Hello,

I have a user named lfc added in /etc/sudoers file as follows -


The lfc user was able to execute commands via sudo without being prompted for a password. Then I added a sudoerswheel file at /etc/sudoers.d/sudoerswheel, content as follows -

I added this so that the admin user should be prompted for a password everytime the user executes a command via sudo.

The problem I'm observing is that now user lfc is also prompted for a password, which I don't want.

Any idea why this is happening? I cannot delete the sudoerswheel file as that was a recommendation from the security team.

If I add the settings for user lfc again in sudoerswheel file, then things return back to normal, but do I need to make the duplicate entry?

OS - CentOS 6.9 (Final)

Thanks
Bhushan Pathak

Sudo parses all sudoer instructions in order, so that later instructions override earlier ones. From your post it seems that instructions in separate files in sudoers.d are processed last. Try commenting out the lfc instruction in the main sudoers file and just leave the one in the sudoers.d/wheel file.

Note for the future: when you specify in /etc/sudoers that files in /etc/sudoers.d are to be accessed, make sure that there is always a syntactically correct file in that directory. For example, if you decide at some point to delete your extra wheel file, edit /etc/sudoers first to comment out the line that looks for it. Otherwise it creates a syntax error and sudo will stop working altogether.

I will try that out, but one more question that I have is that in the wheel file, I have added entry only for admin user. Why is it overriding settings for lfc user?

Is lfc a member of the wheel group?

No, lfc is not a member of wheel group, admin is.

Any thing I need to try out?