[Freeipa-users] sudo rules do not seem to work

Jakub Hrozek jhrozek at redhat.com
Wed Oct 7 08:03:13 UTC 2015


On Tue, Oct 06, 2015 at 06:28:14PM +0200, Karl Forner wrote:
> Hello,
> 
> I had assumed sudo rules worked because I have an "allow_all for admins"
> sudo rule that seemed to work, but I wonder if there is an implicit rule
> for the special group admins?
> 
> 
> Because I have tried to replicate this allow_all rule for other user
> groups, and it does not seem to work at all.
> What's strange is that "sudo -l" reports the appropriate rules, but they do
> not work.
> 
> For instance, some users have: (ALL) ALL listed with sudo -l, but they can
> not use sudo.
> 
> My user has:
>     (root) NOPASSWD: /usr/bin/git status, /usr/local/bin/git status
>     (ALL) ALL
>     (root) NOPASSWD: /bin/chgrp qbstaff *, /bin/chmod g[+-]* *, /bin/chmod -R g[+-]* *
>     (ALL) NOPASSWD: /usr/bin/less
>     (ALL) ALL
> 
> but I'm prompted for a password when doing "sudo /usr/bin/less".
> 
> How can I debug this?

Pavel (CC) has a nice sudo debug howto, maybe it would be helpful?



