sudo NOPASSWD option not working

Hi all,

On a new SLES11sp3 box, I’m trying to give one user the rights to sudo run the iptables command. I’ve modified the sudoers file with the following entry:

jsmith ALL = (root) NOPASSWD: /usr/sbin/iptables

Yet when the user runs ‘sudo iptables’, it is still prompting them for the root password.

What is wrong with my syntax?

jg

What are the other uncommented lines in there? Could something be
preventing this one from being applicable?

What happens if they properly call the command with an absolute path
rather than trying to find whatever is in the PATH? If they have an alias
under ~/bin or /usr/local/bin or /usr/bin that is being found, the sudoers
file is not authorizing access to those.


Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below…
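The PATH point above, as an added example that is not part of the thread: a small POSIX sh script that resolves a bare command name the way the shell does and compares the result with the path written in sudoers. The directory layout (a ~/bin wrapper shadowing the granted /usr/sbin binary) is constructed in a temp directory; nothing real is read.

```shell
#!/bin/sh
# Added example, not from the thread: show why "sudo iptables" can resolve to a file
# other than the /usr/sbin/iptables path granted in sudoers. Every path below is
# constructed in a temporary directory; no real PATH or sudoers is consulted.

# resolve_in_path NAME PATHLIST -> prints the first executable NAME found in PATHLIST,
# the way the shell does before sudo ever sees the command
resolve_in_path() {
    name=$1
    oldifs=$IFS
    IFS=:
    for dir in $2; do
        if [ -f "$dir/$name" ] && [ -x "$dir/$name" ]; then
            IFS=$oldifs
            printf '%s\n' "$dir/$name"
            return 0
        fi
    done
    IFS=$oldifs
    return 1
}

# matches_sudoers_path NAME PATHLIST GRANTED -> 0 if NAME resolves to GRANTED, else 1
matches_sudoers_path() {
    found=$(resolve_in_path "$1" "$2") || return 1
    [ "$found" = "$3" ]
}

# demo_path_shadowing -> "<result with ~/bin first> <result with /usr/sbin first>"
demo_path_shadowing() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/home/bin" "$tmp/usr/sbin"
    # constructed stand-ins: a wrapper in the user's ~/bin and the granted binary
    printf '#!/bin/sh\necho wrapper\n' > "$tmp/home/bin/iptables"
    printf '#!/bin/sh\necho real\n'    > "$tmp/usr/sbin/iptables"
    chmod 755 "$tmp/home/bin/iptables" "$tmp/usr/sbin/iptables"
    granted="$tmp/usr/sbin/iptables"

    shadowed=match
    matches_sudoers_path iptables "$tmp/home/bin:$tmp/usr/sbin" "$granted" || shadowed=mismatch
    ordered=match
    matches_sudoers_path iptables "$tmp/usr/sbin:$tmp/home/bin" "$granted" || ordered=mismatch

    rm -rf "$tmp"
    printf '%s %s\n' "$shadowed" "$ordered"
}
# -> mismatch match
```

On the real box the equivalent checks are `command -v iptables` (what the user's shell will hand to sudo) and `sudo -l -U jsmith` (what sudo believes that user is allowed to run); if the two paths differ, the sudoers line never matches and sudo falls back to prompting.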

Hi
The (root) bit… and assuming you're using visudo :wink:

jsmith ALL = NOPASSWD: /usr/sbin/iptables


Cheers Malcolm °¿° LFCS, SUSE Knowledge Partner (Linux Counter #276890)
SUSE Linux Enterprise Desktop 12 GNOME 3.10.1 Kernel 3.12.39-47-default

On 06/03/2015 01:24 PM, jgosney wrote:

Hi all,

On a new SLES11sp3 box, I’m trying to give one user the rights to sudo
run the iptables command. I’ve modified the sudoers file with the
following entry:

jsmith ALL = (root) NOPASSWD: /usr/sbin/iptables

Yet when the user runs ‘sudo iptables’, it is still prompting them for
the root password.

What is wrong with my syntax?

Try:

sudo /usr/sbin/iptables

We’ve discovered that the user can simply run /usr/sbin/iptables and access the command. Checking the command, the rights on it are 777. Does this seem right? This seems like a very powerful command for everyone to be able to access if they know the explicit path to it.

You’re ignoring the first part of that file’s ‘ls -l’ output which
indicates that it is a symlink, and symlinks always have 777 set (you
cannot change it):

lrwxrwxrwx 1 root root 14 May  1  2014 /usr/sbin/iptables -> iptables-multi

Further, explicit rights to run a file do not imply that the user has
rights to do anything powerful when using that file. Sure, you can run it as
any user, and no it doesn’t do anything unless you actually have
privileges (via sudo or other). The actual file looks like this:

-rwxr-xr-x 1 root root 57592 Jan 13  2012 /usr/sbin/iptables-multi

Real binaries like this should never be world-writable, but even if they
were that would not let somebody do bad things unless they could both
modify the file AND somehow run it with privileges… Having both barriers
is always smart.


Good luck.

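The symlink and world-writable points above, as an added example that is not part of the thread: a POSIX sh script (GNU `stat`/`find`, as on SLES) that builds an `iptables -> iptables-multi` pair in a temp directory, shows that the link itself always reports 777 while `chmod` on the link path changes only the target, and lists regular files carrying the o+w bit, the thing that actually matters for a privileged binary.

```shell
#!/bin/sh
# Added example, not from the thread: symlinks report mode 777 regardless of chmod;
# the mode that matters is the target's. Uses only a temporary directory.

# mode_of PATH -> octal mode of PATH itself (the link, if it is one)
mode_of() { stat -c '%a' "$1"; }

# target_mode_of PATH -> octal mode of whatever PATH resolves to
target_mode_of() { stat -L -c '%a' "$1"; }

# demo_symlink_modes -> "<link> <target>" before and after chmod on the link path
demo_symlink_modes() {
    tmp=$(mktemp -d)
    : > "$tmp/iptables-multi"                 # constructed stand-in for the real binary
    chmod 755 "$tmp/iptables-multi"
    ln -s iptables-multi "$tmp/iptables"      # same shape as /usr/sbin/iptables -> iptables-multi
    before="$(mode_of "$tmp/iptables") $(target_mode_of "$tmp/iptables")"
    chmod 600 "$tmp/iptables"                 # chmod follows the link: target changes, link stays 777
    after="$(mode_of "$tmp/iptables") $(target_mode_of "$tmp/iptables")"
    rm -rf "$tmp"
    printf '%s %s\n' "$before" "$after"
}
# -> 777 755 777 600

# world_writable_files DIR -> regular files under DIR with the other-write bit set;
# symlinks are skipped (-type f), so a 777 link never produces a false positive
world_writable_files() { find "$1" -type f -perm -0002; }
```

Run `world_writable_files /usr/sbin` (or `/usr/bin`, `/sbin`) on a real system; an empty result is the expected state for vendor-installed binaries.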

Great explanation Ab! I did notice the link and that the rights on iptables-multi were 744. I assumed since the ‘x’ bit was set, they could run the command and thus do anything the command would normally allow. So your explanation is reassuring. But I’m still back to the NOPASSWD part not working. I’ve tried all the suggestions given above and nothing seems to work. Obviously, I don’t want to give JSMITH the root password (that would invalidate the entire SUDO concept), so I’m kinda stuck as to why this option is not working correctly. I’ve also opened an SR with Novell and am waiting to see if they can give me any advice.

The following worked for me on my SLES 11 SP3 system:

ab     ALL = (root)  NOPASSWD:  /usr/sbin/iptables

Is your user’s username EXACTLY ‘jsmith’ (vs. something with silly capital
letters like ‘Jsmith’ or ‘JSMITH’)? Are there any other characters on the
relevant lines? Care to post the entire file’s contents?

grep -v -e '^$' -e '^#' /etc/sudoers


Good luck.

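The "what else is in the file" question above, as an added example that is not part of the thread: a POSIX sh plus awk reading aid that applies the `grep` filter from the post and then works out which line sudo would actually use for one user and one command, because sudoers applies the last matching entry, not the most specific one, and matches the username case-sensitively. The sample file is constructed (modelled on the `Defaults targetpw` and catch-all `ALL ALL=(ALL) ALL` lines a stock SUSE sudoers ships with); aliases and command arguments are not handled, and `/etc/sudoers` is never read.

```shell
#!/bin/sh
# Added example, not from the thread: find the sudoers line that wins for USER running CMD.
# Only a constructed sample file is parsed; /etc/sudoers is never touched.

# active_lines FILE -> the file without blank and comment lines (the grep from the post)
active_lines() { grep -v -e '^[[:space:]]*$' -e '^[[:space:]]*#' "$1"; }

# effective_tag USER CMD FILE -> NOPASSWD, PASSWD or NONE for the LAST line in FILE that
# applies to USER running CMD. User_Alias/Cmnd_Alias and command arguments are not handled.
effective_tag() {
    active_lines "$3" | awk -v user="$1" -v cmd="$2" '
        /^(Defaults|User_Alias|Cmnd_Alias|Host_Alias|Runas_Alias)/ { next }
        {
            eq = index($0, "=")
            if (eq == 0) next
            lhs = substr($0, 1, eq - 1)              # "user hosts"
            rhs = substr($0, eq + 1)                 # "(runas) TAG: cmd, cmd"
            split(lhs, l, /[ \t]+/)
            if (l[1] != user && l[1] != "ALL") next   # exact, case-sensitive user match
            sub(/^[ \t]*\([^)]*\)[ \t]*/, "", rhs)   # drop the (runas) part
            tag = "PASSWD"
            if (match(rhs, /^[ \t]*NOPASSWD:/)) { tag = "NOPASSWD"; rhs = substr(rhs, RLENGTH + 1) }
            else if (match(rhs, /^[ \t]*PASSWD:/)) { rhs = substr(rhs, RLENGTH + 1) }
            gsub(/[ \t]/, "", rhs)
            n = split(rhs, cmds, ",")
            for (i = 1; i <= n; i++)
                if (cmds[i] == "ALL" || cmds[i] == cmd) result = tag   # later lines overwrite
        }
        END { print (result == "" ? "NONE" : result) }'
}

# demo_sudoers_order -> "<grant before catch-all> <grant after catch-all> <wrong-case user>"
demo_sudoers_order() {
    f=$(mktemp)
    # constructed sample: specific grant followed by the stock catch-all rule
    printf '%s\n' \
        '# constructed sample, not a real sudoers' \
        'Defaults targetpw' \
        'jsmith ALL = (root) NOPASSWD: /usr/sbin/iptables' \
        'ALL    ALL = (ALL) ALL' > "$f"
    before=$(effective_tag jsmith /usr/sbin/iptables "$f")
    # same entries with the specific grant moved after the catch-all
    printf '%s\n' \
        'Defaults targetpw' \
        'ALL    ALL = (ALL) ALL' \
        'jsmith ALL = (root) NOPASSWD: /usr/sbin/iptables' > "$f"
    after=$(effective_tag jsmith /usr/sbin/iptables "$f")
    # username case matters: JSMITH is not jsmith
    printf '%s\n' 'JSMITH ALL = (root) NOPASSWD: /usr/sbin/iptables' > "$f"
    wrongcase=$(effective_tag jsmith /usr/sbin/iptables "$f")
    rm -f "$f"
    printf '%s %s %s\n' "$before" "$after" "$wrongcase"
}
# -> PASSWD NOPASSWD NONE
```

This script is only a reading aid; the authoritative checks on the box are `visudo -c -f FILE` for syntax and `sudo -l -U jsmith` for what sudo itself computes. Two things worth noticing in the filtered output: a `Defaults targetpw` line is what makes the prompt ask for root's password rather than the user's own, and any later line that also matches the user and command (such as the stock `ALL ALL=(ALL) ALL`) silently overrides an earlier NOPASSWD grant.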