Re: localhost in sudoers

2008-01-20 Thread Chris Whitehouse

Matthew Seaman wrote:


Chris Whitehouse wrote:


I'm not sure what you mean. This computer is on a local network behind a
nat box and doesn't have a dns entry.

%host 192.168.1.71
71.1.168.192.in-addr.arpa domain name pointer eco.config.
%host localhost
localhost has address 127.0.0.1

I think my question really is why doesn't sudoers recognise localhost or
127.0.0.1?


Confusion between the IPv6ish ::1 rather than the IPv4ish 127.0.0.1
perhaps? You can just put the hostname of your machine in the sudoers
file and sudo will query the IP addresses of its interfaces at runtime


This pointed me in the right direction. I had put my hostname against 
127.0.0.1 in /etc/hosts while messing around with trying to get it to 
work and forgot to take it out again - so when I put the hostname in 
sudoers it didn't work.


Thanks

Chris



-- or simply don't use the host based limiting stuff at all: that syntax is
predicated on having the same sudoers file distributed over a number
of machines, which is great for a large site with dozens of servers,
but for a home user it's possibly easier to maintain an individual
sudoers file on each machine you have.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.   7 Priory Courtyard
  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate
  Kent, CT11 9PW
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]





Re: localhost in sudoers

2008-01-20 Thread Chris Whitehouse

Ashish Shukla आशीष शुक्ल wrote:

On Sat, 19 Jan 2008 23:40:35 +, Chris Whitehouse [EMAIL PROTECTED] said:


Chris> I think my question really is why doesn't sudoers recognise localhost
Chris> or 127.0.0.1?

And, BtW, while enumerating network interfaces, it skips those
interfaces which're DOWN or LOOPBACK. If you've more questions, the
quickest way is to checkout source code :) .


Well once you had put the code snippet in front of me I was just about 
able to follow it but unfortunately my coding skills are just about 
zero, so thanks to all the people who answer questions on this list.


Chris




HTH




localhost in sudoers

2008-01-19 Thread Chris Whitehouse

Hi,

If I put my computer's ip address in sudoers a command runs successfully.
If I put localhost I am prompted for a password.


Check I can't run it normally:
%/root/testsudo
/root/testsudo: Permission denied.

Entry in sudoers:
chrisw  192.168.1.71=NOPASSWD:/root/testsudo

%sudo /root/testsudo
hello

Entry in sudoers:
chrisw  localhost=NOPASSWD:/root/testsudo

%sudo /root/testsudo
Password:
chrisw is not allowed to run sudo on eco.  This incident will be reported.
%ping localhost
PING localhost (127.0.0.1): 56 data bytes
64 bytes from 127.0.0.1: icmp_seq=0 ttl=64 time=0.034 ms
64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.021 ms
^C

/var/log/messages says 'user NOT authorized on host'

The problem is this machine gets its ip address by dhcp so I shouldn't 
enter an ip in sudoers. Is there a neat way round this?


Thanks

Chris


Re: localhost in sudoers

2008-01-19 Thread Ashish Shukla आशीष शुक्ल
 Chris Whitehouse writes:

Chris> The problem is this machine gets its ip address by dhcp so I shouldn't
Chris> enter an ip in sudoers. Is there a neat way round this?

Why not use hostname from DNS, instead, hmm...?

HTH
-- 
Ashish Shukla आशीष शुक्ल  http://wahjava.wordpress.com/
·-- ·-  ·--- ·- ···- ·- ·--·-· --· -- ·- ·· ·-·· ·-·-·- -·-· --- --




Re: localhost in sudoers

2008-01-19 Thread Chris Whitehouse

Ashish Shukla आशीष शुक्ल wrote:

Chris Whitehouse writes:


Chris> The problem is this machine gets its ip address by dhcp so I shouldn't
Chris> enter an ip in sudoers. Is there a neat way round this?

Why not use hostname from DNS, instead, hmm...?

HTH


I'm not sure what you mean. This computer is on a local network behind a 
nat box and doesn't have a dns entry.


%host 192.168.1.71
71.1.168.192.in-addr.arpa domain name pointer eco.config.
%host localhost
localhost has address 127.0.0.1

I think my question really is why doesn't sudoers recognise localhost or 
127.0.0.1?


Chris


Re: localhost in sudoers

2008-01-19 Thread Matthew Seaman
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Chris Whitehouse wrote:

> I'm not sure what you mean. This computer is on a local network behind a
> nat box and doesn't have a dns entry.
>
> %host 192.168.1.71
> 71.1.168.192.in-addr.arpa domain name pointer eco.config.
> %host localhost
> localhost has address 127.0.0.1
>
> I think my question really is why doesn't sudoers recognise localhost or
> 127.0.0.1?

Confusion between the IPv6ish ::1 rather than the IPv4ish 127.0.0.1
perhaps? You can just put the hostname of your machine in the sudoers
file and sudo will query the IP addresses of its interfaces at runtime
-- or simply don't use the host based limiting stuff at all: that syntax is
predicated on having the same sudoers file distributed over a number
of machines, which is great for a large site with dozens of servers,
but for a home user it's possibly easier to maintain an individual
sudoers file on each machine you have.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.   7 Priory Courtyard
  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate
  Kent, CT11 9PW
-BEGIN PGP SIGNATURE-
Version: GnuPG v2.0.4 (FreeBSD)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFHksri8Mjk52CukIwRCPfHAJ9m98pQb76ID8leqKRhyHKrzmJnFwCfaVXA
n1hIg4OKpiursIKyu12ICE8=
=jGzw
-END PGP SIGNATURE-


Re: localhost in sudoers

2008-01-19 Thread Ashish Shukla आशीष शुक्ल
 On Sat, 19 Jan 2008 23:40:35 +, Chris Whitehouse [EMAIL PROTECTED] 
 said:

Chris> I think my question really is why doesn't sudoers recognise localhost
Chris> or 127.0.0.1?

Quoting from sudo.c of sudo-1.6.8p12 in init_vars(int) routine:

    /*
     * We avoid gethostbyname() if possible since we don't want
     * sudo to block if DNS or NIS is hosed.
     * host is the (possibly fully-qualified) hostname and
     * shost is the unqualified form of the hostname.
     */
    sudo_user.host_fqdn_queried = FALSE;
    nohostname = gethostname(thost, sizeof(thost));
    if (nohostname)
        user_host = user_shost = "localhost";
    else {
        user_host = estrdup(thost);
        if ((p = strchr(user_host, '.'))) {
            *p = '\0';
            user_shost = estrdup(user_host);
            *p = '.';
        } else {
            user_shost = user_host;
        }
    }

As you can see, it uses gethostname() to return the hostname. So, your
host won't be 'localhost' unless it's not able to retrieve the hostname or
your hostname is set to 'localhost'.

Why they did this probably because any entry for 'localhost' is valid
for execution on all machines, ;) .

HTH
-- 
Ashish Shukla आशीष शुक्ल  http://wahjava.wordpress.com/
·-- ·-  ·--- ·- ···- ·- ·--·-· --· -- ·- ·· ·-·· ·-·-·- -·-· --- --




Re: localhost in sudoers

2008-01-19 Thread Ashish Shukla आशीष शुक्ल
 On Sat, 19 Jan 2008 23:40:35 +, Chris Whitehouse [EMAIL PROTECTED] 
 said:

Chris> I think my question really is why doesn't sudoers recognise localhost
Chris> or 127.0.0.1?

And, BtW, while enumerating network interfaces, it skips those
interfaces which're DOWN or LOOPBACK. If you've more questions, the
quickest way is to check out the source code :) .

HTH
-- 
Ashish Shukla आशीष शुक्ल  http://wahjava.wordpress.com/
·-- ·-  ·--- ·- ···- ·- ·--·-· --· -- ·- ·· ·-·· ·-·-·- -·-· --- --


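The two replies above (the init_vars() snippet, and the note that DOWN and LOOPBACK interfaces are skipped) together explain why a 'localhost' or '127.0.0.1' host field never matches. The following program is an added example, not code from the thread or from sudo itself: it derives host and shost the way the quoted snippet does, applies the DOWN/LOOPBACK rule to this machine's live interface list (which goes a step beyond the quoted fragment), and then shows how a few candidate sudoers host fields would fare. The matching rules in host_entry_matches() and the sample host eco.config / 192.168.1.71 in demo_match() are a simplified model built from the thread's own values, not sudo's exact code.

```c
/* Added example, not from the thread or from sudo's own source: a small
 * model of how sudo decides which host it is running on, built from the
 * two facts the thread states (the name comes from gethostname(), and
 * DOWN or LOOPBACK interfaces are skipped when collecting addresses).
 * host_entry_matches() is a simplification for illustration, not sudo's
 * exact matching logic. */
#define _DEFAULT_SOURCE 1
#include <stdio.h>
#include <string.h>
#include <strings.h>
#include <unistd.h>
#include <net/if.h>
#include <ifaddrs.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>

#define HOST_MAX 256
#define ADDR_MAX 16

/* Unqualified host name ("shost") from the full one, cut at the first '.',
 * as the quoted init_vars() snippet does. */
void split_host(const char *host, char *shost, size_t len)
{
    const char *dot = strchr(host, '.');
    size_t n = dot ? (size_t)(dot - host) : strlen(host);
    if (n >= len)
        n = len - 1;
    memcpy(shost, host, n);
    shost[n] = '\0';
}

/* Would an interface with these flags contribute its address?  DOWN and
 * LOOPBACK interfaces are skipped, so 127.0.0.1 never takes part. */
int iface_eligible(unsigned int flags)
{
    return (flags & IFF_UP) != 0 && (flags & IFF_LOOPBACK) == 0;
}

/* Simplified host-field match (assumption, not sudo's exact code): a
 * dotted-quad entry must equal an eligible interface address; any other
 * entry must equal host or shost, case-insensitively. */
int host_entry_matches(const char *entry, const char *host, const char *shost,
                       const char *const *addrs, size_t naddrs)
{
    struct in_addr tmp;
    if (inet_pton(AF_INET, entry, &tmp) == 1) {
        for (size_t i = 0; i < naddrs; i++)
            if (strcmp(entry, addrs[i]) == 0)
                return 1;
        return 0;
    }
    return strcasecmp(entry, host) == 0 || strcasecmp(entry, shost) == 0;
}

/* Constructed sample mirroring the thread: host eco.config with a single
 * eligible address 192.168.1.71.  Returns 1 when the host field matches. */
int demo_match(const char *entry)
{
    static const char *const addrs[] = { "192.168.1.71" };
    char shost[HOST_MAX];
    split_host("eco.config", shost, sizeof(shost));
    return host_entry_matches(entry, "eco.config", shost, addrs, 1);
}

/* Live check: what sudo would see as host/shost on this machine, which
 * interfaces it would skip, and how some candidate host fields fare. */
int main(void)
{
    char host[HOST_MAX], shost[HOST_MAX];
    char addrs[ADDR_MAX][INET_ADDRSTRLEN];
    const char *addrp[ADDR_MAX];
    size_t naddrs = 0;
    struct ifaddrs *ifa0, *ifa;

    /* Same fallback as the quoted snippet: "localhost" if gethostname() fails. */
    if (gethostname(host, sizeof(host)) != 0)
        strcpy(host, "localhost");
    host[sizeof(host) - 1] = '\0';
    split_host(host, shost, sizeof(shost));
    printf("host=%s shost=%s\n", host, shost);

    if (getifaddrs(&ifa0) == 0) {
        for (ifa = ifa0; ifa != NULL && naddrs < ADDR_MAX; ifa = ifa->ifa_next) {
            if (ifa->ifa_addr == NULL || ifa->ifa_addr->sa_family != AF_INET)
                continue;
            const struct sockaddr_in *sin = (const struct sockaddr_in *)ifa->ifa_addr;
            inet_ntop(AF_INET, &sin->sin_addr, addrs[naddrs], INET_ADDRSTRLEN);
            if (!iface_eligible(ifa->ifa_flags)) {
                printf("skip %-8s %s (down or loopback)\n", ifa->ifa_name, addrs[naddrs]);
                continue;
            }
            printf("use  %-8s %s\n", ifa->ifa_name, addrs[naddrs]);
            addrp[naddrs] = addrs[naddrs];
            naddrs++;
        }
        freeifaddrs(ifa0);
    }

    const char *entries[] = { "localhost", "127.0.0.1", shost, host };
    for (size_t i = 0; i < sizeof(entries) / sizeof(entries[0]); i++)
        printf("sudoers host field '%s' -> %s\n", entries[i],
               host_entry_matches(entries[i], host, shost, addrp, naddrs)
                   ? "match" : "no match");
    return 0;
}
```

Run it on the machine whose sudoers you are editing: the "skip" lines show lo0/lo being dropped before any address comparison takes place, and the last four lines show that 'localhost' and '127.0.0.1' fail while the gethostname()-derived shost and host succeed. That is the practical check behind Matthew's advice to use the hostname rather than an address on a DHCP client.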