sudo command trying to search for hostname

14

2

Recently, I have changed the sudoers file and the hostname through /etc/hostname. After changing these files, my sudo command is taking a lot of time. Also, it says "sudo unable to resolve host kaagini" (the hostname of my machine).

Why does sudo have to know the hostname for providing permission to something?

My sudoers file has a command "Defaults env_reset". I saw some similar questions but the context is not a remote login here. The error is showing on a localhost.

Initial googling for the problem says that the /etc/hosts file must have the actual hostname for 127.0.0.1. This fixed my issue. But my actual question is: why do we require this for sudo? Should sudo work irrespective of the place of login?

prathmesh.kallurkar

Posted 2012-05-28T18:20:43.657

Reputation: 297

http://superuser.com/questions/how-to-ask – Der Hochstapler – 2012-05-28T18:23:13.983

@OliverSalzburg I have rephrased the question properly. Kindly let me know if anything is wrong – prathmesh.kallurkar – 2012-05-28T18:28:52.083

Answers

15

The /etc/sudoers file is designed to be able to be distributed among multiple servers. In order to accomplish this, each permission in the file has a host portion.

This is usually set to ALL= which means that the permission is valid for any server, however it can be set to specific hosts:

%sudo    kaagini=(ALL) ALL

In order for sudo to know whether this rule should be applied, it needs to look up the host it is running on. It uses a call that relies on /etc/hosts being correct, which is why it fails if it is not right.

It might be argued that sudo doesn't need to bother doing a name lookup if the host portion is set to ALL= for all permissions, but it just doesn't work that way - it appears to work out where it is running prior to processing the rules.

This is really for ease of maintenance as sudo only reads /etc/sudoers to see what the user can do on the current machine. But as an admin with 100 servers, this might require 100 different /etc/sudoers files to maintain. Because sudoers has a host portion in the permissions, you can maintain a single sudoers file and distribute it to all machines, yet still have granularity over what users can do on each machine.

Paul

Posted 2012-05-28T18:20:43.657

Reputation: 52 173

I consider that to be a bug (if there are only ALL rules then sudo doesn't need to know its host name) and thus have filed https://bugzilla.sudo.ws/show_bug.cgi?id=916

– Matthias Urlichs – 2020-02-10T08:34:23.520

Thanks for the answer. Can you come back to the distributed sudoers file again? See, I have an operating system running on machineA. Should the permissions file (/etc/sudoers) for this operating system be stored on other machines? Or does your answer mean to say that the sudo command can say something like user John can sudo from machineA but not from machineB? – prathmesh.kallurkar – 2012-05-29T08:51:42.563

It is really for ease of maintenance. sudo only reads /etc/sudoers to see what the user can do on the current machine. But as an admin with 100 servers, this might require 100 different /etc/sudoers files to maintain. Because sudoers has a host portion in the permissions, you can maintain a single sudoers file and distribute it to all machines, yet still have granularity over what users can do on each machine. – Paul – 2012-05-29T13:36:54.923

One more question: does the server administrator have to scp the new sudoers file every time there is a change in the main sudoers file, or does sudo provide a way to maintain the sudoers file over the network? – prathmesh.kallurkar – 2012-05-29T16:32:19.640

@prathmesh.kallurkar No, there isn't a built-in method of distributing, but this is Linux, so this is normal. You would use rsync or scp or another tool to get this part done. – Paul – 2012-05-29T23:34:42.253
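An added illustration of the point in this answer (this is not sudo's own code and not from the question or the answers): a simplified Python model of the sudoers host field showing why the local host name must be known before any rule can be applied. The sample file, the host names web1/web2, the literal user comparison and the "last matching item wins" rule for '!' negation are assumptions of this model.

```python
import re

# Constructed sample sudoers fragment for this demo (not the asker's real file).
SAMPLE_SUDOERS = """\
Defaults env_reset
Host_Alias WEB = web1, web2
root     ALL=(ALL) ALL
%sudo    kaagini=(ALL) ALL
john     WEB=(ALL) /usr/sbin/service
alice    ALL, !web2=(ALL) ALL
"""

# user  host_list = cmnd_spec ; the host list may hold ALL, names, aliases, '!'
RULE_RE = re.compile(r"^(\S+)\s+(.+?)\s*=\s*(.*)$")

def parse_sudoers(text):
    """Return (host_aliases, rules); each rule is (user, host_items, cmnd_spec)."""
    aliases, rules = {}, []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "Defaults")):
            continue
        if line.startswith("Host_Alias"):
            name, members = line[len("Host_Alias"):].split("=", 1)
            aliases[name.strip()] = [m.strip() for m in members.split(",")]
        elif (m := RULE_RE.match(line)):
            user, hosts, spec = m.groups()
            rules.append((user, [h.strip() for h in hosts.split(",")], spec))
    return aliases, rules

def host_list_matches(items, hostname, aliases):
    """Last matching item wins, '!' negates it; items: ALL, a host name, or a Host_Alias."""
    result = False
    for item in items:
        name = item.lstrip("!")
        negated = (len(item) - len(name)) % 2 == 1
        if name == "ALL" or name.lower() == hostname.lower() or (
                name in aliases and host_list_matches(aliases[name], hostname, aliases)):
            result = not negated
    return result

def rules_for(user, hostname, sudoers_text):
    """Command specs that apply to `user` on `hostname` (user match is literal here)."""
    aliases, rules = parse_sudoers(sudoers_text)
    return [spec for u, hosts, spec in rules
            if u == user and host_list_matches(hosts, hostname, aliases)]

def needs_hostname(sudoers_text):
    """True when some rule's host list is not just ALL, i.e. the local name matters."""
    _, rules = parse_sudoers(sudoers_text)
    return any(hosts != ["ALL"] for _, hosts, _ in rules)
```

With the sample file, `rules_for("john", "web1", SAMPLE_SUDOERS)` yields john's rule while the same call for `"kaagini"` yields nothing, and `needs_hostname` is the check that would let a file containing only ALL= rules skip the lookup that fails when /etc/hosts is wrong.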

-3

Puppet is configuration management software which is capable of configuring a fleet of servers automatically by reading Puppet manifest files. Such a file could include a definition of your /etc/sudoers file, which can then be pushed out to all your Puppet "agents" from your Puppet "master". Then all hosts will get the same copy of your /etc/sudoers file, which can (and should) include HOST definitions, so you can grant some users some commands on some hosts (but not on others).

Felipe Alvarez

Posted 2012-05-28T18:20:43.657

Reputation: 1 666

3

Can you expand your answer to explain what Puppet is, where to find it, and how to use it to solve the problem? (From review queue)

– fixer1234 – 2016-08-13T04:30:24.077

2

Please read How do I recommend software for some tips as to how you should go about recommending software. You should provide at least a link, some additional information about the software itself, and how it can be used to solve the problem in the question.

– DavidPostill – 2016-08-13T08:15:11.930