sudoer not allowing only ALL as commands to user on some systems
up vote
0
down vote
favorite
I am seeing a strange behavior related to sudo on a specific set of systems but not on others.
I am not sure If there is some specific configuration change required here, which is missing.
The sudoer configuration is to enable non root users (I have used testuser in below example)
to install and setup the product packages. The Operating system is SUSE 12.
Following is the behavior seen on problematic scenario:
1.) Initially when sudoers is not configured we get something like this:
# sudo -l -U testuser
User testuser is not allowed to run sudo on <node>.
2.) Next if we create the /etc/sudoers.d/prodtest_install file:
Cmnd_Alias PROD_NODEKITS = /usr/bin/zypper --non-interactive --repo local --no-gpg-checks install org_prod_test.rpm,
/usr/bin/zypper --non-interactive --repo local --no-gpg-checks install org_prod_pkg1.rpm,
/usr/bin/zypper --non-interactive --repo local --no-gpg-checks install org_prod_pkg2.rpm,
/usr/bin/zypper --non-interactive --repo local --no-gpg-checks install pkg3.rpm
Cmnd_Alias PROD_NODESETUP = /opt/org/prod/test/bin/prod-setup
testuser ALL=(root) NOPASSWD: PROD_NODEKITS
testuser ALL=(root) NOPASSWD: PROD_NODESETUP
Defaults!PROD_NODEKITS !requiretty
Defaults!PROD_NODESETUP !requiretty
Still we see something like:
# sudo -l -U testuser
User testuser is not allowed to run sudo on <node>.
testuser is also not able to use any of the above commands:
ie. say:
# sudo /usr/bin/zypper --non-interactive --repo local --no-gpg-checks install pkg3.rpm
will not work and asks for user passwords and even if we enter passwords the command does not go through.
3.) But, if we add 2 extra lines "testuser ALL=(root) NOPASSWD: ALL" and "testuser ALL=(ALL) ALL" to allow all commands in /etc/sudoers.d/prodtest_install:
Cmnd_Alias PROD_NODEKITS = /usr/bin/zypper --non-interactive --repo local --no-gpg-checks install org_prod_test.rpm,
/usr/bin/zypper --non-interactive --repo local --no-gpg-checks install org_prod_pkg1.rpm,
/usr/bin/zypper --non-interactive --repo local --no-gpg-checks install org_prod_pkg2.rpm,
/usr/bin/zypper --non-interactive --repo local --no-gpg-checks install pkg3.rpm
Cmnd_Alias PROD_NODESETUP = /opt/org/prod/test/bin/prod-setup
testuser ALL=(root) NOPASSWD: PROD_NODEKITS
testuser ALL=(root) NOPASSWD: ALL
testuser ALL=(ALL) ALL
testuser ALL=(root) NOPASSWD: PROD_NODESETUP
Defaults!PROD_NODEKITS !requiretty
Defaults!PROD_NODESETUP !requiretty
Then we see something like this:
# sudo -l -U testuser
Matching Defaults entries for testuser on <node>:
always_set_home, secure_path=/usr/sbin:/usr/bin:/sbin:/bin, env_reset, env_keep="LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION
LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS XDG_SESSION_COOKIE",
!insults
Runas and Command-specific defaults for testuser:
Defaults!/opt/org/prod/test/bin/prod !requiretty
Defaults!/usr/bin/zypper --non-interactive --repo local --no-gpg-checks install org_prod_test.rpm, /usr/bin/zypper --non-interactive
--repo local --no-gpg-checks install org_prod_pkg1.rpm, /usr/bin/zypper --non-interactive --repo local --no-gpg-checks install
org_prod_pkg2.rpm, /usr/bin/zypper --non-interactive --repo local --no-gpg-checks install pkg3.rpm !requiretty
Defaults!/opt/org/prod/test/bin/prod-setup !requiretty
User testuser may run the following commands on <node>:
(root) NOPASSWD: ALL
(ALL) ALL
I am not sure why specific commands are not getting listed as well as not working with sudo.
This system is also not having /etc/sudo.conf which might elimates a different sudo plugin being used.
