How do you get your computer to make you a sandwich? Sudo!
Let’s say you have a special high-privilege user account that you allow to run a few commands without passwords.
Your devops deployment job requires sudo whoami. Your sudo configuration is:

deployer ALL=(ALL) NOPASSWD: /usr/bin/whoami
Let’s give it a try:

$ sudo /usr/bin/whoami
[sudo] password for deployer:
That’s a problem. You don’t want a password prompt here!
Sudo, Y U No?
Do not despair! Sudo includes a command-line option, -l, that lists the privileges your user has been granted.

$ sudo -l
Matching Defaults entries for deployer on ubuntu-bionic:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin

User deployer may run the following commands on ubuntu-bionic:
    (ALL) NOPASSWD: /usr/bin/whoami
    (ALL) /usr/bin/whoami
Specifically, look at those two /usr/bin/whoami entries. The bottom one wins! That means sudo thinks that deployer should give it a password. Thanks, sudo!
Where are the configurations for those two entries?
# grep -r deployer /etc/sudoers*
/etc/sudoers.d/00deployer:deployer ALL=(ALL) NOPASSWD: /usr/bin/whoami
/etc/sudoers.d/deployer:deployer ALL=(ALL) /usr/bin/whoami
We have found the problem: two overlapping sudoers files.
I’ll Fix It
You can either remove the redundant deployer file, or re-order both files. Sudo is reading them in “lexical” order, so 00deployer comes before deployer. Counter-intuitively, that means
I have removed the second file with rm /etc/sudoers.d/deployer, and I am trying again.
$ sudo /usr/bin/whoami
root
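The precedence rule behind this bug, as an added example that is not part of the original post: a small Python model of how sudo resolves overlapping rules. It reads a constructed copy of the two drop-in files in lexical order, keeps the last rule that matches the user and command, and reports whether a password is required. The sudoers grammar here is deliberately simplified (no host or runas matching, no Defaults, no aliases), so it illustrates the ordering behaviour, not sudo's full parser.

```python
import re
from typing import Optional

# Constructed sample of the two overlapping drop-in files from the post.
# sudo reads /etc/sudoers.d in lexical (sorted) order, so 00deployer is
# parsed first and deployer last.
SUDOERS_D = {
    "/etc/sudoers.d/deployer": "deployer ALL=(ALL) /usr/bin/whoami\n",
    "/etc/sudoers.d/00deployer": "deployer ALL=(ALL) NOPASSWD: /usr/bin/whoami\n",
}

# Simplified sudoers rule: user host=(runas) [NOPASSWD:|PASSWD:] command
LINE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*\((?P<runas>[^)]*)\)\s*"
    r"(?:(?P<tag>NOPASSWD|PASSWD):\s*)?(?P<cmd>.+?)\s*$"
)


def parse_rules(files: dict[str, str]) -> list[dict]:
    """Return rules in the order sudo sees them: files sorted lexically, lines in file order."""
    rules = []
    for path in sorted(files):
        for raw in files[path].splitlines():
            line = raw.split("#", 1)[0].strip()  # drop comments (the simplified grammar has no #include)
            if not line:
                continue
            m = LINE_RE.match(line)
            if m:
                rules.append({"file": path, **m.groupdict()})
    return rules


def winning_rule(rules: list[dict], user: str, cmd: str) -> Optional[dict]:
    """Among rules matching user and command, the LAST one parsed wins (None if nothing matches)."""
    winner = None
    for r in rules:
        if r["user"] == user and r["cmd"] == cmd:
            winner = r
    return winner


def password_required(rules: list[dict], user: str, cmd: str) -> Optional[bool]:
    """True if the winning rule prompts for a password, False if it is NOPASSWD, None if no rule matches."""
    r = winning_rule(rules, user, cmd)
    if r is None:
        return None
    return r["tag"] != "NOPASSWD"
```

Removing /etc/sudoers.d/deployer from the sample dictionary (the fix applied in the post) leaves the 00deployer NOPASSWD rule as the only match, and password_required then returns False.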