JohnAdams
Flight Engineer

Only some members of a group can run sudo -l

Hi, folks,

I've got a weird sudo problem. Only some members of a group can run sudo -l (or other sudo commands). My only clues are a) that the two users who can sudo -l have 2xxx UID/GIDs, whereas all the others have 65xxx GIDs and b) adding Defaults !pam_acct_mgmt to /etc/sudoers allowed all members to run. I assume that points to PAM as the issue, but from there, I'm lost.

I'm using sudo version 1.8.29 on RHEL 8.5. The command line error:

~]$ sudo -l
sudo: PAM account management error: Permission denied

The /var/log/secure entry:

sudo[69765]:    <user> : PAM account management error: Permission denied ; TTY=pts/0 ;

The file in /etc/sudoers.d ends with this group entry:

%<groupname> ALL = NOPASSWD: <commands>

Anything in <brackets> is redacted stuff.

Thanks,

John A

2 Replies
Fran_Garcia
Starfighter

How does your PAM config differ from the defaults? You can check sudo details at:

# grep "" /etc/pam.d/sudo*
/etc/pam.d/sudo:#%PAM-1.0
/etc/pam.d/sudo:auth include system-auth
/etc/pam.d/sudo:account include system-auth
/etc/pam.d/sudo:password include system-auth
/etc/pam.d/sudo:session optional pam_keyinit.so revoke
/etc/pam.d/sudo:session required pam_limits.so
/etc/pam.d/sudo:session include system-auth
/etc/pam.d/sudo-i:#%PAM-1.0
/etc/pam.d/sudo-i:auth include sudo
/etc/pam.d/sudo-i:account include sudo
/etc/pam.d/sudo-i:password include sudo
/etc/pam.d/sudo-i:session optional pam_keyinit.so force revoke
/etc/pam.d/sudo-i:session include sudo

Alternatively, having a look at /etc/pam.d and checking what's different from a default installation should give you a clue.

JohnAdams
Flight Engineer

Nothing is different in the su* files. The system-auth file is somewhat different. I don't see anything in it which would discriminate by UID/GID number:

auth        required                                     pam_env.so
auth        required                                     pam_faildelay.so delay=2000000
auth        [default=1 ignore=ignore success=ok]         pam_usertype.so isregular
auth        [default=1 ignore=ignore success=ok]         pam_localuser.so
auth        sufficient                                   pam_unix.so nullok
auth        [default=1 ignore=ignore success=ok]         pam_usertype.so isregular
auth        sufficient                                   pam_sss.so forward_pass
auth        required                                     pam_deny.so

account     required                                     pam_unix.so
account     sufficient                                   pam_localuser.so
account     sufficient                                   pam_usertype.so issystem
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required                                     pam_permit.so

password    requisite                                    pam_pwquality.so local_users_only
password    sufficient                                   pam_unix.so sha512 shadow nullok use_authtok
password    sufficient                                   pam_sss.so use_authtok
password    required                                     pam_deny.so

session     optional                                     pam_keyinit.so revoke
session     required                                     pam_limits.so
-session    optional                                     pam_systemd.so
session     optional                                     pam_oddjob_mkhomedir.so
session     [success=1 default=ignore]                   pam_succeed_if.so service in crond quiet use_uid
session     required                                     pam_unix.so
session     optional                                     pam_sss.so

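The account section of that system-auth is exactly what sudo's account-management call walks (and what Defaults !pam_acct_mgmt makes it skip), so it helps to trace how the control flags combine. Below is a small Python model of Linux-PAM's documented control-flag semantics run over that account stack; it is an added illustration, not code from this thread or from Linux-PAM, and the module return values it feeds in (NOT_LOCAL, sssd_user, local_user) are constructed scenarios rather than real PAM results. It shows that once pam_unix.so and pam_permit.so succeed, the only module in this stack that can turn a non-local, non-system user's result into "Permission denied" is pam_sss.so.

```python
# Account section of the poster's system-auth, one (control, module) per line.
ACCOUNT_STACK = [
    ("required", "pam_unix.so"),
    ("sufficient", "pam_localuser.so"),
    ("sufficient", "pam_usertype.so"),
    ("[default=bad success=ok user_unknown=ignore]", "pam_sss.so"),
    ("required", "pam_permit.so"),
]

# Linux-PAM keyword controls are shorthand for these [value=action] tables.
KEYWORDS = {
    "required":   {"success": "ok",   "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok",   "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "default": "ignore"},
}

def parse_control(control):
    """'required' or '[default=bad success=ok ...]' -> {return value: action}."""
    if control.startswith("["):
        return dict(tok.split("=", 1) for tok in control.strip("[]").split())
    return KEYWORDS[control]

def evaluate(stack, returns):
    """Walk the stack; `returns` maps module -> PAM return value (default 'success'). Jump actions not modelled."""
    status, negative = None, False             # recorded result; failure seen yet?
    for control, module in stack:
        ret = returns.get(module, "success")
        table = parse_control(control)
        action = table.get(ret, table.get("default", "bad"))
        if action in ("bad", "die"):
            if not negative:                   # the first recorded failure wins
                status, negative = ret, True
            if action == "die":                # 'requisite' aborts the stack
                break
        elif action != "ignore" and status in (None, "success"):
            status = ret                       # 'ok'/'done' count only while positive
            if action == "done" and ret == "success":
                break                          # 'sufficient' short-circuits on success
    return status or "perm_denied"             # nothing decided: PAM denies by default

# Constructed scenario: a directory (SSSD) user who is neither in /etc/passwd nor a system account.
NOT_LOCAL = {"pam_localuser.so": "perm_denied", "pam_usertype.so": "auth_err"}

def sssd_user(sss_result):
    return evaluate(ACCOUNT_STACK, {**NOT_LOCAL, "pam_sss.so": sss_result})

def local_user():
    return evaluate(ACCOUNT_STACK, {})        # pam_localuser.so succeeds -> done
```

Call sssd_user("perm_denied") versus sssd_user("success") to see the two outcomes; comparing what pam_sss.so logs (sssd_pam.log / the domain log with a raised debug_level) for a 2xxx user and a 65xxx user is the corresponding check on a real host.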