Bug #14381: Directive Sudoers allow both passwordless sudo and all commands. - Rudder - Issue Tracker

Actions

Copy link

Bug #14381

open

Directive Sudoers allow both passwordless sudo and all commands.

Added by Matthew Frost over 5 years ago. Updated 5 months ago.

Status:

New

Priority:

N/A

Assignee:

Félix DALLIDET

Category:

Techniques

Target version:

7.3.17

Pull Request:

Severity:

Minor - inconvenience | misleading | easy workaround

UX impact:

User visibility:

Getting started - demo | first install | Technique editor and level 1 Techniques

Effort required:

Priority:

Name check:

Fix check:

Regression:

Description

Hello Rudder,

During my testing yesterday we attempted to allow a user on our staging server to execute passwordless sudo and all commands, but we found that when you enable the following options in the directive:

Allow the entity to execute the given commands without entering his password (true)
Allow the entity to execute all commands (true)
Commands allowed to this entity - Optional (EMPTY)

The sudeors file results in the following:

#includedir /etc/sudoers.d
# begin_section_user
user    ALL=(ALL) ALL

This does allow the user to execute sudo commands but prompts for a password our goal would be to allow all sudo commands on staging without entering a password.

Thank you!

Actions

Copy link

Updated by Alexis Mousset over 5 years ago

Description updated (diff)
Category set to Techniques
Target version set to 5.0.7

Actions

Copy link

Updated by François ARMAND over 5 years ago

Target version changed from 5.0.7 to 5.0.9

Actions

Copy link

Updated by Vincent MEMBRÉ over 5 years ago

Target version changed from 5.0.9 to 5.0.10

Actions

Copy link

Updated by Nicolas CHARLES over 5 years ago

Hi Matthew

What would be the expected content of sudo config file to achieve that correctly in your opinion?

Actions

Copy link

Updated by Matthew Frost over 5 years ago

Hello Nicolas,

It would be:

myuser ALL=(ALL) NOPASSWD:ALL for a single user, or

%sudo ALL=(ALL) NOPASSWD:ALL for a group.

Actions

Copy link

Updated by François ARMAND over 5 years ago

Assignee set to Félix DALLIDET
Severity set to Critical - prevents main use of Rudder | no workaround | data loss | security
User visibility set to Getting started - demo | first install | Technique editor and level 1 Techniques
Priority changed from 0 to 93

Actions

Copy link

Updated by François ARMAND over 5 years ago

Severity changed from Critical - prevents main use of Rudder | no workaround | data loss | security to Minor - inconvenience | misleading | easy workaround
Priority changed from 93 to 50

In fact, I misunderstood the problem: here, it asks for the password when it should not (so it's more minor than critical)

Actions

Copy link

Updated by Félix DALLIDET over 5 years ago

Status changed from New to In progress

Actions

Copy link

Updated by Félix DALLIDET over 5 years ago

I was unable to reproduce on a debian9 platform, I tested it in 5.0.6 and 5.0.9.
Could you double check if the issue is still relevant? If so, could you describe precisely the steps and environment needed to reproduce.

Actions

Copy link

#10