[augeas-devel] sudoers parsing issue

Aaron Blew aaronblew at gmail.com
Fri Sep 17 16:37:10 UTC 2010 

Hi all,
I'm trying to remove an element from my sudoers file on a CentOS 5.5 machine
running augeas 0.7.3.

augtool> rm /files/etc/sudoers/Defaults[1]/requiretty
rm : /files/etc/sudoers/Defaults[1]/requiretty 1
augtool> save
Saving failed
augtool> print /augeas//error
/augeas/files/etc/sudoers/error = "put_failed"
/augeas/files/etc/sudoers/error/path =
"/files/etc/sudoers/Defaults"
/augeas/files/etc/sudoers/error/lens =
"/usr/share/augeas/lenses/dist/sudoers.aug:398.17-399.41:"
/augeas/files/etc/sudoers/error/message = "Failed to match \n    { /type/ =
/[:>@][^\\001-\\004\\t\\n \\\\]+/ }?({
/always_set_home|authenticate|env_editor|env_reset|fqdn|ignore_dot|ignore_local_sudoers|insults|log_host|log_year|long_otp_prompt|mail_always|mail_badpass|mail_no_host|mail_no_perms|mail_no_user|noexec|path_info|passprompt_override|preserve_groups|requiretty|root_sudo|rootpw|runaspw|set_home|set_logname|setenv|shell_noargs|stay_setuid|targetpw|tty_tickets/
} | { /passwd_tries/ = /[0-9]+/ } | {
/((loglinelen|passwd_timeout|timestamp_timeout|umask))|((loglinelen|passwd_timeout|timestamp_timeout|umask))/
= /(([0-9]+))/ } | {
/badpass_message|editor|mailsub|noexec_file|passprompt|runas_default|syslog_badpri|syslog_goodpri|timestampdir|timestampowner|secure_path/
= /[^\\001-\\004\\t\\n \\\"#,=\\\\]+/ } | {
/((exempt_group|lecture|lecture_file|listpw|logfile|mailerflags|mailerpath|mailto|exempt_group|syslog|verifypw|logfile|mailerflags|mailerpath|mailto|syslog|verifypw))|((exempt_group|lecture|lecture_file|listpw|logfile|mailerflags|mailerpath|mailto|exempt_group|syslog|verifypw|logfile|mailerflags|mailerpath|mailto|syslog|verifypw))/
= /(([^\\001-\\004\\t\\n \\\"#,=\\\\]+))/ } | {
/((env_check|env_delete|env_keep))|((env_check|env_delete|env_keep))/ })({
/always_set_home|authenticate|env_editor|env_reset|fqdn|ignore_dot|ignore_local_sudoers|insults|log_host|log_year|long_otp_prompt|mail_always|mail_badpass|mail_no_host|mail_no_perms|mail_no_user|noexec|path_info|passprompt_override|preserve_groups|requiretty|root_sudo|rootpw|runaspw|set_home|set_logname|setenv|shell_noargs|stay_setuid|targetpw|tty_tickets/
} | { /passwd_tries/ = /[0-9]+/ } | {
/((loglinelen|passwd_timeout|timestamp_timeout|umask))|((loglinelen|passwd_timeout|timestamp_timeout|umask))/
= /(([0-9]+))/ } | {
/badpass_message|editor|mailsub|noexec_file|passprompt|runas_default|syslog_badpri|syslog_goodpri|timestampdir|timestampowner|secure_path/
= /[^\\001-\\004\\t\\n \\\"#,=\\\\]+/ } | {
/((exempt_group|lecture|lecture_file|listpw|logfile|mailerflags|mailerpath|mailto|exempt_group|syslog|verifypw|logfile|mailerflags|mailerpath|mailto|syslog|verifypw))|((exempt_group|lecture|lecture_file|listpw|logfile|mailerflags|mailerpath|mailto|exempt_group|syslog|verifypw|logfile|mailerflags|mailerpath|mailto|syslog|verifypw))/
= /(([^\\001-\\004\\t\\n \\\"#,=\\\\]+))/ } | {
/((env_check|env_delete|env_keep))|((env_check|env_delete|env_keep))/ })*\n
 with tree\n   "


Below are the contents of my sudoers file (which is basically the default
CentOS sudoers file except the lines at the end).  Thanks for reading!


## Sudoers allows particular users to run various commands as
## the root user, without needing the root password.
##
## Examples are provided at the bottom of the file for collections
## of related commands, which can then be delegated out to particular
## users or groups.
##
## This file must be edited with the 'visudo' command.

## Host Aliases
## Groups of machines. You may prefer to use hostnames (perhap using
## wildcards for entire domains) or IP addresses instead.
# Host_Alias     FILESERVERS = fs1, fs2
# Host_Alias     MAILSERVERS = smtp, smtp2

## User Aliases
## These aren't often necessary, as you can use regular groups
## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname
## rather than USERALIAS
# User_Alias ADMINS = jsmith, mikem


## Command Aliases
## These are groups of related commands...

## Networking
Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping,
/sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm,
/usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool

## Installation and management of software
Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum

## Services
Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig

## Updating the locate database
Cmnd_Alias LOCATE = /usr/bin/updatedb

## Storage
Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted,
/sbin/partprobe, /bin/mount, /bin/umount

## Delegating permissions
Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod,
/bin/chgrp

## Processes
Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall

## Drivers
Cmnd_Alias DRIVERS = /sbin/modprobe

# Defaults specification

#
# Disable "ssh hostname sudo <cmd>", because it will show the password in
clear.
#         You have to run "ssh -t hostname sudo <cmd>".
#
Defaults    requiretty

Defaults    env_reset
Defaults    env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR \
                        LS_COLORS MAIL PS1 PS2 QTDIR USERNAME \
                        LANG LC_ADDRESS LC_CTYPE LC_COLLATE
LC_IDENTIFICATION \
                        LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME
LC_NUMERIC \
                        LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE
LINGUAS \
                        _XKB_CHARSET XAUTHORITY"

## Next comes the main part: which users can run what software on
## which machines (the sudoers file can be shared between multiple
## systems).
## Syntax:
##
## user MACHINE=COMMANDS
##
## The COMMANDS section may have other options added to it.
##
## Allow root to run any commands anywhere
root ALL=(ALL) ALL

## Allows members of the 'sys' group to run networking, software,
## service management apps and more.
# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES,
LOCATE, DRIVERS

## Allows people in group wheel to run all commands
#%wheel ALL=(ALL) ALL

## Same thing without a password
# %wheel ALL=(ALL) NOPASSWD: ALL

## Allows members of the users group to mount and unmount the
## cdrom as root
# %users  ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom

## Allows members of the users group to shutdown this system
# %users  localhost=/sbin/shutdown -h now
hudson  ALL=(ALL) NOPASSWD: SOFTWARE,NOPASSWD: SERVICES,NOPASSWD:
/usr/sbin/httpd
%wheel ALL = (ALL) ALL
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/augeas-devel/attachments/20100917/a8a07cf4/attachment.htm>

More information about the augeas-devel mailing list