Results 1 to 6 of 6

Thread: Peculiar case of sudoers, it seems to be ignored by the system.

  1. #1
    Join Date
    Apr 2007
    Beans
    891
    Distro
    Ubuntu 10.04 Lucid Lynx

    Peculiar case of sudoers, it seems to be ignored by the system.

    I have a redhat enterprise linux that I am trying to configure for sudo, it is a personal machine and I dont care that much about relaxing the security settings.

    I have the following two users, one is member of sba and teel groups and the other one is member sba group:

    Code:
    pre: sba, teel
    mtpre: sba
    Now I want to give sudo permissions to these two users so that they could execute any command using sudo without the need to specify a password. To do so I edited the /etc/sudoers file (it was not present at the beginning, I created the file) and added the following lines to it:

    Code:
    bash-4.1$ sudo cat /etc/sudoers
    Password:
    
    %admin ALL=(ALL) NOPASSWD: ALL
    
    %teel ALL=(ALL) NOPASSWD: ALL
    
    %sudo ALL=(ALL) NOPASSWD: ALL
    
    %sba ALL=(ALL) NOPASSWD: ALL
    
    mtpre ALL=(ALL) NOPASSWD: ALL
    
    pre ALL=(ALL) NOPASSWD: ALL
    
    
    bash-4.1$

    The mtpre user can use sudo but need to enter password when using sudo and the pre user cannot use sudo at all.

    Code:
    [pre@machine1 ~]$ sudo cat /etc/sudoers
    Sorry, user pre is not allowed to execute '/bin/cat /etc/sudoers' as root on machine1.
    If I do a ls -al using the mtpre for the sudoers file I get:

    Code:
    bash-4.1$  ls -al /etc/sudoers
    -r--r----- 1 root root 519 Mar 30 23:05 /etc/sudoers
    Do you see any problem in the sudoers file (I used visudo to edit it and I am sure that syntactically it is fine as visudo did not complain about it) or anywhere that can cause this peculiar issue? Do you know any solution or any means of diagnosing the problem?

    Thank you.
    Ubuntu 10.04
    ATI 3470
    4 GB RAM.

  2. #2
    Join Date
    Feb 2013
    Beans
    Hidden!

    Re: Peculiar case of sudoers, it seems to be ignored by the system.

    TBH, this seems pretty overengineered to me. What exactly are you trying to achieve? Are there other members of the listed groups (admin, sudo, teel, sba) that should have full sudo permissions? Why would the following not be enough?
    Code:
    Defaults always_set_home
    pre,mtpre ALL=(ALL:ALL) NOPASSWD: ALL
    If this doesn't work, check the SELinux context of your users.
    Code:
    /usr/sbin/semanage login -l
    id -Z pre
    id -Z mtpre
    To be able to use sudo, both users should be unconfined_u and belong to the unconfined_t domain. If they are in the staff_t domain, you can still allow them to sudo by adjusting the settings in /etc/sudoers accordingly.
    Last edited by schragge; March 31st, 2013 at 01:38 PM.

  3. #3
    Join Date
    Apr 2007
    Beans
    891
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: Peculiar case of sudoers, it seems to be ignored by the system.

    Thanks for the reply.

    I tried using the two lines you provided for the sudo and the result was some conflicts because the visudo didnt let me save the content. Then I changed it to the following and I managed to save it.

    Code:
    Defaults always_set_home
    pre,mtpre ALL=(ALL) NOPASSWD: ALL
    I foundout that SELinux was disabled so I enabled SELinux as explained here: https://access.redhat.com/knowledge/...g_SELinux.html

    and then tried executing your suggested commands:

    Code:
    bash-4.1$ /usr/sbin/semanage login -l
    /usr/sbin/semanage: SELinux policy is not managed or store cannot be accessed.
    bash-4.1$ id -Z
    unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
    The id -Z reruns the same output for both users.

    The problem still exist and I cannot do something like the following:

    Code:
    [pre@machine1 ~]$ sudo cat /etc/sudoers
    Sorry, user pre is not allowed to execute '/bin/cat /etc/sudoers' as root on machine1.

    Any idea what else can I try to findout what is the problem?

    Thanks.
    Ubuntu 10.04
    ATI 3470
    4 GB RAM.

  4. #4
    Join Date
    Jul 2007
    Location
    Magic City of the Plains
    Beans
    Hidden!
    Distro
    Xubuntu 15.04 Vivid Vervet

    Re: Peculiar case of sudoers, it seems to be ignored by the system.

    Moved to Other OS/Distro Talk.

  5. #5
    Join Date
    Feb 2013
    Beans
    100

    Re: Peculiar case of sudoers, it seems to be ignored by the system.

    Would you not also have to "usermod -a -G wheel" pre and mtpre in addition to what you've put in the sudoers file?

  6. #6
    Join Date
    Feb 2013
    Beans
    Hidden!

    Re: Peculiar case of sudoers, it seems to be ignored by the system.

    @iamkuriouspurpleoranj I guess this would make more sense if /etc/sudoers contained
    Code:
    %wheel        ALL=(ALL)       NOPASSWD: ALL
    @legolas_w Hmm, strange. Try this
    Code:
    Defaults always_set_home
    root ALL=(ALL) ALL
    pre, mtpre ALL=(root) TYPE=unconfined_t ROLE=unconfined_r NOPASSWD: ALL
    It explicitly states that users pre and mtpre should be able to run ALL command on ALL hosts as root, but they won't be able to assume other users' identities. I also added the root user, and specified SELinux type and role, just in case.

    Also, look at the output of sudo -l for your users:
    Code:
    sudo -U pre -l
    Are there any sudo-related messages in /var/log/messages?
    Last edited by schragge; March 31st, 2013 at 09:17 PM.

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •