Search Results

Search found 28 results on 2 pages for 'visudo'.

Page 1/2 | 1 2  | Next Page >

  • Auto-starting a GUI application that requires sudo

    - by nanostuff
    Question: I need to auto-start a GUI application that requires sudo. I know I need to edit the sudoers file with: sudo visudo However, I don't know what to write in the file. What I already tried: sudo visudo and then added the following: nanostuff ALL = NOPASSWD: /usr/lib/AirVPN/AirVPN.exe I also tried with: nanostuff ALL = NOPASSWD /usr/bin/X11/airvpn and nanostuff ALL = NOPASSWD /usr/bin/airvpn None of those worked. By doing: ps aux | grep airvpn I get the following output: nanostuff 6805 0.2 0.4 483520 17384 ? Sl 17:13 0:01 /usr/bin/gksu -u root -m AirVPN Client needs administrative privileges. Please enter your password. mono /usr/lib/AirVPN/AirVPN.exe path=/home/nanostuff/.airvpn root 6806 0.0 0.0 78604 2392 ? Ss 17:13 0:00 /usr/bin/sudo -H -S -p GNOME_SUDO_PASS -u root -- mono /usr/lib/AirVPN/AirVPN.exe path=/home/nanostuff/.airvpn root 6808 3.2 2.0 1257532 83032 ? Sl 17:13 0:12 mono /usr/lib/AirVPN/AirVPN.exe path=/home/nanostuff/.airvpn root 6832 0.0 0.0 22652 3336 ? S 17:14 0:00 /usr/sbin/openvpn --config /home/nanostuff/.airvpn/384ef91f85df5ea2abc88c7416b95bbdf2bc4299edd2850614d4e343ba721ae3.tmp.ovpn nanostuff 6951 0.0 0.0 18932 932 pts/2 S+ 17:20 0:00 grep --color=auto airvpn Additional info: OS: Ubuntu 14.04 64bits Application: It's a VPN client

    Read the article

  • How disable mysql command in sudoers file?

    - by Carlos A. Junior
    How i can disable /usr/bin/mysql command in sudoers file ? ... Actually I've tryed use with this way: %tailonly ALL=!/usr/bin/mysql But when i'm access if user 'tailonly' of group 'tailonly', this command still enabled. In resume, i'm only want that 'tailonly' user access 'tail -f /usr/app/*.log' ... This is possible ? Edit: With this config, the user 'tailonly' still can access mysql terminal with 'mysql' command: $: sudo su $: visudo Cmnd_Alias MYSQL = /usr/bin/mysql Cmnd_Alias TAIL=/usr/bin/tail -f /jacad/jacad3/logs/*.log # User privilege specification root ALL=(ALL:ALL) ALL # Members of the admin group may gain root privileges %admin ALL=(ALL) ALL # Allow members of group sudo to execute any command %sudo ALL=(ALL:ALL) ALL %swa ALL=/etc/init.d/jacad3 stop %swa ALL=/etc/init.d/jacad3 start %swa ALL=/etc/init.d/jacad3 restart %swa ALL=sudoedit /jacad/jacad3/bin/jacad_start.sh %tailonly ALL=ALL,!MYSQL

