Open-source Languages & Tools for z/OS

  • 1.  sudo oddities

    Posted 06-21-2021 03:31
    This is sudo version 1.8.21p2

    When I ran sudo there were complaints about setuid bits and so on. After I corrected all that stuff, the sudo binary looks as follows:


    # ls -lEn sudo
    ---s--x--x -p-- 1 0 0 11964416 Apr 7 06:13 sudo


    If I run `sudo -l` as a normal user I get

    sudo: kerb5: unable to parse 'DEMNT15': Configuration file does not specify default realm

    Where and how do I specify a default realm?

    Thanks, Manfred

    ------------------------------
    Manfred Lotz
    IBM
    ------------------------------


  • 2.  RE: sudo oddities

    ROCKETEER
    Posted 06-21-2021 16:33
    Hello Manfred,

    The default realm is configured in the Kerberos config file, which is /etc/krb5.conf. This config file, however, should already contain proper values if Kerberos is used on your system. If Kerberos is not used, there's no point in adding that file - instead of that, you need to install the version of sudo configured to work without Kerberos. At the moment it is only available in Rocket's secure channel, the package name is sudo_nokrb.

    Regards,
    Vladimir

    ------------------------------
    Vladimir Ein
    Rocket Software
    ------------------------------
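
The default realm mentioned in the reply above is the `default_realm` key in the `[libdefaults]` section of krb5.conf. The following shell check is an added example, not part of the original thread or of Rocket's tooling; it assumes the MIT krb5 file format, and the function names are hypothetical. It reports whether a given file is missing, lacks the key, or sets a realm.

```shell
#!/bin/sh
# Added example: classify a krb5.conf-style file by whether [libdefaults]
# defines default_realm. Function names are hypothetical.

# Print the default_realm value from [libdefaults]; exit status 1 if none.
krb5_default_realm() {
    awk '
        /^[ \t]*[#;]/ { next }                 # skip comment lines
        /^[ \t]*\[/ {                          # section header, e.g. [realms]
            sect = $0
            gsub(/[][ \t]/, "", sect)          # strip brackets and blanks
            next
        }
        sect == "libdefaults" && /^[ \t]*default_realm[ \t]*=/ {
            val = $0
            sub(/^[^=]*=[ \t]*/, "", val)      # drop "default_realm ="
            sub(/[ \t]+$/, "", val)            # drop trailing blanks
            if (val != "") { print val; found = 1; exit }
        }
        END { exit(found ? 0 : 1) }
    ' "$1"
}

# Print one of: missing | no-default-realm | realm=<value>
krb5_realm_status() {
    conf=${1:-/etc/krb5.conf}
    if [ ! -r "$conf" ]; then
        echo "missing"              # no readable config file at this path
    elif realm=$(krb5_default_realm "$conf"); then
        echo "realm=$realm"
    else
        echo "no-default-realm"     # file exists but the key is not set
    fi
}

# When run directly with a path argument: sh check_realm.sh /etc/krb5.conf
if [ "$#" -gt 0 ]; then krb5_realm_status "$1"; fi
```

A `default_realm` line that appears under any other section, such as `[realms]`, is ignored, because only `[libdefaults]` supplies the default.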



  • 3.  RE: sudo oddities

    Posted 06-22-2021 01:43
    Hi Vladimir,
    Thanks for your reply.

    We don't use Kerberos.

    If I understand you correctly the publicly available sudo isn't usable by all who don't use Kerberos. Is there a time frame when Rocket plans to make a sudo without Kerberos available in the public channel?

    --
    Manfred

    ------------------------------
    Manfred Lotz
    IBM
    ------------------------------



  • 4.  RE: sudo oddities

    ROCKETEER
    Posted 06-22-2021 08:45
    It appears that this message is only a warning and does not prevent sudo from working correctly. Unfortunately there's no way to suppress the message.

    ------------------------------
    Vladimir Ein
    Rocket Software
    ------------------------------



  • 5.  RE: sudo oddities

    Posted 06-22-2021 09:12

    I am trying to understand.

    We have

    1. The sudo from the previous Rocket Ported Tools, i.e. 1.8.21p2 with build 005-nokrb doesn't show that message.

    Makes sense, as it is built without Kerberos support.

    2. The sudo from the miniconda install (public channel) which is 1.8.21p2 build 3 shows that message because it supports Kerberos.

    You say:
    > only a warning and does not prevent sudo from working correctly

    You are right. It works ok. Nevertheless, the message is ugly.

    The ideal solution would be if the Kerberos-based sudo could be used without the warning when Kerberos is not used. I almost cannot believe that this wouldn't be possible to configure.

    --
    Manfred



    ------------------------------
    Manfred Lotz
    IBM
    ------------------------------



  • 6.  RE: sudo oddities

    ROCKETEER
    Posted 06-22-2021 09:42
    Unfortunately it is configured at compile time and cannot be changed at runtime. If sudo is built with Kerberos support, it initializes the Kerberos authentication method at startup (no way around that). Without krb5.conf, Kerberos initialization fails, and sudo disables this authentication method and goes on as if there were no Kerberos at all - but there's no way to disable it permanently.

    ------------------------------
    Vladimir Ein
    Rocket Software
    ------------------------------



  • 7.  RE: sudo oddities

    ROCKETEER
    Posted 06-23-2021 07:44
    A follow-up on this - sudo_nokrb is expected to show up in the public channel by June 30.

    ------------------------------
    Vladimir Ein
    Rocket Software
    ------------------------------



  • 8.  RE: sudo oddities

    Posted 06-23-2021 08:41
    Thanks a lot, Vladimir.

    Sounds good!


    Manfred

    ------------------------------
    Manfred Lotz
    IBM
    ------------------------------