grx (Apprentice). Joined: 19 Jan 2005. Posts: 173. Location: Maryland
Posted: Mon Apr 17, 2006 4:51 am. Post subject: sudo not allowing access [solved]
I've put these lines into /etc/sudoers:

Code:
# User privilege specification
root ALL=(ALL) ALL
# Uncomment to allow people in group wheel to run all commands
# %wheel ALL=(ALL) ALL
# Same thing without a password
# %wheel ALL=(ALL) NOPASSWD: ALL
# Users in group www are allowed to edit httpd.conf and ftpd.conf
# using sudoedit, or sudo -e, without a password.
# %www ALL=(ALL) NOPASSWD: sudoedit /etc/httpd.conf, /etc/ftpd.conf
# Samples
# %users ALL=/sbin/mount /cdrom,/sbin/umount /cdrom
# %users localhost=/sbin/shutdown -h now
george localhost = /usr/libexec/xfsm-shutdown-helper
george localhost = /usr/bin/emerge

Now if I try to run anything, it gives me this:

Code:
sudo -l
Password:
Sorry, user george may not run sudo on washington.

/var/log/messages gets this line:

Code:
Apr 16 22:46:12 washington sudo: george : command not allowed ; TTY=pts/0 ; PWD=/home/george ; USER=root ; COMMAND=list

What gives? Am I misunderstanding how to put the lines into the sudoers file?

Last edited by grx on Mon Apr 17, 2006 6:24 pm; edited 1 time in total
phajdan.jr (Retired Dev). Joined: 23 Mar 2006. Posts: 1777. Location: Poland
Posted: Mon Apr 17, 2006 6:52 am

Change 'localhost' to 'ALL'.
grx (Apprentice). Joined: 19 Jan 2005. Posts: 173. Location: Maryland
Posted: Mon Apr 17, 2006 2:18 pm

That works, but I'd rather not make it possible to sudo remotely. What do I have to fix to get it to work that way?
phajdan.jr (Retired Dev). Joined: 23 Mar 2006. Posts: 1777. Location: Poland
Posted: Mon Apr 17, 2006 5:40 pm

Well, it doesn't work like that. There is a 'host' entry because the same sudoers file can be used on several machines. Then each computer reads only 'its' entries... It's not the host you connect from, but the host you run the command on.

I don't know how to set it up in the way you want. You could create another user, not allowed to connect remotely, etc. But in my opinion there is nothing to worry about. Just give the user a strong password, block the account after, say, 3 failed login attempts, maybe in combination with port knocking / one-time passwords... It should be quite safe, really.
grx (Apprentice). Joined: 19 Jan 2005. Posts: 173. Location: Maryland
Posted: Mon Apr 17, 2006 6:23 pm

Actually, I just discovered that the problem is the "localhost". It needs the actual host name, so when I change it to "washington", it works fine. Thinking about it, I decided to keep the ALL anyway. Thanks all!
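The host-field confusion from this thread, worked through as an added example that is not from the thread or from sudo itself: a small Python model of how sudo picks the entries that apply on the machine the command runs on, applied to a constructed sudoers fragment. It shows why the 'localhost' line never applies on a box named washington while 'washington' (or a Host_Alias covering it) does; the DESKTOPS alias and the host name lincoln are made up.

```python
import re

# Hypothetical helper (added here, not sudo's own code): does a sudoers host
# field match the machine sudo is running ON?  Supports ALL, a Host_Alias and
# a plain hostname (short or fully qualified); netgroups, IP/netmask entries
# and '!' negation from the real grammar are deliberately left out.
def host_matches(field, hostname, host_aliases):
    short = hostname.split(".")[0].lower()
    for item in (h.strip() for h in field.split(",")):
        if item == "ALL":
            return True
        if item in host_aliases:
            if host_matches(",".join(host_aliases[item]), hostname, host_aliases):
                return True
        elif item.lower() in (hostname.lower(), short):
            return True
    return False

ALIAS_RE = re.compile(r"^Host_Alias\s+(\w+)\s*=\s*(.+)$")
USER_SPEC_RE = re.compile(r"^(\S+)\s+(\S+)\s*=\s*(.+)$")

# Return the command part of every user specification that applies to
# `user` on `hostname`, in file order (comments and blank lines skipped).
def applicable_rules(sudoers_text, user, hostname):
    aliases, rules = {}, []
    for raw in sudoers_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = ALIAS_RE.match(line)
        if m:
            aliases[m.group(1)] = [h.strip() for h in m.group(2).split(",")]
            continue
        m = USER_SPEC_RE.match(line)
        if m and m.group(1) == user and host_matches(m.group(2), hostname, aliases):
            rules.append(m.group(3).strip())
    return rules

# Constructed sample modelled on the thread: the 'localhost' line is the
# original mistake, the 'washington' line is the fix, and DESKTOPS shows how
# one file can serve several machines.
SAMPLE_SUDOERS = """\
Host_Alias DESKTOPS = washington, lincoln
root ALL=(ALL) ALL
george localhost = /usr/libexec/xfsm-shutdown-helper
george washington = /usr/bin/emerge
george DESKTOPS = /sbin/shutdown -h now
"""
```

Calling applicable_rules(SAMPLE_SUDOERS, "george", "washington") returns only the emerge and shutdown entries; the 'localhost' entry would apply only on a machine whose hostname is literally localhost.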