Zimbra services asking for password - sudoers issue


   KB 23092        Last updated on 2023-08-17  





Purpose

Security upgrades on Ubuntu and CentOS/RHEL sometimes ask whether to replace /etc/sudoers during the upgrade. You will see a message like this one:

Configuration file '/etc/sudoers'
==> Modified (by you or by a script) since installation.
==> Package distributor has shipped an updated version.
   What would you like to do about it ?  Your options are:
    Y or I  : install the package maintainer's version
    N or O  : keep your currently-installed version
      D     : show the differences between the versions
      Z     : start a shell to examine the situation
The default action is to keep your current version.
*** sudoers (Y/I/N/O/D/Z) [default=N] ?

If you select the default option, N, Zimbra will continue working as expected, because no changes are made to the sudoers file. However, if you select Y or I, /etc/sudoers is replaced by a default version of the file, which does not contain the Zimbra entries. At the next restart of the Zimbra services you will then see an error like this one for the different services:

root@mail:~# su - zimbra
zimbra@mail:~$ zmcontrol restart
Host mail.zimbra.io
        Stopping vmware-ha...Done.
        Stopping zmconfigd...Done.
        Stopping zimlet webapp...[sudo] password for zimbra:

Resolution

If you are facing this issue, check the /etc/sudoers file. It should look something like the following; if it does not, add this content after the #includedir /etc/sudoers.d line:

Zimbra Collaboration 8.6

%zimbra ALL=NOPASSWD:/opt/zimbra/libexec/zmstat-fd *
%zimbra ALL=NOPASSWD:/opt/zimbra/libexec/zmslapd
%zimbra ALL=NOPASSWD:/opt/zimbra/postfix/sbin/postfix, /opt/zimbra/postfix/sbin/postalias, /opt/zimbra/postfix/sbin/qshape.pl, /opt/zimbra/postfix/sbin/postconf,/opt/zimbra/postfix/sbin/postsuper
%zimbra ALL=NOPASSWD:/opt/zimbra/libexec/zmqstat,/opt/zimbra/libexec/zmmtastatus
%zimbra ALL=NOPASSWD:/opt/zimbra/amavisd/sbin/amavis-mc
%zimbra ALL=NOPASSWD:/opt/zimbra/libexec/zmunbound
%zimbra ALL=NOPASSWD:/sbin/resolvconf *
%zimbra ALL=NOPASSWD:/opt/zimbra/libexec/zmmailboxdmgr
%zimbra ALL=NOPASSWD:/opt/zimbra/bin/zmcertmgr
%zimbra ALL=NOPASSWD:/opt/zimbra/nginx/sbin/nginx

After editing the /etc/sudoers file, you can restart the services as the zimbra user as expected:

zmcontrol restart
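
An added example (not part of the Zimbra KB or Zimbra's tooling) that lists which of the ZCS 8.6 rules above are missing from a sudoers file, so the gap is visible before services are restarted. The function names and the sample file are constructed for illustration, and the check assumes the rules appear verbatim as listed above.

```shell
#!/bin/sh
# Added example, not Zimbra's code: report which ZCS 8.6 sudoers rules
# listed in this article are absent from a sudoers file.

# The ten rules exactly as the article lists them.
zimbra_required_rules() {
cat <<'EOF'
%zimbra ALL=NOPASSWD:/opt/zimbra/libexec/zmstat-fd *
%zimbra ALL=NOPASSWD:/opt/zimbra/libexec/zmslapd
%zimbra ALL=NOPASSWD:/opt/zimbra/postfix/sbin/postfix, /opt/zimbra/postfix/sbin/postalias, /opt/zimbra/postfix/sbin/qshape.pl, /opt/zimbra/postfix/sbin/postconf,/opt/zimbra/postfix/sbin/postsuper
%zimbra ALL=NOPASSWD:/opt/zimbra/libexec/zmqstat,/opt/zimbra/libexec/zmmtastatus
%zimbra ALL=NOPASSWD:/opt/zimbra/amavisd/sbin/amavis-mc
%zimbra ALL=NOPASSWD:/opt/zimbra/libexec/zmunbound
%zimbra ALL=NOPASSWD:/sbin/resolvconf *
%zimbra ALL=NOPASSWD:/opt/zimbra/libexec/zmmailboxdmgr
%zimbra ALL=NOPASSWD:/opt/zimbra/bin/zmcertmgr
%zimbra ALL=NOPASSWD:/opt/zimbra/nginx/sbin/nginx
EOF
}

# Print each required rule that is not an exact, uncommented line of file $1
# (leading/trailing whitespace ignored). Returns 1 if any rule is missing.
missing_zimbra_rules() {
    rc=0
    while IFS= read -r rule; do
        # -F: match the rule literally ('*' and '.' are not patterns);
        # -x: whole line only, so a commented-out "#%zimbra ..." is not a hit.
        if ! sed 's/^[[:space:]]*//; s/[[:space:]]*$//' "$1" |
                grep -qxF -- "$rule"; then
            printf '%s\n' "$rule"
            rc=1
        fi
    done <<EOF
$(zimbra_required_rules)
EOF
    return "$rc"
}

# Constructed sample: a replaced sudoers with one rule re-added and one
# still commented out. Point the function at /etc/sudoers on a real host.
sample=$(mktemp)
cat >"$sample" <<'EOF'
root    ALL=(ALL:ALL) ALL
#includedir /etc/sudoers.d
%zimbra ALL=NOPASSWD:/opt/zimbra/libexec/zmslapd
#%zimbra ALL=NOPASSWD:/opt/zimbra/bin/zmcertmgr
EOF
missing_zimbra_rules "$sample" || echo "^ rules to re-add (9 in this sample)"
rm -f "$sample"
```

Reading /etc/sudoers requires root. After editing, `visudo -cf /etc/sudoers` confirms the file still parses.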

Remember that to fix CVE-2016-2107 you also need an additional line at the end of /etc/sudoers, more info here:

Defaults env_keep += "OPENSSL_ia32cap"

Note: This does not affect Zimbra Collaboration 8.7 and later, as ZCS 8.7 includes the different files inside the /etc/sudoers.d folder.

Additional Content

Verified Against: Zimbra Collaboration 8.6, 8.0
Date Created: 11/03/2016
Article ID: https://wiki.zimbra.com/index.php?title=Zimbra_services_asking_for_password_-_sudoers_issue
Date Modified: 2023-08-17





Wiki/KB reviewed by Jorge SME2 Need Copyeditor Last edit by Phoenix