    Read the article

  • Ubuntu, User Accounts messed up

    - by Vor
    I need to fix Ubuntu Accounts some how but don't really see how it could be done. The problem is: files /etc/passwd and /etc/hostname and /etc/hosts where changed. /etc/passwd After John:x:1000:1000:John,,,:/home/serg:/bin/bash Befoure serg:x:1000:1000:John,,,:/home/serg:/bin/bash /etc/hosts After 127.0.0.1 localhost 127.0.1.1 John-The-Rippe Befoure 127.0.0.1 localhost 127.0.1.1 serg-Protege /etc/hostname After John-The-Ripper Befoure serg-PORTEGE-Z835 I was trying to simply changed this files but can not do this because permission denied. When I'm trying to login as a root I got this message: John@John-The-Ripper:~$ sudo -s [sudo] password for John: John is not in the sudoers file. This incident will be reported The file sudoers is empty: John@John-The-Ripper:~$ vi /etc/sudoers When I type users in cp: John@John-The-Ripper:~$ users John John When I type id, I got this: John@John-The-Ripper:~$ id uid=1000(John) gid=1000(serg) groups=1000(serg) This doesn't work eather: John@John-The-Ripper:~$ usermod -l John serg usermod: user 'serg' does not exist John@John-The-Ripper:~$ adduser serg adduser: Only root may add a user or group to the system. ater. Then I tried to go to the GRUB menu and from there log in as a root. I did this, but however When I tryed to create user serg, It gave me an error that group already exist. When I tried to change /etc/passwd it said 'permission denied' And this doens't do the trick: John@John-The-Ripper:~$ visudo visudo: /etc/sudoers: Permission denied visudo: /etc/sudoers: Permission denied Also The last thing I tried to do is to create a bootable USB and reinstall ubuntu, however I can not open USB-Creator because it asked me a root passwd. But it doesn't work. HELP ME PLEASE =)))

    Read the article

  • Allow user to SUDO a script without password.

    - by John Isaacks
    I have a php script with this: <?php #echo exec('whoami'); $output = shell_exec('bash /usr/local/svn/bash_repo/make-live'); echo "$output"; ?> The make-live script contains this: #!/bin/bash cd /var/www-cake sudo svn checkout file:///usr/local/svn/bash_repo/repo/ echo "Head revision has been pushed to live server" So the PHP user who is www-data needs to have nopasswd for that script. I am told I need to add: www-data ALL=NOPASSWD: /usr/local/svn/bash_repo/make-live To sudoers to allow this. First I run sudo visudo but I have no experience with vi so I try to open it in gedit with export EDITOR=gedit && sudo -E visudo which then just opens a sudoers.tmp file which is empty. I add the line and save it. But it doesn't do save. So I just try sudo visudo and I add the line right beneath this part: # User privilege specification root ALL=(ALL) ALL www-data ALL=NOPASSWD: /usr/local/svn/bash_repo/make-live I closed out sudoers and reopened to verify that it has saved. I even restart apache. I run the php file and it still doesn't work. What am I missing?

    Read the article

  • Wine + InstallShield can't find a locale challenged .msi file

    - by visudo
    I am trying to install this cheap old Japanese game I've bought but I can't get past the Installer. The CD contains a File named D:\[Japanese Characters].msi and Installshield running under wine is unable to find it giving me error 1155. I have tried mounting the CD with iocharset=sjis as well as the default utf-8 and also running the installer with and without LANG=ja_JP.Shift-JIS, but it doesn't make a difference. Also the file really is in D:. Any idea?

    Read the article

  • Allow any arguments for a given command with sudo

    - by Mark L
    I have the following sudo config entry which I added via sudo visudo: mark ALL = NOPASSWD: /usr/bin/lxc-ls* I can run lxc-ls with my user fine but I can't append any parameters without it demanding I prefix the command with sudo. $ whoami mark $ lxc-ls test-container $ lxc-ls --fancy lxc-ls: error: You must be root to access advanced container properties. Try running: sudo /usr/bin/lxc-ls Any idea how I can edit via sudo visudo to allow for any argument after the command? I don't want to prefix the command with sudo as I'm using a python library to execute the command and it's being funny about sudo prefixes.

