Menu
▾
▴
Re: [webmin-l] Webmin login broken on sudo upgrade
|
From: up@3.am - 2010-10-14 13:24:42
|
Have you tried commenting out this in the /etc/sudoers file? Defaults requiretty > Yeah, you might have to ask the sudo developers what the error : > > "Sorry, user teresaejunior may not run sudo on localhost." > > means .. > > On 13/Oct/2010 16:09 Teresa e Junior <ter...@gm...> wrote .. >> Hello, Jamie! >> >> Sorry, I tried a couple of different things without success. Sudo is a >> bit hard to debug. I enabled sudo logging via rsyslog, but the only >> output is: >> >> Oct 13 20:04:37 localhost sudo: teresaejunior : command not allowed ; >> TTY=pts/6 ; PWD=/usr/share/webmin ; USER=root ; COMMAND=list >> >> and from /var/log/auth.log: >> >> Oct 13 19:58:16 localhost x-www-browser: gethostby*.getanswer: >> asked for "", got "." >> Oct 13 19:58:21 localhost perl[3897]: PAM unable to >> dlopen(/lib/security/pam_winbind.so): /lib/security/pam_winbind.so: >> cannot open shared object file: No such file or directory >> Oct 13 19:58:21 localhost perl[3897]: PAM adding faulty >> module: /lib/security/pam_winbind.so >> Oct 13 19:58:21 localhost perl[3897]: pam_unix(webmin:session): session >> opened for user teresaejunior by (uid=0) >> Oct 13 19:58:21 localhost sudo: teresaejunior : command not allowed ; >> TTY=pts/6 ; PWD=/usr/share/webmin ; USER=root ; COMMAND=list >> Oct 13 19:58:21 localhost webmin[3897]: Invalid login as teresaejunior >> from 127.0.0.1 >> >> Should a file a bug against sudo? Or maybe ask for help in their >> mailing lists? >> >> Best regards! >> Teresa e Junior >> >> On Wed, 13 Oct 2010 11:57:03 -0700 (PDT) >> "Jamie Cameron" <jca...@we...> wrote: >> >> > Ok, I see the error .. sudo is failing with the message : >> > >> > "Sorry, user teresaejunior may not run sudo on localhost." >> > >> > I have no idea what that means though! It may be related to >> > Webmin not running sudo with a valid TTY .. >> > >> > On 13/Oct/2010 09:10 Teresa e Junior <ter...@gm...> >> > wrote .. >> > > Hello, Jamie! >> > > >> > > Here goes miniserv.debug attached. Its output still doesn't seem >> > > very helpful to me. It looks the changes are related to >> > > tty_tickets. In sudo 1.7.2, I could run sudo from Menu > Run >> > > Command..., now it seems to expect a tty (or terminal emulator). My >> > > scripts could work again using "Defaults !tty_tickets". Sorry if >> > > that is not the case! >> > > >> > > BTW, we're in a mailing list, so I changed my password with ****** >> > > in miniserv.debug! >> > > >> > > * When the tty_tickets sudoers option is enabled but there is >> > > no terminal device, sudo will no longer use or create a >> > > tty-based ticket file. Previously, sudo would use a tty name >> > > of "unknown". As a consequence, if a user has no terminal >> > > device, sudo will now always prompt for a password. >> > > >> > > * The tty_tickets sudoers option is now enabled by default. >> > > >> > > Best regards! >> > > Teresa e Junior >> > > >> > > On Tue, 12 Oct 2010 15:41:45 -0700 (PDT) >> > > "Jamie Cameron" <jca...@we...> wrote: >> > > >> > > > Hi Teresa, >> > > > >> > > > That output actually looks OK to me... >> > > > >> > > > One thing you could try is turning on debug logging. To do this, >> > > > edit /etc/webmin/miniserv.conf and add the line : >> > > > >> > > > debuglog=/var/webmin/miniserv.debug >> > > > >> > > > then run /etc/webmin/restart , and try to login to webmin. >> > > > >> > > > Then send me the contents of the /var/webmin/miniserv.debug file. >> > > > >> > > > On 12/Oct/2010 13:16 Teresa e Junior <ter...@gm...