[Freeipa-users] Sudo rule processing order
Martin Kosek
mkosek at redhat.com
Fri Jan 10 14:59:24 UTC 2014
On 01/10/2014 11:52 AM, Fred van Zwieten wrote:
> Hi,
>
> I have a sudo rule in IPA that has the !authenticate option added to enable
> admins to execute certain programs as root without authentication.
>
> It doesn't work. There is another rule for the admins that allow all
> commands as long as they give their password.
>
> In a sudoers file, you can solve this by specifing the nopasswd rule as
> last.
>
> sudo -l from an IPA-client gives me this:
>
> *******@svr001 ~]$ sudo -l
> Matching Defaults entries for ******* on this host:
> requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS
> DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1
> PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE
> LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY
> LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL
> LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
> secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
>
> User ******** may run the following commands on this host:
> (root) NOPASSWD: ALL
> (root) /bin/cat, /bin/egrep, /bin/find, /bin/grep, /bin/ls, /bin/more,
> /usr/bin/less, !/bin/su
> (root) NOPASSWD: /usr/bin/cobbler
> (root) !/bin/su
>
> I want the cobbler command to run without password authentication. What am
> I doing wrong?
>
Would setting SUDO rule order help?
# ipa sudorule-mod -h
...
--order=INT integer to order the Sudo rules
...
Martin
More information about the Freeipa-users
mailing list