    Read the article

  • Sudo and startup script

    - by Pitto
    Hello my friends. I have a new asus 1215n and I need to digit commands to enable multitouch. No problem: I've made a script. Since this netbook also need manual activation of the wifi driver the complete script is: #!/bin/bash # # list of synaptics device properties http://www.x.org/archive/X11R7.5/doc/man/man4/synaptics.4.html#sect4 # list current synaptics device properties: xinput list-props '"SynPS/2 Synaptics TouchPad"' # sleep 5 #added delay... xinput set-int-prop "SynPS/2 Synaptics TouchPad" "Device Enabled" 8 1 xinput --set-prop --type=int --format=32 "SynPS/2 Synaptics TouchPad" "Synaptics Two-Finger Pressure" 4 xinput --set-prop --type=int --format=32 "SynPS/2 Synaptics TouchPad" "Synaptics Two-Finger Width" 9 # Below width 1 finger touch, above width simulate 2 finger touch. - value=pad-pixels xinput --set-prop --type=int --format=8 "SynPS/2 Synaptics TouchPad" "Synaptics Edge Scrolling" 1 1 0 # vertical, horizontal, corner - values: 0=disable 1=enable xinput --set-prop --type=int --format=32 "SynPS/2 Synaptics TouchPad" "Synaptics Jumpy Cursor Threshold" 250 # stabilize 2 finger actions - value=pad-pixels #xinput --set-prop --type=int --format=8 "SynPS/2 Synaptics TouchPad" "Synaptics Tap Action" 0 0 0 0 1 2 3 # pad corners rt rb lt lb tap fingers 1 2 3 (can't simulate more then 2 tap fingers AFAIK) - values: 0=disable 1=left 2=middle 3=right etc. (in FF 8=back 9=forward) xinput --set-prop --type=int --format=8 "SynPS/2 Synaptics TouchPad" "Synaptics Two-Finger Scrolling" 1 0 # vertical scrolling, horizontal scrolling - values: 0=disable 1=enable #xinput --set-prop --type=int --format=8 "SynPS/2 Synaptics TouchPad" "Synaptics Circular Scrolling" 1 #xinput --set-prop --type=int --format=8 "SynPS/2 Synaptics TouchPad" "Synaptics Circular Scrolling Trigger" 3 sudo modprobe lib80211 sudo insmod /home/pitto/Drivers/broadcom/wl.ko exit I've saved the script, then put it in my home, then chmod +x scriptname and then added it to startup applications. Then I did: sudo visudo and added this row: myusername ALL=(ALL) NOPASSWD: /home/scriptname rebooted and... Multitouch works but wifi not. When I manually launch the script it asks for sudo password so I thought it was because of modprobe and insmod commands and I've added those commands to sudo visudo. Nothing. What am I doing wrong?

    Read the article

  • User not in the sudoers file. This incident will be reported

    - by Sergiy Byelozyorov
    I need to install a package. For that I need root access. However the system says that I am not in sudoers file. When trying to edit one, it complains alike! How I am supposed to add myself to the sudoers file if I don't have the right to edit one? I have installed this system and only administrator. What can I do? Edit: I have tried visudo already. It requires me to be in sudoers in the first place. amarzaya@linux-debian-gnu:/$ sudo /usr/sbin/visudo We trust you have received the usual lecture from the local System Administrator. It usually boils down to these three things: #1) Respect the privacy of others. #2) Think before you type. #3) With great power comes great responsibility. [sudo] password for amarzaya: amarzaya is not in the sudoers file. This incident will be reported. amarzaya@linux-debian-gnu:/$

    Read the article

  • Getting permission denied error

    - by JM4
    On my Media Temple DV 4.0 server I am getting permission denied errors: -bash: cd: httpdocs: Permission denied If I switch from my login user to sudo (sudo su) or switch to root using su-, I can access the directory with any issue. This is just my site's files directory though so not sure why I'm being denied. Additionally, I added my user to the visudo commands file with: user ALL=(ALL) ALL Any suggestions to what else could be the issue?

    Read the article

  • CentoOS SSH Access

    - by Rodrigo
    I'm executed this commands with root user i'm on a CentOS 6.3 server: #useradd newuser #passwd newuser #visudo then I added this line at end of file: AllowUsers newuser #service sshd restart #exit Now, I can't access server with deployer or root user! Both accounts return: **Permission denied, please try again.** Any suggestions? EDIT: Why add AllowUsers newuser dont allows newuser to login by ssh?

