Difference between revisions of "Sudoers"

(updates for 8.5)
 
(17 intermediate revisions by 9 users not shown)
Line 1: Line 1:
The file /etc/sudoers lists users authorized to run certain commands as other users. Edit this file if necessary with the '''visudo''' command. You should see some lines like the following, though the versions of '''postfix''' and '''openldap''' should match what's on your system rather than what is here.
+
{{BC|Community Sandbox}}
 +
__FORCETOC__
 +
<div class="col-md-12 ibox-content">
 +
=Sudoers=
 +
{{KB|{{Unsupported}}|{{ZCS 8.6}}|{{ZCS 8.5}}|}}
 +
{{WIP}}
 +
The file /etc/sudoers lists users authorized to run certain commands as other users. Edit this file if necessary with the '''visudo''' command.
  
# grep zimbra /etc/sudoers
+
Example from 8.7:
%zimbra   ALL=NOPASSWD:/opt/zimbra/openldap-2.3.21/libexec/slapd
+
<pre>
%zimbra   ALL=NOPASSWD:/opt/zimbra/postfix-2.2.9/sbin/postfix, /opt/zimbra/postfix-2.2.9/sbin/postalias, /opt/zimbra/postfix-2.2.9/sbin/qshape.pl, /opt/zimbra/postfix-2.2.9/sbin/postconf,/opt/zimbra/postfix-2.2.9/sbin/postsuper
+
$ sudo grep -hr ^ /etc/sudoers.d/ | sort
%zimbra   ALL=NOPASSWD:/opt/zimbra/libexec/zmqstat
+
Defaults:zimbra !requiretty
%zimbra ALL=NOPASSWD:/opt/zimbra/libexec/zmtomcatstart
+
%zimbra ALL=NOPASSWD:/opt/zimbra/common/sbin/amavis-mc
%zimbra ALL=NOPASSWD:/opt/zimbra/perdition/sbin/perdition
+
%zimbra ALL=NOPASSWD:/opt/zimbra/common/sbin/nginx
 +
%zimbra ALL=NOPASSWD:/opt/zimbra/common/sbin/postalias
 +
%zimbra ALL=NOPASSWD:/opt/zimbra/common/sbin/postcat
 +
%zimbra ALL=NOPASSWD:/opt/zimbra/common/sbin/postconf
 +
%zimbra ALL=NOPASSWD:/opt/zimbra/common/sbin/postfix
 +
%zimbra ALL=NOPASSWD:/opt/zimbra/common/sbin/postsuper
 +
%zimbra ALL=NOPASSWD:/opt/zimbra/common/sbin/qshape.pl
 +
%zimbra ALL=NOPASSWD:/opt/zimbra/libexec/zmdnscachealign *
 +
%zimbra ALL=NOPASSWD:/opt/zimbra/libexec/zmmailboxdmgr
 +
%zimbra ALL=NOPASSWD:/opt/zimbra/libexec/zmmtastatus
 +
%zimbra ALL=NOPASSWD:/opt/zimbra/libexec/zmqstat
 +
%zimbra ALL=NOPASSWD:/opt/zimbra/libexec/zmslapd
 +
%zimbra ALL=NOPASSWD:/opt/zimbra/libexec/zmstat-fd *
 +
%zimbra ALL=NOPASSWD:/opt/zimbra/libexec/zmunbound
 +
</pre>
  
# ls -l /opt/zimbra/openldap /opt/zimbra/postfix
+
Example from 8.5:
lrwxrwxrwx  1 root root 27 May  9 14:23 /opt/zimbra/openldap -> /opt/zimbra/openldap-2.3.21
+
 
lrwxrwxrwx  1 root root 25 May  9 14:23 /opt/zimbra/postfix -> /opt/zimbra/postfix-2.2.9
+
<pre>
 +
# grep zimbra /etc/sudoers
 +
%zimbra ALL=NOPASSWD:/opt/zimbra/libexec/zmstat-fd *
 +
%zimbra ALL=NOPASSWD:/opt/zimbra/libexec/zmslapd
 +
%zimbra ALL=NOPASSWD:/opt/zimbra/postfix/sbin/postfix, /opt/zimbra/postfix/sbin/postalias, /opt/zimbra/postfix/sbin/qshape.pl, /opt/zimbra/postfix/sbin/postconf,/opt/zimbra/postfix/sbin/postsuper
 +
%zimbra ALL=NOPASSWD:/opt/zimbra/libexec/zmqstat,/opt/zimbra/libexec/zmmtastatus
 +
%zimbra ALL=NOPASSWD:/opt/zimbra/amavisd/sbin/amavis-mc
 +
%zimbra ALL=NOPASSWD:/opt/zimbra/libexec/zmmailboxdmgr
 +
%zimbra ALL=NOPASSWD:/opt/zimbra/bin/zmcertmgr
 +
</pre>
 +
 
 +
Example from 5.0.18:
 +
 
 +
<pre>
 +
# grep zimbra /etc/sudoers
 +
%zimbra ALL=NOPASSWD:/opt/zimbra/openldap/libexec/slapd
 +
%zimbra ALL=NOPASSWD:/opt/zimbra/libexec/zmslapd
 +
%zimbra ALL=NOPASSWD:/opt/zimbra/postfix/sbin/postfix, /opt/zimbra/postfix/sbin/postalias, /opt/zimbra/postfix/sbin/qshape.pl, /opt/zimbra/postfix/sbin/postconf,/opt/zimbra/postfix/sbin/postsuper
 +
%zimbra ALL=NOPASSWD:/opt/zimbra/libexec/zmqstat,/opt/zimbra/libexec/zmmtastatus
 +
%zimbra ALL=NOPASSWD:/opt/zimbra/libexec/zmmailboxdmgr
 +
%zimbra ALL=NOPASSWD:/opt/zimbra/bin/zmvertmgr
 +
</pre>
  
 
Please also note it is advisable to check if the requiretty option is set.
 
Please also note it is advisable to check if the requiretty option is set.
 
This is done as follows
 
This is done as follows
# grep requiretty /etc/sudoers
+
<pre>
Defaults    requiretty
+
# grep requiretty /etc/sudoers
 +
Defaults    requiretty
 +
</pre>
  
 
Using the '''visudo''' command comment it out like so.  Please note the first # indicates root prompt, the second line # indicates the comment
 
Using the '''visudo''' command comment it out like so.  Please note the first # indicates root prompt, the second line # indicates the comment
 
  # visudo
 
  # visudo
  #Defaults    requiretty
+
  #Defaults    requiretty  
 +
The requiretty line, on a Fedora Core system is around line 56.  This may vary on other linux or Mac systems.
 +
 
 +
 
 +
On SUSE10SP1 Enterprise Server with 5.0.1 when you get '/etc/sudoers' is 0640 needs to be 0440
 +
and ldap fails to init.
 +
 +
Open /opt/zimbra/libexec/zmsetup.pl in your favorite text editor:
 +
Goto Line: 56 (in 5.0.1)
 +
Find 0640 change to 0440 and save.
 +
 +
/etc/sudoers needs to be 0440 or it will not complete the requested command. Re-run /opt/zimbra/libexec/zmsetup.pl
 +
if you got an error before and all should be good. check the above too.
 +
 
 +
{{Article Footer|ZCS 5.0.18|6/8/2006}}
 +
 
 +
[[Category:Administration]]
 +
[[Category:Configuration]]
 +
[[Category:Linux]]
 +
[[Category:OSX]]
 +
[[Category:MTA]]
 +
[[Category:LDAP]]
 +
[[Category:ZCS 5.0]]
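Review bot: The last grant in the added "Example from 5.0.18" block reads /opt/zimbra/bin/zmvertmgr, while the 8.5 block just above it lists /opt/zimbra/bin/zmcertmgr. This looks like a transcription typo, and because readers copy these lines into /etc/sudoers, the path should be checked against a 5.0.18 host and corrected if so. The two wildcard grants in the 8.7 block (zmdnscachealign * and zmstat-fd *) would also benefit from a sentence saying that the trailing * allows any arguments, since the page otherwise presents every entry as a fixed command path.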

Latest revision as of 22:03, 25 January 2017


Sudoers

   KB 1554        Last updated on 2017-01-25  





The file /etc/sudoers lists users authorized to run certain commands as other users. Edit this file if necessary with the visudo command.

Example from 8.7:

$ sudo grep -hr ^ /etc/sudoers.d/ | sort
Defaults:zimbra !requiretty
%zimbra ALL=NOPASSWD:/opt/zimbra/common/sbin/amavis-mc
%zimbra ALL=NOPASSWD:/opt/zimbra/common/sbin/nginx
%zimbra ALL=NOPASSWD:/opt/zimbra/common/sbin/postalias
%zimbra ALL=NOPASSWD:/opt/zimbra/common/sbin/postcat
%zimbra ALL=NOPASSWD:/opt/zimbra/common/sbin/postconf
%zimbra ALL=NOPASSWD:/opt/zimbra/common/sbin/postfix
%zimbra ALL=NOPASSWD:/opt/zimbra/common/sbin/postsuper
%zimbra ALL=NOPASSWD:/opt/zimbra/common/sbin/qshape.pl
%zimbra ALL=NOPASSWD:/opt/zimbra/libexec/zmdnscachealign *
%zimbra ALL=NOPASSWD:/opt/zimbra/libexec/zmmailboxdmgr
%zimbra ALL=NOPASSWD:/opt/zimbra/libexec/zmmtastatus
%zimbra ALL=NOPASSWD:/opt/zimbra/libexec/zmqstat
%zimbra ALL=NOPASSWD:/opt/zimbra/libexec/zmslapd
%zimbra ALL=NOPASSWD:/opt/zimbra/libexec/zmstat-fd *
%zimbra ALL=NOPASSWD:/opt/zimbra/libexec/zmunbound

Example from 8.5:

# grep zimbra /etc/sudoers
%zimbra ALL=NOPASSWD:/opt/zimbra/libexec/zmstat-fd *
%zimbra ALL=NOPASSWD:/opt/zimbra/libexec/zmslapd
%zimbra ALL=NOPASSWD:/opt/zimbra/postfix/sbin/postfix, /opt/zimbra/postfix/sbin/postalias, /opt/zimbra/postfix/sbin/qshape.pl, /opt/zimbra/postfix/sbin/postconf,/opt/zimbra/postfix/sbin/postsuper
%zimbra ALL=NOPASSWD:/opt/zimbra/libexec/zmqstat,/opt/zimbra/libexec/zmmtastatus
%zimbra ALL=NOPASSWD:/opt/zimbra/amavisd/sbin/amavis-mc
%zimbra ALL=NOPASSWD:/opt/zimbra/libexec/zmmailboxdmgr
%zimbra ALL=NOPASSWD:/opt/zimbra/bin/zmcertmgr

Example from 5.0.18:

# grep zimbra /etc/sudoers
%zimbra ALL=NOPASSWD:/opt/zimbra/openldap/libexec/slapd
%zimbra ALL=NOPASSWD:/opt/zimbra/libexec/zmslapd
%zimbra ALL=NOPASSWD:/opt/zimbra/postfix/sbin/postfix, /opt/zimbra/postfix/sbin/postalias, /opt/zimbra/postfix/sbin/qshape.pl, /opt/zimbra/postfix/sbin/postconf,/opt/zimbra/postfix/sbin/postsuper
%zimbra ALL=NOPASSWD:/opt/zimbra/libexec/zmqstat,/opt/zimbra/libexec/zmmtastatus
%zimbra ALL=NOPASSWD:/opt/zimbra/libexec/zmmailboxdmgr
%zimbra ALL=NOPASSWD:/opt/zimbra/bin/zmvertmgr

It is also advisable to check whether the requiretty option is set. This is done as follows:

# grep requiretty /etc/sudoers
Defaults    requiretty

Using the visudo command, comment it out like so. Note that the # on the first line is the root prompt, while the # on the second line marks the comment:

# visudo
#Defaults    requiretty 

On a Fedora Core system, the requiretty line is around line 56. This may vary on other Linux or Mac systems.


On SUSE10SP1 Enterprise Server with 5.0.1, when you get the message that '/etc/sudoers' is 0640 and needs to be 0440, and ldap fails to init:

Open /opt/zimbra/libexec/zmsetup.pl in your favorite text editor.
Go to line 56 (in 5.0.1).
Find 0640, change it to 0440, and save.

/etc/sudoers needs to be 0440 or sudo will not complete the requested command. If you got an error before, re-run /opt/zimbra/libexec/zmsetup.pl and all should be good. Check the above too.
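
The checks this page walks through (listing the zimbra grants, the requiretty setting, and the 0440 mode) collected into one script. This is an added example, not Zimbra's code: the function names and the sample file are constructed for illustration, and on a real host you would pass /etc/sudoers and the files under /etc/sudoers.d/ instead.

```shell
#!/bin/sh
# Added example (not from the Zimbra wiki): audit the sudoers settings this page checks.

# Print one line per command granted to %zimbra, splitting comma-separated lists.
zimbra_commands() {
    grep -h '^%zimbra[[:space:]]' "$@" |
        sed -e 's/^[^:]*NOPASSWD:[[:space:]]*//' | tr ',' '\n' |
        sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' | sort -u
}

# Succeeds if requiretty still applies to the zimbra user: a per-user
# "Defaults:zimbra !requiretty" overrides an uncommented global setting.
requiretty_applies() {
    if grep -Eq '^Defaults:zimbra[[:space:]].*!requiretty' "$@"; then
        return 1
    fi
    grep -Eq '^Defaults[[:space:]]+([^#]*[,[:space:]])?requiretty' "$@"
}

# Succeeds if the file mode is exactly 0440 (portable: no GNU-only stat flags).
mode_is_0440() {
    [ "$(ls -ld "$1" | cut -c1-10)" = "-r--r-----" ]
}

# Constructed sample input, modelled on the 8.5 listing above.
SAMPLE_DIR=$(mktemp -d)
SAMPLE="$SAMPLE_DIR/sudoers"
cat > "$SAMPLE" <<'EOF'
Defaults    requiretty
%zimbra ALL=NOPASSWD:/opt/zimbra/libexec/zmstat-fd *
%zimbra ALL=NOPASSWD:/opt/zimbra/libexec/zmqstat,/opt/zimbra/libexec/zmmtastatus
%zimbra ALL=NOPASSWD:/opt/zimbra/postfix/sbin/postfix, /opt/zimbra/postfix/sbin/postalias
EOF
chmod 0640 "$SAMPLE"   # the wrong mode from the SUSE case above

# usage: audit FILE...  (the first FILE is the one whose mode is checked)
audit() {
    mode_is_0440 "$1" || echo "WARN: $1 is not mode 0440"
    if requiretty_applies "$@"; then
        echo "WARN: requiretty applies to zimbra"
    fi
    zimbra_commands "$@" | sed 's/^/grant: /'
}
audit "$SAMPLE"
```

On the constructed sample this reports both warnings and five grants, including the wildcard entry `zmstat-fd *` as a single grant.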

Verified Against: ZCS 5.0.18 Date Created: 6/8/2006
Article ID: https://wiki.zimbra.com/index.php?title=Sudoers Date Modified: 2017-01-25


