Re: [Freeipa-users] Sudo rule processing order

Fri, 10 Jan 2014 07:57:37 -0800 

Yes, you would expect that to help, wouldn't you :-)

Didn't even know this existed. Thanks for that.

User has 3 sudo rules. I have set the allow_all rule to 1, the second rule
to 2 and the cobbler (with the "!authenticate" option) rule to 99:

User ******** may run the following commands on this host:
    (root) ALL
    (root) /bin/cat, /bin/egrep, /bin/find, /bin/grep, /bin/ls, /bin/more,
/usr/bin/less, !/bin/su
    (root) NOPASSWD: /usr/bin/cobbler
    (root) !/bin/su

Nope. Didn't help.

Fred

On Fri, Jan 10, 2014 at 3:59 PM, Martin Kosek <mko...@redhat.com> wrote:

> On 01/10/2014 11:52 AM, Fred van Zwieten wrote:
> > Hi,
> >
> > I have a sudo rule in IPA that has the !authenticate option added to
> enable
> > admins to execute certain programs as root without authentication.
> >
> > It doesn't work. There is another rule for the admins that allow all
> > commands as long as they give their password.
> >
> > In a sudoers file, you can solve this by specifing the nopasswd rule as
> > last.
> >
> > sudo -l from an IPA-client gives me this:
> >
> > *******@svr001 ~]$ sudo -l
> > Matching Defaults entries for ******* on this host:
> >     requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS
> >     DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL
> PS1
> >     PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE
> >     LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY
> >     LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL
> >     LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
> >     secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
> >
> > User ******** may run the following commands on this host:
> >     (root) NOPASSWD: ALL
> >     (root) /bin/cat, /bin/egrep, /bin/find, /bin/grep, /bin/ls,
> /bin/more,
> >     /usr/bin/less, !/bin/su
> >     (root) NOPASSWD: /usr/bin/cobbler
> >     (root) !/bin/su
> >
> > I want the cobbler command to run without password authentication. What
> am
> > I doing wrong?
> >
>
> Would setting SUDO rule order help?
>
> # ipa sudorule-mod -h
> ...
>   --order=INT           integer to order the Sudo rules
> ...
>
> Martin
>
>

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to