
fine grain sudo permission not working

Unix & Linux Asked on December 12, 2021

I have made a configuration for sudo so that I can run a command without a password, but only when I am in a specific group. However, it is still asking for a password.

I tried it out:

#↳ sudo --group docker-user -s
#↳ sudo -k #drop sudo credentials
#↳ groups
docker-user sudo …
#↳ sudo --group docker /usr/bin/docker images
[sudo] password for bob

I am not expecting a password. The docker.sudo was meant to allow group docker-user, to run docker as group docker, with no password.

What have I done wrong? What is stopping it from working?


Let us look at the configuration

#↳ sudo cat /etc/sudoers.d/docker.sudo
Cmnd_Alias DOCKER = /usr/bin/docker
%docker-user ALL = (:docker) NOPASSWD : DOCKER

#↳ sudo cat /etc/sudoers #comments removed
Defaults        env_reset
Defaults        mail_badpass
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

# User privilege specification
root    ALL=(ALL:ALL) ALL

# Allow members of group sudo to execute any command
%sudo   ALL=(ALL:ALL) ALL

#includedir /etc/sudoers.d

More tests

#↳ groups
docker_user sudo …
#↳ sudo -ll
Matching Defaults entries for richard on delor-1:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User richard may run the following commands on delor-1:

Sudoers entry:
    RunAsUsers: ALL
    RunAsGroups: ALL
    Commands:
        ALL

2 Answers

To expand upon the answer by @ctrl-alt-delor, the sudoers man page mentions the processing rules for the auxiliary rules found in /etc/sudoers.d, under the section Including other files from within sudoers (sudo version 1.9.1)

sudo will suspend processing of the current file and read each file in /etc/sudoers.d, skipping file names that end in ‘~’ or contain a ‘.’ character to avoid causing problems with package manager or editor temporary/backup files.

However, the first sentence of this section of the manual mentions that a machine local sudoers file in /etc/sudoers.local (containing a .) can be included directly via @include /etc/sudoers.local, which leads me to believe that the . is only problematic for those files included via @includedir. So, I would suspect that if the original /etc/sudoers file had the following

@include /etc/sudoers.d/docker.sudo

the problem would not have been present (but of course the point of the /etc/sudoers.d directory is to use @includedir...)

Answered by einfeyn496 on December 12, 2021
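As an added example (not part of the original question or either answer), the following script applies the @includedir rule quoted above from the sudoers manual, skipping names that end in '~' or contain a '.', to a directory so you can see which drop-in files sudo will silently ignore. The directory is a parameter; the demo run uses a constructed temporary directory with the poster's two file names rather than the real /etc/sudoers.d.

```shell
#!/bin/sh
# includedir_skips NAME: succeed (0) if @includedir would ignore this file name,
# following the rule from the sudoers manual quoted in the answer above.
includedir_skips() {
    case "$1" in
        *~ | *.*) return 0 ;;   # editor backup or contains a dot: skipped
        *)        return 1 ;;   # would be read as a sudoers fragment
    esac
}

# audit_sudoers_dir DIR: print one line per entry, flagging skipped names.
# Run it against /etc/sudoers.d (needs read access) to find rules that
# never take effect, which is exactly the silent failure in the question.
audit_sudoers_dir() {
    for path in "$1"/*; do
        [ -e "$path" ] || continue
        name=${path##*/}
        if includedir_skips "$name"; then
            printf 'SKIPPED  %s\n' "$path"
        else
            printf 'loaded   %s\n' "$path"
        fi
    done
}

# count_skipped DIR: print how many entries @includedir would ignore
count_skipped() {
    audit_sudoers_dir "$1" | grep -c '^SKIPPED'
}

# make_demo_dir: constructed sample directory mirroring the post's situation
# (empty files; only the names matter for this check)
make_demo_dir() {
    d=$(mktemp -d)
    : > "$d/docker.sudo"     # the poster's original name: contains '.', ignored
    : > "$d/docker_sudo"     # the renamed file from the accepted fix: loaded
    : > "$d/90-backup~"      # constructed editor-backup name: ignored
    printf '%s\n' "$d"
}

# Demo run on the constructed directory
demo=$(make_demo_dir)
audit_sudoers_dir "$demo"
rm -rf "$demo"
```

The same check applied to the poster's directory would have flagged docker.sudo as skipped while its renamed form docker_sudo is loaded.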

I have found the problem: for some reason, if the auxiliary file in /etc/sudoers.d contains a dot in its name, then it is not included.

The solution

(
  cd /etc/sudoers.d
  sudo mv docker.sudo docker_sudo
)

Answered by ctrl-alt-delor on December 12, 2021
