SOLVED! Question: sudoers file syntax and function
Forum: Linux - Software (This forum is for Software issues.)
I need to have a sudoers file entry that allows any userid, coming from anywhere, to execute a single command as root, without requiring a password, with or without a command line parameter.
Here is what I have, but I am still being prompted for a password:
ALL ALL=NOPASSWD: /usr/local/sbin/banssh
I need to be able to execute "banssh" either as simply "banssh" or as "banssh 198.162.0.1" (not for that specific IP address every time, the actual ip address varies, this is just an example)
Not that I think it matters, but "banssh" is a script I wrote, and have been using for many many years, that dynamically adds IP addresses to the hosts.allow file (using a syntax that bans the IP). If someone unsuccessfully tries to log in three times, their IP address gets banned (via an entry like "ALL : 192.168.0.1 : DENY" in hosts.allow). This all works fine, except incoming ssh connections are asked for their password to run sudo. I don't remember this password request ever happening on other servers where I have installed banssh, but it is happening on this one older Ubuntu server I am working on now (I think this Ubuntu server is running Intrepid Ibex, but possibly it's Hardy Heron).
Here is how banssh is called in my application:
1st, from /etc/hosts.allow like this:
sshd : ALL : spawn (/usr/local/sbin/banssh %a)&
2nd, from /etc/ssh/sshrc like this:
sudo /usr/local/sbin/banssh
Why am I being prompted for a password to do the sudo?
Thanks!
If that's the exact line you're using, I don't think the syntax is right. Try:
Stupid me. It was an order-dependent thing in the sudoers file. The problem was that there were multiple matches in the sudoers file for the userid I was using, and sudo will always use the LAST match (not the MOST SPECIFIC match, but the LAST match - big difference there). And since I am in the "admin" group, the rule for %admin was overriding the specific rule for banssh.
What I had was this:
Code:
root ALL=(ALL) ALL
ALL ALL=NOPASSWD: /usr/local/sbin/banssh
%admin ALL=(ALL) ALL
What I needed was this:
Code:
root ALL=(ALL) ALL
%admin ALL=(ALL) ALL
ALL ALL=NOPASSWD: /usr/local/sbin/banssh
I did not see that %admin line in the sudoers file initially because it was at the bottom of the file below a bunch of comment lines (I removed those comment lines for clarity in the cut-n-paste above).
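To make the last-match behaviour described above concrete, here is an added example (not from the thread, not sudo's own code) that parses the two orderings quoted in the post and reports whether sudo would prompt. It models only the simple entry forms used in the thread; the user name "bob" is a hypothetical member of the admin group.

```python
from collections import namedtuple

# One parsed sudoers entry: who, host, runas, NOPASSWD flag, command (or ALL).
Rule = namedtuple("Rule", "who host runas nopasswd command")

def parse_sudoers(text):
    """Parse the simple 'who host=(runas) [NOPASSWD:] command' lines from the thread."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        who, rest = line.split(None, 1)
        host, spec = rest.split("=", 1)
        spec, runas = spec.strip(), None
        if spec.startswith("("):                 # optional (runas) part
            runas, spec = spec[1:spec.index(")")], spec[spec.index(")") + 1:].strip()
        nopasswd = spec.startswith("NOPASSWD:")
        if nopasswd:
            spec = spec[len("NOPASSWD:"):].strip()
        rules.append(Rule(who, host.strip(), runas, nopasswd, spec))
    return rules

def matches(rule, user, groups, command):
    """User part: ALL, a user name, or %group. Command part: ALL or a path;
    a path listed without arguments matches any arguments (as in real sudo)."""
    who_ok = rule.who == "ALL" or rule.who == user or \
        (rule.who.startswith("%") and rule.who[1:] in groups)
    cmd_ok = rule.command == "ALL" or rule.command == command.split()[0]
    return who_ok and cmd_ok

def password_required(sudoers_text, user, groups, command):
    """Return True/False for whether sudo would prompt, or None if no entry
    matches at all. The LAST matching entry wins, not the most specific one."""
    hits = [r for r in parse_sudoers(sudoers_text) if matches(r, user, set(groups), command)]
    return None if not hits else not hits[-1].nopasswd

# Constructed from the two orderings quoted in the post above.
BEFORE = "root ALL=(ALL) ALL\nALL ALL=NOPASSWD: /usr/local/sbin/banssh\n%admin ALL=(ALL) ALL\n"
AFTER = "root ALL=(ALL) ALL\n%admin ALL=(ALL) ALL\nALL ALL=NOPASSWD: /usr/local/sbin/banssh\n"

if __name__ == "__main__":
    for name, text in (("before", BEFORE), ("after", AFTER)):
        # "bob" is a hypothetical admin-group member; 198.162.0.1 is the thread's example address.
        print(name, password_required(text, "bob", ["admin"], "/usr/local/sbin/banssh 198.162.0.1"))
```

On a real system the equivalent check is `sudo -l -U <user>`, which lists the entries that apply to that user in file order, and `visudo -c`, which validates the syntax before the file is installed.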