Security :: Limit Sudo Access - No Password Prompt
Feb 17, 2011
I have been reading guides for a while now and so far have not found an exact solution to my problem.
I want a linux user (dave) to be able to switch to another account (patrol) without a password prompt, but dave must still be denied access to root. Patrol must also be denied root access.
In the sudoers file
Code:
User_Alias Patrol=dave,john
root ALL=(ALL) ALL
Patrol ALL=(patrol) NOPSSWD: ALL
[Code].....
May 25, 2011
So here's the problem. We've got the /etc/sudoers file set up so that users can run commands from /bin like "cat" or "mkdir" without entering a password. The problem is that the "su" command is also in /bin, so if they enter "sudo su", it gives them root access without a password. Here's the /etc/sudoers file:
Defaults targetpw
%users ALL=(ALL) ALL
root ALL=(ALL) ALL
support ALL=(ALL) NOPASSWD: /sbin/, /bin/, /opt/, /etc/init.d/, /elo/
support ALL=(ALL) NOPASSWD: /usr/bin/mysql
Is there a way I can deny /bin/su while still allowing the rest of the /bin commands?
Jul 22, 2011
A little while ago I moved to F14 from Ubuntu; I've been ok, but recently sudo has been causing me trouble :/ It seems to hang, but eventually produces some output indicating that it has been waiting for me to input a password; but it hasn't prompted me for one.
$ sudo ls
Sorry, try again.
Sorry, try again.
Sorry, try again.
sudo: 3 incorrect password attempts
May 31, 2011
I have written a script to run commands on remote servers, it is working fine. But when I am running "sudo commands" on the remote servers, it asks for my password after prompting for ssh password. I am unable to automate this password prompt (which is just after ssh password prompt). This is the function I am using to provide passwords
Code:
pass ()
{
cd $DIR/"$dt1"_"$dt"
/usr/bin/perl << 'EOF'
use strict;
[code]....
I want the same function to be used when it expects sudo passwords for any of the below lines:
Code:
[sudo] password for vikas:
or
Password:
This is my "cmd" file passed in pass () function.
Code:
ssh -t -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no 192.168.1.100 "bash rcmds"
This is my script output
Quote:
[vikas@box1 ~]$ ./rscript.sh
++ rm -rf /home/vikas/May_31
++ mkdir -p /home/vikas/May_31
++ set +x
[code]....
How to automate the password prompt required for sudo commands.
Jul 30, 2011
I'm creating a bash script to do some tasks for me. I would like the script to be run at a set time of every day. My first question is if it is possible that if one of the commands in the script requires sudo, is there a way to get around it without making sudo not require a password. Such as, is there a way to include the password in the script? If that is the case, I can always just set the file as read only by sudo. I've been looking for a way to do this, with no success. If I have a command that wants input, how do I give it to the program? For example, if I want to make a zip file that is encrypted, the command would go as:
Code:
zip -r example * -e
Now how would I get the script to insert my wanted password?
Feb 12, 2010
Would it be safe to say that if I build a restricted user: "Desktop" or "unprivileged" user I will be ok? From what I understand - most scripts or applications cannot install without the 'sudo' prompt and user input.
Dec 28, 2010
My secure log is flooding with these messages:
sudo: pam_limits(sudo:session): wrong limit value 'unlimited' for limit type 'hard'
Dec 28 22:42:29 yn54 sudo: pam_limits(sudo:session): wrong limit value 'unlimited' for limit type 'soft'
Dec 28 22:42:29 yn54 sudo: pam_limits(sudo:session): wrong limit value 'unlimited' for limit type 'hard'
Jan 18, 2010
I have a standard home set-up for my Ubuntu OS, and I would like to know whether it's possible to cut out the repetitive prompts to enter the password, as when you connect to the internet or access files on a partition that's not home, or install new software.
Jan 11, 2011
I have a strange behaviour on a Slackware 13.1 box:
Code:
user@host$ su
su: Authentication failure
[code]...
