[Freeipa-users] sudo rules do not seem to work
Jakub Hrozek
jhrozek at redhat.com
Wed Oct 7 09:45:44 UTC 2015
On Wed, Oct 07, 2015 at 11:19:02AM +0200, Pavel Březina wrote:
> On 10/07/2015 10:03 AM, Jakub Hrozek wrote:
> >On Tue, Oct 06, 2015 at 06:28:14PM +0200, Karl Forner wrote:
> >>Hello,
> >>
> >>I had assumed sudo rules worked because I have an "allow_all for admins"
> >>sudo rule that seemed to work, but I wonder if there is an implicit rule
> >>for the special group admins ?
> >>
> >>
> >>Because I have tried to replicate this allow_all rule for for other user
> >>groups, and it does not seem to work at all.
> >>What's strange is that "sudo -l" report the appropriate rules, but they do
> >>not work.
> >>
> >>For instance, some users have: (ALL) ALL listed with sudo -l, but they can
> >>not use sudo.
> >>
> >>My user has:
> >> (root) NOPASSWD: /usr/bin/git status, /usr/local/bin/git status
> >> (ALL) ALL
> >> (root) NOPASSWD: /bin/chgrp qbstaff *, /bin/chmod g[+-]* *, /bin/chmod
> >>-R g[+-]* *
> >> (ALL) NOPASSWD: /usr/bin/less
> >> (ALL) ALL
> >>
> >>but I'm prompted a password when doing "sudo /usr/bin/less".
> >>
> >>How can I debug this ?
> >
> >Pavel (CC) has a nice sudo debug howto, maybe it would be helpful?
>
> Hi,
> you are prompted for password because (ALL) ALL rule is applied because of
> last-match rule. See: http://www.sudo.ws/man/1.8.13/sudoers.ldap.man.html
> sudoOrder.
This might be a nice addition to your howto :)
More information about the Freeipa-users
mailing list