Thanks for this tutorial..
I'm trying to modify sudoers to allow a script to mount/umount Windows shared folders without prompting for a password.
But even though I carefully read all the how-to, until the last post, I still can't mount any resource from the shell without the sudo command. Here's my sudoers:
Code:
    # /etc/sudoers
    #
    # This file MUST be edited with the 'visudo' command as root.
    #
    # See the man page for details on how to write a sudoers file.
    #

    Defaults env_reset

    # Host alias specification

    # User alias specification

    # Cmnd alias specification

    # User privilege specification
    root ALL=(ALL) ALL

    # Uncomment to allow members of group sudo to not need a password
    # (Note that later entries override this, so you might need to move
    # it further down)
    # %sudo ALL=NOPASSWD: ALL

    # Members of the admin group may gain root privileges
    %admin ALL=(ALL) ALL

    www-data ALL= NOPASSWD: /sbin/reboot, /sbin/halt, /usr/sbin/faxdeluser -f *, /usr/sbin/faxadduser -f * -u * -p * *

    #personalization
    maxi ALL= NOPASSWD: /sbin/reboot, /sbin/halt, /bin/mount
    #end personalization
As you can see, to avoid any typo, I made a copy/paste of the line for the user www-data (added by avantfax, and it's working of course) and modified the new line for the user maxi, but nothing: it doesn't work. When I try a reboot or a mount it still says I need to be root user for that command. Everything seems to be right, here's the output for "sudo -l":
Code:
    Matching Defaults entries for maxi on this host:
        env_reset

    User maxi may run the following commands on this host:
        (ALL) ALL
        (root) NOPASSWD: /sbin/reboot, (root) /sbin/halt, (root) /bin/mount
and of course I've even verified the path (which mount) and the user (echo $USER).
At this point I'm lost and don't know what more to do.
I've been through this thread and can't really find the solution to my (simple) problem.
Here's what I'm trying to achieve:
As "canar" user I want to run a command, let's say "/opt/ocaml/bin/ocaml" as "duck" user
The only way to achieve this is to give "canar" user root permission in sudoers, see below:
Host_Alias LAB = linuxbox
User_Alias LABTRUSTED = canar
Cmnd_Alias LABADMIN = /bin/bash, /bin/su, /bin
LABTRUSTED LAB=(ALL) NOPASSWD: LABADMIN
And run any command:
canar@linuxbox$ sudo -i -u duck 'id'
But basically, this is a huge security hole since canar can run whatever he wants as anyone (including root)
I want to restrict canar user to be able to login as duck user (or as anyone from a given group) without providing root access
Any help would be welcome!
Last edited by canar; April 5th, 2012 at 09:25 PM.
Is it possible to add a command on sudoers with specific parameters?
For instance, I would like to add the iptables command with parameters -L -t nat -xvn to be executed for the user "testuser". I tried the following in visudo but it did not work:
Code:
    testusr ALL=(ALL)NOPASSWD:/sbin/iptables -L -t nat -xvn
Got a syntax error. Any ideas if it is possible to add commands with arguments/parameters?
I have summarized the steps I had gone through in order to successfully add a set of rules to the sudoers configuration. You can see it right here. Enjoy!
I am trying to give sudo login access (without having to enter a password) to 'user1' so that it can log in as 'user2' and run scripts, commands etc. I have made the below entry in the sudoers file:
user1 ALL = (user2) NOPASSWD: ALL
This doesn't work and I still get prompted for a password when I do (as user1)
sudo su - user2
But when I change sudoers file to:
user1 ALL = (ALL) NOPASSWD: ALL
it works. However, this also allows 'user1' to sudo login as super user without a password, which I don't want. Can someone help me fix this?
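An added example (not from the posters and not sudo's own code): a simplified Python model of how a single sudoers user spec is matched, showing that the `(user2)` rule above never covers `sudo su - user2`, because without `-u` the requested target user is root, while the `(ALL)` rules in this post and in canar's post also authorize root. It assumes single-line specs and full command paths; `parse_rule`, `decide`, the `canar ... (duck)` rule and `/home/user2/job.sh` are hypothetical, constructed for illustration.

```python
import re
import shlex

SPEC = re.compile(r"^(\S+)\s+[^\s=]+\s*=\s*(?:\(([^)]*)\))?\s*(NOPASSWD:)?\s*(.+)$")

# Rules quoted in the posts, plus one constructed narrow rule for canar.
USER1_NARROW = "user1 ALL = (user2) NOPASSWD: ALL"
USER1_BROAD = "user1 ALL = (ALL) NOPASSWD: ALL"
CANAR_NARROW = "canar LAB=(duck) NOPASSWD: /opt/ocaml/bin/ocaml"  # constructed


def parse_rule(line):
    """Parse one user spec; a missing "(...)" Runas list means root."""
    user, runas, tag, cmds = SPEC.match(line.strip()).groups()
    return {
        "user": user,
        "runas": [r.strip() for r in (runas or "root").split(",")],
        "nopasswd": tag is not None,
        "cmds": [c.strip() for c in cmds.split(",")],
    }


def target_and_command(argv):
    """Split a sudo command line into (target user, command words)."""
    words = shlex.split(argv)[1:]  # drop the leading "sudo"
    target = "root"                # sudo's default when -u is absent
    if words[:1] == ["-u"]:
        target, words = words[1], words[2:]
    return target, words


def decide(rule_line, invoking_user, argv):
    """Return 'nopasswd', 'password' or 'denied' for this one rule."""
    rule = parse_rule(rule_line)
    target, words = target_and_command(argv)
    if invoking_user != rule["user"] or not words:
        return "denied"
    if "ALL" not in rule["runas"] and target not in rule["runas"]:
        return "denied"  # e.g. "sudo su - user2" asks to run su as root
    if "ALL" not in rule["cmds"] and words[0] not in rule["cmds"]:
        return "denied"
    return "nopasswd" if rule["nopasswd"] else "password"


if __name__ == "__main__":
    for rule, who, argv in [(USER1_NARROW, "user1", "sudo /bin/su - user2"),
                            (USER1_BROAD, "user1", "sudo /bin/bash"),
                            (CANAR_NARROW, "canar", "sudo -u duck /bin/bash")]:
        print(decide(rule, who, argv), "<-", argv, "under", rule)
```

In the model, the narrow rule is satisfied by `sudo -u user2 <command>`, which names user2 as the target instead of asking for root.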
I have joined my Ubuntu desktop to my Server 2003 AD Windows domain and I can successfully log in with domain credentials.
However, domain users and domain admins cannot access sudo commands even with the following in the /etc/sudoer file.
I followed several guides and all of them show the following as acceptable code for giving domain admins/users sudo ability.
Code:
    # Members of the admin group may gain root privileges
    %admin ALL=(ALL) ALL
    %clbei\\domain^admins ALL=(ALL) ALL
    %clbei\\domain^users ALL=(ALL) ALL
Please advise and thank you!
Code:
    uid=1587545172(jasonladmin) gid=1587544577(domain^users) groups=1587544577(domain^users),1587545199(certsvc_dcom_access),1587545333(tatemusers),1587545394(vpn^users),1587546501(sqlserver2005mssqluser$moe$tcm),1587544576(domain^admins),1587545212(wo_po),1587545213(front),1587546508(sqlserver2005sqlbrowseruser$moe),1587546510(sqlserver2005mssqluser$moe$mssqlserver),1587544582(schema^admins),1587544583(enterprise^admins),1587545500(exchange^public^folder^administrators),1587545721(tcm),1587545190(exchange^organization^administrators),1587545191(exchange^recipient^administrators),1587545192(exchange^view-only^administrators)
    jasonladmin@schemp:~$
Last edited by CLWSI; January 9th, 2013 at 04:23 PM.
I'm coming back to this tutorial for the third time already. Thanks, it's great. You made me make an account on the forums