RedHatSudoFix

How to fix a misbehaving sudo under Red Hat and Centos

Ah, sudo, the bane (and the best friend!) of sysadmins everywhere.

Let's face it: sudo is a great way to allow normal users to perform just a very very tiny slice of system operations. But it's also very tough to configure correctly.

First of all, a word of warning: always use the visudo command to edit the /etc/sudoers configuration file. While not perfect, visudo at least provides a few checks that can catch problems in the configuration.

Now, another way to check a user has been correctly configured is to use the -l -U options of sudo:

root#  sudo -l -U vega
Matching Defaults entries for vega on this host:
    requiretty, !visiblepw, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE LC_COLLATE
    LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"

User vega may run the following commands on this host:
root#

OK, what's wrong? User vega has no commands displayed, following the message User vega may run the following commands on this host:. And, of course, commands are configured for this user!

What is even more scary is that you cannot even try to use sudo with this user!

root# su - vega
vega$ sudo /mdev/reset_env
Sorry, user vega may not run sudo on localhost.
vega$

Oh boy... Actually, this is fairly simple to solve: just add the proper hostname in the sudo configuration. Here, I have added it to the "Alias" named MACHINE in /etc/sudoers:

root# hostname
galactus.mdev.net
root# grep MACHINE /etc/sudoers
Host_Alias     MACHINE = galactus.mdev.net, localhost
XVEGA   MACHINE = (root)        NOPASSWD: PURGE

Let's detail this a little bit:

• First, we check the output of the hostname command, and we get: galactus.mdev.net.
• Next, using visudo, that name has been added to the MACHINE alias (actually Host_Alias)in /etc/sudoers.
• The line starting with XVEGA contains:
  • the XVEGA user alias,
  • the MACHINE alias,
  • (root) which is the user executing the commands,
  • NOPASSWD to allow all users defined in XVEGA to execute commands without entering a password,
  • PURGE which is the alias for all the commands allowed.

In other words, you should always define the following aliases in /etc/sudoers:

root#  grep _Alias /etc/sudoers | grep -v ^#
Host_Alias     MACHINE = galactus.mdev.net, localhost
User_Alias XVEGA = john, patrick, peggy, vega
Cmnd_Alias PURGE = /mdev/reset_env, /mdev/deploy_mdev.sh, /etc/init.d/mdev3

In the example shown above, we therefore have 4 users (John, Patrick, Peggy and "Vega") which can run 3 commands on the host galactus.

And the command at the beginning is now working correctly:

root#  sudo -l -U vega
Matching Defaults entries for vega on this host:
    requiretty, !visiblepw, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE LC_COLLATE
    LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"

User vega may run the following commands on this host:
    (root) NOPASSWD: /mdev/reset_env, /mdev/deploy_mdev.sh, /etc/init.d/mdev3

Much better - I hope this helps!

See Also:

• The answer on the Ars Technica forum