Old 12-07-2011, 07:17 AM
Craig White
 
Default sudoers nopasswd screwiness

Can't really explain this behavior.

Don't have the actual contents of the file (I am at home and this
concerns work) but it's /etc/sudoers.d/user and it has something like

Cmnd_Alias SYNC /usr/bin/rsync
user ALL:=NOPASSWD(ALL) SYNC

(this may not be the exact contents)

Anyway, I use puppet on these systems and all of the systems under
puppet control have this exact setup (/etc/sudoers
& /etc/sudoers.d/user) and for that matter, also common-passwd,
common-session, common-auth in /etc/pam.d and the user (like all but the
system users) comes from LDAP. Also, /etc/ldap.conf, /etc/nsswitch.conf
are all handled by puppet and thus are exactly the same from computer to
computer.

On 2 computers, this user is asked for his password in order to run the
rsync command but on other computers, this same user is not. The user is
not included in local groups but rather only in LDAP groups.

/etc/sudoers & /etc/sudoers.d/user are indeed 0440 (again managed by
puppet) so it's not a permission issue on these files.

What else could possibly be at play?

Craig


--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.


--
ubuntu-users mailing list
ubuntu-users@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-users
 
Old 12-07-2011, 03:28 PM
"compdoc"
 
Default sudoers nopasswd screwiness

> Don't have the actual contents of the file (I am at home and this concerns
> work) but it's /etc/sudoers.d/user

I add my username to the /etc/sudoers file and it works, although some stuff
like the Update Manager still asks for a password. But, I think all commands
in the term window work without asking.

username ALL=(ALL:ALL) NOPASSWD:ALL

I've never changed /etc/sudoers.d/user - maybe that's a requirement of
puppet.

With rsync, I want the command to run with the user's permissions and not
with elevated permissions. In any case, rsync should run for anyone without
sudo...







 
Old 12-09-2011, 02:15 AM
Craig White
 
Default sudoers nopasswd screwiness

On Wed, 2011-12-07 at 09:28 -0700, compdoc wrote:
> > Don't have the actual contents of the file (I am at home and this concerns
> > work) but it's /etc/sudoers.d/user
>
> I add my username to the /etc/sudoers file and it works, although some stuff
> like the Update Manager still asks for a password. But, I think all commands
> in the term window work without asking.
>
> username ALL=(ALL:ALL) NOPASSWD:ALL
>
> I've never changed /etc/sudoers.d/user - maybe that's a requirement of
> puppet.
>
> With rsync, I want the command to run with the user's permissions and not
> with elevated permissions. In any case, rsync should run for anyone without
> sudo...
----
sorry - no - but thanks for answering but it seems clear that your
understanding of sudoers/sudoers.d is far short of mine.

of course rsync runs without sudo but can't touch files that are
root:root 0640 and since I am trying to back up configuration files with
this script, this is frequent. I don't really want to run this script as
root for many reasons but this is the same script I use on many other
servers without issue.

It's just 2 particular Ubuntu 10.04 that exhibit this problem though I
am running many others (Ubuntu 10.04) whose LDAP/NSS/PAM are all
completely identical which is assured by puppet. Since /etc/sudoers
and /etc/sudoers.d are also propagated by puppet, I know that they're
identical (not that I didn't check by copying them to a working server
and running diff on them as well as the entire /etc/pam.d directory).

I'm gathering that there's not many sysadmins using LDAP
and /etc/sudoers.d monitoring the list

Craig


 
Old 12-09-2011, 11:06 AM
Marius Gedminas
 
Default sudoers nopasswd screwiness

On Thu, Dec 08, 2011 at 08:15:59PM -0700, Craig White wrote:
> It's just 2 particular Ubuntu 10.04 that exhibit this problem though I
> am running many others (Ubuntu 10.04) whose LDAP/NSS/PAM are all
> completely identical which is assured by puppet. Since /etc/sudoers
> and /etc/sudoers.d are also propagated by puppet, I know that they're
> identical (not that I didn't check by copying them to a working server
> and running diff on them as well as the entire /etc/pam.d directory).

Can you check the permissions of the files and directories
like /etc/sudoers.d as well?

Is the version of sudo the same on all machines?

(Just scraping the bottom of the barrel for suggestions, since I've no
idea why the same sudoers configuration would act differently on
different machines.)

Marius Gedminas
--
"Nuclear war can ruin your whole compile."
-- Karl Lehenbauer
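
Added example (not part of the thread or any poster's message): a shell check for the file and directory permissions asked about above. It also flags drop-in names that sudo's #includedir skips per sudoers(5), those ending in '~' or containing '.'. The function name audit_sudoers_dir and its output labels are illustrative; it assumes GNU stat and the 0440 mode quoted in the thread.

```shell
#!/bin/sh
# Added example: audit a sudoers drop-in directory for files that sudo's
# "#includedir" skips by name, or whose mode/owner differ from what is expected.
# Usage: audit_sudoers_dir [DIR] [EXPECTED_UID]   (defaults: /etc/sudoers.d, 0)
audit_sudoers_dir() {
    dir=${1:-/etc/sudoers.d}
    want_uid=${2:-0}
    problems=0

    [ -d "$dir" ] || { echo "MISSING $dir"; return 2; }
    # Directory mode and owner, for comparing a working host with a failing one.
    echo "DIR $dir mode=$(stat -c '%a' "$dir") uid=$(stat -c '%u' "$dir")"

    for f in "$dir"/* "$dir"/.[!.]*; do
        [ -f "$f" ] || continue
        name=${f##*/}
        case $name in
            *~|*.*)
                # sudoers(5): names ending in '~' or containing '.' are not read.
                echo "SKIPPED $name (name ends in '~' or contains '.')"
                problems=$((problems + 1))
                continue ;;
        esac
        mode=$(stat -c '%a' "$f")
        uid=$(stat -c '%u' "$f")
        if [ "$mode" != 440 ] || [ "$uid" != "$want_uid" ]; then
            echo "BADPERM $name mode=$mode uid=$uid (expected 440, uid $want_uid)"
            problems=$((problems + 1))
        else
            echo "OK $name"
        fi
    done
    # Exit status 0 only when every file would be read and matches the expectation.
    [ "$problems" -eq 0 ]
}
```

Running `audit_sudoers_dir` on a working host and on a failing one and diffing the two outputs shows any difference in names, modes or owners that a content-only diff of the files does not.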
 
Old 12-09-2011, 11:27 AM
Avi Greenbury
 
Default sudoers nopasswd screwiness

Craig White wrote:

> I'm gathering that there's not many sysadmins using LDAP
> and /etc/sudoers.d monitoring the list
>

It certainly looks that way I'm afraid. There is a ubuntu-server list,
which has more chance of containing people with that sort of
experience, though it's incredibly low on traffic so might not prove
any more useful. Worth a shot, though. I'd imagine.

--
Avi

 
Old 12-10-2011, 01:08 AM
Craig White
 
Default sudoers nopasswd screwiness

On Fri, 2011-12-09 at 14:06 +0200, Marius Gedminas wrote:
> On Thu, Dec 08, 2011 at 08:15:59PM -0700, Craig White wrote:
> > It's just 2 particular Ubuntu 10.04 that exhibit this problem though I
> > am running many others (Ubuntu 10.04) whose LDAP/NSS/PAM are all
> > completely identical which is assured by puppet. Since /etc/sudoers
> > and /etc/sudoers.d are also propagated by puppet, I know that they're
> > identical (not that I didn't check by copying them to a working server
> > and running diff on them as well as the entire /etc/pam.d directory).
>
> Can you check the permissions of the files and directories
> like /etc/sudoers.d as well?
----
I did before I checked the list but puppet asserts the permissions
of /etc/sudoers & /etc/sudoers.d/user and they are indeed 0440
----
>
> Is the version of sudo the same on all machines?
---
it is - they are all 10.04 and the same pkg version
----
> (Just scraping the bottom of the barrel for suggestions, since I've no
> idea why the same sudoers configuration would act differently on
> different machines.)
----
sort of where I am at this point and in the meantime, I've copied the
lines from /etc/sudoers.d/user into /etc/sudoers and commented them
in /etc/sudoers.d/user (apparently sudo is very unhappy to have
identical rules) and I'm at least functional but still scratching my head.

Thanks

Craig


 
Old 12-10-2011, 01:09 AM
Craig White
 
Default sudoers nopasswd screwiness

On Fri, 2011-12-09 at 12:27 +0000, Avi Greenbury wrote:
> Craig White wrote:
>
> > I'm gathering that there's not many sysadmins using LDAP
> > and /etc/sudoers.d monitoring the list
> >
>
> It certainly looks that way I'm afraid. There is a ubuntu-server list,
> which has more chance of containing people with that sort of
> experience, though it's incredibly low on traffic so might not prove
> any more useful. Worth a shot, though. I'd imagine.
----
I did just that (subscribed to the list and asked them)

I'll see if anyone has something I haven't checked on Monday.

Thanks

Craig


 
Old 12-10-2011, 01:47 PM
"compdoc"
 
Default sudoers nopasswd screwiness

> sort of where I am at this point and in the meantime, I've copied the
> lines from /etc/sudoers.d/user into /etc/sudoers and commented them in
> /etc/sudoers.d/user (apparently sudo is very unhappy to have identical
> rules) and I'm at least functional but still scratching my head.

Funny how that worked out...


 
Old 12-10-2011, 05:09 PM
Craig White
 
Default sudoers nopasswd screwiness

On Sat, 2011-12-10 at 07:47 -0700, compdoc wrote:
> > sort of where I am at this point and in the meantime, I've copied the
> > lines from /etc/sudoers.d/user into /etc/sudoers and commented them in
> > /etc/sudoers.d/user (apparently sudo is very unhappy to have identical
> > rules) and I'm at least functional but still scratching my head.
>
> Funny how that worked out...
----
not really because this forces me to put this 'rule' into all the
systems.

not really because this occurred only on 2 specific servers while other
servers worked fine with the same 'rule' in /etc/sudoers.d/user

not really because the whole notion of idempotence
http://en.wikipedia.org/wiki/Idempotence
and considering that these servers all have a base install with just
openssh-server package added and the rest of the packages installed from
the same puppet manifests, it makes me wonder about the consistency of
Ubuntu.

so while you are trying to score some victory over useless advice such
as putting this rule in /etc/sudoers where it's clear from the man page
that entries in /etc/sudoers.d/some_file should equally function and
actually **sometimes** does and **sometimes** doesn't is clearly a bug
and is indicative of a larger issue at hand. Not to mention your
suggestion of giving sudo privileges "ALL=(ALL:ALL) NOPASSWD:ALL" which
is the kind of thing that you do on a single user system and would be
incredibly foolish on a series of network servers. Not to mention your
suggestion that rsync doesn't need sudo privileges which of course
ignores the obvious problem that sudo is invoked because the user isn't
capable of accessing some of the files/folders without it so I guess
that the only other useless advice you didn't offer is why didn't I just
run the script as root instead.

Thanks

Craig


 