    Read the article

  • 8 Ways to Tweak and Configure Sudo on Ubuntu

    - by Chris Hoffman
    Like most things on Linux, the sudo command is very configurable. You can have sudo run specific commands without asking for a password, restrict specific users to only approved commands, log commands run with sudo, and more. The sudo command’s behavior is controlled by the /etc/sudoers file on your system. This command must be edited with the visudo command, which performs syntax-checking to ensure you don’t accidentally break the file. HTG Explains: What Is Windows RT and What Does It Mean To Me? HTG Explains: How Windows 8′s Secure Boot Feature Works & What It Means for Linux Hack Your Kindle for Easy Font Customization

    Read the article

  • How do I allow a standard user to update the kernel modules for VMware?

    - by GUI Junkie
    I've set up VMWare Player for my wife. Every once in a while (notably after a kernel update), the VMWare Player needs to be compiled into the kernel. My spouse does not have su- activated (if anybody screws up the OS, it's going to be me). I'd like to give her permission to do this, but only for that program. Is this possible? Can it be done safely (for the OS)? How can it be done? Edit: I tried to add the following to visudo guijunkette ALL=(ALL) NOPASSWD: /usr/bin/vmware-modconfig When running with her user, after typing her password, the following error occurred: So, in the end, no cigar. Edit: I've given up on VMWare Player and moved to VirtualBox. Made a clean install.

    Read the article

  • sudo does not work in GUI after upgrade to 13.10

    - by Radim
    On 2 completely different machines I have the same problem after upgrading from 13.04 to 13.10: All programs/task requiering sudo permissions (software updater, starting synaptic, installing programs, shutdown) do not start / execute. No gksu (or other) window comes up. Synaptic never shows, software updater pops up with a "you are not allowed to perform this action" message. All programs / task work when started from terminal with sudo, like "sudo synaptics" asks for my password, starts and works as expected. I am in the admin group which is liked in sudoers config (verified with visudo and getent group admin). Some link from GUI to gksu (or similar) is broken. Please help! Radim

    Read the article

  • Ubuntu server 12.04 on AWS - How does the passwordless sudo work for the ubuntu user?

    - by aychedee
    I'm using Ubuntu server 12.04 on Amazon. I want to add a new user that has the same behaviour as the default ubuntu user. Specifically I want passwordless sudo for this new user. So I've added a new user and went to edit /etc/sudoers (using visudo of course). From reading that file it seemed like the default ubuntu user was getting it's passwordless sudo from being a member of the admin group. So I added my new user to that. Which didn't work. Then I tried adding the NOPASSWD directive to sudoers. Which also didn't work. Anyway, now I'm just curious. How does the ubuntu user get passwordless privileges if they aren't defined in /etc/sudoers. What is the mechanism that allows this?

    Read the article

  • How to make a normal user can install package with `pkg_add` on FreeBSD?

    - by Eonil
    How to make a normal user can install package with pkg_add on FreeBSD? pkg_add -r command fails with normal user with sudo. Downloading succeeds, but installation fails with this error message. Equal command executed successfully with root login. %sudo pkg_add -r apache22 Password: Error: Unable to get ftp://ftp.freebsd.org/pub/FreeBSD/ports/amd64/packages-8.1-release/Latest/apache22.tbz: Syntax error, command unrecognized pkg_add: unable to fetch 'ftp://ftp.freebsd.org/pub/FreeBSD/ports/amd64/packages-8.1-release/Latest/apache22.tbz' by URL % Assume my username as eonil. I added eonil ALL=(ALL) ALL code as next of root ALL=(ALL) ALL via visudo, and added the user to wheel group by pw usermod eonil -G wheel . But the user cannot install package with sudo pkg_add -r apache22. (not only the apache, any package.)

