Arch Linux

Laplace's Daemon

Member

Registered: 2007-08-14

Posts: 30

Sudoers problem: users hibernate without password, wheel with password

I'm trying to set up my sudoers file so that (1) members of the users group can access pm-hibernate without requiring a password, and (2) members of wheel can access all commands with sudo, but require a password.  My /etc/suders

# sudoers file.
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the sudoers man page for the details on how to write a sudoers file.
#

# Host alias specification

# User alias specification

# Cmnd alias specification

# Defaults specification

# Runas alias specification

# User privilege specification
root    ALL=(ALL) SETENV: ALL

 %users ALL=(ALL) NOPASSWD: /usr/sbin/pm-hibernate
# Uncomment to allow people in group wheel to run all commands
# and set environment variables.
 %wheel ALL=(ALL) SETENV: ALL

# Same thing without a password
# %wheel        ALL=(ALL) NOPASSWD: SETENV: ALL

# Samples
# %users  ALL=/sbin/mount /cdrom,/sbin/umount /cdrom
# %users  localhost=/sbin/shutdown -h now

As it's set up now, members of users can run pm-hibernate without password, but members of both users and wheel require a password to run pm-hibernate (or any sudo command).  If I interchange the order of the users and wheel commands, then menbers of wheel can run any sudo command without a password. 

According to the documentation that I can find, this should be working correctly, any idea on why it is not?

bored_engineer

Member

Registered: 2007-10-13

Posts: 2

Re: Sudoers problem: users hibernate without password, wheel with password

From the man page:

When multiple entries match for a user, they are applied in order.  Where there are multiple matches, the last match is used (which is not necessarily the most specific match).

Reverse the order of the two lines and you should be fine.

dschrute

Member

From: NJ, USA

Registered: 2007-04-09

Posts: 183

Re: Sudoers problem: users hibernate without password, wheel with password

 %users ALL=(ALL) NOPASSWD: /usr/sbin/pm-hibernate

This is saying that %users can run all commands via sudo ( Password required ), and /usr/sbin/pm-hibernate with no password.

Instead try :

%users ALL = NOPASSWD: /usr/sbin/pm-hibernate
%wheel ALL=(ALL) SETENV: ALL

Laplace's Daemon

Member

Registered: 2007-08-14

Posts: 30

Re: Sudoers problem: users hibernate without password, wheel with password

It seems to be working now.  Thanks!