LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 06-03-2005, 01:27 PM   #1
mikemrh9
Distribution: Arch
sudo and sudoers syntax


Hi.

I'm trying to get my head around the sudo command, but am having teething troubles.

I've created a simple script, /home/user1/script.sh, owned by root, and have used chmod to set the permissions to 0700, so that only root has permission to run it.

In the sudoers file, I have placed the following entries, ignoring command and user aliases for simplicity:

user1 ALL=NOPASSWD: /home/user1/script.sh
user2 localhost=/home/user1/script.sh

If I log in as user1 and run:
sudo /home/user1/script.sh
the script runs with no problems.

If I log in as user2 and run:
sudo /home/user1/script.sh
I am prompted for a password as expected, BUT: user2's password doesn't work, whereas root's password does.

Surely this is the wrong way round, and it should be user2's password that needs to be entered?
 
Old 06-04-2005, 06:15 AM   #2
perfect_circle
Distribution: Slackware, arch
Re: sudo and sudoers syntax

Quote:
Originally posted by mikemrh9
Surely this is the wrong way round, and it should be user2's password that needs to be entered?
First of all, the home directory of a user is not the right place to have scripts that more than one user uses. Better try /usr/local/bin.

Second, the behavior you just described is the correct one. You want to run something as root; if you ask for a password, then root's password is what you need. It's pointless to authenticate an already authenticated user...
 
Old 06-04-2005, 08:25 AM   #3
Hangdog42
Distribution: Slackware
Quote:
Second, the behavior you just described is the correct one. You want to run something as root; if you ask for a password, then root's password is what you need. It's pointless to authenticate an already authenticated user...
I'm going to agree with mikemrh9 on this. The whole idea behind sudo is that a system admin can give permission to run specific commands as root without giving out the root password. If the user has root's password, they could just su to root and avoid any restrictions sudo may place on them. If I understand sudo correctly, it is supposed to respond to the user's password, not root's. Yes, that seems strange that an already authenticated user needs to re-authenticate, but the concept seems to be "OK, you are about to run a command as root. Prove to me again you are who you say you are". Again, my understanding is that sudo evolved in multi-user environments where someone walking away from a keyboard without logging off is a real threat.

Quote:
user2 localhost=/home/user1/script.sh
I don't know if this is typical, but I frequently run into weird things with sudo when I use localhost as the name. If your computer has a different name, you might try that.
 
Old 06-04-2005, 08:31 AM   #4
perfect_circle
Distribution: Slackware, arch
Now that I recall, I also had problems with localhost in Slackware, where the default domain is darkstar.
I had to alias localhost with darkstar. What is the domain name of your machine?
In some distros like Red Hat/Fedora it's localhost, but I don't know about SuSE.
 
Old 06-04-2005, 03:13 PM   #5
mikemrh9
Original Poster
Thanks for the suggestion concerning the hostname, but no luck.

I have tried the following two entries (separately) in the sudoers file:

user2 server1= /home/user1/script.sh
user2 ALL= /home/user1/script.sh

both with and without the whitespace after the '=' sign, but the script still only runs if I enter the root password.
 
Old 06-04-2005, 05:45 PM   #6
Hangdog42
Distribution: Slackware
Do other commands normally reserved for root behave like this as well (something like shutdown)?
Also, like perfect circle suggested you may want to move the script file. Having it live in user1's home directory may be causing some odd problem with permissions.
 
Old 06-04-2005, 06:36 PM   #7
ahh
Distribution: Gentoo
This is in fact normal behaviour for sudo if targetpw is set.

A snippet from the sudoers man page:-
Code:
targetpw    If set, sudo will prompt for the password of the user specified by the -u flag (defaults to root) instead of the password of the invoking user.
If you don't want this behaviour, look for a line similar to
Code:
Defaults     targetpw
in your sudoers file and comment it out. That _should_ cure it.

For the exact syntax look at man sudoers.
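Editor's added example (not from the thread and not sudo's own code): a small evaluator for exactly the sudoers forms used in this thread, so you can see which entry matches and whose password the prompt asks for. It covers posts #3 to #5 (the host field is compared with the machine's real hostname, so "localhost" only matches a machine actually named localhost) and post #7 (Defaults targetpw switches the prompt from the invoking user's password to the target user's, i.e. root's by default). Assumptions are labelled in the comments: the hostname "server1" is taken from post #5, the Defaults targetpw line is the one post #7 infers was in the original file, and runas_default is assumed to still be root.

```python
"""Toy evaluator for the sudoers entries in this thread (added example, not
sudo's code). It handles only:  user host=(runas) [NOPASSWD:|PASSWD:] cmd, ...
and  Defaults [!]targetpw|rootpw|runaspw, enough to show which entry matches
and whose password the prompt asks for. On a real box use visudo -c and
sudo -l -U <user> instead."""
import re
from dataclasses import dataclass, field

@dataclass
class Rule:
    user: str
    host: str
    runas: str
    nopasswd: bool
    cmd: str

@dataclass
class Policy:
    rules: list = field(default_factory=list)
    defaults: set = field(default_factory=set)

_DEFAULTS_RE = re.compile(r"^Defaults\s+(.+)$")
_SPEC_RE = re.compile(r"^(\S+)\s+([^\s=]+)\s*=\s*(.*)$")
_RUNAS_RE = re.compile(r"^\(([^)]+)\)\s*")

def parse_sudoers(text):
    policy = Policy()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments / blanks
        if not line:
            continue
        m = _DEFAULTS_RE.match(line)
        if m:
            for opt in m.group(1).split(","):
                opt = opt.strip()
                if opt.startswith("!"):
                    policy.defaults.discard(opt[1:])
                else:
                    policy.defaults.add(opt)
            continue
        m = _SPEC_RE.match(line)
        if not m:
            raise ValueError("unsupported sudoers line: %r" % raw)
        user, host, rest = m.groups()
        runas = "root"                          # sudo's default runas user
        rm = _RUNAS_RE.match(rest)
        if rm:
            runas, rest = rm.group(1), rest[rm.end():]
        nopasswd = False
        for cmd in rest.split(","):
            cmd = cmd.strip()
            # A NOPASSWD:/PASSWD: tag applies to every command after it.
            if cmd.upper().startswith("NOPASSWD:"):
                nopasswd, cmd = True, cmd[9:].strip()
            elif cmd.upper().startswith("PASSWD:"):
                nopasswd, cmd = False, cmd[7:].strip()
            policy.rules.append(Rule(user, host, runas, nopasswd, cmd))
    return policy

def host_matches(pattern, hostname):
    # The host field is compared with the machine's own hostname;
    # "localhost" is just a name, not an alias for "this machine".
    return pattern == "ALL" or pattern == hostname

def evaluate(policy, user, hostname, cmd, runas="root"):
    """Return (allowed, password_owner): password_owner is None when no
    password is asked for, else the account whose password sudo wants."""
    match = None
    for r in policy.rules:
        if (r.user == user and host_matches(r.host, hostname)
                and r.runas in ("ALL", runas) and r.cmd in ("ALL", cmd)):
            match = r                           # last matching entry wins
    if match is None:
        return (False, None)
    if match.nopasswd:
        return (True, None)
    # sudo consults these flags in this order; without them the invoker
    # authenticates with their own password.
    if "rootpw" in policy.defaults:
        return (True, "root")
    if "runaspw" in policy.defaults:
        return (True, "root")                   # runas_default, assumed unchanged
    if "targetpw" in policy.defaults:
        return (True, runas)
    return (True, user)

# Constructed sample: the thread's entries plus the Defaults line that
# post #7 says to comment out. The hostname "server1" comes from post #5.
SAMPLE = """\
Defaults    targetpw
user1 ALL=NOPASSWD: /home/user1/script.sh
user2 localhost=/home/user1/script.sh
user2 server1=/home/user1/script.sh
"""
SCRIPT = "/home/user1/script.sh"

def whose_password(sudoers_text, user, hostname, cmd=SCRIPT):
    return evaluate(parse_sudoers(sudoers_text), user, hostname, cmd)

if __name__ == "__main__":
    fixed = SAMPLE.replace("Defaults    targetpw", "# Defaults targetpw")
    for text, label in ((SAMPLE, "targetpw set"), (fixed, "targetpw commented out")):
        for u in ("user1", "user2"):
            print(label, u, whose_password(text, u, "server1"))
```

With the Defaults line present, user2 on server1 is allowed but gets a root-password prompt; comment it out and the same entry prompts for user2's own password, which is the behaviour Hangdog42 describes and the reason to use sudo rather than hand out the root password at all. The entry with host "localhost" never matches on a machine named server1, which is why the hostname experiments in post #5 mattered. On a real system, check the file with `visudo -c` before relying on it and confirm the effective entries with `sudo -l -U user2`.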
 
Old 06-04-2005, 07:54 PM   #8
mikemrh9
Original Poster
Ahh...

What an apt name you have!

Thanks very much.