
Thread: sudoers - NOPASSWD tag not nopasswd-ing

  1. #1
    Join Date
    Jun 2008
    Location
    Montréal
    Beans
    17
    Distro
    Ubuntu Development Release

    sudoers - NOPASSWD tag not nopasswd-ing

    Trying to add access to a normal user to append to iptables (it's for intrusion detection, since this machine is too small to run snort or fail2ban).

    I'm having trouble getting a user to launch a command without being prompted for their password interactively.

    Here's /etc/sudoers :
    Code:
    Defaults    requiretty
    Defaults    env_reset
    root	ALL=(ALL) 	ALL
    Cmnd_Alias BLACKLIST_ADD = /usr/sbin/iptables -A BLACKLIST -s [0-9.]* -j REFUSE
    moses ALL = NOPASSWD: BLACKLIST_ADD
    In another terminal on the same host, as user 'moses' I attempt the command, and I'm prompted for a password:
    Code:
    [moses@nepeta ~]$ sudo /usr/sbin/iptables -A BLACKLIST -s 210.216.230.203 -j REFUSE
    [sudo] password for moses:
    What am I doing wrong here?

  2. #2
    Join Date
    Apr 2006
    Location
    Montana
    Beans
    Hidden!
    Distro
    Kubuntu Development Release

    Re: sudoers - NOPASSWD tag not nopasswd-ing

    It should just be

    Code:
    Cmnd_Alias BLACKLIST_ADD = /usr/sbin/iptables
    I do not think you can add all those options.
    There are two mistakes one can make along the road to truth...not going all the way, and not starting.
    --Prince Gautama Siddharta

    #ubuntuforums web interface

  3. #3
    Join Date
    Jun 2008
    Location
    Montréal
    Beans
    17
    Distro
    Ubuntu Development Release

    Re: sudoers - NOPASSWD tag not nopasswd-ing

    Quote Originally Posted by bodhi.zazen View Post
    It should just be
    '/usr/sbin/iptables' I do not think you can add all those options.
    'man 5 sudoers' says I can. Read for yourself:

    A Cmnd_List is a list of one or more commandnames, directories, and
    other aliases. A commandname is a fully qualified filename which may
    include shell-style wildcards (see the Wildcards section below). A
    simple filename allows the user to run the command with any arguments
    he/she wishes. However, you may also specify command line arguments
    (including wildcards). Alternately, you can specify "" to indicate
    that the command may only be run without command line arguments.

    Cmnd_List ::= Cmnd | Cmnd ',' Cmnd_List

    commandname ::= filename | filename args | filename '""'

    Cmnd ::= '!'* commandname | '!'* directory | '!'* "sudoedit" | '!'* Cmnd_Alias
    So it should be possible. Although, in the dozen example /etc/sudoers files I've seen, I've never seen someone specify the arguments. That's really weird to me, since it seems like an efficient way of making sure the user doesn't pass bad parameters when they have root access.

    This is why I'm asking the forum: after an hour and a half of reading, I don't have an example of this feature being used, only described over and over again.
    Last edited by Mozai; May 8th, 2011 at 07:23 PM. Reason: spelling

  4. #4
    Join Date
    Jun 2008
    Location
    Montréal
    Beans
    17
    Distro
    Ubuntu Development Release

    Re: sudoers - NOPASSWD tag not nopasswd-ing

    Found it. There can't be a space between the tags and the command (or command alias).

    Thus 'moses ALL=NOPASSWD: BLACKLIST_ADD' is wrong
    and 'moses ALL=NOPASSWD:BLACKLIST_ADD' is right.
    (oh, and I had the wrong path for iptables, but that has nothing to do with /etc/sudoers)
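    An added example (not from this thread or from sudo): instead of granting the wildcarded iptables pattern directly, grant a small wrapper that validates the one argument it accepts. sudoers(5) matches command line arguments as a single space-joined string, so a `*` in the Cmnd_Alias can span more than one argument; a wrapper keeps the allowed action exact. The wrapper path and the /sbin/iptables location are assumptions; the chain, target and alias names come from the thread.

```shell
#!/bin/sh
# Added example: wrapper to be granted in sudoers instead of a wildcarded
# iptables argument pattern. Assumed sudoers lines (tag directly before the alias):
#   Cmnd_Alias BLACKLIST_ADD = /usr/local/sbin/blacklist-add
#   moses ALL = NOPASSWD:BLACKLIST_ADD
IPTABLES=/sbin/iptables   # assumption: location of iptables on this host

# Return 0 only for a plain dotted-quad IPv4 address (four octets, each 0-255).
valid_ipv4() {
    addr=$1
    # Anything but digits and dots, or an empty/doubled field, is rejected up front.
    case $addr in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    oldifs=$IFS; IFS=.
    set -- $addr
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# The exact argument list iptables will receive; only a validated address is
# ever interpolated, so no extra flags can ride along with it.
blacklist_args() {
    valid_ipv4 "$1" || return 1
    printf '%s\n' "-A BLACKLIST -s $1 -j REFUSE"
}

# Entry point when invoked with an argument (with none, the file only defines
# the functions above so they can be sourced and tested).
if [ $# -ge 1 ]; then
    [ $# -eq 1 ] || { echo "usage: $0 IPv4-address" >&2; exit 2; }
    valid_ipv4 "$1" || { echo "rejected: $1 is not a plain IPv4 address" >&2; exit 1; }
    exec "$IPTABLES" -A BLACKLIST -s "$1" -j REFUSE
fi
```

Install it root-owned and non-writable by the user, then check the grant with `sudo -l -U moses` and the file with `visudo -cf` before it goes live.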

  5. #5
    Join Date
    Apr 2006
    Location
    Montana
    Beans
    Hidden!
    Distro
    Kubuntu Development Release

    Re: sudoers - NOPASSWD tag not nopasswd-ing

    Glad you got it sorted. Syntax errors can be frustrating.

    Use visudo; it checks for such things.

    You raise a good point re: options, I learned something.

    It is useful, but rare, that people give restricted root access, thus not all the various options are well known.
