Tuesday, December 6, 2011

Funny things with Sudo

Sudo, that ever important, pervasive and PITA tool that we use to run root commands on our systems. I learned something new about it yesterday, other than how easy it is to configure it incorrectly. It turns out that sudo has a nice facility for showing you which entries in the sudoers file you match. This turned out to be the key to figuring out why a neat shortcut wasn't working for me. I was trying to configure sudo with the NOPASSWD tag so that I didn't have to type in my password every time I wanted to fire up a root command: an entry that allows the ivan user to run any command, as any user, on any system, WITHOUT having to type in ivan's password. The problem was that, for some reason, the system still asked for ivan's password. After a bit of digging, I discovered that the following can be used to figure out which entries you match in the sudoers file:
sudo -l
Which provides output like the following:
User ivan may run the following commands on this host:
It turns out there's a line in /etc/sudoers that allows anyone in the wheel group to run any command, as any user, on any system, PROVIDED they type in their password correctly. And that's exactly what we see above: this user matches two entries, since ivan is in the wheel group. Because sudo applies the last matching entry, and the wheel entry comes later in the file than ivan's, the wheel entry wins and a password is required. To correct this, either allow the wheel group to run with NOPASSWD (not ideal), remove NOPASSWD from ivan's entry (ideal), or remove ivan from the wheel group. Fun!
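As an added example (not code from this post, and not sudo's own implementation), the script below models the rule that the sudoers manual documents: when several entries match, the last one in file order decides. It parses a constructed /etc/sudoers excerpt containing the two entries the post describes, ivan's NOPASSWD line and the %wheel line, and reports whether ivan gets a password prompt with the entries in the original order, with ivan's line moved after the wheel line, and with ivan taken out of the wheel group. The sudoers text, the host name and all function names are assumptions for illustration; the parser handles only plain user and %group specs, a host, an optional runas list and the NOPASSWD/PASSWD tags, not aliases, netgroups or per-command tag resolution.

```python
"""Toy model of sudoers last-match evaluation (example code, not sudo itself)."""
import re
from dataclasses import dataclass

# Keywords that start lines this simplified parser does not model.
SKIPPED_KEYWORDS = ("Defaults", "User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias")

# who  host = (runas) rest   e.g.  ivan ALL=(ALL) NOPASSWD: ALL
ENTRY_RE = re.compile(r"^(\S+)\s+(\S+)\s*=\s*(?:\(([^)]*)\)\s*)?(.*)$")
TAG_RE = re.compile(r"^(NOPASSWD|PASSWD):\s*")


@dataclass
class Entry:
    who: str        # "ivan", "%wheel" or "ALL"
    host: str       # "ALL" or a host name
    runas: str      # contents of the (...) list, "root" when omitted
    nopasswd: bool  # True when the NOPASSWD: tag applies
    commands: str   # command list, kept as text


def parse_sudoers(text):
    """Parse the subset of sudoers syntax used in this example, in file order."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#' comments; #include is not modelled
        if not line or line.startswith(SKIPPED_KEYWORDS):
            continue
        m = ENTRY_RE.match(line)
        if not m:
            raise ValueError(f"unparsed sudoers line: {raw!r}")
        who, host, runas, rest = m.groups()
        nopasswd = False
        while (tag := TAG_RE.match(rest)):       # a later tag overrides an earlier one
            nopasswd = tag.group(1) == "NOPASSWD"
            rest = rest[tag.end():]
        entries.append(Entry(who, host, runas or "root", nopasswd, rest.strip()))
    return entries


def matching_entries(entries, user, groups, host="localhost"):
    """All entries whose user/group spec and host spec match, in file order."""
    def who_matches(spec):
        if spec == "ALL":
            return True
        if spec.startswith("%"):
            return spec[1:] in groups
        return spec == user

    return [e for e in entries
            if who_matches(e.who) and e.host in ("ALL", host)]


def evaluate(entries, user, groups, host="localhost"):
    """Return (allowed, needs_password); the LAST matching entry's tag decides."""
    matches = matching_entries(entries, user, groups, host)
    if not matches:
        return (False, True)
    return (True, not matches[-1].nopasswd)


def check(sudoers_text, user="ivan", groups=("wheel",)):
    return evaluate(parse_sudoers(sudoers_text), user, set(groups))


# Constructed /etc/sudoers excerpts: the order from the post, and the reordered fix.
ORIGINAL_ORDER = """
root    ALL=(ALL)       ALL
ivan    ALL=(ALL)       NOPASSWD: ALL
%wheel  ALL=(ALL)       ALL
"""

IVAN_AFTER_WHEEL = """
root    ALL=(ALL)       ALL
%wheel  ALL=(ALL)       ALL
ivan    ALL=(ALL)       NOPASSWD: ALL
"""

if __name__ == "__main__":
    for label, text, groups in (("original order", ORIGINAL_ORDER, ("wheel",)),
                                ("ivan after wheel", IVAN_AFTER_WHEEL, ("wheel",)),
                                ("ivan not in wheel", ORIGINAL_ORDER, ())):
        allowed, needs_pw = check(text, groups=groups)
        print(f"{label:18s} allowed={allowed} password_prompt={needs_pw}")
```

On a real system the equivalent checks are `visudo -cf /etc/sudoers` for syntax and, as root, `sudo -l -U ivan` to list the entries that apply to ivan without logging in as that user. Note that real sudo resolves tags per command, so the model above is exact only when the competing entries cover the same commands, as they do here (both are ALL).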


Unknown said...

Or move ivan's line after the wheel line. From man sudoers: "When multiple entries match for a user, they are applied in order. Where there are multiple matches, the last match is used (which is not necessarily the most specific match)."

izaac said...

Yep, Josh said it first; try that, it should work.

Hiisi said...

Recently I asked the same thing on the fedora users list. By the way, this article is on the start page of the fedora project.