The issue started after upgrading a fully working server from CentOS 6.3 to CentOS 6.4 (both 32- and 64-bit).
User authorization and authentication are on MS Active Directory.
SSH and sudo work fine, but it is not possible to give those users access to Webmin.
It seems to be a problem with user groups from AD: to let my user log in again, I need to list my username explicitly in /etc/sudoers.
Working until CentOS 6.3:
%LinuxAdmin ALL=(ALL) NOPASSWD: ALL
Working on CentOS 6.4:
user.name ALL=(ALL) NOPASSWD: ALL
Only Webmin seems to be affected after the distro upgrade.
Extract from /var/log/secure
If you run the command "sudo -l -S" while SSHed in as one of the users you are trying to log in to Webmin as, what does it output?
Hi!
CentOS 6.3, sudo is working and I am able to log in to Webmin, using an AD group in /etc/sudoers:
[user.name@web2 ~]$ sudo -l -S
Matching Defaults entries for user.name on this host:
requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS
DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1
PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE
LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY
LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL
LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
User user.name may run the following commands on this host:
(ALL) NOPASSWD: ALL
CentOS 6.4, same config as the working CentOS 6.3 but unable to log in to Webmin 1.620:
[user.name@test1 ~]$ sudo -l -S
Matching Defaults entries for user.name on this host:
requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS
DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1
PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE
LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY
LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL
LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
User user.name may run the following commands on this host:
(ALL) NOPASSWD: ALL
CentOS 6.4, added my username to /etc/sudoers, now able to log in to Webmin again:
[user.name@test1 ~]$ sudo -l -S
Matching Defaults entries for user.name on this host:
requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS
DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1
PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE
LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY
LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL
LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
User user.name may run the following commands on this host:
(ALL) NOPASSWD: ALL
(ALL) NOPASSWD: ALL
That looks OK to me - Webmin expects sudo to output either:
(ALL) ALL
or
(ALL) NOPASSWD: ALL
My guess is that this isn't working when sudo is run by Webmin. I suspect that the reason is related to the following line in /var/log/secure:
Mar 20 16:12:12 test1 sudo: nome.utente : command not allowed ; TTY=pts/1 ; PWD=/usr/libexec/webmin ; USER=root ; COMMAND=list
Do you perhaps have some sudo restriction set up to disallow use of -l?
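The check described in the reply above is a parse of "sudo -l -S" output. The script below is an added example, not Webmin's miniserv.pl code or sudo's, showing the three outcomes such a check has to distinguish on the samples seen in this thread: the single grant from a group rule, the duplicated grant when both a user and a group rule match, and the "Sorry, user ... may not run sudo" refusal that arrives glued to the "[sudo] password for ...:" prompt because -S writes the prompt to stderr. The samples are constructed from the output quoted above, not copied from the attachments, and the "(ALL : ALL) ALL" form accepted by the regex is a generalisation for newer sudo releases that the thread itself does not show.

```python
import re

# Constructed samples modelled on the "sudo -l -S" output quoted in this
# thread; they are not copies of the attached logs.
SAMPLE_63_GROUP = """\
Matching Defaults entries for user.name on this host:
    requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS
    DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS",
    secure_path=/sbin\\:/bin\\:/usr/sbin\\:/usr/bin

User user.name may run the following commands on this host:
    (ALL) NOPASSWD: ALL
"""

# 6.4 with the username listed as well as the group: the grant shows twice.
SAMPLE_64_DUPLICATED = SAMPLE_63_GROUP + "    (ALL) NOPASSWD: ALL\n"

# What miniserv.debug showed on 6.4 with only the group in sudoers: the -S
# password prompt (stderr) and the refusal arrive on the same stream.
SAMPLE_64_DENIED = (
    "[sudo] password for user.name: "
    "Sorry, user user.name may not run sudo on test1.\n"
)

# The two forms named in the reply above, plus the "(ALL : ALL) ALL" form
# newer sudo prints for an "ALL=(ALL:ALL) ALL" rule (an addition here; the
# thread only shows the first two).
FULL_ROOT = re.compile(r"^\(ALL(?:\s*:\s*ALL)?\)\s+(?:NOPASSWD:\s*)?ALL$")
DENIAL = re.compile(
    r"(Sorry, user \S+ may not run sudo on \S+\.|\S+ is not in the sudoers file\.)"
)
PROMPT = re.compile(r"^\[sudo\] password for \S+:\s*", re.M)


def strip_prompt(text):
    """Drop the '[sudo] password for X:' prompt that -S emits before any output."""
    return PROMPT.sub("", text, count=1)


def command_entries(text):
    """Privilege lines after 'may run the following commands', whitespace-trimmed."""
    entries, in_list = [], False
    for line in strip_prompt(text).splitlines():
        if "may run the following commands" in line:
            in_list = True
            continue
        if in_list and line.strip():
            entries.append(line.strip())
    return entries


def grants_full_root(text):
    """True when at least one entry is an unrestricted root grant.
    A duplicated grant (user rule and group rule both matching) is still a grant."""
    return any(FULL_ROOT.match(e) for e in command_entries(text))


def denial_reason(text):
    """sudo's refusal text, or None if a listing was produced."""
    m = DENIAL.search(strip_prompt(text))
    return m.group(1) if m else None


def classify(text):
    """'denied' / 'full-root' / 'restricted': the outcomes a login check must
    tell apart before letting the account administer the server."""
    if denial_reason(text):
        return "denied"
    return "full-root" if grants_full_root(text) else "restricted"


if __name__ == "__main__":
    for name, sample in (("6.3 group rule", SAMPLE_63_GROUP),
                         ("6.4 user+group", SAMPLE_64_DUPLICATED),
                         ("6.4 inside Webmin", SAMPLE_64_DENIED)):
        print(f"{name:18s} -> {classify(sample)} {command_entries(sample)}")
```

Feeding it the real thing is `sudo -l -S < /dev/null 2>&1 | python3 -c 'import sys, check; print(check.classify(sys.stdin.read()))'` with the block saved as check.py; merging stderr into stdout is deliberate, since that is how the prompt and the refusal end up on one line in the debug log quoted later in this thread.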
No, we haven't. Attached are our sudo.conf, sudoers, sudo-ldap (empty) and access.conf.
Those errors disappear and I'm able to log in to Webmin simply by adding my username to /etc/sudoers, so I think that it is a problem while parsing user group membership: in SSH, "sudo -l -S" output on a CentOS 6.4 with my username listed explicitly in sudoers shows my entry duplicated and Webmin allows the login, while after removing my username but not my user group from sudoers "sudo -l -S" shows my entry only once and Webmin rejects my login with that error message.
So I think it means that sudo works fine but Webmin doesn't recognise my username as a member of an authorized group.
Is there a debug mode I can use to verify this?
Sudo config files and access.conf
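The post above suspects that group membership, not the sudoers rule, is what differs when sudo is started by Webmin. There are two group lists that can disagree: the one the name service (winbind here) reports for the account, and the one the process actually carries in the kernel, which is only loaded by initgroups()/setgroups() at login or at a uid switch. A daemon that drops to a user with setgid()+setuid() alone leaves the kernel list as it was, and any check that reads getgroups() instead of re-querying NSS will not see the AD groups (sudo 1.8's sudo.conf(5) has a group_source setting that selects between the two sources). The script below is an added diagnostic, not Webmin's or sudo's code: run from an SSH shell it compares both lists for the current account; run as root with a username argument it forks twice, switching uid once with and once without initgroups(), and shows which NSS groups each variant is missing.

```python
import os
import pwd


def nss_group_list(username):
    """Group IDs the name service (local /etc/group, winbind, sssd, ...) reports
    for username, resolved as getgrouplist(3) does: primary plus supplementary."""
    pw = pwd.getpwnam(username)
    return sorted(set(os.getgrouplist(username, pw.pw_gid)))


def process_group_list():
    """Group IDs this process actually carries in the kernel; a privilege check
    that reads getgroups(2) sees exactly this, whatever the directory says."""
    return sorted(set(os.getgroups()) | {os.getegid()})


def groups_not_held(username):
    """NSS groups for username missing from this process's kernel list.
    Non-empty means the process reached this uid without initgroups()/setgroups(),
    or was started before the membership was added in the directory."""
    return sorted(set(nss_group_list(username)) - set(process_group_list()))


def switch_and_check(username, call_initgroups):
    """Drop to username in this process (needs root) and report the gap.
    call_initgroups=False models a daemon that only does setgid()+setuid(): the
    kernel list is left as inherited from the parent (gid 0 included if the
    parent was root, which is a privilege-drop bug in its own right)."""
    pw = pwd.getpwnam(username)
    os.setgid(pw.pw_gid)
    if call_initgroups:
        os.initgroups(username, pw.pw_gid)   # supplementary groups from NSS
    os.setuid(pw.pw_uid)
    return groups_not_held(username)


def compare_in_children(username):
    """Run both variants in forked children so the caller keeps its privileges.
    Returns {"initgroups": [...], "setuid-only": [...]}; a string holds the
    error if the switch failed (typically: not running as root)."""
    results = {}
    for label, flag in (("initgroups", True), ("setuid-only", False)):
        r, w = os.pipe()
        pid = os.fork()
        if pid == 0:                       # child: switch, report, exit
            os.close(r)
            try:
                msg = ",".join(map(str, switch_and_check(username, flag)))
            except OSError as e:
                msg = f"error: {e}"
            os.write(w, msg.encode())
            os._exit(0)
        os.close(w)
        data = os.read(r, 65536).decode()
        os.close(r)
        os.waitpid(pid, 0)
        results[label] = data if data.startswith("error") else [int(g) for g in data.split(",") if g]
    return results


if __name__ == "__main__":
    import sys
    user = sys.argv[1] if len(sys.argv) > 1 else pwd.getpwuid(os.geteuid()).pw_name
    print("NSS groups     :", nss_group_list(user))
    print("process groups :", process_group_list())
    print("not held here  :", groups_not_held(user))
    if os.geteuid() == 0:
        for label, gap in compare_in_children(user).items():
            print(f"after {label:11s}: missing {gap}")
```

On a host where the AD group is the one granting sudo, the interesting line is the "setuid-only" one: if the group that carries the sudoers rule appears there and not under "initgroups", a helper that switches uid without initgroups() would get exactly the "may not run sudo" refusal quoted later in this thread, while the same user's SSH shell, whose login did call initgroups(), lists the grant normally.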
A clarification: the same Webmin 1.620 and sudo configuration allowed users enabled for sudo to log in to Webmin up to CentOS 6.3, and it is still working on the server not updated yet.
The problem appears only after the upgrade to version 6.4 (both on 32- and 64-bit).
You can edit the file /etc/webmin/miniserv.conf and add the line
debuglog=/var/log/miniserv.debug
then run /etc/webmin/restart
This will log additional debug information to that miniserv.debug file when a user logs in, which may be useful for determining why sudo-capable accounts are being rejected.
Attached are some logs.
In directory "user" there are some Webmin logs obtained with my username in /etc/sudoers.
In directory "group" there are the same Webmin logs with only my AD group (not the primary one, but the one that is used to grant access on our Linux servers) in /etc/sudoers.
As shown at lines 143 and 144, starting from CentOS 6.4 the group membership is no longer usable to check sudo permissions:
check_sudo_permissions: got [sudo] password for user.name: Sorry, user user.name may not run sudo on test1.
validate_user: sudo failed
In directory "63" I put some logs that I got from a CentOS 6.3 server with only my user group in /etc/sudoers and where group membership works fine.
Debug log
I'm not sure why sudo is able to use group membership when run from the command line, but not when run from Webmin.
Is there perhaps some environment variable that needs to be set for sudo to be able to contact Active Directory?
No... I don't think so.
I have a kickstart script which uses authconfig to configure the join to AD.
The environment variables which are shown by "sudo -l -S" are the same. It happens also on a fresh install (32-bit).
I use PAM and winbind to communicate with AD, so it may be a problem with those modules...
I think the only way to be sure what is going wrong here would be to run strace on sudo when it is run by Webmin. But that would involve making a change to Webmin's miniserv.pl file.
I've no experience in programming...
Is it a modification that I can do by myself, or does it require the source code to recompile miniserv.pl? Otherwise, if you provide a miniserv.pl ready for this kind of strace, I can try...
You could do this as follows :
1. Edit the file /usr/libexec/webmin/miniserv.pl and change line 5280 to :
exec("strace -o /tmp/strace.out sudo -l -S");
2. Run /etc/webmin/restart
3. Try to login
4. Copy the file /tmp/strace.out and attach it to this bug report.
Hi!
After editing the file /usr/libexec/webmin/miniserv.pl as requested:
5280: exec("strace -o /tmp/strace.out sudo -l -S");
5281: close(SUDOr);
Webmin crashes every time I try to log in with a user different from root (I get an HTTP error code 324). I get the same problem with my username in sudoers and even without it.
Anyway, in miniserv.error an error seems to have appeared that may send us in the right direction: without the modification of line 5280, I have no error in that log.
A valid TTY is required to use sudo on our servers, so the user who is trying to log in to Webmin has a valid TTY.
Log with sudo strace in webmin
You might need to delete the file /tmp/strace.out before logging in as a non-root user, as strace will be run as that user and won't have permission to overwrite a /tmp/strace.out file that was written by root.
Hi, sorry for delay.
With the modification that you indicated, Webmin breaks web sessions even on CentOS 6.3 servers, where the normal login with sudo works.
Logging in as root, however, gives no problem on either CentOS 6.3 or CentOS 6.4.
If it helps, I have attached the logs taken from this attempt.
I moved line 5280 down to insert the one that you sent me, so the old line 5280 is now line 5281; is that correct?
sudo_strace_2
You shouldn't need to insert a line... just change the line:
exec("sudo -l -S");
to :
exec("strace -o /tmp/strace.out sudo -l -S");
Ok.
But in my /usr/libexec/webmin/miniserv.pl, line 5280 is:
"close(SUDOr);"
exec("sudo -l -S"); is on line 5275.
Done, but now (adding strace.out in the right place) network user logins always fail, even when adding them to /etc/sudoers.
The problem happens also on CentOS 6.3 (sudo fails).
Logs attached (sudo_strace_3).
sudo_strace_3
I think the problem here is that strace cannot run sudo, because sudo is a setuid root executable :-(
I don't have any other good ways to debug this, unfortunately...
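The last reply is right about why the wrapped command failed: when the tracer does not hold CAP_SYS_PTRACE, the kernel ignores the set-user-ID bit on execve, so a sudo started under an unprivileged strace runs as the plain user and cannot read sudoers. Tracing from the root side avoids that: as root, attach to the running server with `strace -f -o /tmp/miniserv.trace -p <pid of miniserv.pl>` (with -f, children forked after the attach are followed), attempt the login, then read the child that execs sudo. The script below is an added example, not Webmin's or sudo's code, for reading such a trace: for every pid that execve()s sudo (assumed at /usr/bin/sudo) it lists the credential calls made before the exec, whether setgroups() was among them, the group list sudo then read back with getgroups(), and whether sudo wrote its refusal. The two embedded traces are constructed to show the shape of both outcomes; they are not the attachments from this report.

```python
import re
from collections import defaultdict

# Constructed strace -f output, modelled on what a root-owned trace of
# miniserv.pl would contain around the login check.  Not taken from the
# attachments in this thread.
TRACE_NO_SETGROUPS = """\
4321  clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x7f0c12345678) = 4330
4330  setgid(1001)                        = 0
4330  setuid(10005)                       = 0
4330  execve("/usr/bin/sudo", ["sudo", "-l", "-S"], [/* 8 vars */]) = 0
4330  getgroups(0, NULL)                  = 1
4330  getgroups(1, [1001])                = 1
4330  write(2, "Sorry, user user.name may not run sudo on test1.\\n", 49) = 49
4321  wait4(4330, [{WIFEXITED(s) && WEXITSTATUS(s) == 1}], 0, NULL) = 4330
"""

TRACE_WITH_SETGROUPS = """\
4321  clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x7f0c12345678) = 4331
4331  setgid(1001)                        = 0
4331  setgroups(3, [1001, 10120, 10133])  = 0
4331  setuid(10005)                       = 0
4331  execve("/usr/bin/sudo", ["sudo", "-l", "-S"], [/* 8 vars */]) = 0
4331  getgroups(0, NULL)                  = 3
4331  getgroups(3, [1001, 10120, 10133])  = 3
4331  write(1, "    (ALL) NOPASSWD: ALL\\n", 24) = 24
"""

# "pid  name(args) = ret" as strace -f prints a completed call.
LINE = re.compile(r"^(\d+)\s+(\w+)\((.*)\)\s+=\s+(\S+)")
# Calls that change the credentials sudo will inherit across execve.
ID_CALLS = {"setuid", "setgid", "setgroups", "setresuid", "setresgid",
            "setreuid", "setregid", "setfsuid", "setfsgid"}


def parse(trace_text):
    """Yield (pid, syscall, args, ret) for each completed syscall line."""
    for line in trace_text.splitlines():
        m = LINE.match(line)
        if m:
            pid, call, args, ret = m.groups()
            yield int(pid), call, args, ret


def audit_sudo_children(trace_text, sudo_path="/usr/bin/sudo"):
    """For every pid that execve()s sudo: the credential calls made before the
    exec, whether setgroups() was one of them, the group list sudo saw via
    getgroups(), and whether sudo printed its refusal."""
    by_pid = defaultdict(list)
    for rec in parse(trace_text):
        by_pid[rec[0]].append(rec)
    findings = {}
    for pid, recs in by_pid.items():
        exec_idx = next((i for i, r in enumerate(recs)
                         if r[1] == "execve" and r[2].startswith(f'"{sudo_path}"')), None)
        if exec_idx is None:
            continue
        pre = [(r[1], r[2]) for r in recs[:exec_idx] if r[1] in ID_CALLS]
        groups_seen = None
        for r in recs[exec_idx + 1:]:
            if r[1] == "getgroups":
                m = re.search(r"\[([^\]]*)\]", r[2])   # the filled-in list, not the size probe
                if m:
                    groups_seen = [int(g) for g in m.group(1).split(",") if g.strip()]
        denied = any(r[1] == "write" and "may not run sudo" in r[2]
                     for r in recs[exec_idx + 1:])
        findings[pid] = {
            "pre_exec": pre,
            "setgroups_before_exec": any(c == "setgroups" for c, _ in pre),
            "groups_seen_by_sudo": groups_seen,
            "denied": denied,
        }
    return findings


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else TRACE_NO_SETGROUPS
    for pid, f in audit_sudo_children(text).items():
        print(f"pid {pid}: pre-exec {f['pre_exec']}, setgroups={f['setgroups_before_exec']}, "
              f"sudo saw {f['groups_seen_by_sudo']}, denied={f['denied']}")
```

Reading the result against the hypothesis raised earlier in this thread: a child that reaches execve of sudo with no setgroups() before it, and whose getgroups() then returns only the primary group, would explain a %group rule that matches from an SSH shell (where login loaded the supplementary groups) but not from the web server, with no difference visible in the sudoers file at all.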