Sudo without password Solaris 11.2

Hi guys,

I have the strangest issue... might be a huge oversight... who knows!!

I am trying to configure a user to use sudo with no password. Here is my sudoers configuration file:

root@isha:~# egrep -v "^$|^#" /etc/sudoers
root ALL=(ALL) ALL
%wheel ALL=(ALL) NOPASSWD: ALL
root@isha:~#

I log in as user "kenneth", who is in the wheel group, but it requires a password...

kenneth@isha:~$ id -a 
uid=100(kenneth) gid=10(staff) groups=10(staff),100(wheel)
kenneth@isha:~$ roles
root
kenneth@isha:~$ sudo -n su -
sudo: a password is required

So I checked by creating a new user called "ragnor" and adding it to wheel as well. I added it to the root role too, just in case (I thought that was the cause at some point), but it works flawlessly...

ragnor@isha:~$ id -a 
uid=101(ragnor) gid=10(staff) groups=10(staff),100(wheel)
ragnor@isha:~$ roles
root
ragnor@isha:~$ sudo su - 
Oracle Corporation      SunOS 5.11      11.2    June 2014
You have new mail.
root@isha:~# 

I also tried commenting out the "root ALL=(ALL) ALL" on sudoers, same results.

Any ideas?

Thanks.

What is that -n you used when passing the command for kenneth?

It is basically a way of showing the error

     -n          The -n (non-interactive) option prevents sudo
                 from prompting the user for a password.  If a
                 password is required for the command to run,
                 sudo will display an error message and exit.

Without the -n this would be the result

kenneth@isha:~$ sudo su - 
Password: 

I think your /etc/sudoers should work.
Check that your sudo command really opens /etc/sudoers:

truss -f -t open sudo -l

(need to run this as root)


Hi,

I can't truss sudo -- edit: (you did say run this as root :), as root it did open /etc/sudoers)

kenneth@isha:~$ truss -f -t open sudo -l
truss: cannot trace set-id or unreadable object file: /usr/bin/sudo

However if it was not using /etc/sudoers it would not work for "ragnor".
There is an easy way of showing it is indeed reading the /etc/sudoers config file

root@isha:~# egrep -v "^$|^#" /etc/sudoers
root ALL=(ALL) ALL
%wheel ALL=(ALL) NOPASSWD: ALL
kenneth ALL=(ALL) NOPASSWD: /usr/bin/su
root@isha:~# exit
logout
kenneth@isha:~$ sudo -l 
User kenneth may run the following commands on this host:
    (ALL) NOPASSWD: ALL
    (ALL) NOPASSWD: /usr/bin/su
    (ALL) ALL
kenneth@isha:~$ 

This must have something to do with RBAC.... root being a role and not a user.. not sure.

---------- Post updated at 01:41 AM ---------- Previous update was at 01:32 AM ----------

Ok found it...

When a user is specified during installation a few things happen, it gets the "root" role and so on, but it also creates the following file

root@isha:/# cat /etc/sudoers.d/svc-system-config-user
kenneth ALL=(ALL) ALL

So sudo was hitting this rule before hitting the NOPASSWD one; removing that file did the magic... funny one.

Thanks for your help, guys.
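
sudoers(5) applies the last matching entry, and files under /etc/sudoers.d are read at the point of the #includedir line, a line that the egrep -v "^#" filter used earlier in the thread also hides. The script below is an added example, not code from the thread: it reports which entry wins for a user in a constructed copy of the two files quoted above, assuming the main file ends with #includedir; expand_sudoers, winning_rule and make_sample are hypothetical helper names.

```shell
#!/bin/sh
# Added example. Simplified model of sudoers evaluation: no aliases and no
# host/command matching; only the user field and #includedir are handled.

# expand_sudoers FILE: print "path<TAB>entry" in the order sudo reads entries,
# following "#includedir DIR" at the position where it appears.
expand_sudoers() {
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            '#includedir '*)
                dir=${line#?includedir }
                for f in "$dir"/*; do
                    # sudo skips names that end in ~ or contain a dot
                    case ${f##*/} in *.*|*~) continue ;; esac
                    if [ -f "$f" ]; then expand_sudoers "$f"; fi
                done ;;
            ''|'#'*) ;;                            # blank line or comment
            *) printf '%s\t%s\n' "$1" "$line" ;;
        esac
    done < "$1"
}

# winning_rule USER GROUPS_CSV FILE: print the last entry whose user field is
# USER, ALL, or %GROUP for a group in GROUPS_CSV (sudoers is last-match-wins).
winning_rule() {
    expand_sudoers "$3" | awk -v u="$1" -v g="$2" '
        BEGIN { who[u] = 1; who["ALL"] = 1
                n = split(g, a, ","); for (i = 1; i <= n; i++) who["%" a[i]] = 1 }
        { t = index($0, "\t"); rule = substr($0, t + 1); split(rule, w, " ")
          if (w[1] in who) last = substr($0, 1, t - 1) ": " rule }
        END { if (last != "") print last }'
}

# make_sample DIR: constructed copy of the two files quoted in the thread.
# Assumption: the main file ends with an #includedir line for the drop-ins.
make_sample() {
    mkdir -p "$1/sudoers.d"
    printf '%s\n' 'root ALL=(ALL) ALL' '%wheel ALL=(ALL) NOPASSWD: ALL' \
        "#includedir $1/sudoers.d" > "$1/sudoers"
    echo 'kenneth ALL=(ALL) ALL' > "$1/sudoers.d/svc-system-config-user"
}

tmp=$(mktemp -d) && make_sample "$tmp"
winning_rule kenneth staff,wheel "$tmp/sudoers"   # drop-in entry, no NOPASSWD
winning_rule ragnor  staff,wheel "$tmp/sudoers"   # %wheel NOPASSWD entry
rm -rf "$tmp"
```

On a real host, `sudo -l -U kenneth` run as root gives the authoritative listing in the same order.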

AFAIK the roles belong to RBAC, and sudo works without RBAC.
That means sudo should work even without the root role.
--
BTW positive logic is shorter:

grep '^[^#]' /etc/sudoers