[Freeipa-users] sudo !requiretty !authenticate

Martin Kosek mkosek at redhat.com
Thu Jan 8 12:30:13 UTC 2015


On 01/08/2015 10:45 AM, Pavel Březina wrote:
> On 01/07/2015 06:32 PM, Craig White wrote:
>> Still struggling with this...
>>
>> $ sudo /sbin/service pe-puppet restart
>>   [sudo] password for rundeck:
>> Stopping puppet:                                           [  OK  ]
>> Starting puppet:                                           [  OK  ]
>>
>> So it asks for the password even though, via FreeIPA, it isn't required...
>>
>> $ sudo -l
>> Matching Defaults entries for rundeck on this host:
>>      requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS
>>      DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1
>>      PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE
>>      LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY
>>      LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL
>>      LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
>>      secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
>>
>> User rundeck may run the following commands on this host:
>>      (root) ALL
>>      (ALL) NOPASSWD: ALL
> 
> Hi,
> thank you, I was just going to ask you for sudo -l. I believe that the problem
> is that the (root) ALL rule takes precedence. Or to be more precise, the first rule
> that matches is always applied, unless the sudoOrder attribute is present (but that
> is not supported by IPA, is it?).

JFTR, sudoOrder *is* supported in FreeIPA, since FreeIPA 3.3.4 (upstream ticket
https://fedorahosted.org/freeipa/ticket/4107).

Martin
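
The precedence question in this thread, as an added example (not code from the thread or from FreeIPA): a simplified Python model of how the sudoers.ldap documentation describes the choice among matching sudoRole entries, where the highest sudoOrder wins and a missing sudoOrder counts as 0. The rule names and entries are constructed to mirror the `sudo -l` output above, and user, host and runas matching is left out.

```python
# Added example: simplified model of sudoRole selection by sudoOrder.
# Entries are constructed; rule names (cn) are hypothetical.

def sudo_order(entry):
    """sudoOrder as a number; sudoers.ldap assumes 0 when it is absent."""
    return float(entry.get("sudoOrder", 0))

def effective_rule(entries, command):
    """Return (chosen_entry, ambiguous) for the given command.

    The matching entry with the highest sudoOrder is chosen. If several
    matching entries share that highest value, LDAP guarantees no order
    between them, so the choice is reported as ambiguous.
    """
    # Simplification: only "ALL" or an exact command path counts as a match.
    matching = [e for e in entries
                if "ALL" in e["sudoCommand"] or command in e["sudoCommand"]]
    if not matching:
        return None, False
    top = max(sudo_order(e) for e in matching)
    winners = [e for e in matching if sudo_order(e) == top]
    # With a tie, winners[0] is just whichever entry was listed first here.
    return winners[0], len(winners) > 1

def needs_password(entry):
    """A rule skips the password prompt only if it carries !authenticate."""
    return "!authenticate" not in entry.get("sudoOption", [])

# Constructed: the two rules from the sudo -l output, with no sudoOrder set.
RULES_UNORDERED = [
    {"cn": "admins_all", "sudoCommand": ["ALL"]},            # (root) ALL
    {"cn": "rundeck_nopasswd", "sudoCommand": ["ALL"],
     "sudoOption": ["!authenticate"]},                       # NOPASSWD: ALL
]
# Constructed: same rules, with the passwordless rule given the higher order.
RULES_ORDERED = [
    dict(RULES_UNORDERED[0], sudoOrder="1"),
    dict(RULES_UNORDERED[1], sudoOrder="10"),
]

if __name__ == "__main__":
    for label, rules in (("no sudoOrder", RULES_UNORDERED),
                         ("with sudoOrder", RULES_ORDERED)):
        rule, ambiguous = effective_rule(rules, "/sbin/service")
        print(label, "->", rule["cn"],
              "password" if needs_password(rule) else "no password",
              "(ambiguous)" if ambiguous else "")
```
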



