LinuxQuestions.org
Old 02-01-2010, 02:48 PM   #1
dthacker
Member
 
Registered: Nov 2003
Location: Omaha, NE
Distribution: Ubuntu, Kubuntu, Ubuntu Server
Posts: 77

Rep: Reputation: 15
/etc/sudoers syntax problems with %groupname


My goal: I want to give users in the group "rtkprd" the ability to elevate their privileges and run a restricted shell script by using sudo. The full path to the shell script is /usr/local/bin/only_rtkprd.sh
The syntax of /etc/sudoers is giving me fits, so I've reduced my sudoers to a single log directive and a single line to enable the rtkprd group.

Code:
Defaults logfile=/var/log/sudo

%rtkprd ALL = (rtkprd)          /usr/local/bin/only_rtkprd.sh

I'm a member of group rtkprd, here's my test:
Code:
/home/dthacker> id
uid=516(thackerd) gid=1(staff) groups=206(rtkprd)

When I attempt to run the script I get the "nag" screen and then this error:

Code:
Sorry, user thackerd is not allowed to execute '/usr/local/bin/only_rtkprd.sh' as root on rtkdev.mydomain.local.

I'm not sure what's wrong in the syntax, and I don't understand why sudo thinks I'm trying to run as root.

Please give me some pointers!
Thanks in Advance
Dave
 
Old 02-01-2010, 03:48 PM   #2
ofaring
Member
 
Registered: Feb 2006
Location: Ontario, Canada
Distribution: Debian, sometimes BSD.
Posts: 44
Blog Entries: 13

Rep: Reputation: 21
Hey,

Sudo is a means of granting root privileges. So when a command fails, it tells you that you aren't allowed to have root access to the command, because that is exactly what a properly configured /etc/sudoers file will give you. I believe that with the way your file is set up, you are trying to run root commands except with the permissions of group rtkprd. That's not going to work.

Here are some snippets from my Debian sudoers file.

Code:
# /etc/sudoers
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the man page for details on how to write a sudoers file.
#

Defaults        env_reset

# User privilege specification
root    ALL=(ALL) ALL

# Uncomment to allow members of group sudo to not need a password
# (Note that later entries override this, so you might need to move
# it further down)
# %sudo ALL=NOPASSWD: ALL
%operator ALL=(root) NOPASSWD: /sbin/ifup
%operator ALL=(root) NOPASSWD: /sbin/ifdown

Hope that helps.

Last edited by ofaring; 02-01-2010 at 03:49 PM.
 
Old 02-01-2010, 10:21 PM   #3
chrism01
LQ Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Rocky 9.2
Posts: 18,359

Rep: Reputation: 2751
Quote:
%rtkprd ALL = (rtkprd) /usr/local/bin/only_rtkprd.sh
This '(rtkprd)' means you authorise the user to run the prog as the rtkprd user.


EG:
Quote:
steve CSNETS = (operator) /usr/local/op_commands/

The user steve may run any command in the directory /usr/local/op_commands/ but only as user operator.
http://linux.die.net/man/5/sudoers
 
Old 02-02-2010, 10:47 AM   #4
dthacker
Member
 
Registered: Nov 2003
Location: Omaha, NE
Distribution: Ubuntu, Kubuntu, Ubuntu Server
Posts: 77

Original Poster
Rep: Reputation: 15
My problem was not calling the user out.
Code:
sudo -u rtkprd /usr/local/bin/only_rtkprd.sh

That did the trick. Thanks to both of you for getting me on the right track.

Dave
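
The thread's resolution, as an added example that is not part of any post above: a simplified Python model of how sudo matches a user specification, showing why the rule from the first post denies a plain `sudo` call (target user root) and permits `sudo -u rtkprd`. The function names and the reduced rule grammar are assumptions of this sketch, not sudo's own parser.

```python
import re

# Simplified model of one sudoers user specification (an assumption of this
# example): "who hosts = (runas_users) [TAG:] command". Aliases, runas groups,
# host matching and command arguments are not modelled.
SPEC = re.compile(
    r"^(?P<who>\S+)\s+(?P<hosts>[^\s=]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?(?:[A-Z_]+:\s*)*(?P<cmd>\S+)$"
)

def parse_rule(line):
    m = SPEC.match(line.strip())
    if not m:
        raise ValueError("unsupported rule: %r" % line)
    # With no Runas_Spec, sudoers lets the command run as root only.
    runas = [u.strip() for u in (m.group("runas") or "root").split(",")]
    return {"who": m.group("who"), "runas": runas, "cmd": m.group("cmd")}

def is_allowed(rule, user, groups, command, target=None):
    """target models `sudo -u`; sudo asks for root when -u is omitted."""
    target = target or "root"
    who = rule["who"]
    who_ok = who[1:] in groups if who.startswith("%") else who in (user, "ALL")
    runas_ok = "ALL" in rule["runas"] or target in rule["runas"]
    cmd_ok = rule["cmd"] in ("ALL", command)
    return who_ok and runas_ok and cmd_ok

# Rule, user and groups taken from the first post.
RULE = "%rtkprd ALL = (rtkprd)          /usr/local/bin/only_rtkprd.sh"
CMD = "/usr/local/bin/only_rtkprd.sh"
GROUPS = {"staff", "rtkprd"}

if __name__ == "__main__":
    rule = parse_rule(RULE)
    for target in (None, "rtkprd"):
        shown = "sudo " + ("-u %s " % target if target else "") + CMD
        ok = is_allowed(rule, "thackerd", GROUPS, CMD, target)
        print("%-55s -> %s" % (shown, "allowed" if ok else "denied"))
```

On a live system, `sudo -l` run as the affected user lists the matching entries together with their `(rtkprd)` run-as user, which is the quickest way to confirm what a rule actually grants.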
 
  


All times are GMT -5.