Re: [Freeipa-users] sudo rules do not seem to work
On 10/08/2015 04:09 PM, Karl Forner wrote:
> Sorry I had disabled the emailing, just saw your answers in the archives.
>
>>> How can I debug this ?
>> Pavel (CC) has a nice sudo debug howto, maybe it would be helpful?
>
> Where is it ? Do you mean the slide "FreeIPA Training Series: Obtaining
> debugging information" from
> https://www.freeipa.org/images/7/77/Freeipa30_SSSD_SUDO_Integration.pdf ?
>
> Thanks !
> Karl

It is not yet publicly available.

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] sudo rules do not seem to work
Sorry I had disabled the emailing, just saw your answers in the archives.

>> How can I debug this ?
> Pavel (CC) has a nice sudo debug howto, maybe it would be helpful?

Where is it ? Do you mean the slide "FreeIPA Training Series: Obtaining
debugging information" from
https://www.freeipa.org/images/7/77/Freeipa30_SSSD_SUDO_Integration.pdf ?

Thanks !
Karl
Re: [Freeipa-users] sudo rules do not seem to work
On Wed, Oct 07, 2015 at 11:19:02AM +0200, Pavel Březina wrote:
> On 10/07/2015 10:03 AM, Jakub Hrozek wrote:
> >On Tue, Oct 06, 2015 at 06:28:14PM +0200, Karl Forner wrote:
> >>Hello,
> >>
> >>I had assumed sudo rules worked because I have an "allow_all for admins"
> >>sudo rule that seemed to work, but I wonder if there is an implicit rule
> >>for the special group admins ?
> >>
> >>Because I have tried to replicate this allow_all rule for other user
> >>groups, and it does not seem to work at all.
> >>What's strange is that "sudo -l" reports the appropriate rules, but they do
> >>not work.
> >>
> >>For instance, some users have: (ALL) ALL listed with sudo -l, but they can
> >>not use sudo.
> >>
> >>My user has:
> >>    (root) NOPASSWD: /usr/bin/git status, /usr/local/bin/git status
> >>    (ALL) ALL
> >>    (root) NOPASSWD: /bin/chgrp qbstaff *, /bin/chmod g[+-]* *, /bin/chmod
> >>-R g[+-]* *
> >>    (ALL) NOPASSWD: /usr/bin/less
> >>    (ALL) ALL
> >>
> >>but I'm prompted for a password when doing "sudo /usr/bin/less".
> >>
> >>How can I debug this ?
> >
> >Pavel (CC) has a nice sudo debug howto, maybe it would be helpful?
>
> Hi,
> you are prompted for a password because the (ALL) ALL rule is applied because of
> the last-match rule. See: http://www.sudo.ws/man/1.8.13/sudoers.ldap.man.html
> sudoOrder.

This might be a nice addition to your howto :)
Re: [Freeipa-users] sudo rules do not seem to work
On 10/07/2015 10:03 AM, Jakub Hrozek wrote:
> On Tue, Oct 06, 2015 at 06:28:14PM +0200, Karl Forner wrote:
>> Hello,
>>
>> I had assumed sudo rules worked because I have an "allow_all for admins"
>> sudo rule that seemed to work, but I wonder if there is an implicit rule
>> for the special group admins ?
>>
>> Because I have tried to replicate this allow_all rule for other user
>> groups, and it does not seem to work at all.
>> What's strange is that "sudo -l" reports the appropriate rules, but they do
>> not work.
>>
>> For instance, some users have: (ALL) ALL listed with sudo -l, but they can
>> not use sudo.
>>
>> My user has:
>>     (root) NOPASSWD: /usr/bin/git status, /usr/local/bin/git status
>>     (ALL) ALL
>>     (root) NOPASSWD: /bin/chgrp qbstaff *, /bin/chmod g[+-]* *, /bin/chmod
>> -R g[+-]* *
>>     (ALL) NOPASSWD: /usr/bin/less
>>     (ALL) ALL
>>
>> but I'm prompted for a password when doing "sudo /usr/bin/less".
>>
>> How can I debug this ?
>
> Pavel (CC) has a nice sudo debug howto, maybe it would be helpful?

Hi,
you are prompted for a password because the (ALL) ALL rule is applied because of
the last-match rule. See: http://www.sudo.ws/man/1.8.13/sudoers.ldap.man.html
sudoOrder.
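The last-match behaviour Pavel points at is easy to misread from "sudo -l" output, because the listing shows every rule that applies but not which one wins. The following is an added example (not code from the thread, from sudo, or from FreeIPA/SSSD): a simplified Python model of how sudo's LDAP backend sorts sudoRole entries by sudoOrder and lets the last matching entry set the authentication requirement. The group name qbstaff and the command specs come from the quoted "sudo -l" listing; the rule names, sudoOrder values, the user "karl", the host "host1" and the file argument are constructed for illustration. On a FreeIPA server the equivalent change is made with the `--order` option of `ipa sudorule-mod`.

```python
"""Simplified model of sudo's LDAP rule ordering (constructed example).

Not sudo's or SSSD's code. It models the rule described on the list: entries
are sorted by sudoOrder (ascending) and every matching entry is applied in
turn, so the last matching entry decides whether a password is required.
"""
from fnmatch import fnmatchcase

# Constructed rules mirroring the shape of the sudoRole entries in the thread.
# Rule names (cn) and sudoOrder values are assumptions; the group qbstaff and
# the command specs come from the "sudo -l" output quoted on the list.
RULES_BROKEN = [
    {"cn": "chmod_nopasswd", "sudoUser": ["%qbstaff"], "sudoHost": ["ALL"],
     "sudoRunAsUser": ["root"],
     "sudoCommand": ["/bin/chgrp qbstaff *", "/bin/chmod g[+-]* *",
                     "/bin/chmod -R g[+-]* *"],
     "sudoOption": ["!authenticate"], "sudoOrder": 5},
    {"cn": "less_nopasswd", "sudoUser": ["%qbstaff"], "sudoHost": ["ALL"],
     "sudoRunAsUser": ["ALL"], "sudoCommand": ["/usr/bin/less"],
     "sudoOption": ["!authenticate"], "sudoOrder": 10},
    # The catch-all rule sorts last, so it overrides the NOPASSWD rules above.
    {"cn": "allow_all_qbstaff", "sudoUser": ["%qbstaff"], "sudoHost": ["ALL"],
     "sudoRunAsUser": ["ALL"], "sudoCommand": ["ALL"],
     "sudoOption": [], "sudoOrder": 20},
]


def _user_matches(rule, user, groups):
    for spec in rule["sudoUser"]:
        if spec in ("ALL", user):
            return True
        if spec.startswith("%") and spec[1:] in groups:   # %group syntax
            return True
    return False


def _host_matches(rule, host):
    return any(spec in ("ALL", host) for spec in rule["sudoHost"])


def _command_matches(spec, command):
    """A spec without arguments permits any arguments; a spec with arguments
    is matched as a glob against the arguments actually given."""
    if spec == "ALL":
        return True
    spec_path, _, spec_args = spec.partition(" ")
    cmd_path, _, cmd_args = command.partition(" ")
    if spec_path != cmd_path:
        return False
    return spec_args == "" or fnmatchcase(cmd_args, spec_args)


def evaluate(rules, user, groups, host, command):
    """Return (allowed, needs_password) for one command.

    Matching entries are applied in ascending sudoOrder. Each match resets the
    authentication requirement to that entry's own options (an entry with no
    sudoOption means the default: ask for a password), so the last match wins.
    """
    allowed, needs_password = False, True
    for rule in sorted(rules, key=lambda r: r["sudoOrder"]):
        if not (_user_matches(rule, user, groups) and _host_matches(rule, host)):
            continue
        if not any(_command_matches(s, command) for s in rule["sudoCommand"]):
            continue
        allowed = True
        needs_password = "!authenticate" not in rule["sudoOption"]
    return allowed, needs_password


def with_order(rules, cn, new_order):
    """Return a copy of the rule set with one rule's sudoOrder changed, as
    `ipa sudorule-mod <rule> --order=<n>` would do on the server."""
    return [dict(r, sudoOrder=new_order) if r["cn"] == cn else dict(r)
            for r in rules]


def password_required_for_less(rules):
    """The thread's reproducer, "sudo /usr/bin/less", for a constructed user."""
    return evaluate(rules, "karl", {"qbstaff"}, "host1",
                    "/usr/bin/less /var/log/messages")


if __name__ == "__main__":
    print("catch-all sorted last:", password_required_for_less(RULES_BROKEN))
    fixed = with_order(RULES_BROKEN, "less_nopasswd", 30)
    print("less rule moved after catch-all:", password_required_for_less(fixed))
```

With the constructed ordering the result is `(True, True)`: the command is permitted, but the catch-all rule matched last and re-enabled the password prompt, which is exactly what Karl observes. Raising the sudoOrder of the NOPASSWD rule above the catch-all gives `(True, False)`. The same applies to the chgrp/chmod rule, so every specific rule that should relax a tag set by a broad rule needs a higher sudoOrder than that broad rule.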
Re: [Freeipa-users] sudo rules do not seem to work
On Tue, Oct 06, 2015 at 06:28:14PM +0200, Karl Forner wrote:
> Hello,
>
> I had assumed sudo rules worked because I have an "allow_all for admins"
> sudo rule that seemed to work, but I wonder if there is an implicit rule
> for the special group admins ?
>
> Because I have tried to replicate this allow_all rule for other user
> groups, and it does not seem to work at all.
> What's strange is that "sudo -l" reports the appropriate rules, but they do
> not work.
>
> For instance, some users have: (ALL) ALL listed with sudo -l, but they can
> not use sudo.
>
> My user has:
>     (root) NOPASSWD: /usr/bin/git status, /usr/local/bin/git status
>     (ALL) ALL
>     (root) NOPASSWD: /bin/chgrp qbstaff *, /bin/chmod g[+-]* *, /bin/chmod
> -R g[+-]* *
>     (ALL) NOPASSWD: /usr/bin/less
>     (ALL) ALL
>
> but I'm prompted for a password when doing "sudo /usr/bin/less".
>
> How can I debug this ?

Pavel (CC) has a nice sudo debug howto, maybe it would be helpful?