May 9, 2011
I have a RHEL 5.5 system set up with two users in the sudoers file to run certain commands without a password prompt. I do not have "Defaults requiretty" in the sudoers file. However, for both users, when I issue: sudo -l, it prompts for a password and logs in /var/log/secure:
sudo: userx: no tty present and no askpass program specified
Jan 26, 2011
We have a couple of clusters that are running Oracle. If you're familiar with Oracle you know that it basically has to be installed as root. Something I detest. Anyway, when we are building out the box, we change the root pw and give it to the DBA team to do their installs and configs. When they are done, we change the root pw (and do not give it to them), and configure sudo to allow them the rights needed to manage Oracle and their databases.
Now however, we have a different situation. The DBAs need access to uninstall and reinstall components and make modifications on an ongoing basis. Since we only support OS and hardware, not app, they are requesting permanent root access. I promptly told them no, and the politics ensued. Their manager went to their director, who went to my director, and suddenly an exception is given for his good golfing buddy. So here I am, forced to turn loose DBAs on my clusters with full root access/pw. I need a way to allow specific users (or perhaps a specific user group) the ability to become root WITHOUT sharing the root pw with them.
Dec 19, 2010
Everything was working well between my Windows 7 shares and all three of my Ubuntu machines. I just replaced my buggy Belkin router with a Netgear one and now none of the Ubuntu machines can open my Windows box through Nautilus. All three (one 10.04, 2 10.10) can see the Windows box but when I click on it I get the never ending password prompts. My Mac can access the Windows 7 machine fine, and all three Ubuntu boxes can access the shares with CIFS/autofs. I just can't browse the available shares using Places->Network. I'm led to believe something on Win 7 reset when I changed the router but after two days I'm at a loss as to what it could be.
Mar 22, 2011
Why when I type sudo su in a terminal there's no need to enter my password, I just go straight into root?
Feb 19, 2010
Stumped on this one. I'm trying to set up limited sudo authority on a desktop with some sensitive user data, and as an extra precaution I wanted to configure sudo to use a password other than the user's or the root's. I'm not sure how to do this. From the manual, we have a few options, such as "runaspw" or "targetpw", but none seem quite what I'm looking for. For instance, "runaspw" could be used if I created a user for nothing other than sudo(ing) purposes, but it requires you set "runas_default", which means that said user would have to have authority to execute said commands in the first place. This is workable, but seems like a lot of extra configuration for each specific command that I want to run, as well as creating some issues with simple commands such as "shutdown" or "reboot". Also, "targetpw" can be used in conjunction with a sudo(ing)-only user if I set an alias, but, again, this isn't quite what I am looking for.
Ultimately, what I am really concerned about in this situation are keystroke loggers, so I would prefer to avoid repeatedly entering the user or root password when performing administrative tasks. Also, I would prefer not having to create a sudo(ing)-only user as mentioned above to prevent a compromised password resulting in an attacker being able to log into my system.
Nov 9, 2010
This might sound really stupid, so you'll all have to excuse my lacking knowledge. I read that USB attacks get more and more common, like putting in a USB stick with a malicious autorun script on it, and it's game over. Can AppArmor protect devices and limit their access to the file system?
Dec 23, 2010
I'm trying to limit access to port 8443 on our server to 2 specific IP addresses. For some reason, access is still being allowed even though I drop all packets that aren't from the named IP addresses. The default policy is ACCEPT on the INPUT chain and this is how we want to keep it for various reasons I won't get into here. Here's the output from iptables -vnL:
[Code]...
Note the actual IP we are using is masked here with 123.123.123.123. Until I can get everything working properly, we're only allowing access from 1 IP instead of 2. We can add the other one once it all works right. I haven't worked with iptables very much. So I'm quite confused about why packets matching the DROP criteria are still being allowed.
Mar 10, 2011
I've set up a user account for friends & colleagues that does NOT require a login password. Unfortunately, in this OS some things don't work unless you login -- sudo. Must regular users have AND use Root's password?
Nov 28, 2010
How do I set up a server to where it does not give a password prompt to access a shared folder?
Jan 18, 2011
I am trying to get a non-root account on one of our servers to run a script with sudo capability. To that end, I went into the /etc/sudoers file, and added the following syntax:
Code:
## Enable the nagios user to run the check_iptables.sh script as root
nagios ALL=NOPASSWD: /usr/local/nrpe/libexec/check_iptables.sh, /sbin/iptables
I restarted the nagios service, and tested the results. The results were the user account still could not run the script due to the user, nagios, not having permission to run the iptables binary.
