Hi Masters,
I would like to execute a command using sudo and not have to provide a password. After much manpage time I added this:
mike ALL=(ALL) NOPASSWD: /usr/bin/lxc
In theory this allows mike, from any and all hosts, to execute <lxc> without a password.
Nonetheless, "mike" executing "lxc" gets passworded, so there must be an error in my rule.
Any helpers?
TIA, Mike Wright
Hi,
Mike Wright wrote:
I would like to execute a command using sudo and not have to provide a password. After much manpage time I added this:
mike ALL=(ALL) NOPASSWD: /usr/bin/lxc
In theory this allows mike, from any and all hosts, to execute <lxc> without a password.
Nonetheless, "mike" executing "lxc" gets passworded, so there must be an error in my rule.
The format of that rule looks fine to me. You might look in the logs (/var/log/secure if you've got syslog enabled, else use the journalctl command).
It may be that you're hitting another rule which supersedes the one you've got there (for example, if there's a rule matching a group you're in). Using `sudo -U mike -ll` might be helpful.
On Sun, 2020-02-02 at 23:27 -0500, Todd Zullinger wrote:
The format of that rule looks fine to me. You might look in
the logs (/var/log/secure if you've got syslog enabled, else
use the journalctl command).
It may be that you're hitting another rule which supersedes
the one you've got there (for example, if there's a rule
matching a group you're in). Using `sudo -U mike -ll` might
be helpful.
+1 for Todd's comments, I have added a couple of commands and I was able to access those commands without being prompted for the sudo password.
Earl
On 2/3/20 12:34 PM, Earl Ramirez wrote:
On Sun, 2020-02-02 at 23:27 -0500, Todd Zullinger wrote:
The format of that rule looks fine to me. You might look in the logs (/var/log/secure if you've got syslog enabled, else use the journalctl command).
It may be that you're hitting another rule which supersedes the one you've got there (for example, if there's a rule matching a group you're in). Using `sudo -U mike -ll` might be helpful.
+1 for Todd's comments, I have added a couple of commands and I was able to access those commands without being prompted for the sudo password.
Thanks, Todd and Earl.
I am befuddled. Here is my sudoers file:
Defaults env_reset
Defaults mail_badpass
Defaults secure_path=<clipped: some path>
Cmnd_Alias LXC=/usr/bin/lxc
root ALL=(ALL:ALL) ALL
mike ALL=(ALL) NOPASSWD:LXC
%admin ALL=(ALL) ALL
%sudo ALL=(ALL:ALL) ALL
As you can see, there is not much there. I added the Cmnd_Alias and the rule for mike. That's it.
I did try reordering ( and had to reboot "single" to fix it :/ )
Any ideas?
:m
On 20-02-03 16:23:07, Mike Wright wrote: ...
I am befuddled. Here is my sudoers file:
Defaults env_reset
Defaults mail_badpass
Defaults secure_path=<clipped: some path>
Cmnd_Alias LXC=/usr/bin/lxc
root ALL=(ALL:ALL) ALL
mike ALL=(ALL) NOPASSWD:LXC
%admin ALL=(ALL) ALL
%sudo ALL=(ALL:ALL) ALL
Is mike an admin? man sudoers has something about last matching rule. Might mike need to be after %admin?
On 03/02/20 22:23, Mike Wright wrote:
On 2/3/20 12:34 PM, Earl Ramirez wrote:
On Sun, 2020-02-02 at 23:27 -0500, Todd Zullinger wrote:
The format of that rule looks fine to me. You might look in the logs (/var/log/secure if you've got syslog enabled, else use the journalctl command).
It may be that you're hitting another rule which supersedes the one you've got there (for example, if there's a rule matching a group you're in). Using `sudo -U mike -ll` might be helpful.
+1 for Todd's comments, I have added a couple of commands and I was able to access those commands without being prompted for the sudo password.
Thanks, Todd and Earl.
I am befuddled. Here is my sudoers file:
Defaults env_reset
Defaults mail_badpass
Defaults secure_path=<clipped: some path>
Cmnd_Alias LXC=/usr/bin/lxc
root ALL=(ALL:ALL) ALL
mike ALL=(ALL) NOPASSWD:LXC
I'm not sure, but it could be (space required)
mike ALL=(ALL) NOPASSWD: LXC
Hi,
Mario Michele Macaluso wrote:
On 03/02/20 22:23, Mike Wright wrote:
Cmnd_Alias LXC=/usr/bin/lxc
root ALL=(ALL:ALL) ALL
mike ALL=(ALL) NOPASSWD:LXC
I'm not sure, but it could be (space required)
mike ALL=(ALL) NOPASSWD: LXC
White space is optional there, so that shouldn't have any effect.
The sudoers(5) man page says:
White space between elements in a list as well as special syntactic characters in a User Specification (‘=’, ‘:’, ‘(’, ‘)’) is optional.
And FWIW, I have working rules with and without spaces¹.
My bet is on another rule interfering, due to user mike being in group admin or sudo. I've run into that myself.
¹ Because the rules were added at different times by different people, not because I like to have messy white space. ;)
On Tue, Feb 4, 2020 at 12:49 PM Todd Zullinger tmz@pobox.com wrote:
Hi,
Mario Michele Macaluso wrote:
On 03/02/20 22:23, Mike Wright wrote:
Cmnd_Alias LXC=/usr/bin/lxc
root ALL=(ALL:ALL) ALL
mike ALL=(ALL) NOPASSWD:LXC
I'm not sure, but it could be (space required)
mike ALL=(ALL) NOPASSWD: LXC
White space is optional there, so that shouldn't have any effect.
The sudoers(5) man page says:
White space between elements in a list as well as special syntactic characters in a User Specification (‘=’, ‘:’, ‘(’, ‘)’) is optional.
And FWIW, I have working rules with and without spaces¹.
My bet is on another rule interfering, due to user mike being in group admin or sudo. I've run into that myself.
¹ Because the rules were added at different times by different people, not because I like to have messy white space. ;)
It is possible the sudoers file behaves in a "last line wins" fashion. Move your lxc line to the end of the file and try again.
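The "last matching rule" behaviour raised in the replies above, as an added example that is not part of any poster's message: a simplified Python model of sudoers user specifications (one command per rule, host and run-as lists ignored) run over the two rule orders posted in this thread. The group membership passed to `decide` is an assumption; the thread only suggests that mike may be in admin or sudo.

```python
import re

# Constructed input: the rules posted in the thread, in both orders that were tried.
HEAD = "Defaults env_reset\n# Cmnd alias specification\nCmnd_Alias LXC=/usr/bin/lxc\n"
ROOT = "root ALL=(ALL:ALL) ALL\n"
MIKE = "mike ALL=(ALL) NOPASSWD:LXC\n"
GROUPS = "%admin ALL=(ALL) ALL\n%sudo ALL=(ALL:ALL) ALL\n"
MIKE_FIRST = HEAD + ROOT + MIKE + GROUPS   # first file posted
MIKE_LAST = HEAD + GROUPS + ROOT + MIKE    # reordered file posted later

# user host = (runas) [TAG:] command; white space around '=' and ':' is optional
SPEC = re.compile(
    r"^(\S+)\s+(\S+?)\s*=\s*(?:\([^)]*\))?\s*(?:(NOPASSWD|PASSWD)\s*:)?\s*(.+)$")

def parse(text):
    """Return [(who, nopasswd, command)] for simple one-command rules."""
    aliases, rules = {}, []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments
        if line.startswith("Cmnd_Alias"):
            name, path = line[len("Cmnd_Alias"):].split("=", 1)
            aliases[name.strip()] = path.strip()
        elif line and not line.startswith("Defaults"):
            m = SPEC.match(line)
            if m:
                who, _host, tag, cmd = m.groups()
                cmd = cmd.strip()
                rules.append((who, tag == "NOPASSWD", aliases.get(cmd, cmd)))
    return rules

def decide(text, user, groups, command):
    """Simplified model of sudoers matching: the last matching rule decides."""
    result = "denied"
    for who, nopasswd, cmd in parse(text):
        who_ok = who in (user, "ALL") or (who[0] == "%" and who[1:] in groups)
        if who_ok and cmd in ("ALL", command):
            result = "nopasswd" if nopasswd else "password"   # later match overrides
    return result

if __name__ == "__main__":
    for label, text in (("mike first", MIKE_FIRST), ("mike last", MIKE_LAST)):
        print(label, decide(text, "mike", {"sudo"}, "/usr/bin/lxc"))
```

With mike in group sudo, the first ordering ends on the `%sudo ... ALL` rule and so asks for a password, while the reordered file ends on the NOPASSWD rule for `/usr/bin/lxc` only.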
On 2/4/20 10:01 AM, Mauricio Tavares wrote:
On Tue, Feb 4, 2020 at 12:49 PM Todd Zullinger tmz@pobox.com wrote:
Hi,
Mario Michele Macaluso wrote:
On 03/02/20 22:23, Mike Wright wrote:
Cmnd_Alias LXC=/usr/bin/lxc
root ALL=(ALL:ALL) ALL
mike ALL=(ALL) NOPASSWD:LXC
I'm not sure, but it could be (space required)
mike ALL=(ALL) NOPASSWD: LXC
White space is optional there, so that shouldn't have any effect.
The sudoers(5) man page says:
White space between elements in a list as well as special syntactic characters in a User Specification (‘=’, ‘:’, ‘(’, ‘)’) is optional.
And FWIW, I have working rules with and without spaces¹.
My bet is on another rule interfering, due to user mike being in group admin or sudo. I've run into that myself.
¹ Because the rules were added at different times by different people, not because I like to have messy white space. ;)
It is possible the sudoers file behaves in a "last line wins" fashion. Move your lxc line to the end of the file and try again.
Defaults env_reset
Defaults mail_badpass
Defaults secure_path="some_path"
# Cmnd alias specification
Cmnd_Alias LXC=/usr/bin/lxc
# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL
# User privilege specification
root ALL=(ALL:ALL) ALL
mike ALL=(ALL) NOPASSWD:LXC
----
sudoers.d is empty
launching an xterm from the cli then entering in the new xterm:
lxc list
and I get a password prompt. Absolutely no clue.
On Tue, 2020-02-04 at 12:25 -0800, Mike Wright wrote:
# Cmnd alias specification
Cmnd_Alias LXC=/usr/bin/lxc
# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL
# User privilege specification
root ALL=(ALL:ALL) ALL
mike ALL=(ALL) NOPASSWD:LXC
What is the output of sudo -l when you are logged in as mike? I configured sudoers with the same as what you have here with the exception of the commands and it works as expected.
On Tue, 4 Feb 2020 12:25:39 -0800 Mike Wright nobody@nospam.hostisimo.com wrote:
Defaults env_reset
Defaults mail_badpass
Defaults secure_path="some_path"
# Cmnd alias specification
Cmnd_Alias LXC=/usr/bin/lxc
# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL
# User privilege specification
root ALL=(ALL:ALL) ALL
mike ALL=(ALL) NOPASSWD:LXC
sudoers.d is empty
launching an xterm from the cli then entering in the new xterm:
lxc list
and I get a password prompt. Absolutely no clue.
I'm not familiar with all this, but when I looked at the /usr/bin/ directory, there isn't an lxc in there.
$ ls /usr/bin/lxc*
/usr/bin/lxc-attach /usr/bin/lxc-checkconfig /usr/bin/lxc-console /usr/bin/lxc-destroy /usr/bin/lxc-freeze /usr/bin/lxc-monitor /usr/bin/lxc-stop /usr/bin/lxc-unshare /usr/bin/lxc-wait
/usr/bin/lxc-autostart /usr/bin/lxc-checkpoint /usr/bin/lxc-copy /usr/bin/lxc-device /usr/bin/lxc-info /usr/bin/lxc-snapshot /usr/bin/lxc-top /usr/bin/lxc-update-config
/usr/bin/lxc-cgroup /usr/bin/lxc-config /usr/bin/lxc-create /usr/bin/lxc-execute /usr/bin/lxc-ls /usr/bin/lxc-start /usr/bin/lxc-unfreeze /usr/bin/lxc-usernsexec
Could that be why it isn't working?
On 2/4/20 1:13 PM, stan via users wrote:
On Tue, 4 Feb 2020 12:25:39 -0800 Mike Wright nobody@nospam.hostisimo.com wrote:
Defaults env_reset
Defaults mail_badpass
Defaults secure_path="some_path"
# Cmnd alias specification
Cmnd_Alias LXC=/usr/bin/lxc
# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL
# User privilege specification
root ALL=(ALL:ALL) ALL
mike ALL=(ALL) NOPASSWD:LXC
sudoers.d is empty
launching an xterm from the cli then entering in the new xterm:
lxc list
and I get a password prompt. Absolutely no clue.
I'm not familiar with all this, but when I looked at the /usr/bin/ directory, there isn't an lxc in there.
$ ls /usr/bin/lxc*
/usr/bin/lxc-attach /usr/bin/lxc-checkconfig /usr/bin/lxc-console /usr/bin/lxc-destroy /usr/bin/lxc-freeze /usr/bin/lxc-monitor /usr/bin/lxc-stop /usr/bin/lxc-unshare /usr/bin/lxc-wait
/usr/bin/lxc-autostart /usr/bin/lxc-checkpoint /usr/bin/lxc-copy /usr/bin/lxc-device /usr/bin/lxc-info /usr/bin/lxc-snapshot /usr/bin/lxc-top /usr/bin/lxc-update-config
/usr/bin/lxc-cgroup /usr/bin/lxc-config /usr/bin/lxc-create /usr/bin/lxc-execute /usr/bin/lxc-ls /usr/bin/lxc-start /usr/bin/lxc-unfreeze /usr/bin/lxc-usernsexec
Could that be why it isn't working?
lxc-* files are from the original LXC. lxc is the base command for LXD which is based on LXC.
Thanks
On 2/4/20 1:10 PM, Earl Ramirez wrote:
On Tue, 2020-02-04 at 12:25 -0800, Mike Wright wrote:
# Cmnd alias specification
Cmnd_Alias LXC=/usr/bin/lxc
# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL
# User privilege specification
root ALL=(ALL:ALL) ALL
mike ALL=(ALL) NOPASSWD:LXC
What is the output of sudo -l when you are logged in as mike? I configured sudoers with the same as what you have here with the exception of the commands and it works as expected.
User mike may run the following commands on basto:
    (ALL : ALL) ALL
    (ALL) NOPASSWD: /usr/bin/lxc
And that says I SHOULD be able to execute without authentication.
At this point I have to think that I'm not dealing with a sudo problem. Pure speculation but it seems the application itself may have some built-in restrictions that I'm unaware of.
I know I can add myself to the application's group and execute "lxc": it complies but always throws some errors first. If I use sudo it doesn't throw the error. Sudoers seemed like the way to avoid that.
I can't give any more time to this problem. As an alternate route I'm going to extend my sudo password timeout setting and will have to live with that.
Thanks to everybody that helped.
Mike Wright
On Tue, 4 Feb 2020 14:57:31 -0800 Mike Wright nobody@nospam.hostisimo.com wrote:
lxc-* files are from the original LXC. lxc is the base command for LXD which is based on LXC.
So, a naive guess that was wrong. :-) Thanks for the info.
Hi.
On Tue, 04 Feb 2020 12:25:39 -0800 Mike Wright wrote:
launching an xterm from the cli then entering in the new xterm:
lxc list
and I get a password prompt. Absolutely no clue.
I think you should call:
sudo lxc list
or there is some magic to call sudo in your context.