
Re: [lmi] sudo make root a sandwich


From: Vadim Zeitlin
Subject: Re: [lmi] sudo make root a sandwich
Date: Mon, 18 May 2020 21:01:09 +0200

On Mon, 18 May 2020 18:32:08 +0000 Greg Chicares <address@hidden> wrote:

GC> Vadim--On our corporate RHEL-7 server, we've been doing this:
GC> 
GC>   $ cd /opt/lmi/src/lmi
GC>   $ sudo ./install_redhat.sh > ~/rhlog_$(date -u +'%Y%m%dT%H%MZ') 2>&1
GC> 
GC> successfully for months, until today--but now it's failing thus:
GC> 
GC>   sudo  --user="${NORMAL_USER}"  ./lmi_setup_30.sh
GC>   root is not in the sudoers file.  This incident will be reported.

 Note that this is just a stock sudo error message; it doesn't actually
mean that it's going to be reported anywhere and IME in most cases it isn't
because nobody bothered setting up sudo to do it. But it still might, of
course.

GC> We run the main script as su, but use 'sudo' to run one sub-script
GC> as a normal user. The apparent reason why this now fails is that
GC> ten hours ago /etc/sudoers was changed, and now it contains this
GC> line (among about a thousand rules), where the '#' is a comment
GC> symbol and not a root prompt:
GC> 
GC>   #root    ALL =  (ALL) ALL

 If this has been done intentionally, it seems stupid. But I guess this
doesn't mean it's more likely to be undone.

GC> I suppose this is just a silly mistake, but corporate mistakes
GC> cannot be fixed.

 Could they perhaps be reported to at least ask whether it is a mistake or
not? Because if it isn't a mistake, it seems quite likely that they're
going to remove the ability to use "su" too next, because it just doesn't
make sense to forbid sudo while allowing su.

GC> I might just replace the offending line to run the sub-script
GC> with excessive privileges:
GC> 
GC> - sudo  --user="${NORMAL_USER}"  ./lmi_setup_30.sh
GC> +                                ./lmi_setup_30.sh
GC> 
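Review bot: The `+` line removes `sudo --user="${NORMAL_USER}"` without putting anything in its place, so `./lmi_setup_30.sh` inherits the privileges of the calling script, which the message says is run as su. Keep the drop to `${NORMAL_USER}` by some other means rather than deleting it, so the sub-script does not run as root.
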
GC> because that's expedient; but is there a "proper" workaround?

 Sorry if I'm forgetting something, but can't you just use "su" instead? I
remember that you couldn't create new users on this machine, but are you
also prevented from su'ing to the existing ones?

GC> 'doas' has apparently been ported from BSD, but it doesn't
GC> seem to be in RHEL.

 You could always compile it from source (and when you are forbidden to
use the compiler, you could still compile it on another system and enter
hexadecimal bytes using shell escapes...), but it would seem to be simpler
to use "su" instead, if it works.

GC> And
GC>   chmod 7777 lmi_setup_30.sh
GC> just seems baneful.

 Yes, indeed.

 Regards,
VZ
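
The "su" route suggested in the message above, as an added example that is not part of the original message or of lmi's own scripts: a helper that drops from root to the normal user without consulting /etc/sudoers. `run_as_user` and `quote_args` are hypothetical names, and the `runuser` branch assumes the util-linux tool is installed (it falls back to `su` otherwise).

```shell
#!/bin/sh
# Added example. NORMAL_USER and lmi_setup_30.sh are the names from the thread;
# quote_args and run_as_user are hypothetical helpers.

# Single-quote every argument so the one string handed to `su -c` is re-parsed
# by the target user's shell into exactly the same words.
quote_args() {
    out=''
    for arg in "$@"; do
        # ' cannot appear inside '...': close, add an escaped ', reopen.
        esc=$(printf '%s' "$arg" | sed "s/'/'\\\\''/g")
        out="${out}${out:+ }'${esc}'"
    done
    printf '%s' "$out"
}

# Run "$@" as user $1. Root needs no sudoers entry for either fallback.
run_as_user() {
    target=$1
    shift
    if [ "$(id -un)" = "$target" ]; then
        "$@"                              # already that user: nothing to drop
    elif [ "$(id -u)" -ne 0 ]; then
        echo "run_as_user: need to be root or $target" >&2
        return 1
    elif command -v runuser >/dev/null 2>&1; then
        runuser -u "$target" -- "$@"      # util-linux; takes argv, no re-parse
    else
        # Without `-`, su keeps the current directory, so ./script still
        # resolves; unlike sudo's default, most of root's environment is kept.
        su "$target" -c "$(quote_args "$@")"
    fi
}

# In the installer, in place of the sudo line:
#   run_as_user "${NORMAL_USER}" ./lmi_setup_30.sh
```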