Is there another step(s) that I need to take in order to get the sudo access available to the user account?
Apr 29, 2011
I have a log server that collects logs from all the cisco devices on our network. The company policy states that any logs should only be accessible by root. So I have the following permissions set on the directory, as well as everything inside the directory where the cisco logs are kept.
Code:
drwx------ 65 root root 4096 Apr 29 7:38 rsyslog
The cisco folks are requesting access to these logs, which is allowed by company policy.
[code]...
Dec 19, 2010
I made a Desktop User account. When I went on that account, it allowed me to execute sudo as if I was an administrator. I don't know what might be causing this. I do have ufw set up and blocking incoming connections. Do you guys know what might be at the root of this? Also, when I used sudo from the user account (which I shouldn't have been able to do), I provided the password for my admin account.
Jul 25, 2011
pam_auth_radius - Change the "Password:" prompt. I'm currently working on getting a two-factor supplier working with my servers. I've installed the pam_auth_radius.so and it works fine. HOWEVER. When I SSH to the server, I get this:
warning: Need basic cursor movement capability, using vt100
Keyboard-interactive:
Password:
[code]....
May 23, 2010
I have a dual boot machine and recently did a fresh install of 10.4. It no longer asks for a password to access the Windows partition and I have full access to it. This seems insecure to me and was wondering if someone else came across this. I thought I saw this topic discussed before but I can not seem to find it now. Is this a bug or a new unpleasant feature? I don't think it makes a difference but I do have a separate encrypted home partition on this fresh install. I have also done two fresh installs. (Well three...once testing out KDE but didn't try the Win partition.)
Nov 6, 2010
I was wondering if there is any way in Linux in general and Fedora 13 in particular to configure system so that any service that needs access to internet will have to ask for password/permission to do so. So that I can
Sep 3, 2010
I would like to use a wireless network, I type in the correct password but suddenly a new window pops up saying: 'an application wants to access to the keyring 'Vorgabe', but its is locked password:'
But I don't know what password it's talking about
I went to Password and Encryption keys, there are two folders
'password: vorgabe'
'Password: login'
Dec 30, 2010
Host always asks for password on 1st remote desktop (VNC) access Desktop version... How can I disable this?
Dec 18, 2010
I have tried to not allow root access and have created a wheel user.
Now I cannot log in as root.
It's okay, but when I am logging in as wheel user and trying to access root then it says:
Code:
Sep 16, 2010
A day ago I finally got around to upgrading the PackageKit installation that had been sitting for a week and a half, so I found a new upgrade for sudo available - the one that gives the sudoreplay command, I forget which version number it is exactly. When I try to use the sudo command I get this notice in my terminal:
Code:
Can't open /var/db/sudo/me/1: Permission denied
I didn't get it before. What do I have to do to make it open? I'm using SELinux in enforcing mode if that helps.
Feb 23, 2011
I am new to using Ubuntu 10.10 that was installed by a friend of mine, but he didn't give me a password for administrator and now when I try to install VLC I am blocked by a password prompt. To make things worse I can't use F1 key, esc key, tab key, 1 key (I copy and paste 1 from other pages when I need it). I am at a loss here and all I want is to change the administrator password without validating the current password first.
Apr 27, 2010
I needed to use Synaptic Package Manager to install an app, but the dialog box ("enter the Administrative Password") that pops up before you can use Synaptic doesn't recognize my password ("incorrect password"). I tried typing it into a text editor and it's spelled right, caps lock not turned on or anything.
In Terminal, sudo recognizes it, and it is recognized when I log into Ubuntu. I'm the sole user, I have admin privileges, I've been doing admin things.
I just now did System > Administration > Users and Groups and got a dialog box saying
"Failed to contact configuration server; some possible causes are that you need to enable TCP/IP networking for ORBit, or you have stale NFS locks due to a system crash. See [URL] for information. (Details - 1: Server ping error: IDLmg.org/CORBA/COMM_FAILURE:1.0)"
Moving past that, I changed my user password, and Ubuntu authenticated it.
How do you launch Synaptic Package Manager from the command line?