Zimbra services asking for password - sudoers issue

Zimbra services asking for password - sudoers issue

   KB 23092        Last updated on 11/3/2016  




0.00
(0 votes)

Purpose

Ubuntu and CentOS/RHEL security upgrades sometimes do ask for replace the /etc/sudoers while upgrading, you will see a message like this one:

Configuration file '/etc/sudoers'
==> Modified (by you or by a script) since installation.
==> Package distributor has shipped an updated version.
   What would you like to do about it ?  Your options are:
    Y or I  : install the package maintainer's version
    N or O  : keep your currently-installed version
      D     : show the differences between the versions
      Z     : start a shell to examine the situation
The default action is to keep your current version.
*** sudoers (Y/I/N/O/D/Z) [default=N] ?

If you select the default option, N, Zimbra will continue working as expected, as no changes are made to the sudoers file, however if you select Y or I by any chance, the /etc/sudoers will be replaced by a default version of the file. So at the next restart of the Zimbra services you will see an error like this one for the different services:

root@mail:~# su - zimbra
zimbra@mail:~$ zmcontrol restart
Host mail.zimbra.io
        Stopping vmware-ha...Done.
        Stopping zmconfigd...Done.
        Stopping zimlet webapp...[sudo] password for zimbra:

Resolution

If you are facing this issue, please check the /etc/sudoers file, it should look something like this, if it's not, please add this content after the #includedir /etc/sudoers.d line: Zimbra Collaboration 8.6

%zimbra ALL=NOPASSWD:/opt/zimbra/libexec/zmstat-fd *
%zimbra ALL=NOPASSWD:/opt/zimbra/libexec/zmslapd
%zimbra ALL=NOPASSWD:/opt/zimbra/postfix/sbin/postfix, /opt/zimbra/postfix/sbin/postalias, /opt/zimbra/postfix/sbin/qshape.pl, /opt/zimbra/postfix/sbin/postconf,/opt/zimbra/postfix/sbin/postsuper
%zimbra ALL=NOPASSWD:/opt/zimbra/libexec/zmqstat,/opt/zimbra/libexec/zmmtastatus
%zimbra ALL=NOPASSWD:/opt/zimbra/amavisd/sbin/amavis-mc
%zimbra ALL=NOPASSWD:/opt/zimbra/libexec/zmunbound
%zimbra ALL=NOPASSWD:/sbin/resolvconf *
%zimbra ALL=NOPASSWD:/opt/zimbra/libexec/zmmailboxdmgr
%zimbra ALL=NOPASSWD:/opt/zimbra/bin/zmcertmgr
%zimbra ALL=NOPASSWD:/opt/zimbra/nginx/sbin/nginx

After edit the /etc/sudoers file, as zimbra user you can now restart the services as expected:

zmcontrol restart

Remember that for fix the CVE-2016-2107 you need an additional line into the /etc/sudoers too at the end, more info here:

Defaults env_keep += "OPENSSL_ia32cap"

Note: This will not affect Zimbra Collaboration 8.7 and ahead, as ZCS 8.7 includes the different tiles inside the /etc/sudoers.d folder

Additional Content

Verified Against: Zimbra Collaboration 8.6, 8.0 Date Created: 11/03/2016
Article ID: https://wiki.zimbra.com/index.php?title=Zimbra_services_asking_for_password_-_sudoers_issue Date Modified: 11/3/2016



Try Zimbra

Try Zimbra Collaboration with a 60-day free trial.
Get it now »

Want to get involved?

You can contribute in the Community, Wiki, Code, or development of Zimlets.
Find out more. »

Looking for a Video?

Visit our YouTube channel to get the latest webinars, technology news, product overviews, and so much more.
Go to the YouTube channel »


Wiki/KB reviewed by Jorge SME2 Need Copyeditor Last edit by Jorge de la Cruz
Jump to: navigation, search