> >> > > > wrote .. >> > > > > Hello, Jamie! >> > > > > >> > > > > teresaejunior@localhost:~$ sudo -l -S >> > > > > Matching Defaults entries for teresaejunior on this host: >> > > > > env_reset, !tty_tickets, env_keep+=HOME >> > > > > >> > > > > User teresaejunior may run the following commands on this host: >> > > > > (ALL) ALL >> > > > > teresaejunior@localhost:~$ >> > > > > >> > > > > >> > > > > On Tue, 12 Oct 2010 11:45:09 -0700 (PDT) >> > > > > "Jamie Cameron" <jca...@we...> wrote: >> > > > > >> > > > > > Hi Teresa, >> > > > > > >> > > > > > The problem might be that the output from the sudo command has >> > > > > > changed, which confuses Webmin. >> > > > > > >> > > > > > If you SSH into the system as the user you are trying to login >> > > > > > with and run the command : >> > > > > > >> > > > > > sudo -l -S >> > > > > > >> > > > > > what does it output? >> > > > > > >> > > > > > - Jamie >> > > > > > >> > > > > > On 12/Oct/2010 07:37 Teresa e Junior <ter...@gm...> >> > > > > > wrote .. >> > > > > > > Hello, Webmin developers! >> > > > > > > >> > > > > > > sudo 1.7.4 upgrade brings a lot of modifications, which had >> > > > > > > broken a bunch of shell scripts I had (which was solved by >> > > > > > > including "Defaults !tty_tickets" in sudoers file), and also >> > > > > > > makes login to Webmin unavailable. >> > > > > > > >> > > > > > > The error message is simply "Login failed. Please try >> > > > > > > again.". Downgrading to sudo 1.7.2 solves the issue. >> > > > > > > >> > > > > > > Unfortunately I don't know how to debug this, but I am >> > > > > > > available to answer any question or do any test needed. At >> > > > > > > the bottom I've included a piece from sudo NEWS file >> > > > > > > pertaining the 1.7.3 and 1.7.4 releases. >> > > > > > > >> > > > > > > Best regards! >> > > > > > > Teresa e Junior >> > > > > > > >> > > > > > > What's new in Sudo 1.7.4? >> > > > > > > >> > > > > > > * Sudoedit will now preserve the file extension in the >> > > > > > > name of the temporary file being edited. The extension is >> > > > > > > used by some editors (such as emacs) to choose the editing >> > > > > > > mode. >> > > > > > > >> > > > > > > * Time stamp files have moved from /var/run/sudo to >> > > > > > > either /var/db/sudo, /var/lib/sudo or /var/adm/sudo. The >> > > > > > > directories are checked for existence in that order. >> > > > > > > This prevents users from receiving the sudo lecture every >> > > > > > > time the system reboots. Time stamp files older than the >> > > > > > > boot time are ignored on systems where it is possible to >> > > > > > > determine this. >> > > > > > > >> > > > > > > * The tty_tickets sudoers option is now enabled by default. >> > > > > > > >> > > > > > > * Ancillary documentation (README files, LICENSE, etc) is >> > > > > > > now installed in a sudo documentation directory. >> > > > > > > >> > > > > > > * Sudo now recognizes "tls_cacert" as an alias for >> > > > > > > "tls_cacertfile" in ldap.conf. >> > > > > > > >> > > > > > > * Defaults settings that are tied to a user, host or >> > > > > > > command may now include the negation operator. For example: >> > > > > > > Defaults:!millert lecture >> > > > > > > will match any user but millert. >> > > > > > > >> > > > > > > * The default PATH environment variable, used when no PATH >> > > > > > > variable exists, now includes /usr/sbin and /sbin. >> > > > > > > >> > > > > > > * Sudo now uses polypkg >> > > > > > > (http://rc.quest.com/topics/polypkg/) for cross-platform >> > > > > > > packing. >> > > > > > > >> > > > > > > * On Linux, sudo will now restore the nproc resource limit >> > > > > > > before executing a command, unless the limit appears to have >> > > > > > > been modified by pam_limits. This avoids a problem with >> > > > > > > bash scripts that open more than 32 descriptors on SuSE >> > > > > > > Linux, where sysconf(_SC_CHILD_MAX) will return -1 when >> > > > > > > RLIMIT_NPROC is