[olug] /etc/sudoers notes for entries with multiple "tags".

Dan Linder dan at linder.org
Wed Aug 20 18:53:45 UTC 2008


I'm trying to set up a single user account ("myuser") so that they can
execute a program (ex: /usr/bin/vi) as root without a password.  To
achieve just that I need to use the NOPASSWD Tag_Spec, here's the
simple entry in /etc/sudoers:

  myuser ALL = (root) NOPASSWD: /usr/bin/vi

Additionally, I don't want them to be able to shell out (:shell) and
get a root prompt.  The NOEXEC stanza for sudoers turns this off:

  myuser ALL = (root) NOEXEC: /usr/bin/vi

This setup now requires that "myuser" know his password before
/usr/bin/vi is executed, but shelling out of VI returns a "Cannot
execute shell" error message.

What I needed was the ability to use both NOPASSWD and NOEXEC on the
same line.  I tried multiple incarnations of the line, and this is the
one that finally worked:

  myuser ALL = (root) NOPASSWD:NOEXEC: /usr/bin/vim
(NOTE: The tags are colon separated, no commas or spaces)

The fine man page for sudoers states "A command may have zero or more
tags associated with it"... but all of the examples it gives are of a
single tag.

Hope this helps others and/or I find this e-mail in Google the next
time I'm trying to do this.

Dan

Just for the record, I tried these combinations:

  myuser ALL = (root) NOPASSWD,NOEXEC: /usr/bin/vi --> NOPASSWD ignored
  myuser ALL = (root) NOEXEC,NOPASSWD: /usr/bin/vi --> NOEXEC ignored
  myuser ALL = (root) NOPASSWD, NOEXEC: /usr/bin/vi  --> Can't remember result
  myuser ALL = (root) NOPASSWD: NOEXEC: /usr/bin/vi  --> Can't remember result
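As an added example (not part of the original post), a small Python lint that splits a sudoers user specification into user, host, runas, tags and command the way the post describes, treating every "WORD:" before the command as one tag and flagging comma-joined forms like "NOPASSWD,NOEXEC:" instead of letting a tag silently vanish. The accepted tag names and the assumption that whitespace after a colon is harmless are mine, so `visudo -c` remains the authoritative check before installing a file.

```python
import re

# Tag names taken from sudoers(5); accepting exactly this set is an assumption of this lint.
KNOWN_TAGS = {
    "PASSWD", "NOPASSWD", "EXEC", "NOEXEC", "SETENV", "NOSETENV",
    "LOG_INPUT", "NOLOG_INPUT", "LOG_OUTPUT", "NOLOG_OUTPUT",
}

# user  host = (runas) rest        -- the "(runas)" part is optional
SPEC_RE = re.compile(
    r"^\s*(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<rest>.*)$"
)

def parse_user_spec(line):
    """Split one sudoers user specification into its parts.

    Returns a dict with user, host, runas, tags (in order), command and a list
    of errors.  Anything before the command that is not a known 'TAG:' token
    is reported rather than dropped.
    """
    m = SPEC_RE.match(line)
    if not m:
        return {"tags": [], "command": "", "errors": ["not a user specification"]}
    rest, tags, errors = m.group("rest").strip(), [], []
    # Consume leading 'WORD:' tokens; a '/' before the first ':' means we reached the command.
    while ":" in rest and "/" not in rest.split(":", 1)[0]:
        head, rest = [s.strip() for s in rest.split(":", 1)]
        if head in KNOWN_TAGS:
            tags.append(head)
        elif "," in head:
            errors.append(f"'{head}:' is not a Tag_Spec; write tags as TAG1:TAG2:")
        else:
            errors.append(f"unknown tag '{head}'")
    if not rest:
        errors.append("no command after tags")
    return {"user": m.group("user"), "host": m.group("host"), "runas": m.group("runas"),
            "tags": tags, "command": rest, "errors": errors}

def lint_sudoers(text):
    """Return (line_number, message) pairs for every malformed user specification."""
    problems = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        # Skip blanks, comments, Defaults and alias definitions; only user specs are checked.
        if not line or line.startswith(("#", "Defaults")) or "_Alias" in line.split("=")[0]:
            continue
        problems.extend((no, err) for err in parse_user_spec(line)["errors"])
    return problems

SAMPLE = """\
# constructed sample, not a real sudoers file
myuser ALL = (root) NOPASSWD:NOEXEC: /usr/bin/vim
myuser ALL = (root) NOPASSWD,NOEXEC: /usr/bin/vi
"""

if __name__ == "__main__":
    for no, msg in lint_sudoers(SAMPLE):
        print(f"line {no}: {msg}")
```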

-- 
"Quis custodiet ipsos custodes?" (Who can watch the watchmen?) -- from
the Satires of Juvenal
"I do not fear computers, I fear the lack of them." -- Isaac Asimov (Author)