Difference between revisions of "Sudoers"
(updates for 8.5) |
|||
| (17 intermediate revisions by 9 users not shown) | |||
| Line 1: | Line 1: | ||
| − | The file /etc/sudoers lists users authorized to run certain commands as other users. Edit this file if necessary with the '''visudo''' command | + | {{BC|Community Sandbox}} |
| + | __FORCETOC__ | ||
| + | <div class="col-md-12 ibox-content"> | ||
| + | =Sudoers= | ||
| + | {{KB|{{Unsupported}}|{{ZCS 8.6}}|{{ZCS 8.5}}|}} | ||
| + | {{WIP}} | ||
| + | The file /etc/sudoers lists users authorized to run certain commands as other users. Edit this file if necessary with the '''visudo''' command. | ||
| − | + | Example from 8.7: | |
| − | + | <pre> | |
| − | + | $ sudo grep -hr ^ /etc/sudoers.d/ | sort | |
| − | + | Defaults:zimbra !requiretty | |
| − | + | %zimbra ALL=NOPASSWD:/opt/zimbra/common/sbin/amavis-mc | |
| − | + | %zimbra ALL=NOPASSWD:/opt/zimbra/common/sbin/nginx | |
| + | %zimbra ALL=NOPASSWD:/opt/zimbra/common/sbin/postalias | ||
| + | %zimbra ALL=NOPASSWD:/opt/zimbra/common/sbin/postcat | ||
| + | %zimbra ALL=NOPASSWD:/opt/zimbra/common/sbin/postconf | ||
| + | %zimbra ALL=NOPASSWD:/opt/zimbra/common/sbin/postfix | ||
| + | %zimbra ALL=NOPASSWD:/opt/zimbra/common/sbin/postsuper | ||
| + | %zimbra ALL=NOPASSWD:/opt/zimbra/common/sbin/qshape.pl | ||
| + | %zimbra ALL=NOPASSWD:/opt/zimbra/libexec/zmdnscachealign * | ||
| + | %zimbra ALL=NOPASSWD:/opt/zimbra/libexec/zmmailboxdmgr | ||
| + | %zimbra ALL=NOPASSWD:/opt/zimbra/libexec/zmmtastatus | ||
| + | %zimbra ALL=NOPASSWD:/opt/zimbra/libexec/zmqstat | ||
| + | %zimbra ALL=NOPASSWD:/opt/zimbra/libexec/zmslapd | ||
| + | %zimbra ALL=NOPASSWD:/opt/zimbra/libexec/zmstat-fd * | ||
| + | %zimbra ALL=NOPASSWD:/opt/zimbra/libexec/zmunbound | ||
| + | </pre> | ||
| − | + | Example from 8.5: | |
| − | + | ||
| − | + | <pre> | |
| + | # grep zimbra /etc/sudoers | ||
| + | %zimbra ALL=NOPASSWD:/opt/zimbra/libexec/zmstat-fd * | ||
| + | %zimbra ALL=NOPASSWD:/opt/zimbra/libexec/zmslapd | ||
| + | %zimbra ALL=NOPASSWD:/opt/zimbra/postfix/sbin/postfix, /opt/zimbra/postfix/sbin/postalias, /opt/zimbra/postfix/sbin/qshape.pl, /opt/zimbra/postfix/sbin/postconf,/opt/zimbra/postfix/sbin/postsuper | ||
| + | %zimbra ALL=NOPASSWD:/opt/zimbra/libexec/zmqstat,/opt/zimbra/libexec/zmmtastatus | ||
| + | %zimbra ALL=NOPASSWD:/opt/zimbra/amavisd/sbin/amavis-mc | ||
| + | %zimbra ALL=NOPASSWD:/opt/zimbra/libexec/zmmailboxdmgr | ||
| + | %zimbra ALL=NOPASSWD:/opt/zimbra/bin/zmcertmgr | ||
| + | </pre> | ||
| + | |||
| + | Example from 5.0.18: | ||
| + | |||
| + | <pre> | ||
| + | # grep zimbra /etc/sudoers | ||
| + | %zimbra ALL=NOPASSWD:/opt/zimbra/openldap/libexec/slapd | ||
| + | %zimbra ALL=NOPASSWD:/opt/zimbra/libexec/zmslapd | ||
| + | %zimbra ALL=NOPASSWD:/opt/zimbra/postfix/sbin/postfix, /opt/zimbra/postfix/sbin/postalias, /opt/zimbra/postfix/sbin/qshape.pl, /opt/zimbra/postfix/sbin/postconf,/opt/zimbra/postfix/sbin/postsuper | ||
| + | %zimbra ALL=NOPASSWD:/opt/zimbra/libexec/zmqstat,/opt/zimbra/libexec/zmmtastatus | ||
| + | %zimbra ALL=NOPASSWD:/opt/zimbra/libexec/zmmailboxdmgr | ||
| + | %zimbra ALL=NOPASSWD:/opt/zimbra/bin/zmvertmgr | ||
| + | </pre> | ||
Please also note it is advisable to check if the requiretty option is set. | Please also note it is advisable to check if the requiretty option is set. | ||
This is done as follows | This is done as follows | ||
| − | + | <pre> | |
| − | + | # grep requiretty /etc/sudoers | |
| + | Defaults requiretty | ||
| + | </pre> | ||
Using the '''visudo''' command comment it out like so. Please note the first # indicates root prompt, the second line # indicates the comment | Using the '''visudo''' command comment it out like so. Please note the first # indicates root prompt, the second line # indicates the comment | ||
# visudo | # visudo | ||
| − | #Defaults requiretty | + | #Defaults requiretty |
| + | The requiretty line, on a Fedora Core system is around line 56. This may vary on other linux or Mac systems. | ||
| + | |||
| + | |||
| + | On SUSE10SP1 Enterprise Server with 5.0.1 when you get '/etc/sudoers' is 0640 needs to be 0440 | ||
| + | and ldap fails to init. | ||
| + | |||
| + | Open /opt/zimbra/libexec/zmsetup.pl in your favorite text editor: | ||
| + | Goto Line: 56 (in 5.0.1) | ||
| + | Find 0640 change to 0440 and save. | ||
| + | |||
| + | /etc/sudoers needs to be 0440 or it will not complete the requested command. Re-run /opt/zimbra/libexec/zmsetup.pl | ||
| + | if you got an error before and all should be good. check the above too. | ||
| + | |||
| + | {{Article Footer|ZCS 5.0.18|6/8/2006}} | ||
| + | |||
| + | [[Category:Administration]] | ||
| + | [[Category:Configuration]] | ||
| + | [[Category:Linux]] | ||
| + | [[Category:OSX]] | ||
| + | [[Category:MTA]] | ||
| + | [[Category:LDAP]] | ||
| + | [[Category:ZCS 5.0]] | ||
Latest revision as of 22:03, 25 January 2017
Contents
Sudoers
- This article is a Work in Progress, and may be unfinished or missing sections.
