[opensuse] sudo /etc/sudoers.d/* files being ignored?
Hi,

the following works on all (Leap 42.3 and Leap 15.1) installations, but not on a Leap 42.2 (don't know if version causing the problem). sudo doesn't seem to respect files in /etc/sudoers.d/

# ssh -t sysupdateuser@422machine.swabian.net 'sudo zypper ref'

We trust you have received the usual lecture from the local System Administrator. It usually boils down to these three things:

#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.

root's password:

on all other machines, I do not get prompted for password. do I miss anything?
thank you for any tip

Regards,
Paul

Here's the configuration, which is the same on all servers:

# grep "^\s*[^#\;].*" /etc/sudoers
Defaults always_set_home
Defaults env_reset
Defaults env_keep = "LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS XDG_SESSION_COOKIE"
Defaults !insults
Defaults targetpw # ask for the password of the target user i.e. root
ALL ALL=(ALL) ALL # WARNING! Only use this together with 'Defaults targetpw'!
root ALL=(ALL) ALL
([...] other entries not matching sysupdateuser)

# tail -n 3 /etc/sudoers
## Read drop-in files from /etc/sudoers.d
### (the '#' here does not indicate a comment)
#includedir /etc/sudoers.d

# cat /etc/sudoers.d/sysupdateuser
sysupdateuser ALL = (root) NOPASSWD: /usr/bin/zypper ref -n, /usr/bin/zypper ref, /usr/bin/zypper -n --non-interactive-include-reboot-patches, \
    /usr/bin/zypper up -n, /usr/bin/zypper up, /usr/bin/zypper -n --non-interactive-include-reboot-patches, \
    /usr/bin/zypper patch --with-optional -n, /usr/bin/zypper patch --with-optional, /usr/bin/zypper --with-optional -n --non-interactive-include-reboot-patches, \
    /usr/bin/zypper up -n --with-interactive, /usr/bin/zypper up -n --with-interactive --non-interactive-include-reboot-patches, \
    /usr/bin/zypper patch --with-optional -n --with-interactive, /usr/bin/zypper patch --with-optional -n --with-interactive --non-interactive-include-reboot-patches

# ls -la /etc/sudoers /etc/sudoers.d/
-r--r----- 1 root root 3688 Apr 7 20:20 /etc/sudoers

/etc/sudoers.d/:
total 44
drwxr-x--- 2 root root 4096 Apr 7 20:22 .
drwxr-xr-x 259 root root 24576 Apr 7 20:20 ..
-r--r----- 1 root root 45 Oct 29 2016 check_smart_attributes
-r--r----- 1 root root 146 Oct 29 2016 monitoring-plugins-smart
-r--r----- 1 root root 837 Mar 22 10:42 sysupdateuser

--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org
07.04.2018 21:38, Paul Neuwirth wrote:
> Hi, the following works on all (Leap 42.3 and Leap 15.1) installations, but not on a Leap 42.2 (don't know if version causing the problem). sudo doesn't seem to respect files in /etc/sudoers.d/
>
> # ssh -t sysupdateuser@422machine.swabian.net 'sudo zypper ref'
>
> We trust you have received the usual lecture from the local System Administrator. It usually boils down to these three things:
>
> #1) Respect the privacy of others.
> #2) Think before you type.
> #3) With great power comes great responsibility.
>
> root's password:
>
> on all other machines, I do not get prompted for password. do I miss anything? thank you for any tip
>
> Regards, Paul
>
> Here's the configuration, which is the same on all servers:
>
> # grep "^\s*[^#\;].*" /etc/sudoers
> Defaults always_set_home
> Defaults env_reset
> Defaults env_keep = "LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS XDG_SESSION_COOKIE"
> Defaults !insults
> Defaults targetpw # ask for the password of the target user i.e. root
> ALL ALL=(ALL) ALL # WARNING! Only use this together with 'Defaults targetpw'!
> root ALL=(ALL) ALL
> ([...] other entries not matching sysupdateuser)
>
> # tail -n 3 /etc/sudoers
> ## Read drop-in files from /etc/sudoers.d
> ### (the '#' here does not indicate a comment)
> #includedir /etc/sudoers.d
>
> # cat /etc/sudoers.d/sysupdateuser
> sysupdateuser ALL = (root) NOPASSWD: /usr/bin/zypper ref -n, /usr/bin/zypper ref, /usr/bin/zypper -n
zypper not in /usr/bin? Local alias, script whatever?
> > Hi, the following works on all (Leap 42.3 and Leap 15.1) installations, but not on a Leap 42.2 (don't know if version causing the problem). sudo doesn't seem to respect files in /etc/sudoers.d/
> >
> > # ssh -t sysupdateuser@422machine.swabian.net 'sudo zypper ref'
> >
> > We trust you have received the usual lecture from the local System Administrator. It usually boils down to these three things:
> >
> > #1) Respect the privacy of others.
> > #2) Think before you type.
> > #3) With great power comes great responsibility.
> >
> > root's password:
> >
> > on all other machines, I do not get prompted for password. do I miss anything? thank you for any tip
> >
> > Regards, Paul
> >
> > Here's the configuration, which is the same on all servers:
> >
> > # grep "^\s*[^#\;].*" /etc/sudoers
> > Defaults always_set_home
> > Defaults env_reset
> > Defaults env_keep = "LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS XDG_SESSION_COOKIE"
> > Defaults !insults
> > Defaults targetpw # ask for the password of the target user i.e. root
> > ALL ALL=(ALL) ALL # WARNING! Only use this together with 'Defaults targetpw'!
> > root ALL=(ALL) ALL
> > ([...] other entries not matching sysupdateuser)
> >
> > # tail -n 3 /etc/sudoers
> > ## Read drop-in files from /etc/sudoers.d
> > ### (the '#' here does not indicate a comment)
> > #includedir /etc/sudoers.d
> >
> > # cat /etc/sudoers.d/sysupdateuser
> > sysupdateuser ALL = (root) NOPASSWD: /usr/bin/zypper ref -n, /usr/bin/zypper ref, /usr/bin/zypper -n
>
> zypper not in /usr/bin? Local alias, script whatever?
checked (grep -r zypper /etc/; grep -r zypper /home/sysupdateuser/; which zypper; file /usr/bin/zypper;) without success.

But topic is wrong, as another file in /etc/sudoers.d (nagios' smartctl ...) works.

I now tried 'sudo /usr/bin/zypper ref' - and this does work. weird. on other servers I do not need full path.
Doing 'sudo /usr/bin/which zypper' also shows /usr/bin/zypper.

Issue solved. But still curious why.

Paul
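A simplified model of the rule selection behind the password prompt in this thread, added here as an illustration (not code from the posters or from sudo): a bare command name is first resolved to a full path, and only an exact path-plus-arguments match against the drop-in selects NOPASSWD; anything else falls to the catch-all `ALL ALL=(ALL) ALL` rule, which with `targetpw` asks for root's password. The sysroot, the second zypper location and all function names are constructed, and the example does not establish what differed on the 42.2 machine.

```python
import os
import tempfile

# Constructed, shortened copy of the drop-in's command list from the thread.
NOPASSWD_CMNDS = {"/usr/bin/zypper ref -n", "/usr/bin/zypper ref"}

def resolve(command, search_path, root=""):
    """Map a bare command name to the first executable on search_path.
    `root` is a hypothetical sysroot prefix so the demo never touches /usr."""
    if "/" in command:
        return command  # already qualified: no PATH lookup happens
    for directory in search_path.split(":"):
        logical = os.path.join(directory, command)
        real = root + logical
        if os.path.isfile(real) and os.access(real, os.X_OK):
            return logical
    return None

def decide(argv, search_path, root=""):
    """Simplified model (no wildcards, aliases or other Defaults): an exact
    path+arguments match selects the NOPASSWD entry; anything else falls to
    'ALL ALL=(ALL) ALL', which with targetpw asks for root's password."""
    path = resolve(argv[0], search_path, root)
    if path is None:
        return "command not found"
    invoked = " ".join([path] + list(argv[1:]))
    return "NOPASSWD" if invoked in NOPASSWD_CMNDS else "root's password"

def demo():
    """Constructed sysroot holding an executable zypper in two directories."""
    with tempfile.TemporaryDirectory() as root:
        for directory in ("/usr/bin", "/usr/local/bin"):
            os.makedirs(root + directory)
            target = root + directory + "/zypper"
            with open(target, "w") as handle:
                handle.write("#!/bin/sh\n")
            os.chmod(target, 0o755)
        return {
            "bare, /usr/bin first": decide(["zypper", "ref"], "/usr/bin:/usr/local/bin", root),
            "bare, other dir first": decide(["zypper", "ref"], "/usr/local/bin:/usr/bin", root),
            "full path": decide(["/usr/bin/zypper", "ref"], "/usr/local/bin:/usr/bin", root),
            "extra argument": decide(["zypper", "ref", "-v"], "/usr/bin:/usr/local/bin", root),
        }

if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

On a real host, `sudo -l` run as the affected user lists the fully qualified commands sudo will accept, which is the quickest way to compare two machines.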
participants (2)
- Andrei Borzenkov
- Paul Neuwirth