[Bug 617710] New: sudoers file / visudo doesn't work as intended - still prompts for password when commands are executed with sudo
http://bugzilla.novell.com/show_bug.cgi?id=617710
http://bugzilla.novell.com/show_bug.cgi?id=617710#c0

Summary: sudoers file / visudo doesn't work as intended - still prompts for password when commands are executed with sudo
Classification: openSUSE
Product: openSUSE 11.2
Version: Final
Platform: x86-64
OS/Version: openSUSE 11.2
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Other
AssignedTo: bnc-team-screening@forge.provo.novell.com
ReportedBy: novell.xq0@gishpuppy.com
QAContact: qa@suse.de
Found By: ---
Blocker: ---
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-GB; rv:1.9.1.9) Gecko/20100317 SUSE/3.5.9-0.1.1 Firefox/3.5.9

Normally, statements can be added to /etc/sudoers (using visudo) so that the command(s) can be executed with sudo without being prompted for the password. However, this is not the case, as one still gets prompted for the password. Specifically, this only affects programs present in /sbin or /usr/sbin, provided "ALL" is used instead of "localhost".

Taking the example in the default sudoers file, the line:

%users localhost=/sbin/shutdown -h now

should result in the local user being able to execute the "shutdown -h now" command, using sudo, without being prompted for the password. However, this doesn't happen.
Some users report that changing the "localhost" to "ALL" works:

%users ALL=/sbin/shutdown -h now

However, this only works when the program is not located in /sbin or /usr/sbin.

Also, the other variations which I tried, and which don't work either, are:

%users ALL=NOPASSWD: /sbin/shutdown -h now
%users ALL=(ALL) NOPASSWD: /sbin/shutdown -h now
username ALL=NOPASSWD: /sbin/shutdown -h now
username ALL=(ALL) NOPASSWD: /sbin/shutdown -h now

So to summarise, there are two issues here:
1) Programs in /sbin and /usr/sbin cannot be sudo'ed without being prompted for the password.
2) Programs located outside of the above paths can be sudo'ed without the password, IF and only if the "localhost" property is replaced with ALL (or similar).

Reproducible: Always

Steps to Reproduce:
1. As the root user, edit /etc/sudoers and uncomment the example statement "%users localhost=/sbin/shutdown -h now"
2. Save and exit
3. As a non-root user, execute the statement "sudo /sbin/shutdown -h now"

Actual Results: The user is prompted for root's password.

Expected Results: The program should have been executed without being prompted for the password.

Tested on OpenSUSE 11.2 KDE4 x86_64 with all standard updates.

-- Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
--- Comment from yang xiaoyu
--- Comment from Petr Uzel
--- Comment #1 from Petr Uzel
> Some users report that changing the "localhost" to "ALL" works:
> %users ALL=/sbin/shutdown -h now
"localhost" in sudoers won't work (I'll fix this in the default sudoers file in Factory). Either use the 'real' hostname (output of hostname(1)) or ALL. Anything other than ALL might make sense only if the sudoers file is shared across multiple computers. See http://unix.derkeiler.com/Mailing-Lists/FreeBSD/questions/2008-01/msg01081.h... for more details.
> Also, the other variations which I tried don't work either, are:
> %users ALL=NOPASSWD: /sbin/shutdown -h now
This ^^^ works for me (it does not require password). Could you please check it once again?

Tips:
- is the user in the users group?
- remember to save and _exit_ the editor after running visudo and doing changes (saving without exit is not enough)
- verify with 'sudo -l' (as user)
--- Comment #3 from Petr Uzel
> This ^^^ works for me (it does not require password). Could you please check it once again?

Some One: ping ^^^
--- Comment #4 from Stephan Kleine
--- Comment #5 from Petr Uzel
> "$my_login ALL = NOPASSWD: /usr/bin/build" works for me.
> If I got the docs right "localhost" should work too and differentiate between locally logged in users and e.g. those logged in via ssh.
Where exactly do you read that "localhost" in /etc/sudoers differentiates between locally logged-in users and others? I can't find any mention of it in the official sudo documentation; however, it seems that it is a common misunderstanding (e.g. http://www.gentoo.org/doc/en/sudo-guide.xml [or is it a Gentoo-specific patch?]). I admit I'm not completely sure about this, so I'll ask on the upstream mailing list and link the reply here.
--- Comment #6 from Stephan Kleine
--- Comment #7 from Some One
(In reply to comment #1)
> This ^^^ works for me (it does not require password). Could you please check it once again?
> Some One: ping ^^^
Sorry, it doesn't work, even with the $my_login example above. Note that it doesn't work for "/sbin/shutdown -h now" but "/usr/sbin/parted" for example works fine. On the other hand, "/sbin/fdisk -l" doesn't work.
--- Comment #8 from Petr Uzel
> I admit I'm not completely sure about this, so I'll ask on upstream mailing list and link the reply here.
http://www.sudo.ws/pipermail/sudo-users/2010-July/004439.html
> Sorry, it doesn't work, even with the $my_login example above. Note that it doesn't work for "/sbin/shutdown -h now" but "/usr/sbin/parted" for example works fine. On the other hand, "/sbin/fdisk -l" doesn't work.

I'll check again.
--- Comment #9 from Petr Uzel
> Sorry, it doesn't work, even with the $my_login example above. Note that it doesn't work for "/sbin/shutdown -h now" but "/usr/sbin/parted" for example works fine. On the other hand, "/sbin/fdisk -l" doesn't work.
OK, I tried once again.

1/ test ALL = NOPASSWD: /sbin/fdisk

This allows user 'test' to run

~> sudo /sbin/fdisk

with whatever fdisk arguments. Password is not required.

2/ test ALL = NOPASSWD: /sbin/fdisk -l

This allows user 'test' to run

~> sudo /sbin/fdisk -l

without being prompted for password. Note that e.g.

~> sudo /sbin/fdisk -l /dev/sda

will require the password. To quote sudoers(5):
-----
If a Cmnd has associated command line arguments, then the arguments in the Cmnd must match exactly those given by the user on the command line (or match the wildcards if there are any).
-----

3/ test ALL = NOPASSWD: /sbin/shutdown -h now

~> /sbin/shutdown -h now

shuts down the system without having to type in the password.

If it still does not work for you, then please reopen this bug and attach your /etc/sudoers (or send it to me via email: puzel@suse.cz). Thanks
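The two matching rules that explain this thread, host matching from comment #1 ("localhost" only matches a machine actually named localhost; use the real hostname or ALL) and argument matching from comment #9 (a Cmnd with arguments matches only that exact argument string), can be checked without touching a live sudoers file. The script below is an added example written for this page; it is not code from the bug report, from openSUSE or from the sudo project, and it does not call sudo. It models only plain string comparison: wildcards, IP/network entries, netgroups and the fqdn option are deliberately not covered (assumptions stated in the comments).

```shell
#!/bin/sh
# Added example (not from the bug thread or the sudo project): a small model
# of two sudoers(5) matching rules, so the behaviour in comments #1 and #9 can
# be reasoned about offline. Simplifications: no wildcards, no IP/netgroup
# host entries, no fqdn option; arguments compare as the plain text after the
# first space.

# sudoers_host_matches HOST_ENTRY THIS_HOST
# Returns 0 when a Host_List entry applies to a machine named THIS_HOST.
# "localhost" is just a name like any other: it matches only if the machine
# is literally called localhost, which is why the default line never fired.
sudoers_host_matches() {
    entry=$1
    this_host=$2
    [ "$entry" = "ALL" ] && return 0
    [ "$entry" = "$this_host" ] && return 0
    return 1
}

# split_cmd STRING -> sets g_cmd (first word) and g_args (everything after
# the first space, or empty when there are no arguments).
split_cmd() {
    g_cmd=${1%% *}
    if [ "$g_cmd" = "$1" ]; then
        g_args=""
    else
        g_args=${1#* }
    fi
}

# sudoers_cmnd_matches CMND_SPEC TYPED_CMDLINE
# Returns 0 when the command line typed after "sudo" matches the Cmnd.
sudoers_cmnd_matches() {
    split_cmd "$1"; spec_cmd=$g_cmd;  spec_args=$g_args
    split_cmd "$2"; typed_cmd=$g_cmd; typed_args=$g_args

    # The command path must be identical (sudo compares resolved paths).
    [ "$spec_cmd" = "$typed_cmd" ] || return 1
    # Cmnd without arguments: any arguments the user supplies are accepted.
    [ -z "$spec_args" ] && return 0
    # Cmnd ending in "" : the command may only be run with no arguments.
    if [ "$spec_args" = '""' ]; then
        [ -z "$typed_args" ] && return 0
        return 1
    fi
    # Cmnd with arguments: the user's arguments must match exactly.
    [ "$spec_args" = "$typed_args" ]
}

# Demo over the cases discussed in the thread (constructed, not real output).
show_cmnd() {
    if sudoers_cmnd_matches "$1" "$2"; then
        verdict="NOPASSWD rule matches"
    else
        verdict="NOPASSWD rule does NOT match"
    fi
    printf '%-26s  %-26s  %s\n' "$1" "$2" "$verdict"
}

demo() {
    this_host=$(hostname 2>/dev/null) || this_host="example-host"
    for entry in localhost ALL "$this_host"; do
        if sudoers_host_matches "$entry" "$this_host"; then
            printf 'host entry %-14s applies on %s\n' "$entry" "$this_host"
        else
            printf 'host entry %-14s does NOT apply on %s\n' "$entry" "$this_host"
        fi
    done
    show_cmnd "/sbin/fdisk"            "/sbin/fdisk -l /dev/sda"
    show_cmnd "/sbin/fdisk -l"         "/sbin/fdisk -l"
    show_cmnd "/sbin/fdisk -l"         "/sbin/fdisk -l /dev/sda"
    show_cmnd "/sbin/shutdown -h now"  "/sbin/shutdown -h now"
    show_cmnd '/usr/bin/build ""'      "/usr/bin/build"
    return 0
}

demo
```

The same rules are what `sudo -l`, the check suggested in comment #1, reports from the real file: if the listed entry is `(root) NOPASSWD: /sbin/fdisk -l` and the user types `sudo /sbin/fdisk -l /dev/sda`, the NOPASSWD entry does not apply, exactly as `sudoers_cmnd_matches` returns 1 above.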
--- Comment #10 from Some One
--- Comment #11 from Some One
--- Comment #12 from Petr Uzel
> Created an attachment (id=377747) --> (http://bugzilla.novell.com/attachment.cgi?id=377747) My sudoers file.

Works fine here (with s/dexter/mylogin)

> The examples in the last comment don't work for me. And for some reason, the commands that worked for me earlier (eg: parted) no longer work!
Something weird is happening there. What are the _exact_ commands (whole cmdline please) that fail? (with the sudoers file you posted). Please provide:
1/ rpm -q sudo
2/ output of 'sudo -l' (as user dexter)
3/ /var/log/messages (after sudo wants you to type the password when it should not want to).
Thanks
--- Comment #13 from Petr Uzel
> 3/ test ALL = NOPASSWD: /sbin/shutdown -h now
> ~> /sbin/shutdown -h now
Of course this should read "sudo /sbin/shutdown -h now".
> shuts down the system without having to type in the password.
--- Comment #14 from Some One
--- Comment #15 from Petr Uzel
> That explains it! I was actually typing just the name of the binary, never knew that the whole path has to be specified!

Yes, the full path is needed if the binary is in a directory which is not in your $PATH.
> So I think the only actual bug is that "localhost" doesn't work.

As explained in the link in comment #8: this is not a bug, but a common misunderstanding about how "localhost" in sudoers works (or rather does not work).
1. The upstream developer added a short note to sudoers(5) that should help to avoid this confusion.
2. After all, I'm not going to fix the default /etc/sudoers in 11.[23] (not severe enough for a maintenance update). It will be fixed in 11.4.
> Thanks for your patience in clearing up this confusion.

I'm glad it helped.