#59: edora-cloud-base-vagrant image has incorrect sudo privs -----------------------------+--------------------- Reporter: semyers | Owner: kanarip Type: defect | Status: new Priority: major | Milestone: Component: kickstart pool | Keywords: vagrant Blocked By: | Blocking: -----------------------------+--------------------- = bug description = The fedora-cloud-base-vagrant image does not have the vagrant-recommended sudo privileges. The vagrant user is granted "ALL=NOPASSWD: ALL", but should be granted "vagrant ALL=(ALL) NOPASSWD: ALL" = bug analysis = In [https://git.fedorahosted.org/cgit/spin-kickstarts.git/tree/fedora- cloud-base-vagrant.ks?id=6b42371f723437214404c37366e7784004e12dc3#n45 the current state], the vagrant user cannot act as other users with sudo. Given passwordless sudo, the vagrant user easily has the ability to gain this functionality (this is my current workaround), so it should probably be the default anyway. Without the "(ALL)" in the sudoers line: {{{ [vagrant@dev ~]$ sudo -u nobody ls / [sudo] password for vagrant: Sorry, user vagrant is not allowed to execute '/bin/ls /' as nobody on dev. }}} With the "(ALL)" in the sudoers line: {{{ [vagrant@dev ~]$ sudo -u nobody ls / bin boot dev etc home lib lib64 lost+found media mnt opt proc root run sbin srv sys tmp usr vagrant var }}} = fix recommendation = In the fedora-cloud-base-vagrant kickstart, replace {{{ echo 'vagrant ALL=NOPASSWD: ALL' > /etc/sudoers.d/vagrant-nopasswd }}} with {{{ echo 'vagrant ALL=(ALL) NOPASSWD: ALL' > /etc/sudoers.d/vagrant-nopasswd }}} As described in the vagrant docs, under "Password-less sudo": https://docs.vagrantup.com/v2/boxes/base.html -- Ticket URL: <https://fedorahosted.org/spin-kickstarts/ticket/59> spin-kickstarts <https://fedorahosted.org/spin-kickstarts/> Kickstarts that the Spin SIG reviews, tests, maintains and releases (as a package).