Bug 591 - full path sudoedit command alias in sudoers will always lead to "not allowed to execute 'sudoedit'" error message
Status: RESOLVED INVALID
Product: Sudo
Classification: Unclassified
Component: Sudo
Version: 1.7.2
Hardware: HP Linux
Importance: low normal
Assigned To: Todd C. Miller
Reported: 2013-02-20 03:47 MST by Amos
Modified: 2013-02-20 07:28 MST (History)
Description Amos 2013-02-20 03:47:56 MST
Hi, with the following full path sudoedit definition in the sudoers file:

Cmnd_Alias CMDS_SUDOEDIT=/usr/bin/sudoedit /opt/tmp/something.txt
+usergroup ALL=(root) CMDS_SUDOEDIT

We always get this:
-bash-3.2$ /usr/bin/sudoedit /opt/tmp/something.txt
[sudo] password for user1:
Sorry, user user1 is not allowed to execute 'sudoedit /opt/tmp/something.txt' as root on server1.

The sudo.log is always telling me:
Feb 20 17:20:49 : user1: command not allowed ; TTY=pts/0 ;
    PWD=/home/user1; USER=root ; COMMAND=sudoedit /opt/tmp/something.txt

However, if I change "/usr/bin/sudoedit" to "sudoedit", it works just fine. Putting user1 in the netgroup root_usergroup also works (i.e. +root_usergroup ALL=ALL in sudoers).

Thanks and appreciate your help.


Regards,
Amos
Comment 1 Todd C. Miller 2013-02-20 07:28:13 MST
sudoedit is just another way of saying "sudo -e".  It is an internal command which is why you need to specify it without the path.
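
Added example, not part of the original report and not sudo's own code: a small Python check that scans sudoers text for command entries naming sudoedit with a path (the form this report shows being rejected) and suggests the bare `sudoedit` form. The sample input, the function names and the simplified parsing (one alias per line, no `!` negation, runas groups dropped) are assumptions made for illustration.

```python
import re

# Constructed sample input; the first alias and the +usergroup rule are from the report.
SAMPLE_SUDOERS = """\
Cmnd_Alias CMDS_SUDOEDIT=/usr/bin/sudoedit /opt/tmp/something.txt
Cmnd_Alias CMDS_OK = sudoedit /opt/tmp/other.txt, \\
                     /usr/bin/less /var/log/messages
+usergroup ALL=(root) CMDS_SUDOEDIT
# user2 ALL=(root) /usr/bin/sudoedit /etc/motd
user3 ALL=(root) NOPASSWD: /usr/local/bin/sudoedit /etc/hosts
"""

TAG = re.compile(r"^\s*[A-Z_]+:\s*")  # e.g. NOPASSWD: in front of a command


def logical_lines(text):
    """Yield (first line number, text); joins backslash continuations, skips comments."""
    buf, start = "", None
    for num, raw in enumerate(text.splitlines(), 1):
        start = start or num
        if raw.endswith("\\"):
            buf += raw[:-1] + " "
            continue
        line, first = (buf + raw).strip(), start
        buf, start = "", None
        # "#1000" is a uid, not a comment, so only skip "#" not followed by a digit
        if line and not re.match(r"#(?!\d)", line) and not line.startswith("Defaults"):
            yield first, line


def find_pathed_sudoedit(text):
    """Return (line, entry as written, suggested entry) for path-qualified sudoedit."""
    findings = []
    for num, line in logical_lines(text):
        if "=" not in line:
            continue
        # Simplification: drop (runas) groups, then split on unescaped commas.
        rhs = re.sub(r"\([^)]*\)", " ", line.split("=", 1)[1])
        for item in re.split(r"(?<!\\),", rhs):
            while TAG.match(item):
                item = TAG.sub("", item, count=1)
            tokens = item.split()
            cmd = tokens[0] if tokens else ""
            # Only the command position counts; a path argument is left alone.
            if cmd.startswith("/") and cmd.rsplit("/", 1)[1] == "sudoedit":
                findings.append((num, " ".join(tokens), " ".join(["sudoedit"] + tokens[1:])))
    return findings
```

Calling `find_pathed_sudoedit(SAMPLE_SUDOERS)` flags lines 1 and 6 of the sample and leaves the bare `sudoedit` alias, the commented-out rule and the alias reference untouched.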