
08-Sep-2005, 02:56 PM
Re: Sudoers question
> Tim Patterson wrote:
> > carnold@nospam.com wrote:
> >
> >>> carnold5@email.unc.edu wrote:
> >>>
> >>>> Hello again! I have some sysadmin users that I do not want to be
> >>>> checked for rights. I have set up my sudoers file like this:
> >>>> # User privilege specification
> >>>> # You should not use sudo as root in an SELinux environment
> >>>> # If you use SELinux, remove the following line
> >>>> root ALL=(ALL) ALL
> >>>> userhere ALL=(ALL) ALL
> >>>> userhere ALL=(ALL) ALL
> >>>>
> >>>> The root entry, of course, works but the other entries do not work
> >>>> (they are prompted to enter the root password.) Thanks for any help!
> >>>
> >>>
> >>> Actually, the way sudo works is they are prompted for their own
> >>> password. They do not need to know the root password (that's the
> >>> point).
> >>>
> >>
> >> Why would you be prompted for your password? Root does not get
> >> checked for permissions and I want that same thing for a couple other
> >> users. Any way to do this?
> >
> >
> > Do it like this:
> > userid ALL=(ALL) NOPASSWD: ALL
>
> And for the description of why this works, see the man page for sudoers:
>
> NOPASSWD and PASSWD
>
> By default, sudo requires that a user authenticate him or herself before
> running a command. This behavior can be modified via the NOPASSWD tag.
> Like a Runas_Spec, the NOPASSWD tag sets a default for the commands that
> follow it in the Cmnd_Spec_List. Conversely, the PASSWD tag can be used
> to reverse things. For example:
>
> ray rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm
>
> would allow the user ray to run /bin/kill, /bin/ls, and /usr/bin/lprm as
> root on the machine rushmore as root without authenticating himself. If
> we only want ray to be able to run /bin/kill without a password the
> entry would be:
>
> ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm
>
> Note, however, that the PASSWD tag has no effect on users who are in the
> group specified by the exempt_group option.
>
> By default, if the NOPASSWD tag is applied to any of the entries for a
> user on the current host, he or she will be able to run sudo -l without
> a password. Additionally, a user may only run sudo -v without a password
> if the NOPASSWD tag is present for all a user's entries that pertain to
> the current host. This behavior may be overridden via the verifypw and
> listpw options.
>
> --
> Chris Hobbs Silver Valley Unified School District
> Head geek: Technology Services Coordinator
> webmaster: http://www.silvervalley.k12.ca.us/~chobbs/
> postmaster: chobbs@silvervalley.k12.ca.us
Cool. Thanks guys for the replies!! I do have another question: what if I
have an eDirectory user that I don't want to be checked for rights? Need
a sudoers book, LOL
Chris
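
The tag behaviour described in the quoted man page excerpt, as an added example that is not part of the original thread or of sudo itself: a simplified Python parser that reports which commands in a user specification run without a password, useful when auditing a sudoers file for NOPASSWD grants. The function names are hypothetical, the sample lines are taken from the thread, and aliases, line continuations and comma-separated Runas lists are assumed absent.

```python
import re

TAG = re.compile(r"^([A-Z_]+):\s*")      # a tag such as NOPASSWD: or PASSWD:
RUNAS = re.compile(r"^\(([^)]*)\)\s*")   # a Runas_Spec such as (ALL)

def password_requirements(spec):
    """Return [(command, runas, needs_password)] for one simple user spec.

    Simplified on purpose: no aliases, no line continuations, no escaped
    commas, one host list per line.
    """
    _user_host, _, cmnds = spec.partition("=")
    if not cmnds.strip():
        raise ValueError("not a user specification: %r" % spec)
    needs_password = True   # sudo's default: authenticate before running
    runas = "root"          # default target user when no Runas_Spec is given
    result = []
    for item in cmnds.split(","):
        item = item.strip()
        # A Runas_Spec and tags may precede a command; both stay in effect
        # for the commands that follow until something overrides them.
        m = RUNAS.match(item)
        if m:
            runas, item = m.group(1).strip(), item[m.end():]
        m = TAG.match(item)
        while m:
            if m.group(1) == "NOPASSWD":
                needs_password = False
            elif m.group(1) == "PASSWD":
                needs_password = True
            item = item[m.end():]
            m = TAG.match(item)
        if item:
            result.append((item, runas, needs_password))
    return result

def passwordless_all(spec):
    """True if the spec lets the user run ALL commands unauthenticated."""
    return any(cmd == "ALL" and not pw
               for cmd, _, pw in password_requirements(spec))

if __name__ == "__main__":
    # Sample lines as they appear in the thread above.
    for line in ("root ALL=(ALL) ALL",
                 "userid ALL=(ALL) NOPASSWD: ALL",
                 "ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm"):
        print(line)
        for cmd, runas, pw in password_requirements(line):
            print("   %-15s as %-5s password %s" % (cmd, runas, "required" if pw else "NOT required"))
```
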