However, If I do add the /etc/sudoers.d/prodtest_install as provided above on other local SUSE 12 test systems
there is no issue and I see the following extra lines listed on doing "sudo -l -U testuser":
User testuser may run the following commands on <local_node>:
(root) NOPASSWD: /usr/bin/zypper --non-interactive --repo local --no-gpg-checks install org_prod_test.rpm, /usr/bin/zypper
--non-interactive --repo local --no-gpg-checks install org_prod_pkg1.rpm, /usr/bin/zypper --non-interactive --repo local --no-gpg-checks
install org_prod_pkg2.rpm, /usr/bin/zypper --non-interactive --repo local --no-gpg-checks install pkg3.rpm
(root) NOPASSWD: /opt/org/prod/test/bin/prod-setup
Is there anything that needs to be configured differently on the problematic system/ shoudl I check for something?
Thanks and warm regards,
Prasad
sudo suse
New contributor
add a comment |
up vote
0
down vote
favorite
I am seeing a strange behavior related to sudo on a specific set of systems but not on others.
I am not sure If there is some specific configuration change required here, which is missing.
The sudoer configuration is to enable non root users (I have used testuser in below example)
to install and setup the product packages. The Operating system is SUSE 12.
Following is the behavior seen on problematic scenario:
1.) Initially when sudoers is not configured we get something like this:
# sudo -l -U testuser
User testuser is not allowed to run sudo on <node>.
2.) Next if we create the /etc/sudoers.d/prodtest_install file:
Cmnd_Alias PROD_NODEKITS = /usr/bin/zypper --non-interactive --repo local --no-gpg-checks install org_prod_test.rpm,
/usr/bin/zypper --non-interactive --repo local --no-gpg-checks install org_prod_pkg1.rpm,
/usr/bin/zypper --non-interactive --repo local --no-gpg-checks install org_prod_pkg2.rpm,
/usr/bin/zypper --non-interactive --repo local --no-gpg-checks install pkg3.rpm
Cmnd_Alias PROD_NODESETUP = /opt/org/prod/test/bin/prod-setup
testuser ALL=(root) NOPASSWD: PROD_NODEKITS
testuser ALL=(root) NOPASSWD: PROD_NODESETUP
Defaults!PROD_NODEKITS !requiretty
Defaults!PROD_NODESETUP !requiretty
Still we see something like:
# sudo -l -U testuser
User testuser is not allowed to run sudo on <node>.
testuser is also not able to use any of the above commands:
ie. say:
# sudo /usr/bin/zypper --non-interactive --repo local --no-gpg-checks install pkg3.rpm
will not work and asks for user passwords and even if we enter passwords the command does not go through.
3.) But, if we add 2 extra lines "testuser ALL=(root) NOPASSWD: ALL" and "testuser ALL=(ALL) ALL" to allow all commands in /etc/sudoers.d/prodtest_install:
Cmnd_Alias PROD_NODEKITS = /usr/bin/zypper --non-interactive --repo local --no-gpg-checks install org_prod_test.rpm,
/usr/bin/zypper --non-interactive --repo local --no-gpg-checks install org_prod_pkg1.rpm,
/usr/bin/zypper --non-interactive --repo local --no-gpg-checks install org_prod_pkg2.rpm,
/usr/bin/zypper --non-interactive --repo local --no-gpg-checks install pkg3.rpm
Cmnd_Alias PROD_NODESETUP = /opt/org/prod/test/bin/prod-setup
testuser ALL=(root) NOPASSWD: PROD_NODEKITS
testuser ALL=(root) NOPASSWD: ALL
testuser ALL=(ALL) ALL
testuser ALL=(root) NOPASSWD: PROD_NODESETUP
Defaults!PROD_NODEKITS !requiretty
Defaults!PROD_NODESETUP !requiretty
Then we see something like this:
# sudo -l -U testuser
Matching Defaults entries for testuser on <node>:
always_set_home, secure_path=/usr/sbin:/usr/bin:/sbin:/bin, env_reset, env_keep="LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION
LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS XDG_SESSION_COOKIE",
!insults
Runas and Command-specific defaults for testuser:
Defaults!/opt/org/prod/test/bin/prod !requiretty
Defaults!/usr/bin/zypper --non-interactive --repo local --no-gpg-checks install org_prod_test.rpm, /usr/bin/zypper --non-interactive
--repo local --no-gpg-checks install org_prod_pkg1.rpm, /usr/bin/zypper --non-interactive --repo local --no-gpg-checks install
org_prod_pkg2.rpm, /usr/bin/zypper --non-interactive --repo local --no-gpg-checks install pkg3.rpm !requiretty
Defaults!/opt/org/prod/test/bin/prod-setup !requiretty
User testuser may run the following commands on <node>:
(root) NOPASSWD: ALL
(ALL) ALL
I am not sure why specific commands are not getting listed as well as not working with sudo.
