User is not in the sudoers file. This incident will be reported.

HTop · 03-20-2024, 06:03 AM

Hello,
I use RHEL 8.9 update today.
I joined my Active Directory domain animals.internal with realm join.
I permitted users of group koalas@animals.internal to log on through SSH.

Then the user pete (member of koalas) is able to log on on RHEL server.

I created a file called /etc/sudoers.d/animals.internal with the following text:

%koalas@animals.internal ALL=(ALL) NOPASSWD:ALL

But when pete runs "sudo su -", he gets
pete@animals.internal is not in the sudoers file. This incident will be reported.

I checked the syntax and it's ok.

visudo -c /etc/sudoers.d/animals.internal
/etc/sudoers.d/animals.internal: parsed OK

If I move the line %koalas@animals.internal ALL=(ALL) NOPASSWD:ALl on /etc/sudoers file, it works.

/etc/sudoers last line is
#includerdir /etc/sudoers.d/

The command ls -la /etc/sudoers.d/animals.internal
returns -r--r-----
Selinux is disabled.

What did I do wrong?

Sudo version is 1.9.5p2

Keith Hedger · 03-20-2024, 06:59 AM

You need to uncomment this line:

Code:

#includerdir /etc/sudoers.d/

otherwise it wont be run.

HTop · 03-20-2024, 07:35 AM

Reading the man of sudoers, lines is that start with # are comments unless the # is immediately followed by either include or includedir.

pan64 · 03-20-2024, 07:43 AM

in that case I think the permissions on that file is not accepted by sudo. Or something similar happened.
by the way sudo and su should not be used together (but it is another issue).

rknichols · 03-20-2024, 08:05 AM

Quote:

Originally Posted by HTop

/etc/sudoers last line is
#includerdir /etc/sudoers.d/

That should be "#includedir", not "#includerdir".

The misspelling makes that line a comment, and thus no syntax error found.

jefro · 03-20-2024, 03:32 PM

Isn't there some issue with ssh access on this?? I forget.

sundialsvcs · 03-20-2024, 04:01 PM

That seems like a "lazy hack" on the part of the original programmer in question. Why not use another preceding character, like '$'? Oh well, water under the bridge now.

scasey · 03-20-2024, 04:16 PM

Quote:

Originally Posted by sundialsvcs

That seems like a "lazy hack" on the part of the original programmer in question. Why not use another preceding character, like '$'? Oh well, water under the bridge now.

You say "lazy hack." I say it's just dumb. I wonder what possessed that developer? <sigh>

jefro · 03-20-2024, 06:03 PM

One site said they used new @

rknichols · 03-20-2024, 06:11 PM

Quote:

Originally Posted by scasey

You say "lazy hack." I say it's just dumb. I wonder what possessed that developer? <sigh>

I suspect that it's just because "#include" is common in many other languages, and the programmer just got too used to typing it.

pan64 · 03-21-2024, 02:19 AM

Quote:

Originally Posted by scasey

You say "lazy hack." I say it's just dumb. I wonder what possessed that developer? <sigh>

yes, it is an extremely "inconvenient" construct, but perfect if you just want to get a rise out of the user

HTop · 03-25-2024, 09:00 AM

In the file I keep the original line
#includedir /etc/sudoers.d/
I wrote here as "#includerdir /etc/sudoers.d/" but it's "#includedir /etc/sudoers.d/" indeed.

Maybe I'll do some syscall tracking to address this strange behavior.