The file /etc/sudoers lists users authorized to run certain commands as other users. Edit this file if necessary with the visudo command.
Example from 8.7:
$ sudo grep -hr ^ /etc/sudoers.d/ | sort Defaults:zimbra !requiretty %zimbra ALL=NOPASSWD:/opt/zimbra/common/sbin/amavis-mc %zimbra ALL=NOPASSWD:/opt/zimbra/common/sbin/nginx %zimbra ALL=NOPASSWD:/opt/zimbra/common/sbin/postalias %zimbra ALL=NOPASSWD:/opt/zimbra/common/sbin/postcat %zimbra ALL=NOPASSWD:/opt/zimbra/common/sbin/postconf %zimbra ALL=NOPASSWD:/opt/zimbra/common/sbin/postfix %zimbra ALL=NOPASSWD:/opt/zimbra/common/sbin/postsuper %zimbra ALL=NOPASSWD:/opt/zimbra/common/sbin/qshape.pl %zimbra ALL=NOPASSWD:/opt/zimbra/libexec/zmdnscachealign * %zimbra ALL=NOPASSWD:/opt/zimbra/libexec/zmmailboxdmgr %zimbra ALL=NOPASSWD:/opt/zimbra/libexec/zmmtastatus %zimbra ALL=NOPASSWD:/opt/zimbra/libexec/zmqstat %zimbra ALL=NOPASSWD:/opt/zimbra/libexec/zmslapd %zimbra ALL=NOPASSWD:/opt/zimbra/libexec/zmstat-fd * %zimbra ALL=NOPASSWD:/opt/zimbra/libexec/zmunbound
Example from 8.5:
# grep zimbra /etc/sudoers %zimbra ALL=NOPASSWD:/opt/zimbra/libexec/zmstat-fd * %zimbra ALL=NOPASSWD:/opt/zimbra/libexec/zmslapd %zimbra ALL=NOPASSWD:/opt/zimbra/postfix/sbin/postfix, /opt/zimbra/postfix/sbin/postalias, /opt/zimbra/postfix/sbin/qshape.pl, /opt/zimbra/postfix/sbin/postconf,/opt/zimbra/postfix/sbin/postsuper %zimbra ALL=NOPASSWD:/opt/zimbra/libexec/zmqstat,/opt/zimbra/libexec/zmmtastatus %zimbra ALL=NOPASSWD:/opt/zimbra/amavisd/sbin/amavis-mc %zimbra ALL=NOPASSWD:/opt/zimbra/libexec/zmmailboxdmgr %zimbra ALL=NOPASSWD:/opt/zimbra/bin/zmcertmgr
Example from 5.0.18:
# grep zimbra /etc/sudoers %zimbra ALL=NOPASSWD:/opt/zimbra/openldap/libexec/slapd %zimbra ALL=NOPASSWD:/opt/zimbra/libexec/zmslapd %zimbra ALL=NOPASSWD:/opt/zimbra/postfix/sbin/postfix, /opt/zimbra/postfix/sbin/postalias, /opt/zimbra/postfix/sbin/qshape.pl, /opt/zimbra/postfix/sbin/postconf,/opt/zimbra/postfix/sbin/postsuper %zimbra ALL=NOPASSWD:/opt/zimbra/libexec/zmqstat,/opt/zimbra/libexec/zmmtastatus %zimbra ALL=NOPASSWD:/opt/zimbra/libexec/zmmailboxdmgr %zimbra ALL=NOPASSWD:/opt/zimbra/bin/zmvertmgr
Please also note it is advisable to check if the requiretty option is set. This is done as follows
# grep requiretty /etc/sudoers Defaults requiretty
Using the visudo command comment it out like so. Please note the first # indicates root prompt, the second line # indicates the comment
# visudo #Defaults requiretty
The requiretty line, on a Fedora Core system is around line 56. This may vary on other linux or Mac systems.
On SUSE10SP1 Enterprise Server with 5.0.1 when you get '/etc/sudoers' is 0640 needs to be 0440
and ldap fails to init.
Open /opt/zimbra/libexec/zmsetup.pl in your favorite text editor: Goto Line: 56 (in 5.0.1) Find 0640 change to 0440 and save.
/etc/sudoers needs to be 0440 or it will not complete the requested command. Re-run /opt/zimbra/libexec/zmsetup.pl if you got an error before and all should be good. check the above too.