This system is also not having /etc/sudo.conf which might elimates a different sudo plugin being used.
However, If I do add the /etc/sudoers.d/prodtest_install as provided above on other local SUSE 12 test systems
there is no issue and I see the following extra lines listed on doing "sudo -l -U testuser":
User testuser may run the following commands on <local_node>:
(root) NOPASSWD: /usr/bin/zypper --non-interactive --repo local --no-gpg-checks install org_prod_test.rpm, /usr/bin/zypper
--non-interactive --repo local --no-gpg-checks install org_prod_pkg1.rpm, /usr/bin/zypper --non-interactive --repo local --no-gpg-checks
install org_prod_pkg2.rpm, /usr/bin/zypper --non-interactive --repo local --no-gpg-checks install pkg3.rpm
(root) NOPASSWD: /opt/org/prod/test/bin/prod-setup
Is there anything that needs to be configured differently on the problematic system/ shoudl I check for something?
Thanks and warm regards,
Prasad
sudo suse
New contributor
add a comment |
up vote
0
down vote
favorite
up vote
0
down vote
favorite
I am seeing a strange behavior related to sudo on a specific set of systems but not on others.
I am not sure If there is some specific configuration change required here, which is missing.
The sudoer configuration is to enable non root users (I have used testuser in below example)
to install and setup the product packages. The Operating system is SUSE 12.
Following is the behavior seen on problematic scenario:
1.) Initially when sudoers is not configured we get something like this:
# sudo -l -U testuser
User testuser is not allowed to run sudo on <node>.
2.) Next if we create the /etc/sudoers.d/prodtest_install file:
Cmnd_Alias PROD_NODEKITS = /usr/bin/zypper --non-interactive --repo local --no-gpg-checks install org_prod_test.rpm,
/usr/bin/zypper --non-interactive --repo local --no-gpg-checks install org_prod_pkg1.rpm,
/usr/bin/zypper --non-interactive --repo local --no-gpg-checks install org_prod_pkg2.rpm,
/usr/bin/zypper --non-interactive --repo local --no-gpg-checks install pkg3.rpm
Cmnd_Alias PROD_NODESETUP = /opt/org/prod/test/bin/prod-setup
testuser ALL=(root) NOPASSWD: PROD_NODEKITS
testuser ALL=(root) NOPASSWD: PROD_NODESETUP
Defaults!PROD_NODEKITS !requiretty
Defaults!PROD_NODESETUP !requiretty
Still we see something like:
# sudo -l -U testuser
User testuser is not allowed to run sudo on <node>.
testuser is also not able to use any of the above commands:
ie. say:
# sudo /usr/bin/zypper --non-interactive --repo local --no-gpg-checks install pkg3.rpm
will not work and asks for user passwords and even if we enter passwords the command does not go through.