    Read the article

  • Bootstrap a debian build environment and build source packages with no root privileges

    - by Erwan Queffélec
    On debian squeeze, I am trying to do the following : fetch sources package from the wheezy source repository bootstrap a squeeze chroot for several architectures build the packages for several architectures (i386, amd64 + all and any) I want both the fetching, bootstrapping and build operation to be scriptable, repeatable, and run as a normal user. For the environment setup, I want to make as little use of the root account as possible (install the necessary dependencies, and maybe some visudo stuff). If possible I would like to avoid using a VM (pbuilder with user mode linux) So far I have tried several things with pbuilder (require root), debootstrap (require root) with little success. Here is an example script of what I want to do (does not work): #/bin/bash set -e set -x this=`readlink -f $0` this_dir=`dirname $this` archs='i386 amd64 any all' pushd $this_dir/src # I actually want the following line to work with a repo that # is not in /etc/apt/sources.list but that is another question apt-get source cyrus-imapd-2.4 popd for arch in $archs do build_dir=$this_dir/build/$arch/ pbuilder --create --configfile $build_dir/pbuilderrc --buildresult $build_dir/ pbuilder --build --configfile $build_dir/pbuilderrc --buildresult \ $build_dir/ $this_dir/src/*.dsc # of course I want to use the .dput.cf in /home/myuser/ # and not in /root/ dput $build_dir/$arch/*.changes done

    Read the article

  • How to make a non-root user to use chown for any user group files?

    - by user1877716
    I would like to make a user super powerful, with almost all root rights but unable to touch a the root user (to change the password of the root). My goal is to user "B" to manage my web server. The problem is user B need to able to run the chown and chmod commands on some files belonging to other users. I tried to put B in root group or use visudo, but it's not enough. I'm working an Centos 6 system. If some body have ideas!

    Read the article

  • How does Amazon ec2-user get its sudo rights

    - by Johan
    I am looking for where the default Amazon AMI linux image sets up the privileges for the default ec2-user account. After logging in with this account I can use sudo successfully. Checking via the sudoers file, which I open by running visudo (with no other options) I see a few default settings and permissions for root ALL ALL So ... Where is the permissions for ec2-user assigned? I have not yet tried to add a new permission but ultimately I want to resign ec2-user for systems management tasks and use a non-full root user for administering the applications (stop and start mysql, httpd, edit apache's vhost files, and upload / edit web content under the web root)

    Read the article

  • Password not working for sudo ("Authentication failure")

    - by Souta
    Before I mention anything further, DO NOT give me a response saying that terminal won't show password input. I'm AWARE of that. I'm typing my user password in (not a capslock issue), and for some reason it still says 'Authentication Failure'. Is there some other password (one I'm not aware of) I'm supposed to be using other than my user password? I've had this ubuntu before, on another hard drive and I didn't have this problem. (And it was the same ubuntu, ubuntu 12.04 LTS) ai@AiNekoYokai:~$ groups ai adm cdrom sudo dip plugdev lpadmin sambashare ai@AiNekoYokai:~$ lsb_release -rd Description: Ubuntu 12.04 LTS Release: 12.04 ai@AiNekoYokai:~$ pkexec cat /etc/sudoers # # This file MUST be edited with the 'visudo' command as root. # # Please consider adding local content in /etc/sudoers.d/ instead of # directly modifying this file. # # See the man page for details on how to write a sudoers file. # Defaults env_reset Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" # Host alias specification # User alias specification # Cmnd alias specification # User privilege specification root ALL=(ALL:ALL) ALL # Members of the admin group may gain root privileges %admin ALL=(ALL) ALL # Allow members of group sudo to execute any command %sudo ALL=(ALL:ALL) ALL # See sudoers(5) for more information on "#include" directives: #includedir /etc/sudoers.d I can log in with my password, but it's not accepted as valid for authentication <-- That is pretty much my issue. (Although, I haven't gone into recovery mode.) I've ran: ai@AiNekoYokai:~$ ls /etc/sudoers.d README And also reinstalled sudo with: pkexec apt-get update pkexec apt-get --purge --reinstall install sudo pkexec usermod -a -G admin $USER <- Says admin does not exist su $USER <- worked for me, however, my password still does not do much (in sense of not working for other things) I changed my password with pkexec passwd $USER. I was able to change it no problem. gksudo xclock was something I was able to get into, no problem. (Clock showed) ai@AiNekoYokai:~$ gksudo xclock

    Read the article

  • How to run sudo command with no password?

