevent it ? is there a command to prevent to change to only my 
user name ?


Thanks 




Re: [CentOS] sudo path

2007-07-21 Thread Eduardo Dela Rosa

Sorry for my typo error - should have been:

Modify your ~/.bash_profile and add /sbin to your PATH.

cheers!

On 7/22/07, Eduardo Dela Rosa <[EMAIL PROTECTED]> wrote:


> Modify your ~/.bash_profile and /sbin to your path, i.e.,
>
> PATH=/sbin:/usr/sbin:$PATH:$HOME/bin
>
> On 7/22/07, centos <[EMAIL PROTECTED]> wrote:
> >
> > Hello
> >
> > Any time I am running sudo, I should have full path to the command,
> > for example sudo /sbin/ifconfig
> >
> > Is there any way to set the path for sudo ?
> >
> > Thanks
> > ___
> > CentOS mailing list
> > CentOS@centos.org
> > http://lists.centos.org/mailman/listinfo/centos
> >
>
> --
> Eduardo Dela Rosa





--
Eduardo Dela Rosa


Re: [CentOS] sudo path

2007-07-21 Thread Eduardo Dela Rosa

Modify your ~/.bash_profile and /sbin to your path, i.e.,

PATH=/sbin:/usr/sbin:$PATH:$HOME/bin



On 7/22/07, centos <[EMAIL PROTECTED]> wrote:


> Hello
>
> Any time I am running sudo, I should have full path to the command,
> for example sudo /sbin/ifconfig
>
> Is there any way to set the path for sudo ?
>
> Thanks





--
Eduardo Dela Rosa


Re: [CentOS] sudo path

2007-07-21 Thread John R Pierce

Brad Oaks wrote:

> And while you're at it, you might as well supply the full path to su.


indeed, many traditional Unix (such as Solaris) admins tend to type the 
full path to most all admin commands, so you're sure you're running the 
correct stuff.   


Re: [CentOS] sudo path

2007-07-21 Thread centos

but su - will change the user to root.
any other way ?
I don't want to change the user to root and work,
want to stay with the same user, but having my PATH apply while I am 
using sudo


sudo man page says we can use -s to use SHELL environment, so I can 
alias sudo to sudo -s
but still I should set this alias on all of our servers that I am going 
to login.


The *-s* (/shell/) option runs the shell specified by the /SHELL/ 
environment variable if it is set or the shell as specified in /passwd/.


thanks

Brad Oaks wrote:

> And while you're at it, you might as well supply the full path to su.
> Quite a while ago I was taught to give the full path to su.  This
> instruction was given with a warning that it's more secure in case a
> malicious user was able to get a command named 'su' into your path
> ahead of the binary you're intending to execute.
>
> I use:
> sudo /bin/su -
>
> Although, presumably under this logic, someone could have snuck
> another binary in named 'sudo', too.  To take my own medicine, I
> should be doing:
> /usr/bin/sudo /bin/su -
>
> Putting my $0.02 in where it wasn't necessarily asked for,
> --bradoaks
>
> On 7/21/07, Johnny Hughes <[EMAIL PROTECTED]> wrote:
>> centos wrote:
>>> Hello
>>>
>>> Any time I am running sudo, I should have full path to the command,
>>> for example sudo /sbin/ifconfig
>>>
>>> Is there any way to set the path for sudo ?
>>
>> use this command to get that (instead of just sudo):
>>
>> sudo su -





Re: [CentOS] sudo path

2007-07-21 Thread Brad Oaks

And while you're at it, you might as well supply the full path to su.
Quite a while ago I was taught to give the full path to su.  This
instruction was given with a warning that it's more secure in case a
malicious user was able to get a command named 'su' into your path
ahead of the binary you're intending to execute.

I use:
sudo /bin/su -

Although, presumably under this logic, someone could have snuck
another binary in named 'sudo', too.  To take my own medicine, I
should be doing:
/usr/bin/sudo /bin/su -

Putting my $0.02 in where it wasn't necessarily asked for,
--bradoaks

On 7/21/07, Johnny Hughes <[EMAIL PROTECTED]> wrote:

> centos wrote:
>> Hello
>>
>> Any time I am running sudo, I should have full path to the command,
>> for example sudo /sbin/ifconfig
>>
>> Is there any way to set the path for sudo ?
>
> use this command to get that (instead of just sudo):
>
> sudo su -
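
The PATH-order concern raised in this message, as an added example that is not part of the thread: a check that reports which file a bare command name resolves to and which group- or world-writable directories are searched before the trusted copy. The function names, the `trusted` parameter and the temporary directory layout in `demo` are constructed for the illustration.

```python
import os
import stat
import tempfile


def resolve_all(name, path):
    """Every executable called `name` on `path`, in the order the shell searches."""
    hits = []
    for entry in path.split(os.pathsep):
        candidate = os.path.join(entry or ".", name)  # empty entry = current directory
        if os.path.isfile(candidate) and os.access(candidate, os.X_OK):
            hits.append(candidate)
    return hits


def audit(name, path, trusted):
    """Report what a bare `name` would run and what could shadow `trusted`."""
    trusted_real = os.path.realpath(trusted)
    trusted_dir = os.path.dirname(trusted_real)
    hits = resolve_all(name, path)
    writable_before = []
    for entry in path.split(os.pathsep):
        entry = entry or "."
        if os.path.realpath(entry) == trusted_dir:
            break  # entries after the trusted directory cannot shadow it
        if os.path.isdir(entry) and \
                os.stat(entry).st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            writable_before.append(entry)
    return {
        "runs": hits[0] if hits else None,
        "shadowed": bool(hits) and os.path.realpath(hits[0]) != trusted_real,
        "writable_before": writable_before,
    }


def _make_exe(directory, name):
    os.makedirs(directory, exist_ok=True)
    path = os.path.join(directory, name)
    with open(path, "w") as fh:
        fh.write("#!/bin/sh\nexit 0\n")
    os.chmod(path, 0o755)
    return path


def demo():
    """Constructed layout: a world-writable directory holding its own 'su'."""
    with tempfile.TemporaryDirectory() as root:
        bindir = os.path.join(root, "bin")
        shared = os.path.join(root, "shared")
        trusted = _make_exe(bindir, "su")
        _make_exe(shared, "su")
        os.chmod(bindir, 0o755)
        os.chmod(shared, 0o777)
        risky = audit("su", os.pathsep.join([shared, bindir]), trusted)
        safe = audit("su", os.pathsep.join([bindir, shared]), trusted)
        return shared, trusted, risky, safe


if __name__ == "__main__":
    # On a real host: which su does this PATH pick, and what sits in front of /bin/su?
    print(audit("su", os.environ.get("PATH", ""), "/bin/su"))
```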





Re: [CentOS] sudo path

2007-07-21 Thread Johnny Hughes
centos wrote:
> Hello
> 
> Any time I am running sudo, I should have full path to the command,
> for example sudo /sbin/ifconfig
> 
> Is there any way to set the path for sudo ?

use this command to get that (instead of just sudo):

sudo su -






[CentOS] sudo path

2007-07-21 Thread centos

Hello

Any time I am running sudo, I should have full path to the command,
for example sudo /sbin/ifconfig

Is there any way to set the path for sudo ?

Thanks