3.) But, if we add 2 extra lines "testuser ALL=(root) NOPASSWD: ALL" and "testuser ALL=(ALL) ALL" to allow all commands in /etc/sudoers.d/prodtest_install:
Cmnd_Alias PROD_NODEKITS = /usr/bin/zypper --non-interactive --repo local --no-gpg-checks install org_prod_test.rpm,
/usr/bin/zypper --non-interactive --repo local --no-gpg-checks install org_prod_pkg1.rpm,
/usr/bin/zypper --non-interactive --repo local --no-gpg-checks install org_prod_pkg2.rpm,
/usr/bin/zypper --non-interactive --repo local --no-gpg-checks install pkg3.rpm
Cmnd_Alias PROD_NODESETUP = /opt/org/prod/test/bin/prod-setup
testuser ALL=(root) NOPASSWD: PROD_NODEKITS
testuser ALL=(root) NOPASSWD: ALL
testuser ALL=(ALL) ALL
testuser ALL=(root) NOPASSWD: PROD_NODESETUP
Defaults!PROD_NODEKITS !requiretty
Defaults!PROD_NODESETUP !requiretty
Then we see something like this:
# sudo -l -U testuser
Matching Defaults entries for testuser on <node>:
always_set_home, secure_path=/usr/sbin:/usr/bin:/sbin:/bin, env_reset, env_keep="LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION
LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS XDG_SESSION_COOKIE",
!insults
Runas and Command-specific defaults for testuser:
Defaults!/opt/org/prod/test/bin/prod !requiretty
Defaults!/usr/bin/zypper --non-interactive --repo local --no-gpg-checks install org_prod_test.rpm, /usr/bin/zypper --non-interactive
--repo local --no-gpg-checks install org_prod_pkg1.rpm, /usr/bin/zypper --non-interactive --repo local --no-gpg-checks install
org_prod_pkg2.rpm, /usr/bin/zypper --non-interactive --repo local --no-gpg-checks install pkg3.rpm !requiretty
Defaults!/opt/org/prod/test/bin/prod-setup !requiretty
User testuser may run the following commands on <node>:
(root) NOPASSWD: ALL
(ALL) ALL
I am not sure why specific commands are not getting listed as well as not working with sudo.
This system is also not having /etc/sudo.conf which might elimates a different sudo plugin being used.
However, If I do add the /etc/sudoers.d/prodtest_install as provided above on other local SUSE 12 test systems
there is no issue and I see the following extra lines listed on doing "sudo -l -U testuser":
User testuser may run the following commands on <local_node>:
(root) NOPASSWD: /usr/bin/zypper --non-interactive --repo local --no-gpg-checks install org_prod_test.rpm, /usr/bin/zypper
--non-interactive --repo local --no-gpg-checks install org_prod_pkg1.rpm, /usr/bin/zypper --non-interactive --repo local --no-gpg-checks
install org_prod_pkg2.rpm, /usr/bin/zypper --non-interactive --repo local --no-gpg-checks install pkg3.rpm
(root) NOPASSWD: /opt/org/prod/test/bin/prod-setup
Is there anything that needs to be configured differently on the problematic system/ shoudl I check for something?
Thanks and warm regards,
Prasad
sudo suse
New contributor
I am seeing a strange behavior related to sudo on a specific set of systems but not on others.
I am not sure If there is some specific configuration change required here, which is missing.
The sudoer configuration is to enable non root users (I have used testuser in below example)
to install and setup the product packages. The Operating system is SUSE 12.
Following is the behavior seen on problematic scenario:
1.) Initially when sudoers is not configured we get something like this:
# sudo -l -U testuser
User testuser is not allowed to run sudo on <node>.
2.) Next if we create the /etc/sudoers.d/prodtest_install file:
Cmnd_Alias PROD_NODEKITS = /usr/bin/zypper --non-interactive --repo local --no-gpg-checks install org_prod_test.rpm,
/usr/bin/zypper --non-interactive --repo local --no-gpg-checks install org_prod_pkg1.rpm,
/usr/bin/zypper --non-interactive --repo local --no-gpg-checks install org_prod_pkg2.rpm,
/usr/bin/zypper --non-interactive --repo local --no-gpg-checks install pkg3.rpm
Cmnd_Alias PROD_NODESETUP = /opt/org/prod/test/bin/prod-setup
testuser ALL=(root) NOPASSWD: PROD_NODEKITS
testuser ALL=(root) NOPASSWD: PROD_NODESETUP
Defaults!PROD_NODEKITS !requiretty
Defaults!PROD_NODESETUP !requiretty
Still we see something like:
# sudo -l -U testuser
User testuser is not allowed to run sudo on <node>.
testuser is also not able to use any of the above commands:
ie. say:
# sudo /usr/bin/zypper --non-interactive --repo local --no-gpg-checks install pkg3.rpm
will not work and asks for user passwords and even if we enter passwords the command does not go through.
