From Bugzilla Helper: User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.0.5) Gecko/20060719 Firefox/1.5.0.5 Description of problem: Whilst developing a single large multi host, multi user sudoers for all our RHEL AS 2.x, 3.x and 4 hosts, it became clear that the sudoers on RHEL AS 4 would not allow users to execute commands where HOST was defined. When host := ALL there was no issue. After hand checking changes and verifying it should work, I installed the script onto a RHEL AS 3 Update 5 box and verified the sudoers was indeed correct. The sudo binary from a RHEL 3 machine, package sudo-1.6.7p5-1, results in successful operation. Please see below for a specially crafted version of our sudoers which reproduces this issue. Here's a test with sudo-1.6.7p5-30.1.3 (moved to sudo.o): nlfiel$ sudo.o less /var/log/messages Password: nlfiel is not allowed to run sudo on XXXXXX. This incident will be reported. Here's a test with the sudo binary from sudo-1.6.7p5-1 on the same machine: nlfiel$ sudo less /var/log/messages <snip messages output> Version-Release number of selected component (if applicable): sudo-1.6.7p5-30.1.3 How reproducible: Always Steps to Reproduce: 1. See sudoers below, install into /etc/sudoers 2. using a user specified attempt to sudo and execute a command 3. note failure and replace ALLSVR with ALL to use the builtin Alias 4. note success 5. take sudo binary from RPM sudo-1.6.7p5-1 6. repeat with ALLSVR specified 7. note success Actual Results: user is not allowed to run sudo on <hostname> /var/log/messages: Aug 1 15:20:17 HOSTNAME sudo: nlfiel : user NOT authorized on host ; TTY=pts/2 ; PWD=/home/nlfiel ; USER=root ; COMMAND=/usr/bin/less /var/log/messages Expected Results: In this example, the user specified (nlfiel) in the ACL should be able to access commands (less /var/log/messages) when the host matches those defined by ALLSVR. Additional info: #TEST SCRIPT FOR sudo-1.6.7p5-30.1.3 User_Alias MANAGER = %manager,nlfiel Host_Alias SVR_DEV_AS = 10.1.1.109 Host_Alias SVR_DEV_DS = 10.1.1.111 Host_Alias SVR_DEV_BO = 10.1.1.103 Host_Alias SVR_DEV = SVR_DEV_AS, SVR_DEV_DS, SVR_DEV_BO Host_Alias ALLSVR = hosta, hostb, hostc,\ SVR_DEV # service aliases Cmnd_Alias CMD_SVCE = /sbin/service * Cmnd_Alias CMD_LOG = /usr/bin/less /var/log/messages Defaults syslog=auth Defaults:MANAGER !lecture MANAGER ALLSVR = (ALL) PASSWD: CMD_SVCE, CMD_LOG #END
I can't reproduce it with same sudoers. Only change I made is that I had added host vepro. :-( # cat /etc/sudoers # Host alias specification Host_Alias SVR_DEV_AS = 10.1.1.109 Host_Alias SVR_DEV_DS = 10.1.1.111 Host_Alias SVR_DEV_BO = 10.1.1.103 Host_Alias SVR_DEV = SVR_DEV_AS, SVR_DEV_DS, SVR_DEV_BO Host_Alias ALLSVR = hosta, hostb, hostc,\ SVR_DEV, vepro # User alias specification User_Alias MANAGER = %manager,nlfiel # Cmnd alias specification Cmnd_Alias CMD_SVCE = /sbin/service * Cmnd_Alias CMD_LOG = /usr/bin/less /var/log/messages Defaults syslog=auth Defaults:MANAGER !lecture # User privilege specification root ALL=(ALL) ALL MANAGER ALLSVR = (ALL) PASSWD: CMD_SVCE, CMD_LOG # rpm -q sudo sudo-1.6.7p5-30.1.3 # su - nlfiel [nlfiel@vepro ~]$ sudo less /var/log/messages Password: <messages output>
The sudo command in RHEL4 doesn't support work with hosts/ip. It's limitation of selinux patch. This problem will be fixed in RHEL5 (and has been fixed in FC5 and FC6). See also bug #170023.
*** This bug has been marked as a duplicate of 170023 ***