[SOLVED] Help needed fix /etc/sudoers, logical error or file not being read correctly?

nguyeng · 10-19-2011, 09:10 PM

To keep the story short, my goal behind all of the following actions was to allow all users in the group 'serveradmins' to be able to run screen as the user 'theserver' which is currently running a nogui gameserver in a detached screen.

To do this I edited /etc/sudoers the improper way without using visudo because I did not know about visudo at the time. I added the line

Code:

%serveradmins ALL= (theserver) NOPASSWD: /usr/bin/screen

The Problem: When issuing the command

Code:

sudo -u theserver -i screen -r

it makes me enter a password (although I specified no password in /etc/sudoers) after entering the password I get

Code:

Sorry, user foo is not allowed to execute '/bin/bash -c screen -r' as theserver on HOMESERVER

After realizing that this was not working I tried doing

Code:

visudo -f /etc/sudoers

commented the line I added and uncommenting

Code:

%wheel ALL= (ALL) ALL

to help debug. The login user is in the 'wheel' group. The scary part is that I get the same error messages and still need to enter password. Am I doing something wrong? Or is my /etc/sudoers file toast?

acummings · 10-19-2011, 10:54 PM

FWIW, below inside code tags, works on my 12.2 Slackware. I just need for user "al". And it on a home LAN ie security level not needed to be high. BTW I do not use visudo. As root I cp the sudoers thus

root@P5Q:~# cp /etc/sudoers /home/al/sudoers.txt

root@P5Q:~# chmod -w /home/al/sudoers.txt

root@P5Q:~# chown al.users /home/al/sudoers.txt

Then, as user al, I edit sudoers.txt with the kate editor. Once edited to my liking, as root, I then do

root@P5Q:~# cp /home/al/sudoers.txt /etc/sudoers

And the file permissions on it auto revert to what they formerly were (no write permissions and etc.)

Code:

root@P5Q:~# cat /etc/sudoers
# sudoers file.
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the sudoers man page for the details on how to write a sudoers file.
#

# Host alias specification

# User alias specification
User_Alias     TRUSTED = al

# Cmnd alias specification
Cmnd_Alias     SRVC = /usr/sbin/apachectl,/sbin/arp,/usr/bin/slrnpull,/sbin/halt,/sbin/reboot
Cmnd_Alias     TOOLS = /sbin/mount,/sbin/umount,/home/al/bin/cdrecordeasy,/usr/local/bin/samba_do
Cmnd_Alias     FIREW = /usr/local/bin/firehol, /usr/local/bin/rc.vmware
Cmnd_Alias     PRNT = /usr/local/bin/cups.sh,/usr/bin/ethereal,/usr/local/bin/kqemu_do

# Defaults specification
Defaults:TRUSTED    !lecture
Defaults:al       !authenticate

# Runas alias specification

# User privilege specification
root    ALL=(ALL) ALL

# Uncomment to allow people in group wheel to run all commands
# %wheel        ALL=(ALL)       ALL

# Same thing without a password
# %wheel        ALL=(ALL)       NOPASSWD: ALL

# Samples
# %users  ALL=/sbin/mount /cdrom,/sbin/umount /cdrom
# %users  localhost=/sbin/shutdown -h now
TRUSTED   ALL = NOPASSWD:SRVC,TOOLS,FIREW,PRNT
root@P5Q:~#

acummings · 10-19-2011, 11:09 PM

Oop, add write permission. So the corrected (+w) is the 2nd line

root@P5Q:~# chmod -w /home/al/sudoers.txt

root@P5Q:~# chmod +w /home/al/sudoers.txt

And, might need to, 1st, cd (change dir) to ~ or al

and then (from al as the current working directory), do

root@P5Q:~# chmod +w sudoers.txt

acummings · 10-19-2011, 11:28 PM

BTW, a command sample(s) of using sudo as user "al":

al@P5Q:~$ sudo /sbin/mount -t ext3 /dev/sda8 /mnt/big8

al@P5Q:~$ sudo /sbin/umount /mnt/big8

(from the command alias TOOLS, these [mount, umount] are listed there in the sudoers)

acummings · 10-19-2011, 11:40 PM

Code:

al@P5Q:~$ alias
alias ahalt='sudo /sbin/halt'
alias ethrl='sudo /usr/bin/ethereal'
alias firew='sudo /usr/local/bin/firehol'

al@P5Q:~$ firew stop

al@P5Q:~$ firew start

al@P5Q:~$ ahalt

(BTW, bye bye, my computer just shut down :-)

nguyeng · 10-20-2011, 03:12 PM

Thanks for the info. It was nice to see an example of a sudoers file because the man file was a bit confusing. I think I got everything sorted out. I would post how I solved it but I honestly don't know, I just retried everything I did earlier and it decided to work today.