SLES 11 SP3 sudo command still asks for password



ecanmaster
04-Dec-2015, 16:51
I have granted one user a couple of permissions to other accounts. I am running SLES 11 sp1 .
This I have done with yast (just to be sure) and afterwards also with /etc/sudoers file.
Now when I run a command it is asking for password, but I have used the option NOPASSWD.
When running sudo -l , it shows all the correct permissions
this is puzzling, why is it asking for a password, even when it's configured not to use it

sudoer file:



Defaults always_set_home
Defaults env_reset
Defaults env_keep = "LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS XDG_SESSION_COOKIE"
Defaults targetpw
ALL ALL = (ALL) ALL
root ALL = (ALL) ALL
ki ALL = (test1) NOPASSWD:ALL
ki ALL = (test2) NOPASSWD:ALL
ki All = (test3) NOPASSWD:ALL
ki ALL = (test4) NOPASSWD:ALL


sudo -l command on the user ki:


sudo -l
Matching Defaults entries for ki on this host:
always_set_home, env_reset, env_keep="LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES
LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS XDG_SESSION_COOKIE", targetpw

User bi may run the following commands on this host:
(ALL) ALL
(test1) NOPASSWD: ALL
(test2) NOPASSWD: ALL
(test3) NOPASSWD: ALL
(test4) NOPASSWD: ALL

ab
04-Dec-2015, 18:17
You didn't post the sudo command that you're trying which prompts you for
the password. Be sure you're specifying the target user, or else it
assumes root, which is not one of your options for NOPASSWD. I think the
syntax is "-u test1" for the sudo command.

--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below...

smflood
04-Dec-2015, 18:40
On 04/12/2015 15:54, ecanmaster wrote:

> I have granted one user a couple of permissions to other accounts. I am
> running SLES 11 sp1 .
> This I have done with yast (just to be sure) and afterwards also with
> /etc/sudoers file.
> Now when I run a command it is asking for password, but I have used the
> option NOPASSWD.
> When running sudo -l , it shows all the correct permissions
> this is puzzling, why is it asking for a password, even when it's
> configured not to use it
>
> sudoer file:
>
> Code:
> --------------------
>
>
> Defaults always_set_home
> Defaults env_reset
> Defaults env_keep = "LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS XDG_SESSION_COOKIE"
> Defaults targetpw
> ALL ALL = (ALL) ALL
> root ALL = (ALL) ALL
> ki ALL = (test1) NOPASSWD:ALL
> ki ALL = (test2) NOPASSWD:ALL
> ki All = (test3) NOPASSWD:ALL
> ki ALL = (test4) NOPASSWD:ALL
>
> --------------------
>
>
> sudo -l command on the user ki:
>
> Code:
> --------------------
>
> sudo -l
> Matching Defaults entries for ki on this host:
> always_set_home, env_reset, env_keep="LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES
> LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS XDG_SESSION_COOKIE", targetpw
>
> User bi may run the following commands on this host:
> (ALL) ALL
> (test1) NOPASSWD: ALL
> (test2) NOPASSWD: ALL
> (test3) NOPASSWD: ALL
> (test4) NOPASSWD: ALL
> --------------------

The output you've posted suggests that whilst your sudoers file
references user ki, the sudo -l output mentions bi ...

HTH.
--
Simon
SUSE Knowledge Partner

ecanmaster
08-Dec-2015, 13:25
sorry guys for the late reply, because of the weekend , I completely forgot
did do a lot of googling, but this is an interesting problem,
this looks like a conflict with permissions, but I couldn't find any
here is the error:



ki@server1:~>cd /Home/Data/tesuser1/
-bash: cd: /Home/Data/tesuser1/ : Permission denied

ki@server1:~>sudo cd /Home/Data/tesuser1/
root's password:

ab
08-Dec-2015, 14:15
You are STILL not specifying the target user, so your test is still
invalid. See my previous response.

--
Good luck.

ecanmaster
08-Dec-2015, 14:38
the command "-u test1" doesn't work,
it doesn't recognize the -u option
do you mean "sudo -u test 'command' "?
thx

ab
08-Dec-2015, 15:02
On 12/08/2015 06:44 AM, ecanmaster wrote:
>
> the command "-u test1" doesn't work,

Well, that was not the whole command. This is meant to be an argument to
'sudo' to tell it the target user to use (instead of the default, 'root').

> it doesn't recognize the -u option
> do you mean "sudo -u test 'command' "?

Yes, exactly. Also, do not test with bash builtins ('cd') as they are
likely never going to work. 'ls' would be a valid option for you perhaps,
since that is a real command which probably does not work now for your
current user (due to permissions) but would with the appropriate target user.

--
Good luck.

ecanmaster
08-Dec-2015, 15:17
wooow... it did work

I did "sudo -u test ls " instead of cd


The issue could be that the user has sudo permission to different account and because it doesn't know which account to select it uses root account,
could this be the case?
probably if this user had sudo permissions to one account, it wouldn't have this issue

is there a way to make things easier, instead of using the "-u user " ?
or what is the best practice for this situations?
anyway, thx for your help so far , learned something new :)

ab
08-Dec-2015, 15:38
On 12/08/2015 07:24 AM, ecanmaster wrote:
>
> I did "sudo -u test ls " instead of cd

Glad to hear that.

> The issue could be that the user has sudo permission to different
> account and because it doesn't know which account to select it uses root
> could this be the case?

I would bet this is highly unlikely. 'sudo' simply defaults to 'root', so
no matter how many definitions you have (comment out the others if you
want to test this in about one second), it defaults to 'root', which is
not the correct target user for your specific case, but is the proper
target user for about 99.9% of every case out there.

> probably if this user had sudo permissions to one account, it wouldn't
> have this issue

Again, highly doubt it.

> is there a way to make things easier, instead of using the "-u user " ?
> or what is the best practice for the situations?

Create an alias for the users, perhaps.

Look in the 'sudoers' manpage about Defaults to see if anything in there
works for you. Perhaps you can set the defaults to be one of the users,
but since you have multiples, that seems to only be decreasing your issue
by a relatively-small percentage (as would an alias as mentioned above).


--
Good luck.
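
The behaviour discussed in this thread, as an added example that is not part of any post: a simplified model of how sudo picks the matching sudoers entry (last match wins) and, with targetpw set, whose password it asks for. The `evaluate` function and `RULE` pattern are hypothetical names; the rule text is constructed from the sudoers file posted above, and aliases, groups and host matching are assumed away.

```python
import re

# Constructed from the sudoers file posted in the thread (env_keep omitted).
SUDOERS = """\
Defaults always_set_home
Defaults env_reset
Defaults targetpw
ALL ALL = (ALL) ALL
root ALL = (ALL) ALL
ki ALL = (test1) NOPASSWD:ALL
ki ALL = (test2) NOPASSWD:ALL
ki ALL = (test3) NOPASSWD:ALL
ki ALL = (test4) NOPASSWD:ALL
"""

# user  host = (runas[,runas]) [NOPASSWD:]commands
RULE = re.compile(r"^(\S+)\s+(\S+)\s*=\s*\(([^)]*)\)\s*(NOPASSWD:)?\s*(.+)$")

def evaluate(sudoers, user, target="root"):
    """Return (allowed, whose_password); whose_password is None when no
    prompt is needed. target defaults to root, as 'sudo' without -u does.
    Simplified model: the host and command columns are not evaluated."""
    targetpw = False
    nopasswd = None                      # None means no entry matched
    for line in sudoers.splitlines():
        line = line.strip()
        if line.startswith("Defaults"):
            targetpw = targetpw or "targetpw" in line.split()
            continue
        m = RULE.match(line)
        if not m:
            continue
        who, _host, runas, tag, _cmds = m.groups()
        runas_list = [r.strip() for r in runas.split(",")]
        if who in (user, "ALL") and (target in runas_list or "ALL" in runas_list):
            nopasswd = bool(tag)         # a later match overrides earlier ones
    if nopasswd is None:
        return (False, None)
    if nopasswd:
        return (True, None)
    # Password required: targetpw asks for the target user's password,
    # otherwise sudo asks for the invoking user's own password.
    return (True, target if targetpw else user)

if __name__ == "__main__":
    print("sudo ls          ->", evaluate(SUDOERS, "ki"))
    print("sudo -u test1 ls ->", evaluate(SUDOERS, "ki", "test1"))
```

Because the last matching entry wins, moving the `ALL ALL = (ALL) ALL` line below the `ki` entries would bring the password prompt back even with `-u test1`.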

ecanmaster
08-Dec-2015, 16:04
'sudo' simply defaults to 'root'


Most of the time I have been using sudo for the root account and that explains the sudo command
however, in the sudoers file you can specify which command users can run and even permissions for a given account
in the yast menu this is defined clearly and I can add users account permissions ,
hope you know what I mean, so it seems this should be possible
take a look at the yast sudo menu

ecanmaster
09-Dec-2015, 10:31
In order to run as a different user without asking for password, I am now using this command:

sudo -u "user" -i

the permissions on the system , I haven't changed and this command does the trick,
switch user without password

ab
09-Dec-2015, 14:04
Exactly; the -i option is the one I usually use to become 'root' as well,
as it is less-redundant than other things people do like 'sudo su -' which
is basically the same thing, but with more typing. Since -i just means
make the session interactive, it lets you in, but instead of '-i' you
could put any command (as you tested successfully earlier) for better
logging of what happens next.


--
Good luck.