sudoers configuration problem

xcoldfyrex · 05-03-2010, 12:39 PM

Is it possible to allow a group/user to execute a command, where one of the parameters of the command is a group as well?

example that does not work as intended:

Code:

Cmnd_alias SU=/bin/su -l %group1

This example works sortof, it treats the "%group1" literally.
I know I can list out the "/bin/su -l <eachuser>", but as you can imagine that is impractical. In this example, I want people in group2(not shown for brevity sake) to be able to su to someone in group1

vikas027 · 05-03-2010, 02:03 PM

Hi,

As far as I know you need to create a User Alias first. For example,

Code:

User_Alias	ABC = %group_name

and then you need to create command aliases.

xcoldfyrex · 05-03-2010, 03:19 PM

Here is exactly what I currently have:

Code:

User_Alias	SCRIPTS = %scripts
Cmnd_Alias	SU=/bin/su -l SCRIPTS
%eng            ALL=SU

Let's say eng is everyone, the scripts group are misc users of which blah is a member of.
As a user in the eng group:

Code:

-bash-3.2$ sudo su -l SCRIPTS
Password: 
su: user SCRIPTS does not exist
-bash-3.2$ sudo su -l blah
Sorry, user dummy is not allowed to execute '/bin/su -l blah' as root on localhost.localdomain.

sudo is still treating the parameter for su as a literal string

vikas027 · 05-04-2010, 01:50 PM

Hi,

Now, I have two questions in mind.

1) How are you editing /etc/sudoers file. I recommend using visudo and then try. It will check for any syntax errors.

2) Secondly, as per my knowledge there should be a script group in your system.
Please paste output of

Code:

grep -i scripts /etc/group

Scottish-Stephanie · 06-05-2010, 07:10 PM

Hi everyone.

I am having a sudoers configuration problem. I have come from Ubuntu and I am now using Fedora 12. I want to write Bash shell scripts so I need to add 'Stephanie' to the sudoers list. I have type visudo but I don't know where to add my name to the sudoers list.
Typing grep -i scripts /etc/group produces no output just a return to the shell prompt.

[Stephanie@laptop ~]$ grep -i scripts /etc/group
[Stephanie@laptop ~]$

Karl Godt · 06-06-2010, 04:34 PM

I am not sure but most know editors like vi, vim, ed, nano + leafpad, geany, gedit, kate
in such cases installer (root) previleges might be needded with sudo
passwords are sometimes in files that are called "siesta"
try sudo grep

Quote:

[Stephanie@laptop ~]$ grep -i scripts /etc/group

the $ is used to indicate sudo while # root (suse and grub use > for example)

Code:

# grep -i scripts /etc
# cat /etc
cat: /etc: Is a directory
# cat /etc/group
root:x:0:
daemon:x:1:
tty:x:2:
ppp:x:200:
users:x:500:
nobody:x:65534:
guest:x:501:
spot:x:502:spot
bin::2:root,bin,daemon
audio::17:
503:x:503:messagebus
ftp:x:1000:
dip:x:30:
uucp::10:
lpadmin::112:root,spot,nobody,guest
netdev::113:
haldaemon::119:
sshd::33:sshd
webgroup:x:504:
#

Code:

# less /etc/group




root:x:0:
daemon:x:1:
tty:x:2:
ppp:x:200:
users:x:500:
nobody:x:65534:
guest:x:501:
spot:x:502:spot
bin::2:root,bin,daemon
audio::17:
503:x:503:messagebus
ftp:x:1000:
dip:x:30:
uucp::10:
lpadmin::112:root,spot,nobody,guest
netdev::113:
haldaemon::119:
sshd::33:sshd
webgroup:x:504:
~

Code:

# cd /etc
# ls -a
.                   inittabPREV1       profile.d
..                  inputrc            protocols
axelrc              issue              protocols-OLD
ayttmrc             keymap             Puppybackgroundpicture
cdrecord.conf       ld.so.cache        puppyversion
codepage            ld.so.conf         ramdiskfssize
cups                localtime          ramdisksize
default             mailcap            rc.d
desktop_icon_theme  mime.types         README.txt
dhcpcd.sh           mke2fs.conf        resolv.conf
DISTRO_SPECS        modprobe.conf      sane.d
eventmanager        modprobe_includes  securetelnetrc
fdprm               modules            services
floppy              modules.conf       shadow
fontmap             mousebuttons       smb.conf
fonts               mousedevice        ssl
foomatic            mtab               udev
fstab               NETWORKING         usb_modeswitch.conf
gadmin-rsync        networkmodules     videomode
group               networks           wgetrc
gshadow             network-wizard     windowmanager
gtk-2.0             nscd.conf          wpa_supplicant.conf
gxine               nsswitch.conf      wvdial.conf
hiawatha            oldmousedevice     wvdial_options
host.conf           opt                X11
hostname            pango              xdg
hosts               passwd             xextraoptions
hosts.allow         pcmcia             .XLOADED
hosts.deny          ppp                xorgoverrides
init.d              printcap
inittab             profile
#

Karl Godt · 06-07-2010, 10:18 AM

just want to add that
sudo nano /etc/group

Cont+x
Y
ENTER

works at X-Ubuntu 9.10 liveCD
but
nano /etc/group

ENTER
permission denied

for the moment I have deleted /etc/group
using tee comand
and now I am asked for a password

RockDoctor · 06-07-2010, 11:51 AM

Quote:

Originally Posted by Scottish-Stephanie

Hi everyone.

I am having a sudoers configuration problem. I have come from Ubuntu and I am now using Fedora 12. I want to write Bash shell scripts so I need to add 'Stephanie' to the sudoers list. I have type visudo but I don't know where to add my name to the sudoers list.
Typing grep -i scripts /etc/group produces no output just a return to the shell prompt.

[Stephanie@laptop ~]$ grep -i scripts /etc/group
[Stephanie@laptop ~]$

From my Fedora Rawhide /etc/sudoers file:

Code:

## Allows people in group wheel to run all commands
# %wheel        ALL=(ALL)       ALL
rockdoctor      ALL=(ALL)       ALL

I just ran visudo as root and added the line you see above for user rockdoctor. Didn't mess with groups (the % sign in front of wheel indicates a group).

Karl Godt · 06-07-2010, 06:32 PM

Quote:

[root@fedora ~]# cat >> create-linux-file.txt
this is the line appends to create-linux-file.txt
this is an example on using redirection to appends text

http://www.labtestproject.com/linuxcmd/cat_command.html

Code:

ubuntu@ubuntu:~$ sudo nano /etc/shadow
ubuntu@ubuntu:~$ sudo nano /etc/passwd
ubuntu@ubuntu:~$ sudo nano /etc/sudoers
ubuntu@ubuntu:~$ cat >>/etc/group
bash: /etc/group: Permission denied
ubuntu@ubuntu:~$ sudo cat>>/etc/group
bash: /etc/group: Permission denied  
ubuntu@ubuntu:~$ sudo bash           
root@ubuntu:~# cat >>/etc/groupENTER
STEPHANE:x:987:ENTER,Cont+d              
root@ubuntu:~# cat /etc/group  
root:x:0:                      
daemon:x:1:                    
bin:x:2:                       
sys:x:3:                       
adm:x:4:ubuntu                 
tty:x:5:                       
disk:x:6:                      
lp:x:7:                        
mail:x:8:                      
news:x:9:                      
uucp:x:10:                     
man:x:12:                      
proxy:x:13:                    
kmem:x:15:                     
dialout:x:20:ubuntu            
fax:x:21:                      
voice:x:22:                    
cdrom:x:24:ubuntu              
floppy:x:25:                   
tape:x:26:                     
sudo:x:27:                     
audio:x:29:                    
dip:x:30:                      
www-data:x:33:                 
backup:x:34:                   
operator:x:37:                 
list:x:38:
irc:x:39:
src:x:40:
gnats:x:41:
shadow:x:42:
utmp:x:43:
video:x:44:
sasl:x:45:
plugdev:x:46:ubuntu
staff:x:50:
games:x:60:
users:x:100:
nogroup:x:65534:
libuuid:x:101:
syslog:x:102:
klog:x:103:
scanner:x:104:
nvram:x:105:
fuse:x:106:
ssl-cert:x:107:
crontab:x:108:
mlocate:x:109:
ssh:x:110:
avahi-autoipd:x:111:
lpadmin:x:112:ubuntu
netdev:x:113:
saned:x:114:
messagebus:x:115:
avahi:x:116:
polkituser:x:117:
haldaemon:x:118:
admin:x:119:ubuntu
ubuntu:x:999:
sambashare:x:120:ubuntu
STEPHANE:x:987:
root@ubuntu:~#

found me kubuntu 8.10 live umts working

Scottish-Stephanie · 06-08-2010, 05:31 PM

Quote:

Originally Posted by RockDoctor

From my Fedora Rawhide /etc/sudoers file:

Code:

## Allows people in group wheel to run all commands
# %wheel        ALL=(ALL)       ALL
rockdoctor      ALL=(ALL)       ALL

I just ran visudo as root and added the line you see above for user rockdoctor. Didn't mess with groups (the % sign in front of wheel indicates a group).

Rockdoctor, I added 'Stephanie' to the 'run all commands' section, but in vim when I do the following ':wq sudoers', I get the following 'E13: File exists (add ! to override)', I then enter :wq! sudoers and vim exits, but when I check the sudoers file in Nano all my changes have disappeared. Editing the sudoers list is no problem it is getting vim to write and exit that is now the problem.

chrism01 · 06-09-2010, 04:47 AM

If you open a file in vim, there's no need to specify the filename at exit. Also, :wq is the long version (write+quit). Just use :x (eXit with save), so

vim sudoers

<now do edits...>

<now exit with save>
:x