[Freeipa-users] sudo rules do not seem to work
Pavel Březina
pbrezina at redhat.com
Wed Oct 7 09:19:02 UTC 2015
On 10/07/2015 10:03 AM, Jakub Hrozek wrote:
> On Tue, Oct 06, 2015 at 06:28:14PM +0200, Karl Forner wrote:
>> Hello,
>>
>> I had assumed sudo rules worked because I have an "allow_all for admins"
>> sudo rule that seemed to work, but I wonder if there is an implicit rule
>> for the special group admins ?
>>
>>
>> Because I have tried to replicate this allow_all rule for for other user
>> groups, and it does not seem to work at all.
>> What's strange is that "sudo -l" report the appropriate rules, but they do
>> not work.
>>
>> For instance, some users have: (ALL) ALL listed with sudo -l, but they can
>> not use sudo.
>>
>> My user has:
>> (root) NOPASSWD: /usr/bin/git status, /usr/local/bin/git status
>> (ALL) ALL
>> (root) NOPASSWD: /bin/chgrp qbstaff *, /bin/chmod g[+-]* *, /bin/chmod
>> -R g[+-]* *
>> (ALL) NOPASSWD: /usr/bin/less
>> (ALL) ALL
>>
>> but I'm prompted a password when doing "sudo /usr/bin/less".
>>
>> How can I debug this ?
>
> Pavel (CC) has a nice sudo debug howto, maybe it would be helpful?
Hi,
you are prompted for password because (ALL) ALL rule is applied because
of last-match rule. See:
http://www.sudo.ws/man/1.8.13/sudoers.ldap.man.html sudoOrder.
More information about the Freeipa-users
mailing list