3.) But, if we add 2 extra lines "testuser ALL=(root) NOPASSWD: ALL" and "testuser ALL=(ALL) ALL" to allow all commands in /etc/sudoers.d/prodtest_install:
Cmnd_Alias PROD_NODEKITS = /usr/bin/zypper --non-interactive --repo local --no-gpg-checks install org_prod_test.rpm,
/usr/bin/zypper --non-interactive --repo local --no-gpg-checks install org_prod_pkg1.rpm,
/usr/bin/zypper --non-interactive --repo local --no-gpg-checks install org_prod_pkg2.rpm,
/usr/bin/zypper --non-interactive --repo local --no-gpg-checks install pkg3.rpm
Cmnd_Alias PROD_NODESETUP = /opt/org/prod/test/bin/prod-setup
testuser ALL=(root) NOPASSWD: PROD_NODEKITS
testuser ALL=(root) NOPASSWD: ALL
testuser ALL=(ALL) ALL
testuser ALL=(root) NOPASSWD: PROD_NODESETUP
Defaults!PROD_NODEKITS !requiretty
Defaults!PROD_NODESETUP !requiretty
Then we see something like this:
# sudo -l -U testuser
Matching Defaults entries for testuser on <node>:
always_set_home, secure_path=/usr/sbin:/usr/bin:/sbin:/bin, env_reset, env_keep="LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION
LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS XDG_SESSION_COOKIE",
!insults
Runas and Command-specific defaults for testuser:
Defaults!/opt/org/prod/test/bin/prod !requiretty
Defaults!/usr/bin/zypper --non-interactive --repo local --no-gpg-checks install org_prod_test.rpm, /usr/bin/zypper --non-interactive
--repo local --no-gpg-checks install org_prod_pkg1.rpm, /usr/bin/zypper --non-interactive --repo local --no-gpg-checks install
org_prod_pkg2.rpm, /usr/bin/zypper --non-interactive --repo local --no-gpg-checks install pkg3.rpm !requiretty
Defaults!/opt/org/prod/test/bin/prod-setup !requiretty
User testuser may run the following commands on <node>:
(root) NOPASSWD: ALL
(ALL) ALL
I am not sure why specific commands are not getting listed as well as not working with sudo.
This system is also not having /etc/sudo.conf which might elimates a different sudo plugin being used.
However, If I do add the /etc/sudoers.d/prodtest_install as provided above on other local SUSE 12 test systems
there is no issue and I see the following extra lines listed on doing "sudo -l -U testuser":
User testuser may run the following commands on <local_node>:
(root) NOPASSWD: /usr/bin/zypper --non-interactive --repo local --no-gpg-checks install org_prod_test.rpm, /usr/bin/zypper
--non-interactive --repo local --no-gpg-checks install org_prod_pkg1.rpm, /usr/bin/zypper --non-interactive --repo local --no-gpg-checks
install org_prod_pkg2.rpm, /usr/bin/zypper --non-interactive --repo local --no-gpg-checks install pkg3.rpm
(root) NOPASSWD: /opt/org/prod/test/bin/prod-setup
Is there anything that needs to be configured differently on the problematic system/ shoudl I check for something?
Thanks and warm regards,
Prasad
sudo suse
sudo suse
New contributor
New contributor
New contributor
asked Nov 18 at 7:27
SG Prasad
11
11
New contributor
New contributor
add a comment |
add a comment |
active
oldest
votes
active
oldest
votes
active
oldest
votes
active
oldest
votes
active
oldest
votes
SG Prasad is a new contributor. Be nice, and check out our Code of Conduct.
SG Prasad is a new contributor. Be nice, and check out our Code of Conduct.
SG Prasad is a new contributor. Be nice, and check out our Code of Conduct.
SG Prasad is a new contributor. Be nice, and check out our Code of Conduct.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f482486%2fsudoer-not-allowing-only-all-as-commands-to-user-on-some-systems%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown