Zimbra services asking for password - sudoers issue
Purpose
Ubuntu and CentOS/RHEL security upgrades sometimes ask whether to replace /etc/sudoers during the upgrade. You will see a message like this one:
Configuration file '/etc/sudoers'
 ==> Modified (by you or by a script) since installation.
 ==> Package distributor has shipped an updated version.
   What would you like to do about it ?  Your options are:
    Y or I  : install the package maintainer's version
    N or O  : keep your currently-installed version
      D     : show the differences between the versions
      Z     : start a shell to examine the situation
 The default action is to keep your current version.
*** sudoers (Y/I/N/O/D/Z) [default=N] ?
If you select the default option, N, Zimbra will continue working as expected, because no changes are made to the sudoers file. However, if you select Y or I, /etc/sudoers will be replaced by a default version of the file, and at the next restart of the Zimbra services you will see an error like this one for the different services:
root@mail:~# su - zimbra
zimbra@mail:~$ zmcontrol restart
Host mail.zimbra.io
    Stopping vmware-ha...Done.
    Stopping zmconfigd...Done.
    Stopping zimlet webapp...[sudo] password for zimbra:
Resolution
If you are facing this issue, check the /etc/sudoers file. It should look something like the following; if it does not, add this content after the #includedir /etc/sudoers.d line:
Zimbra Collaboration 8.6
%zimbra ALL=NOPASSWD:/opt/zimbra/libexec/zmstat-fd *
%zimbra ALL=NOPASSWD:/opt/zimbra/libexec/zmslapd
%zimbra ALL=NOPASSWD:/opt/zimbra/postfix/sbin/postfix, /opt/zimbra/postfix/sbin/postalias, /opt/zimbra/postfix/sbin/qshape.pl, /opt/zimbra/postfix/sbin/postconf,/opt/zimbra/postfix/sbin/postsuper
%zimbra ALL=NOPASSWD:/opt/zimbra/libexec/zmqstat,/opt/zimbra/libexec/zmmtastatus
%zimbra ALL=NOPASSWD:/opt/zimbra/amavisd/sbin/amavis-mc
%zimbra ALL=NOPASSWD:/opt/zimbra/libexec/zmunbound
%zimbra ALL=NOPASSWD:/sbin/resolvconf *
%zimbra ALL=NOPASSWD:/opt/zimbra/libexec/zmmailboxdmgr
%zimbra ALL=NOPASSWD:/opt/zimbra/bin/zmcertmgr
%zimbra ALL=NOPASSWD:/opt/zimbra/nginx/sbin/nginx
After editing the /etc/sudoers file, you can restart the services as the zimbra user as expected:
zmcontrol restart
Remember that to fix CVE-2016-2107 you also need an additional line at the end of /etc/sudoers, more info here:
Defaults env_keep += "OPENSSL_ia32cap"
Note: This does not affect Zimbra Collaboration 8.7 and later, as ZCS 8.7 places its files inside the /etc/sudoers.d folder.
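The check below is an added example, not part of the original article or of Zimbra's tooling: it reads a sudoers file and lists which of the ZCS 8.6 commands above have no active %zimbra NOPASSWD rule. The function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Zimbra's own tooling): list which of the ZCS 8.6
# NOPASSWD commands shown on this page have no active %zimbra rule.

# Command paths copied from the page's sudoers block (arguments omitted).
ZIMBRA_SUDO_CMDS='
/opt/zimbra/libexec/zmstat-fd /opt/zimbra/libexec/zmslapd
/opt/zimbra/postfix/sbin/postfix /opt/zimbra/postfix/sbin/postalias
/opt/zimbra/postfix/sbin/qshape.pl /opt/zimbra/postfix/sbin/postconf
/opt/zimbra/postfix/sbin/postsuper /opt/zimbra/libexec/zmqstat
/opt/zimbra/libexec/zmmtastatus /opt/zimbra/amavisd/sbin/amavis-mc
/opt/zimbra/libexec/zmunbound /sbin/resolvconf
/opt/zimbra/libexec/zmmailboxdmgr /opt/zimbra/bin/zmcertmgr
/opt/zimbra/nginx/sbin/nginx'

# Read a sudoers file on stdin, print every required command that is not
# granted, and return 1 if any is missing (0 if all are present).
missing_zimbra_sudo_cmds() {
    missing=0
    # Only active rules count: a commented-out line starts with '#'.
    rules=$(grep -E '^[[:space:]]*%zimbra[[:space:]]+ALL[[:space:]]*=[[:space:]]*NOPASSWD:' || true)
    for cmd in $ZIMBRA_SUDO_CMDS; do
        # Match the path as a whole token, not as a prefix of a longer path.
        if ! printf '%s\n' "$rules" |
            grep -Eq "(^|[,:[:space:]])${cmd}([,[:space:]]|\$)"; then
            printf '%s\n' "$cmd"
            missing=1
        fi
    done
    return "$missing"
}

# Constructed sample: a file where only part of the Zimbra block survived.
sample_sudoers() {
    cat <<'EOF'
root    ALL=(ALL:ALL) ALL
#includedir /etc/sudoers.d
%zimbra ALL=NOPASSWD:/opt/zimbra/libexec/zmstat-fd *
# %zimbra ALL=NOPASSWD:/opt/zimbra/libexec/zmslapd
%zimbra ALL=NOPASSWD:/opt/zimbra/postfix/sbin/postfix, /opt/zimbra/postfix/sbin/postalias
EOF
}

# Usage: sh check.sh /etc/sudoers   (run as root to read the file)
[ "$#" -eq 0 ] || missing_zimbra_sudo_cmds < "$1"
```

After editing, running visudo -c confirms that the file still parses before the services are restarted.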
Additional Content
- Forum thread about the issue - Forum topic