    - by aychedee
    tl;dr: How does the ubuntu user on the AWS images for Ubuntu Server 12.04 have passwordless sudo for all commands when there is no configuration for it in `/etc/sudoers'? I'm using Ubuntu server 12.04 on Amazon. I want to add a new user that has the same behaviour as the default ubuntu user. Specifically I want passwordless sudo for this new user. So I've added a new user and went to edit /etc/sudoers (using visudo of course). From reading that file it seemed like the default ubuntu user was getting it's passwordless sudo from being a member of the admin group. So I added my new user to that. Which didn't work. Then I tried adding the NOPASSWD directive to sudoers. Which also didn't work. Anyway, now I'm just curious. How does the ubuntu user get passwordless privileges if they aren't defined in /etc/sudoers. What is the mechanism that allows this?

    Read the article

  • nagios NRPE: Unable to read output

    - by user555854
    I currently set up a script to restart my http servers + php5 fpm but can't get it to work. I have googled and have found that mostly permissions are the problems of my error but can't figure it out. I start my script using /usr/lib/nagios/plugins/check_nrpe -H bart -c restart_http This is the output in my syslog on the node I want to restart Jun 27 06:29:35 bart nrpe[8926]: Connection from 192.168.133.17 port 25028 Jun 27 06:29:35 bart nrpe[8926]: Host address is in allowed_hosts Jun 27 06:29:35 bart nrpe[8926]: Handling the connection... Jun 27 06:29:35 bart nrpe[8926]: Host is asking for command 'restart_http' to be run... Jun 27 06:29:35 bart nrpe[8926]: Running command: /usr/bin/sudo /usr/lib/nagios/plugins/http-restart Jun 27 06:29:35 bart nrpe[8926]: Command completed with return code 1 and output: Jun 27 06:29:35 bart nrpe[8926]: Return Code: 1, Output: NRPE: Unable to read output Jun 27 06:29:35 bart nrpe[8926]: Connection from 192.168.133.17 closed. If I run the command myself it runs fine (but asks for a password) (nagios user) This are the script permission and the script contents. -rwxrwxrwx 1 nagios nagios 142 Jun 26 21:41 /usr/lib/nagios/plugins/http-restart #!/bin/bash echo "ok" /etc/init.d/nginx stop /etc/init.d/nginx start /etc/init.d/php5-fpm stop /etc/init.d/php5-fpm start echo "done" I also added this line to visudo nagios ALL=(ALL) NOPASSWD: /usr/lib/nagios/plugins/ My local nagios nrpe.cfg ############################################################################# # Sample NRPE Config File # Written by: Ethan Galstad ([email protected]) # # # NOTES: # This is a sample configuration file for the NRPE daemon. It needs to be # located on the remote host that is running the NRPE daemon, not the host # from which the check_nrpe client is being executed. ############################################################################# # LOG FACILITY # The syslog facility that should be used for logging purposes. log_facility=daemon # PID FILE # The name of the file in which the NRPE daemon should write it's process ID # number. The file is only written if the NRPE daemon is started by the root # user and is running in standalone mode. pid_file=/var/run/nagios/nrpe.pid # PORT NUMBER # Port number we should wait for connections on. # NOTE: This must be a non-priviledged port (i.e. > 1024). # NOTE: This option is ignored if NRPE is running under either inetd or xinetd server_port=5666 # SERVER ADDRESS # Address that nrpe should bind to in case there are more than one interface # and you do not want nrpe to bind on all interfaces. # NOTE: This option is ignored if NRPE is running under either inetd or xinetd #server_address=127.0.0.1 # NRPE USER # This determines the effective user that the NRPE daemon should run as. # You can either supply a username or a UID. # # NOTE: This option is ignored if NRPE is running under either inetd or xinetd nrpe_user=nagios # NRPE GROUP # This determines the effective group that the NRPE daemon should run as. # You can either supply a group name or a GID. # # NOTE: This option is ignored if NRPE is running under either inetd or xinetd nrpe_group=nagios # ALLOWED HOST ADDRESSES # This is an optional comma-delimited list of IP address or hostnames # that are allowed to talk to the NRPE daemon. # # Note: The daemon only does rudimentary checking of the client's IP # address. I would highly recommend adding entries in your /etc/hosts.allow # file to allow only the specified host to connect to the port # you are running this daemon on. # # NOTE: This option is ignored if NRPE is running under either inetd or xinetd allowed_hosts=127.0.0.1,192.168.133.17 # COMMAND ARGUMENT PROCESSING # This option determines whether or not the NRPE daemon will allow clients # to specify arguments to commands that are executed. This option only works # if the daemon was configured with the --enable-command-args configure script # option. # # *** ENABLING THIS OPTION IS A SECURITY RISK! *** # Read the SECURITY file for information on some of the security implications # of enabling this variable. # # Values: 0=do not allow arguments, 1=allow command arguments dont_blame_nrpe=0 # COMMAND PREFIX # This option allows you to prefix all commands with a user-defined string. # A space is automatically added between the specified prefix string and the # command line from the command definition. # # *** THIS EXAMPLE MAY POSE A POTENTIAL SECURITY RISK, SO USE WITH CAUTION! *** # Usage scenario: # Execute restricted commmands using sudo. For this to work, you need to add # the nagios user to your /etc/sudoers. An example entry for alllowing # execution of the plugins from might be: # # nagios ALL=(ALL) NOPASSWD: /usr/lib/nagios/plugins/ # # This lets the nagios user run all commands in that directory (and only them) # without asking for a password. If you do this, make sure you don't give # random users write access to that directory or its contents! command_prefix=/usr/bin/sudo # DEBUGGING OPTION # This option determines whether or not debugging messages are logged to the # syslog facility. # Values: 0=debugging off, 1=debugging on debug=1 # COMMAND TIMEOUT # This specifies the maximum number of seconds that the NRPE daemon will # allow plugins to finish executing before killing them off. command_timeout=60 # CONNECTION TIMEOUT # This specifies the maximum number of seconds that the NRPE daemon will # wait for a connection to be established before exiting. This is sometimes # seen where a network problem stops the SSL being established even though # all network sessions are connected. This causes the nrpe daemons to # accumulate, eating system resources. Do not set this too low. connection_timeout=300 # WEEK RANDOM SEED OPTION # This directive allows you to use SSL even if your system does not have # a /dev/random or /dev/urandom (on purpose or because the necessary patches # were not applied). The random number generator will be seeded from a file # which is either a file pointed to by the environment valiable $RANDFILE # or $HOME/.rnd. If neither exists, the pseudo random number generator will # be initialized and a warning will be issued. # Values: 0=only seed from /dev/[u]random, 1=also seed from weak randomness #allow_weak_random_seed=1 # INCLUDE CONFIG FILE # This directive allows you to include definitions from an external config file. #include=<somefile.cfg> # INCLUDE CONFIG DIRECTORY # This directive allows you to include definitions from config files (with a # .cfg extension) in one or more directories (with recursion). #include_dir=<somedirectory> #include_dir=<someotherdirectory> # COMMAND DEFINITIONS # Command definitions that this daemon will run. Definitions # are in the following format: # # command[<command_name>]=<command_line> # # When the daemon receives a request to return the results of <command_name> # it will execute the command specified by the <command_line> argument. # # Unlike Nagios, the command line cannot contain macros - it must be # typed exactly as it should be executed. # # Note: Any plugins that are used in the command lines must reside # on the machine that this daemon is running on! The examples below # assume that you have plugins installed in a /usr/local/nagios/libexec # directory. Also note that you will have to modify the definitions below # to match the argument format the plugins expect. Remember, these are # examples only! # The following examples use hardcoded command arguments... command[check_users]=/usr/lib/nagios/plugins/check_users -w 5 -c 10 command[check_load]=/usr/lib/nagios/plugins/check_load -w 15,10,5 -c 30,25,20 command[check_hda1]=/usr/lib/nagios/plugins/check_disk -w 20% -c 10% -p /dev/hda1 command[check_zombie_procs]=/usr/lib/nagios/plugins/check_procs -w 5 -c 10 -s Z command[check_total_procs]=/usr/lib/nagios/plugins/check_procs -w 150 -c 200 # The following examples allow user-supplied arguments and can # only be used if the NRPE daemon was compiled with support for # command arguments *AND* the dont_blame_nrpe directive in this # config file is set to '1'. This poses a potential security risk, so # make sure you read the SECURITY file before doing this. #command[check_users]=/usr/lib/nagios/plugins/check_users -w $ARG1$ -c $ARG2$ #command[check_load]=/usr/lib/nagios/plugins/check_load -w $ARG1$ -c $ARG2$ #command[check_disk]=/usr/lib/nagios/plugins/check_disk -w $ARG1$ -c $ARG2$ -p $ARG3$ #command[check_procs]=/usr/lib/nagios/plugins/check_procs -w $ARG1$ -c $ARG2$ -s $ARG3$ command[restart_http]=/usr/lib/nagios/plugins/http-restart # # local configuration: # if you'd prefer, you can instead place directives here include=/etc/nagios/nrpe_local.cfg # # you can place your config snipplets into nrpe.d/ include_dir=/etc/nagios/nrpe.d/ My Sudoers files # /etc/sudoers # # This file MUST be edited with the 'visudo' command as root. # # See the man page for details on how to write a sudoers file. # Defaults env_reset # Host alias specification # User alias specification # Cmnd alias specification # User privilege specification root ALL=(ALL) ALL nagios ALL=(ALL) NOPASSWD: /usr/lib/nagios/plugins/ # Allow members of group sudo to execute any command # (Note that later entries override this, so you might need to move # it further down) %sudo ALL=(ALL) ALL # #includedir /etc/sudoers.d Hopefully someone can help!

