Sudon’t
How do you get your computer to make you a sandwich? Sudo!
Let’s say you have a special high-privilege user account that you allow to run a few commands without passwords.
Example
Your devops deployment job requires sudo whoami. Your sudo configuration is:
deployer ALL=(ALL) NOPASSWD: /usr/bin/whoami
Let’s give it a try
$ sudo /usr/bin/whoami
[sudo] password for deployer:
That’s a problem. You don’t want a password prompt here!
Sudo, Y U No?
Do not despair! Sudo includes a command line option to tell you your privileges.
$ sudo -l
Matching Defaults entries for deployer on ubuntu-bionic:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin

User deployer may run the following commands on ubuntu-bionic:
    (ALL) NOPASSWD: /usr/bin/whoami
    (ALL) /usr/bin/whoami
Look specifically at those two /usr/bin/whoami entries. The bottom one wins: when several entries match, sudo applies the last one, so it thinks deployer should give it a password. Thanks, sudo!
Where are the configurations for those two entries?
# grep -r deployer /etc/sudoers*
/etc/sudoers.d/00deployer:deployer ALL=(ALL) NOPASSWD: /usr/bin/whoami
/etc/sudoers.d/deployer:deployer ALL=(ALL) /usr/bin/whoami
We have found the problem: two overlapping sudoers files.
I’ll Fix It
You can either remove the redundant deployer file, or re-order both files. Sudo reads the files in /etc/sudoers.d in lexical order, so 00deployer comes before deployer, and of the matching entries it applies the last one it read. Counter-intuitively, that means deployer wins!
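To see the ordering problem without touching a live system, here is an added script (not from the original post) that lists every rule for a user under a sudoers.d-style directory in the order sudo reads them and reports the last match, which is the rule sudo actually applies. It uses a constructed temporary directory holding the two overlapping files from the post plus a third, ignored file; the user name and file contents are sample data.

```shell
#!/bin/sh
# Added example: which sudoers.d rule wins for a user?
# Sudo parses the files in /etc/sudoers.d in sorted lexical (byte-wise) order,
# ignores names that contain '.' or end in '~', and applies the LAST matching
# entry. Force the C locale so the shell's glob order matches that byte-wise sort.
LC_ALL=C; export LC_ALL

# Print "file: rule" for every rule whose first field is $2 under directory $1,
# in the order sudo reads them. Only direct user specs are matched; aliases,
# %group and Defaults lines are out of scope for this check.
sudoers_rules_for() {
    dir=$1
    user=$2
    for path in "$dir"/*; do
        f=${path##*/}
        case $f in *.*|*~) continue ;; esac   # sudo skips these (e.g. editor backups)
        grep -E "^[[:space:]]*${user}[[:space:]]" "$path" | sed "s|^|$f: |"
    done
}

# The rule sudo applies is the last match in reading order.
effective_rule_for() {
    sudoers_rules_for "$1" "$2" | tail -n 1
}

# Constructed sample directory reproducing the post's two overlapping files.
demo_dir=$(mktemp -d)
printf '%s\n' 'deployer ALL=(ALL) NOPASSWD: /usr/bin/whoami' > "$demo_dir/00deployer"
printf '%s\n' 'deployer ALL=(ALL) /usr/bin/whoami'           > "$demo_dir/deployer"
printf '%s\n' 'deployer ALL=(ALL) NOPASSWD: ALL'             > "$demo_dir/deployer.bak"  # ignored by sudo

echo "Rules for deployer, in the order sudo applies them:"
sudoers_rules_for "$demo_dir" deployer
echo "Effective rule (last match wins):"
effective_rule_for "$demo_dir" deployer
```

Pointing the functions at a copy of a real /etc/sudoers.d (they only read) shows at a glance whether a NOPASSWD entry is being silently overridden by a later file.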
I have removed the second file with rm /etc/sudoers.d/deployer, and I am trying again.
$ sudo /usr/bin/whoami
root
Success!