set to RLIMIT_UNLIMITED (-1). >> > > > > > > >> > > > > > > * The HOME and MAIL environment variables are now reset >> > > > > > > based on the target user's password database entry when the >> > > > > > > env_reset sudoers option is enabled (which is the case in >> > > > > > > the default configuration). Users wishing to preserve the >> > > > > > > original values should use a sudoers entry like: Defaults >> > > > > > > env_keep += HOME to preserve the old value of HOME and >> > > > > > > Defaults env_keep += MAIL >> > > > > > > to preserve the old value of MAIL. >> > > > > > > >> > > > > > > * Fixed a problem in the restoration of the AIX authdb >> > > > > > > registry setting. >> > > > > > > * Sudo will now fork(2) and wait until the command has >> > > > > > > completed before calling pam_close_session(). >> > > > > > > >> > > > > > > * The default syslog facility is now "authpriv" if the >> > > > > > > operating system supports it, else "auth". >> > > > > > > >> > > > > > > What's new in Sudo 1.7.3? >> > > > > > > >> > > > > > > * Support for logging I/O for the command being run. >> > > > > > > For more information, see the documentation for the >> > > > > > > "log_input" and "log_output" Defaults options in the sudoers >> > > > > > > manual. Also see the sudoreplay manual for how to replay >> > > > > > > I/O log sessions. >> > > > > > > >> > > > > > > * The use_pty sudoers option can be used to force a >> > > > > > > command to be run in a pseudo-pty, even when I/O logging is >> > > > > > > not enabled. >> > > > > > > >> > > > > > > * On some systems, sudo can now detect when a user has >> > > > > > > logged out and back in again when tty-based time stamps are >> > > > > > > in use. Supported systems include Solaris systems with the >> > > > > > > devices file system, Mac OS X, and Linux systems with the >> > > > > > > devpts filesystem (pseudo-ttys only). >> > > > > > > >> > > > > > > * On AIX systems, the registry setting >> > > > > > > in /etc/security/user is now taken into account when >> > > > > > > looking up users and groups. Sudo now applies the correct >> > > > > > > the user and group ids when running a command as a user >> > > > > > > whose account details come from a different source (e.g. >> > > > > > > LDAP or DCE vs. local files). >> > > > > > > >> > > > > > > * Support for multiple 'sudoers_base' and 'uri' entries in >> > > > > > > ldap.conf. When multiple entries are listed, sudo will try >> > > > > > > each one in the order in which they are specified. >> > > > > > > >> > > > > > > * Sudo's SELinux support should now function correctly when >> > > > > > > running commands as a non-root user and when one of stdin, >> > > > > > > stdout or stderr is not a terminal. >> > > > > > > >> > > > > > > * Sudo will now use the Linux audit system with configure >> > > > > > > with the --with-linux-audit flag. >> > > > > > > >> > > > > > > * Sudo now uses mbr_check_membership() on systems that >> > > > > > > support it to determine group membership. Currently, only >> > > > > > > Darwin (Mac OS X) supports this. >> > > > > > > >> > > > > > > * When the tty_tickets sudoers option is enabled but there >> > > > > > > is no terminal device, sudo will no longer use or create a >> > > > > > > tty-based ticket file. Previously, sudo would use a tty >> > > > > > > name of "unknown". As a consequence, if a user has no >> > > > > > > terminal device, sudo will now always prompt for a password. >> > > > > > > >> > > > > > > * The passwd_timeout and timestamp_timeout options may now >> > > > > > > be specified as floating point numbers for more granular >> > > > > > > timeout values. >> > > > > > > >> > > > > > > * Negating the fqdn option in sudoers now works correctly >> > > > > > > when sudo is configured