    Read the article

  • How can I implement ansible with per-host passwords, securely?

    - by supervacuo
    I would like to use ansible to manage a group of existing servers. I have created an ansible_hosts file, and tested successfully (with the -K option) with commands that only target a single host ansible -i ansible_hosts host1 --sudo -K # + commands ... My problem now is that the user passwords on each host are different, but I can't find a way of handling this in Ansible. Using -K, I am only prompted for a single sudo password up-front, which then seems to be tried for all subsequent hosts without prompting: host1 | ... host2 | FAILED => Incorrect sudo password host3 | FAILED => Incorrect sudo password host4 | FAILED => Incorrect sudo password host5 | FAILED => Incorrect sudo password Research so far: a StackOverflow question with one incorrect answer ("use -K") and one response by the author saying "Found out I needed passwordless sudo" the Ansible docs, which say "Use of passwordless sudo makes things easier to automate, but it’s not required." (emphasis mine) this security StackExchange question which takes it as read that NOPASSWD is required article "Scalable and Understandable Provisioning..." which says: "running sudo may require typing a password, which is a sure way of blocking Ansible forever. A simple fix is to run visudo on the target host, and make sure that the user Ansible will use to login does not have to type a password" article "Basic Ansible Playbooks", which says "Ansible could log into the target server as root and avoid the need for sudo, or let the ansible user have sudo without a password, but the thought of doing either makes my spleen threaten to leap up my gullet and block my windpipe, so I don’t" My thoughts exactly, but then how to extend beyond a single server? ansible issue #1227, "Ansible should ask for sudo password for all users in a playbook", which was closed a year ago by mpdehaan with the comment "Haven't seen much demand for this, I think most people are sudoing from only one user account or using keys most of the time." So... how are people using Ansible in situations like these? Setting NOPASSWD in /etc/sudoers, reusing password across hosts or enabling root SSH login all seem rather drastic reductions in security.

    Read the article

1 2  | Next Page >