On Sat, 2021-10-02 at 22:46 +0200, Kees van Vloten wrote:
> On 02-10-2021 22:16, Rowland Penny via samba wrote:
> > On Sat, 2021-10-02 at 22:05 +0200, Kees van Vloten via samba wrote:
> > > On 02-10-2021 21:58, Rowland Penny via samba wrote:
> > > > On Sat, 2021-10-02 at 21:51 +0200, Kees van Vloten via samba wrote:
> > > > > I don't know what you have in /etc/sudoers or /etc/sudoers.d.
> > > > I have already shown that my name is not in /etc/sudoers and
> > > > /etc/sudoers.d/ is virtually empty:
> > > >
> > > > rowland@devstation:~$ ls /etc/sudoers.d
> > > > README
> > > >
> > > > But I can use sudo.
> > > >
> > > > Rowland
> > > >
> > > Indeed you did, but you did not show the /etc/sudoers file. I would
> > > expect it to contain a line that allows a group you are a member of to
> > > provide you root access.
> > Believe me it doesn't
> >
> > > If you want to see sudo-rules that are matching for your user you can
> > > do sudo -l from your user.
> > Here you are:
> >
> > rowland@devstation:~$ sudo -l
> > [sudo] password for rowland:
> > Matching Defaults entries for rowland on devstation:
> >     !env_reset, mail_badpass,
> >     secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin,
> >     env_reset, mail_badpass,
> >     secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
> >
> > User rowland may run the following commands on devstation:
> >     (ALL : ALL) ALL
> >
> > Would it help if I told you that I do this on all my Unix domain
> > members and DCs without modifying any sudo files ?
> >
> > Rowland
> >
> The one thing I see here is that there is indeed a sudo-rule that allows
> you full root access given you enter your password.
> The output does not show on what basis you get this rule "(ALL : ALL) ALL"
> assigned.
> I am certain that I do not see that on my machines when I am not in the
> group "sudo".
>
> The sudo -l output for my user (which is a member of group sudo) is:
>
> kvv@bach:~$ sudo -l
> [sudo] password for kvv:
> Matching Defaults entries for kvv on bach:
>     env_reset, mail_badpass,
>     secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
>
> User kvv may run the following commands on bach:
>     (ALL : ALL) ALL
>
> When comparing the output, I noticed in yours "matching default items"
> are listed twice. Again no clue how it got there.

Yes I noticed that, but it doesn't affect sudo-ldap hint hint

I must log a sudo bug

Rowland
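As an added example (not code from this thread, nor from the sudo or Samba projects), here is a small Python parser for `sudo -l` output of the shape shown in the two listings above. It splits the listing into the Defaults entries and the command rules, reports Defaults that appear more than once or that appear both negated and set (as `!env_reset` and `env_reset` do in the devstation output), and says whether the user holds an unrestricted `(ALL : ALL) ALL` rule; it also accepts the `(ALL) ALL` and `NOPASSWD:` variants, which go beyond what the thread shows. The two sample listings are constructed to mirror the posts (same user and host names), not captured from a real system. Note that `sudo -l` itself never says whether a matching rule came from /etc/sudoers, /etc/sudoers.d or an LDAP source, so the parser cannot either.

```python
"""Audit `sudo -l` listings: Defaults in effect, duplicated or contradictory
Defaults, and whether the user has an unrestricted rule.

Hypothetical helper written for this example; the sample listings below are
constructed to mirror the thread, not captured from a real host.
"""
import re
from dataclasses import dataclass, field

FULL_ROOT = re.compile(r"\(ALL(?:\s*:\s*ALL)?\)\s*(?:NOPASSWD:\s*)?ALL")


@dataclass
class SudoListing:
    user: str
    host: str
    defaults: list[str] = field(default_factory=list)
    rules: list[str] = field(default_factory=list)

    def duplicated_defaults(self) -> list[str]:
        """Defaults entries listed more than once, in first-seen order."""
        seen, dups = set(), []
        for entry in self.defaults:
            if entry in seen and entry not in dups:
                dups.append(entry)
            seen.add(entry)
        return dups

    def conflicting_defaults(self) -> list[str]:
        """Flag options that appear both negated (!opt) and set (opt).
        sudo applies Defaults in order, so the later one wins; a pair like
        !env_reset / env_reset deserves a look before trusting the result."""
        negated = {d[1:] for d in self.defaults if d.startswith("!")}
        plain = {d for d in self.defaults if not d.startswith("!")}
        return sorted(negated & plain)

    def has_full_root(self) -> bool:
        """True if any rule lets the user run any command as any user."""
        return any(FULL_ROOT.fullmatch(r.strip()) for r in self.rules)


def parse_sudo_l(text: str) -> SudoListing:
    """Parse the human-readable `sudo -l` listing (sudo's English messages)."""
    user = host = ""
    defaults_lines: list[str] = []
    rules: list[str] = []
    section = None
    for line in text.splitlines():
        m = re.match(r"Matching Defaults entries for (\S+) on (\S+):", line)
        if m:
            user, host, section = m.group(1), m.group(2), "defaults"
            continue
        m = re.match(r"User (\S+) may run the following commands on (\S+):", line)
        if m:
            user, host, section = m.group(1), m.group(2), "rules"
            continue
        if section is None or not line.strip():
            continue  # shell prompt, password prompt, blank separators
        (defaults_lines if section == "defaults" else rules).append(line.strip())
    # Defaults are one comma-separated list wrapped over several lines.
    defaults = [d for d in re.split(r",\s*", " ".join(defaults_lines)) if d]
    return SudoListing(user, host, defaults, rules)


# Constructed sample input modelled on the listings in the thread.
ROWLAND = r"""rowland@devstation:~$ sudo -l
[sudo] password for rowland:
Matching Defaults entries for rowland on devstation:
    !env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin,
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User rowland may run the following commands on devstation:
    (ALL : ALL) ALL
"""

KVV = r"""kvv@bach:~$ sudo -l
[sudo] password for kvv:
Matching Defaults entries for kvv on bach:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User kvv may run the following commands on bach:
    (ALL : ALL) ALL
"""


def report(text: str) -> str:
    """One-line audit summary for a listing."""
    l = parse_sudo_l(text)
    return (f"{l.user}@{l.host}: full_root={l.has_full_root()} "
            f"duplicated={l.duplicated_defaults()} "
            f"conflicting={l.conflicting_defaults()}")


if __name__ == "__main__":
    for sample in (ROWLAND, KVV):
        print(report(sample))
```

Run it on the output of `sudo -l` from each domain member you care about; a user with `full_root=True` has root regardless of whether the rule arrived via /etc/sudoers, sudoers.d or LDAP, which is the point Rowland makes about his domain members.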
On 02-10-2021 22:50, Rowland Penny via samba wrote:
> On Sat, 2021-10-02 at 22:46 +0200, Kees van Vloten wrote:
>> On 02-10-2021 22:16, Rowland Penny via samba wrote:
>>> On Sat, 2021-10-02 at 22:05 +0200, Kees van Vloten via samba wrote:
>>>> On 02-10-2021 21:58, Rowland Penny via samba wrote:
>>>>> On Sat, 2021-10-02 at 21:51 +0200, Kees van Vloten via samba wrote:
>>>>>> I don't know what you have in /etc/sudoers or /etc/sudoers.d.
>>>>> I have already shown that my name is not in /etc/sudoers and
>>>>> /etc/sudoers.d/ is virtually empty:
>>>>>
>>>>> rowland@devstation:~$ ls /etc/sudoers.d
>>>>> README
>>>>>
>>>>> But I can use sudo.
>>>>>
>>>>> Rowland
>>>>>
>>>> Indeed you did, but you did not show the /etc/sudoers file. I would
>>>> expect it to contain a line that allows a group you are a member of to
>>>> provide you root access.
>>> Believe me it doesn't
>>>
>>>> If you want to see sudo-rules that are matching for your user you can
>>>> do sudo -l from your user.
>>> Here you are:
>>>
>>> rowland@devstation:~$ sudo -l
>>> [sudo] password for rowland:
>>> Matching Defaults entries for rowland on devstation:
>>>     !env_reset, mail_badpass,
>>>     secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin,
>>>     env_reset, mail_badpass,
>>>     secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
>>>
>>> User rowland may run the following commands on devstation:
>>>     (ALL : ALL) ALL
>>>
>>> Would it help if I told you that I do this on all my Unix domain
>>> members and DCs without modifying any sudo files ?
>>>
>>> Rowland
>>>
>> The one thing I see here is that there is indeed a sudo-rule that allows
>> you full root access given you enter your password.
>> The output does not show on what basis you get this rule "(ALL : ALL) ALL"
>> assigned.
>> I am certain that I do not see that on my machines when I am not in the
>> group "sudo".
>>
>> The sudo -l output for my user (which is a member of group sudo) is:
>>
>> kvv@bach:~$ sudo -l
>> [sudo] password for kvv:
>> Matching Defaults entries for kvv on bach:
>>     env_reset, mail_badpass,
>>     secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
>>
>> User kvv may run the following commands on bach:
>>     (ALL : ALL) ALL
>>
>> When comparing the output, I noticed in yours "matching default items"
>> are listed twice. Again no clue how it got there.
> Yes I noticed that, but it doesn't affect sudo-ldap hint hint
>
> I must log a sudo bug
>
> Rowland
>
Are you using sudo-ldap? Then I guess the matching rule comes from ldap.
Indeed if ldap supplies sudo-rules then membership of the local group
"sudo" is not necessary.

Did you extend the AD-schema to make sudo-ldap work with Samba? Or what
did you configure?

- Kees
On 02-10-2021 22:50, Rowland Penny via samba wrote:
> On Sat, 2021-10-02 at 22:46 +0200, Kees van Vloten wrote:
>> On 02-10-2021 22:16, Rowland Penny via samba wrote:
>>> On Sat, 2021-10-02 at 22:05 +0200, Kees van Vloten via samba wrote:
>>>> On 02-10-2021 21:58, Rowland Penny via samba wrote:
>>>>> On Sat, 2021-10-02 at 21:51 +0200, Kees van Vloten via samba wrote:
>>>>>> I don't know what you have in /etc/sudoers or /etc/sudoers.d.
>>>>> I have already shown that my name is not in /etc/sudoers and
>>>>> /etc/sudoers.d/ is virtually empty:
>>>>>
>>>>> rowland@devstation:~$ ls /etc/sudoers.d
>>>>> README
>>>>>
>>>>> But I can use sudo.
>>>>>
>>>>> Rowland
>>>>>
>>>> Indeed you did, but you did not show the /etc/sudoers file. I would
>>>> expect it to contain a line that allows a group you are a member of to
>>>> provide you root access.
>>> Believe me it doesn't
>>>
>>>> If you want to see sudo-rules that are matching for your user you can
>>>> do sudo -l from your user.
>>> Here you are:
>>>
>>> rowland@devstation:~$ sudo -l
>>> [sudo] password for rowland:
>>> Matching Defaults entries for rowland on devstation:
>>>     !env_reset, mail_badpass,
>>>     secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin,
>>>     env_reset, mail_badpass,
>>>     secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
>>>
>>> User rowland may run the following commands on devstation:
>>>     (ALL : ALL) ALL
>>>
>>> Would it help if I told you that I do this on all my Unix domain
>>> members and DCs without modifying any sudo files ?
>>>
>>> Rowland
>>>
>> The one thing I see here is that there is indeed a sudo-rule that allows
>> you full root access given you enter your password.
>> The output does not show on what basis you get this rule "(ALL : ALL) ALL"
>> assigned.
>> I am certain that I do not see that on my machines when I am not in the
>> group "sudo".
>>
>> The sudo -l output for my user (which is a member of group sudo) is:
>>
>> kvv@bach:~$ sudo -l
>> [sudo] password for kvv:
>> Matching Defaults entries for kvv on bach:
>>     env_reset, mail_badpass,
>>     secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
>>
>> User kvv may run the following commands on bach:
>>     (ALL : ALL) ALL
>>
>> When comparing the output, I noticed in yours "matching default items"
>> are listed twice. Again no clue how it got there.
> Yes I noticed that, but it doesn't affect sudo-ldap hint hint
>
> I must log a sudo bug
>
> Rowland
>
Hi Rowland,

Usually you are quick and accurate in your responses, which I really
appreciate. In the last few messages you are playing hide and seek with me.
You did not show the crucial part of your configuration (/etc/sudoers) and
until the last message you did not talk about the fact you are using
sudo-ldap. Why is this necessary, are we not here to help each other?

I have no doubt that there are more ways to solve a problem and all of them
have their specific pros and cons.

The reason I am using pam_script is because it provides me with a generic
solution for all applications that can work with local authorization
groups. One solution for many applications is a big time saver.
The next reason is that it also works in offline or off-network logins,
i.e. when ldap/samba-dc is not reachable. Although that could probably be
overcome with nscd or lscd, again more than one solution to get it done.

Still I am interested to learn how you did the sudo-ldap setup, perhaps
there are advantages that I overlooked.

Then again what about other applications' authorization groups? I used the
example of libvirtd but pam_script also manages wireshark, sshd, kvm,
docker, audio, video, dialout, cdrom, floppy, lpadmin, plugdev, bluetooth,
netdev, pulse-access, users on my machines?

- Kees