with the --with-fqdn option. In >> > > > > > > previous versions of sudo the fqdn was set before sudoers >> > > > > > > was parsed. >> > > > > > >> > > > > > ------------------------------------------------------------------------------ >> > > > > > Beautiful is writing same markup. Internet Explorer 9 supports >> > > > > > standards for HTML5, CSS3, SVG 1.1, ECMAScript5, and DOM L2 >> > > > > > & L3. Spend less time writing and rewriting code and more >> > > > > > time creating great experiences on the web. Be a part of the >> > > > > > beta today. http://p.sf.net/sfu/beautyoftheweb >> > > > > > - >> > > > > > Forwarded by the Webmin mailing list at >> > > > > > web...@li... To remove yourself from >> > > > > > this list, go to >> > > > > > http://lists.sourceforge.net/lists/listinfo/webadmin-list >> > > > > >> > > > > ------------------------------------------------------------------------------ >> > > > > Beautiful is writing same markup. Internet Explorer 9 supports >> > > > > standards for HTML5, CSS3, SVG 1.1, ECMAScript5, and DOM L2 & >> > > > > L3. Spend less time writing and rewriting code and more time >> > > > > creating great experiences on the web. Be a part of the beta >> > > > > today. http://p.sf.net/sfu/beautyoftheweb >> > > > > - >> > > > > Forwarded by the Webmin mailing list at >> > > > > web...@li... To remove yourself from this >> > > > > list, go to >> > > > > http://lists.sourceforge.net/lists/listinfo/webadmin-list >> > > > >> > > > ------------------------------------------------------------------------------ >> > > > Beautiful is writing same markup. Internet Explorer 9 supports >> > > > standards for HTML5, CSS3, SVG 1.1, ECMAScript5, and DOM L2 & L3. >> > > > Spend less time writing and rewriting code and more time creating >> > > > great experiences on the web. Be a part of the beta today. >> > > > http://p.sf.net/sfu/beautyoftheweb >> > > > - >> > > > Forwarded by the Webmin mailing list at >> > > > web...@li... To remove yourself from this >> > > > list, go to >> > > > http://lists.sourceforge.net/lists/listinfo/webadmin-list >> > >> > ------------------------------------------------------------------------------ >> > Beautiful is writing same markup. Internet Explorer 9 supports >> > standards for HTML5, CSS3, SVG 1.1, ECMAScript5, and DOM L2 & L3. >> > Spend less time writing and rewriting code and more time creating >> > great experiences on the web. Be a part of the beta today. >> > http://p.sf.net/sfu/beautyoftheweb >> > - >> > Forwarded by the Webmin mailing list at >> > web...@li... To remove yourself from this >> > list, go to http://lists.sourceforge.net/lists/listinfo/webadmin-list >> >> ------------------------------------------------------------------------------ >> Beautiful is writing same markup. Internet Explorer 9 supports >> standards for HTML5, CSS3, SVG 1.1, ECMAScript5, and DOM L2 & L3. >> Spend less time writing and rewriting code and more time creating great >> experiences on the web. Be a part of the beta today. >> http://p.sf.net/sfu/beautyoftheweb >> - >> Forwarded by the Webmin mailing list at >> web...@li... >> To remove yourself from this list, go to >> http://lists.sourceforge.net/lists/listinfo/webadmin-list > > ------------------------------------------------------------------------------ > Beautiful is writing same markup. Internet Explorer 9 supports > standards for HTML5, CSS3, SVG 1.1, ECMAScript5, and DOM L2 & L3. > Spend less time writing and rewriting code and more time creating great > experiences on the web. Be a part of the beta today. > http://p.sf.net/sfu/beautyoftheweb > - > Forwarded by the Webmin mailing list at > web...@li... > To remove yourself from this list, go to > http://lists.sourceforge.net/lists/listinfo/webadmin-list > |