Bugzilla – Full Text Bug Listing

| Field | Value |
|---|---|
| Summary | problem configuring sudo 1.6.6, 1.6.7 for NOPASSWD on debian linux |
| Product | Sudo |
| Component | Sudo |
| Reporter | Paul Shields <pauls> |
| Assignee | Todd C. Miller <Todd.Miller> |
| Status | RESOLVED INVALID |
| Severity | high |
| Priority | normal |
| Version | 1.6.7 |
| Hardware | Other |
| OS | Linux |
You didn't give WWW1 permission to run commands as prosuper, only as root. To allow WWW1 to run that command as prosuper, you want something like:

    WWW1 ALL=(prosuper) NOPASSWD: /home/prosuper/bin/prosuperwrapper
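The point of the reply above, as an added example that is not part of the original bug thread or of sudo's own code: a small matcher for a simplified subset of sudoers (User_Alias lines and single-command rules, host matching ignored) applied to the reported rule and to the corrected one. The function names and verdict strings are assumptions made for illustration.

```python
import re

CMD = "/home/prosuper/bin/prosuperwrapper"
# Constructed from the thread: the reporter's rule and the rule from the reply.
REPORTED = """User_Alias WWW1 = www,pauls,wen,prosuper
WWW1 ALL=NOPASSWD: /home/prosuper/bin/prosuperwrapper
"""
CORRECTED = """User_Alias WWW1 = www,pauls,wen,prosuper
WWW1 ALL=(prosuper) NOPASSWD: /home/prosuper/bin/prosuperwrapper
"""

# who host = [(runas)] [NOPASSWD:] command   (simplified subset, an assumption)
RULE = re.compile(r"^(\S+)\s+([^\s=]+)\s*=\s*(?:\(([^)]*)\))?\s*(NOPASSWD:)?\s*(\S+)$")

def parse(text):
    """Return (aliases, rules) from User_Alias lines and single-command rules."""
    aliases, rules = {}, []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("User_Alias"):
            name, members = line[len("User_Alias"):].split("=", 1)
            aliases[name.strip()] = {m.strip() for m in members.split(",")}
            continue
        m = RULE.match(line)
        if m:
            who, _host, runas, nopasswd, cmd = m.groups()
            # Without a (runas) list the rule covers only the default target, root.
            targets = {r.strip() for r in runas.split(",")} if runas else {"root"}
            rules.append((who, targets, bool(nopasswd), cmd))
    return aliases, rules

def check(text, user, runas, command):
    """Verdict for `sudo -u runas command`: 'nopasswd', 'password' or 'no-match'."""
    aliases, rules = parse(text)
    verdict = "no-match"  # no rule covers the request, so NOPASSWD never applies
    for who, targets, nopasswd, cmd in rules:
        if user != who and user not in aliases.get(who, ()):
            continue
        if cmd == command and (runas in targets or "ALL" in targets):
            verdict = "nopasswd" if nopasswd else "password"  # last match wins
    return verdict

if __name__ == "__main__":
    for label, text in (("reported", REPORTED), ("corrected", CORRECTED)):
        for target in ("prosuper", "root"):
            print(label, "pauls ->", target, check(text, "pauls", target, CMD))
```

With the reported rule the request for prosuper matches nothing while the same command as root is passwordless; the corrected rule reverses both results.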
I am attempting to configure sudo for NOPASSWD on a debian linux host ('transdb1'); the behaviour seen is: for a particular user it seems to have worked once, then never again.

[By the way, this works correctly on a mandrake 9.0 linux host ('coda') for the same version of sudo; there were no substantial differences in their respective config, with possible exception that coda is using PAM authentication, transdb1 is 'passwd' authentication but I've included details below].

Tried both sudo 1.6.6 and 1.6.7p5

pauls@transdb1:/$ uname -a
Linux transdb1 2.4.20 #2 SMP Thu May 22 15:33:01 EDT 2003 i686 unknown

==/etc/sudoers==
User_Alias WWW1 = www,pauls,wen,prosuper
WWW1 ALL=NOPASSWD: /home/prosuper/bin/prosuperwrapper
----------------
pauls$ sudo -u prosuper /home/prosuper/bin/prosuperwrapper

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these two things:

    #1) Respect the privacy of others.
    #2) Think before you type.

Password:
----------------
transdb1# sudo -V
Sudo version 1.6.6

Authentication methods: 'passwd'
Syslog facility if syslog is being used for logging: local2
Syslog priority to use when user authenticates successfully: notice
Syslog priority to use when user authenticates unsuccessfully: alert
Send mail if the user is not in sudoers
Lecture user the first time they run sudo
Require users to authenticate by default
Root may run sudo
Allow some information gathering to give useful error messages
Set the LOGNAME and USER environment variables
Length at which to wrap log file lines (0 for no wrap): 80
Authentication timestamp timeout: 5 minutes
Password prompt timeout: 5 minutes
Number of tries to enter a password: 3
Umask to use or 0777 to use user's: 022
Path to mail program: /usr/sbin/sendmail
Flags for mail program: -t
Address to send mail to: root
Subject line for mail messages: *** SECURITY information for %h ***
Incorrect password message: Sorry, try again.
Path to authentication timestamp dir: /var/run/sudo
Default password prompt: Password:
Default user to run commands as: root
Path to the editor for use by visudo: /usr/bin/vi
Environment variables to check for sanity: LANGUAGE LANG LC_*
Environment variables to remove: BASH_ENV ENV TERMCAP TERMPATH TERMINFO_DIRS TERMINFO _RLD* LD_* PATH_LOCALE NLSPATH HOSTALIASES RES_OPTIONS LOCALDOMAIN IFS
When to require a password for 'list' pseudocommand: any
When to require a password for 'verify' pseudocommand: all
Local IP address and netmask pairs:
    216.130.199.92 / 0xfffffc00
Default table of environment variables to clear
    BASH_ENV ENV TERMCAP TERMPATH TERMINFO_DIRS TERMINFO _RLD* LD_* PATH_LOCALE NLSPATH HOSTALIASES RES_OPTIONS LOCALDOMAIN IFS
Default table of environment variables to sanity check
    LANGUAGE LANG LC_*
----------------
[root@coda tmp]# sudo -V
Sudo version 1.6.6

Authentication methods: 'pam'
Syslog facility if syslog is being used for logging: local2
Syslog priority to use when user authenticates successfully: notice
Syslog priority to use when user authenticates unsuccessfully: alert
Send mail if the user is not in sudoers
Lecture user the first time they run sudo
Require users to authenticate by default
Root may run sudo
Log the hostname in the (non-syslog) log file
Allow some information gathering to give useful error messages
Visudo will honor the EDITOR environment variable
Set the LOGNAME and USER environment variables
Length at which to wrap log file lines (0 for no wrap): 80
Authentication timestamp timeout: 5 minutes
Password prompt timeout: 5 minutes
Number of tries to enter a password: 3
Umask to use or 0777 to use user's: 022
Path to log file: /var/log/sudo.log
Path to mail program: /usr/sbin/sendmail
Flags for mail program: -t
Address to send mail to: root
Subject line for mail messages: *** SECURITY information for %h ***
Incorrect password message: Sorry, try again.
Path to authentication timestamp dir: /var/run/sudo
Default password prompt: Password:
Default user to run commands as: root
Path to the editor for use by visudo: /bin/vi
Environment variables to check for sanity: LANGUAGE LANG LC_*
Environment variables to remove: BASH_ENV ENV TERMCAP TERMPATH TERMINFO_DIRS TERMINFO _RLD* LD_* PATH_LOCALE NLSPATH HOSTALIASES RES_OPTIONS LOCALDOMAIN IFS
When to require a password for 'list' pseudocommand: any
When to require a password for 'verify' pseudocommand: all
Local IP address and netmask pairs:
    192.168.123.1 / 0xffffff00
Default table of environment variables to clear
    BASH_ENV ENV TERMCAP TERMPATH TERMINFO_DIRS TERMINFO _RLD* LD_* PATH_LOCALE NLSPATH HOSTALIASES RES_OPTIONS LOCALDOMAIN IFS
Default table of environment variables to sanity check
    LANGUAGE LANG LC_*