04-09-2011, 12:56 PM
#1
Member
Registered: Nov 2010
Location: Toronto, Canada
Distribution: Ubuntu 10.04 Lucid Lynx - Ubuntu 10.10 notebook - Debian 5.08 - Win XP
Posts: 172
After modifying /etc/sudoers file, new users can not run specified commands
Hello:
This is an Ubuntu 10.10 notebook edition.
After modifying /etc/sudoers file, new users can not run specified commands.
Code:
# /etc/sudoers
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the man page for details on how to write a sudoers file.
#
Defaults env_reset
# Host alias specification
# User alias specification
User_Alias SUDOMODIFIERS = bob, scott
# Cmnd alias specification
Cmnd_Alias SUDOCMDS = /sbin/shutdown, /etc/passwd, /etc/group
# User privilege specification
root ALL=(ALL) ALL
SUDOMODIFIERS All= SUDOCMDS
#USERS All = SHUTDOWN_CMDS
# Allow members of group sudo to execute any command
# (Note that later entries override this, so you might need to move
# it further down)
%sudo ALL=(ALL) ALL
#
#includedir /etc/sudoers.d
# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
bob and scott can not shut down, nor can they open /etc/passwd or /etc/group files.
mansour

04-09-2011, 06:06 PM
#2
Senior Member
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Debian, FreeBSD, Ubuntu (desktop)
Posts: 3,859
Thoughts:
- SUDOCMDS looks incorrect to me. You've specified that SUDOMODIFIERS can execute /etc/passwd and /etc/group.
- Are you editing /etc/sudoers directly, or are you using visudo(8)? You should only be doing the latter.
- Are you sure you want these users to be able to modify /etc/passwd and /etc/group? If so, they should be doing so using vipw(8) and vigr(8), not editing them directly. Also, if so: you are effectively handing over root access to a mischievous user.

04-09-2011, 06:55 PM
#3
Member
Registered: Nov 2010
Location: Toronto, Canada
Distribution: Ubuntu 10.04 Lucid Lynx - Ubuntu 10.10 notebook - Debian 5.08 - Win XP
Posts: 172
Original Poster
Quote:
Originally Posted by anomie
Thoughts:
- SUDOCMDS looks incorrect to me. You've specified that SUDOMODIFIERS can execute /etc/passwd and /etc/group.
- Are you editing /etc/sudoers directly, or are you using visudo(8)? You should only be doing the latter.
- Are you sure you want these users to be able to modify /etc/passwd and /etc/group? If so, they should be doing so using vipw(8) and vigr(8), not editing them directly. Also, if so: you are effectively handing over root access to a mischievous user.
|
Hello anomie:
You said SUDOCMDS looks incorrect. How do you mean? What is incorrect?
I am using sudo visudo command actually.
By the way, I am just trying to learn how to do this modification properly, these users aren't real people, and there isn't any critical data here.
mansour

04-09-2011, 07:03 PM
#4
Senior Member
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Debian, FreeBSD, Ubuntu (desktop)
Posts: 3,859
The way you've configured sudoers(5), you are saying you want certain users to be able to execute /etc/passwd and /etc/group. That doesn't make sense - neither of those is a script or binary (i.e. executing them is not possible, or even desirable).
Even if you were to give them access to an editor to edit only those two files (by way of a wrapper script), locking this down is still an extremely difficult proposition.
For the sake of learning (on a non-'net connected test system), you might give them access to /usr/sbin/vipw and /usr/sbin/vigr. But I'd advise you to never do this on a production system.

04-09-2011, 08:33 PM
#5
Member
Registered: Nov 2010
Location: Toronto, Canada
Distribution: Ubuntu 10.04 Lucid Lynx - Ubuntu 10.10 notebook - Debian 5.08 - Win XP
Posts: 172
Original Poster
Quote:
Originally Posted by anomie
The way you've configured sudoers(5), you are saying you want certain users to be able to execute /etc/passwd and /etc/group. That doesn't make sense - neither of those is a script or binary (i.e. executing them is not possible, or even desirable).
Even if you were to give them access to an editor to edit only those two files (by way of a wrapper script), locking this down is still an extremely difficult proposition.
For the sake of learning (on a non-'net connected test system), you might give them access to /usr/sbin/vipw and /usr/sbin/vigr. But I'd advise you to never do this on a production system.
|
Actually I picked that up on an Internet site about sudoers file. The /etc/passwd and /etc/group I mean. But why is it that these users can not shut down from command line?
mansour

04-09-2011, 09:31 PM
#6
Guru
Registered: Jan 2006
Location: Virginia, USA
Distribution: Slackware, Debian
Posts: 5,347
I think the correct syntax for the shutdown command would be something like
Code:
[username] ALL=[path]
as in
Code:
[username] ALL=/sbin/shutdown
Check where "shutdown" is located in your distro.

04-10-2011, 12:04 PM
#7
Member
Registered: Nov 2010
Location: Toronto, Canada
Distribution: Ubuntu 10.04 Lucid Lynx - Ubuntu 10.10 notebook - Debian 5.08 - Win XP
Posts: 172
Original Poster
Quote:
Originally Posted by frankbell
I think the correct syntax for the shutdown command would be something like
Code:
[username] ALL=[path]
as in
Code:
[username] ALL=/sbin/shutdown
Check where "shutdown" is located in your distro.
|
Actually here it is,
# All the shutdown commands
Cmnd_Alias SHUTDOWN_CMDS = /sbin/shutdown, /sbin/reboot, /sbin/halt
Based on this Ubuntu community Guide:
https://help.ubuntu.com/community/Sudoers
mansour
1 members found this post helpful.

04-10-2011, 01:47 PM
#8
Senior Member
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Debian, FreeBSD, Ubuntu (desktop)
Posts: 3,859
Quote:
|
Originally Posted by mansour
Actually I picked that up on an Internet site about sudoers file. The /etc/passwd and /etc/group I mean. But why is it that these users can not shut down from command line?
|
That's the problem with 'net tutorials. Take them with a grain of salt, and be careful about deploying them without properly testing first (which is what you're doing now).
Are you invoking shutdown(8) using the FQ path?
Code:
$ sudo /sbin/shutdown -h now

04-10-2011, 01:57 PM
#9
Senior Member
Registered: Mar 2010
Location: Oakland,Ca
Distribution: DebianSqueeze, winsxp, wins7, Debian wheezy, LFS 7.2
Posts: 4,135
You have shutdown commands commented out.
Remove "#".
Quote:
# User privilege specification
root ALL=(ALL) ALL
SUDOMODIFIERS All= SUDOCMDS
#USERS All = SHUTDOWN_CMDS
# Allow members of group sudo to execute any command
# (Note that later entries override this, so you might need to move
# it further down)
%sudo ALL=(ALL) ALL
#
#includedir /etc/sudoers.d
# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL

04-10-2011, 04:02 PM
#10
Member
Registered: Nov 2010
Location: Toronto, Canada
Distribution: Ubuntu 10.04 Lucid Lynx - Ubuntu 10.10 notebook - Debian 5.08 - Win XP
Posts: 172
Original Poster
Quote:
Originally Posted by anomie
That's the problem with 'net tutorials. Take them with a grain of salt, and be careful about deploying them without properly testing first (which is what you're doing now).
Are you invoking shutdown(8) using the FQ path?
Code:
$ sudo /sbin/shutdown -h now
|
No I wasn't, but then I tested the FQ path after seeing your post, and still didn't work.
$ sudo /sbin/shutdown -h now
mansour

04-10-2011, 04:08 PM
#11
Member
Registered: Nov 2010
Location: Toronto, Canada
Distribution: Ubuntu 10.04 Lucid Lynx - Ubuntu 10.10 notebook - Debian 5.08 - Win XP
Posts: 172
Original Poster
Quote:
Originally Posted by EDDY1
You have shutdown commands commented out.
remove "#"
|
No, that was a different set of commands I commented out.
Code:
# /etc/sudoers
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the man page for details on how to write a sudoers file.
#
Defaults env_reset
# Host alias specification
# User alias specification
# User_Alias SUDOMODIFIERS = mdav
User_Alias USERS = scott, bob
# Cmnd alias specification
# Cmnd_Alias SUDOCMDS = /sbin/shutdown
Cmnd_Alias SHUTDOWN_CMDS = /sbin/shutdown, /sbin/reboot, /sbin/halt
# User privilege specification
root ALL=(ALL) ALL
# SUDOMODIFIERS All= SUDOCMDS
USERS All = SHUTDOWN_CMDS
#USERS All = SHUTDOWN_CMDS
# Allow members of group sudo to execute any command
# (Note that later entries override this, so you might need to move
# it further down)
%sudo ALL=(ALL) ALL
#
#includedir /etc/sudoers.d
# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
mansour

04-11-2011, 04:27 PM
#12
Senior Member
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Debian, FreeBSD, Ubuntu (desktop)
Posts: 3,859
Quote:
|
Originally Posted by mansour
No I wasn't, but then I tested the FQ path after seeing your post, and still didn't work.
|
How's that? Error message?

04-11-2011, 08:44 PM
#13
Guru
Registered: Jan 2006
Location: Virginia, USA
Distribution: Slackware, Debian
Posts: 5,347
Quote:
Originally Posted by mansour
# All the shutdown commands
Cmnd_Alias SHUTDOWN_CMDS = /sbin/shutdown, /sbin/reboot, /sbin/halt
|
Thanks.

04-12-2011, 09:41 PM
#14
Member
Registered: Nov 2010
Location: Toronto, Canada
Distribution: Ubuntu 10.04 Lucid Lynx - Ubuntu 10.10 notebook - Debian 5.08 - Win XP
Posts: 172
Original Poster
Quote:
Originally Posted by anomie
How's that? Error message?
|
"new user (bob) does not have sudo powers, incident will be reported", this is the message I am getting.
And he can not shut down from command line, or even soft shut down.
mansour
Last edited by mansour; 04-12-2011 at 09:49 PM.

04-13-2011, 09:05 AM
#15
Member
Registered: Feb 2011
Location: LA, US
Distribution: SLES
Posts: 375
Apparently you're not using visudo to edit this. The syntax of your statement "SUDOMODIFIERS All= SUDOCMDS" looks strange, because the spaces are off around the = sign and the "All" is mixed case. So I opened my sudoers file in visudo, and while it didn't mind the spacing, it did mind the mixed case. When I changed "All" to all caps, it was fine. Try making that fix yourself and see how it works out. Also, use visudo to edit it, instead of vi/vim.
As mentioned before, you can't use sudo to control access to individual files, because sudo only focuses on rights to execute programs, so the references to /etc/passwd and /etc/group can be removed. That means that all you're trying to accomplish here is to grant two users access to the shutdown command, which can be accomplished a lot more simply. Just create a user group (for the purposes of this example, we'll call it "shutdown"), and add this line to the user privilege section:
Code:
# User privilege specification
root ALL=(ALL) ALL
%shutdown ALL = /sbin/shutdown
The Cmnd Alias specifications are all well and good when you need to grant users access to long lists of commands, but since you're only doing one here, it's overkill.
|
|
|
2 members found this post helpful.
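
The two mistakes identified in this thread (a mixed-case `All` in the host field, and data files listed in a `Cmnd_Alias`) can be checked mechanically before a rule set goes live. This is an added example, not code from any poster in the thread; `lint_sudoers`, `is_program` and the sample text are constructed for illustration, and the check complements `visudo -c` rather than replacing it.

```python
import os
import re

# Constructed sample: the rules from the thread's first post, condensed.
SAMPLE = """\
Defaults env_reset
User_Alias SUDOMODIFIERS = bob, scott
Cmnd_Alias SUDOCMDS = /sbin/shutdown, /etc/passwd, /etc/group
root ALL=(ALL) ALL
SUDOMODIFIERS All= SUDOCMDS
#USERS All = SHUTDOWN_CMDS
%sudo ALL=(ALL) ALL
"""

def is_program(path):
    """Default check: a regular file with an execute bit set."""
    return os.path.isfile(path) and os.access(path, os.X_OK)

def lint_sudoers(text, is_program=is_program):
    """Return (line_no, message) findings for the two mistakes in the thread."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        # Skip blanks, comments and Defaults lines.
        if not line or line.startswith(("#", "Defaults")):
            continue
        alias = re.match(r"Cmnd_Alias\s+\w+\s*=\s*(.+)", line)
        if alias:
            # sudo grants the right to run programs; a data file such as
            # /etc/passwd in a Cmnd_Alias cannot be executed.
            for member in filter(None, (m.strip() for m in alias.group(1).split(","))):
                cmd = member.split()[0]
                # A trailing "/" names a directory of commands; leave it alone.
                if cmd.startswith("/") and not cmd.endswith("/") and not is_program(cmd):
                    findings.append((no, f"{cmd} is not an executable program"))
            continue
        if re.match(r"\w+_Alias\s", line):
            continue  # User_Alias, Host_Alias, Runas_Alias: not checked here
        # User specification: <who> <host> = <commands>
        spec = re.match(r"(\S+)\s+(\S+?)\s*=", line)
        if spec and spec.group(2).upper() == "ALL" and spec.group(2) != "ALL":
            findings.append((no, f"host field '{spec.group(2)}' should be 'ALL'"))
    return findings

if __name__ == "__main__":
    for no, msg in lint_sudoers(SAMPLE):
        print(f"line {no}: {msg}")
```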