Sudoers

From Zimbra :: Wiki

This article is a Work in Progress, and may be unfinished or missing sections.


Admin Article

Article Information

This article applies to the following ZCS versions.
  ZCS 8.5
  ZCS 5.0

The file /etc/sudoers lists users authorized to run certain commands as other users. Edit this file if necessary with the visudo command.

The following is correct as of 8.5:

# grep zimbra /etc/sudoers
%zimbra ALL=NOPASSWD:/opt/zimbra/libexec/zmstat-fd *
%zimbra ALL=NOPASSWD:/opt/zimbra/libexec/zmslapd
%zimbra ALL=NOPASSWD:/opt/zimbra/postfix/sbin/postfix, /opt/zimbra/postfix/sbin/postalias, /opt/zimbra/postfix/sbin/qshape.pl, /opt/zimbra/postfix/sbin/postconf,/opt/zimbra/postfix/sbin/postsuper
%zimbra ALL=NOPASSWD:/opt/zimbra/libexec/zmqstat,/opt/zimbra/libexec/zmmtastatus
%zimbra ALL=NOPASSWD:/opt/zimbra/amavisd/sbin/amavis-mc
%zimbra ALL=NOPASSWD:/opt/zimbra/libexec/zmmailboxdmgr
%zimbra ALL=NOPASSWD:/opt/zimbra/bin/zmcertmgr

The following is correct as of 5.0.18:

# grep zimbra /etc/sudoers
%zimbra ALL=NOPASSWD:/opt/zimbra/openldap/libexec/slapd
%zimbra ALL=NOPASSWD:/opt/zimbra/libexec/zmslapd
%zimbra ALL=NOPASSWD:/opt/zimbra/postfix/sbin/postfix, /opt/zimbra/postfix/sbin/postalias, /opt/zimbra/postfix/sbin/qshape.pl, /opt/zimbra/postfix/sbin/postconf,/opt/zimbra/postfix/sbin/postsuper
%zimbra ALL=NOPASSWD:/opt/zimbra/libexec/zmqstat,/opt/zimbra/libexec/zmmtastatus
%zimbra ALL=NOPASSWD:/opt/zimbra/libexec/zmmailboxdmgr
%zimbra ALL=NOPASSWD:/opt/zimbra/bin/zmcertmgr

It is also advisable to check whether the requiretty option is set. This is done as follows:

# grep requiretty /etc/sudoers
Defaults    requiretty

Using the visudo command, comment it out like so. Note that the # on the first line is the root prompt, while the # on the second line marks the comment:

# visudo
#Defaults    requiretty 

The requiretty line on a Fedora Core system is around line 56. This may vary on other Linux or Mac systems.


On SUSE 10 SP1 Enterprise Server with ZCS 5.0.1, you may get an error that '/etc/sudoers' is 0640 and needs to be 0440, and LDAP fails to initialize.

Open /opt/zimbra/libexec/zmsetup.pl in your favorite text editor:
Go to line 56 (in 5.0.1).
Find 0640, change it to 0440, and save.

/etc/sudoers needs to be 0440 or sudo will not complete the requested command. Re-run /opt/zimbra/libexec/zmsetup.pl if you got an error before and all should be good. Check the points above as well.
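
The checks described on this page (the %zimbra entries, the requiretty option and the 0440 mode) can be run together as a read-only shell script. This is an added example, not part of the original article or of Zimbra's own tooling; the function names are hypothetical, and only the plain "Defaults requiretty" form shown above is detected.

```sh
#!/bin/sh
# Added example: read-only checks on a sudoers file. Function names are
# hypothetical. Source this file, then run as root: check_sudoers /etc/sudoers

# Print the octal mode of a file (GNU stat, then BSD/macOS stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null
}

# Succeed if an uncommented "Defaults requiretty" line is present.
# Only the plain form shown in the article is matched, not comma lists.
requiretty_active() {
    grep -Eq '^[[:space:]]*Defaults[[:space:]]+requiretty' "$1"
}

# Print every command granted to %zimbra with NOPASSWD, one per line.
zimbra_commands() {
    sed -n 's/^%zimbra[[:space:]][^#]*NOPASSWD:[[:space:]]*//p' "$1" |
        tr ',' '\n' |
        sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d'
}

# Report findings; return 0 if mode is 0440 and requiretty is not set,
# 1 if either check fails, 2 if the file cannot be examined.
check_sudoers() {
    f=${1:-/etc/sudoers}
    rc=0
    mode=$(file_mode "$f") || return 2
    if [ "$mode" != "440" ]; then
        echo "FAIL: $f is mode 0$mode, needs to be 0440"
        rc=1
    fi
    if requiretty_active "$f"; then
        echo "FAIL: 'Defaults requiretty' is set in $f"
        rc=1
    fi
    echo "Commands %zimbra may run without a password:"
    zimbra_commands "$f" | sed 's/^/  /'
    return "$rc"
}
```

The script changes nothing; edits to /etc/sudoers should still be made with visudo.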


Verified Against: ZCS 5.0.18
Date Created: 6/8/2006
Article ID: http://wiki.zimbra.com/index.php?title=Sudoers
Date Modified: 04/1/2015