cannot access crontab with sudo after being added to /etc/sudoers list

1

My user "craig" is in the /etc/sudoers file on my CentOS 5.6 VM, however when I try to access the crontab using the command below I am presented with an error message:

sudo crontab -e -u crmpicco-stock-dev
[sudo] password for craig:
Sorry, user craig is not allowed to execute '/usr/bin/crontab -e' as root on dev.localdomain.

Why do I get this message, as I can see in my /etc/sudoers file that I can access the crontab requested?

Here is the entry from my /etc/sudoers file:

craig   ALL=(crmpicco-stock-dev) /usr/bin/crontab, /var/spool/cron/crmpicco-stock-dev

crmpicco

Posted 2012-12-20T16:39:49.697

Reputation: 305

Answers

1

The specification ALL=(crmpicco-stock-dev) /usr/bin/crontab means that on ALL hosts, you are allowed to run /usr/bin/crontab as the user crmpicco-stock-dev. This does not mean that sudo will, whenever you try to run /usr/bin/crontab, automatically select to do so as crmpicco-stock-dev - the default is still root, which the config disallows, and the error message gives it away: Sorry, user craig is not allowed [...] as root.

Try running sudo -u crmpicco-stock-dev crontab -e. That will tell sudo that you want to be crmpicco-stock-dev and invoke /usr/bin/crontab, which should be allowed; crontab -e will by default try to edit the crontab of the current user - which will be crmpicco-stock-dev, so you don't need to specify that again.

Putting the -u crmpicco-stock-dev after the first non-option, sudo will assume it's part of the command you want to run, and ignore it. The whole line looks similar, but means something very different.

Gabe

Posted 2012-12-20T16:39:49.697

Reputation: 1 837
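The two points in the answer above (sudo stops reading its own options at the first non-option word, and the run-as user is root unless sudo itself is given -u) can be checked against the invocations tried on this page. This is an added example, not part of the original answer and not sudo's own code: it is a simplified model that only understands sudo's -u option, and the names RULE, PATHS, split_sudo_argv and check are made up for the illustration.

```python
import shlex

# The sudoers rule from the question, expressed as data.
RULE = {
    "user": "craig",
    "runas": {"crmpicco-stock-dev"},
    "commands": {"/usr/bin/crontab", "/var/spool/cron/crmpicco-stock-dev"},
}
# Command paths as they appear in the error messages on this page.
PATHS = {"crontab": "/usr/bin/crontab", "su": "/bin/su"}


def split_sudo_argv(argv):
    """Split a 'sudo ...' argv into (target_user, command_words).

    Simplified model (assumption): only -u takes an argument.
    """
    target, i = "root", 1                # with no -u, sudo runs as root
    while i < len(argv):
        word = argv[i]
        if word == "-u" and i + 1 < len(argv):
            target, i = argv[i + 1], i + 2
        elif word == "--":               # explicit end of sudo's options
            i += 1
            break
        elif word.startswith("-"):       # any other sudo flag: skipped
            i += 1
        else:                            # first non-option: command starts
            break
    return target, argv[i:]


def check(invoking_user, command_line):
    """Return (allowed, target_user, command_path) under RULE."""
    target, cmd = split_sudo_argv(shlex.split(command_line))
    path = PATHS.get(cmd[0], cmd[0]) if cmd else None
    allowed = (invoking_user == RULE["user"]
               and target in RULE["runas"]
               # a path listed without arguments matches any arguments
               and path in RULE["commands"])
    return allowed, target, path


if __name__ == "__main__":
    for line in ("sudo crontab -e -u crmpicco-stock-dev",
                 "sudo crontab -u crmpicco-stock-dev -e",
                 'sudo su -c "crontab -e" crmpicco-stock-dev',
                 "sudo -u crmpicco-stock-dev crontab -e"):
        print(check("craig", line), line)
```

Only the last invocation is allowed by the model: in the first three, the -u (or the user name given to su) belongs to the command being run, so the target user sudo evaluates against the rule is still root.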

0

Can you try to do:

sudo crontab -u crmpicco-stock-dev -e

From the man page this seems to be the correct order.

Best Regards

ricciocri

Posted 2012-12-20T16:39:49.697

Reputation: 206

No, this produces the same error. So I don't think the order matters here. [craig@dev53 dev_crmpicco]$ sudo crontab -u crmpicco-stock-dev -e [sudo] password for craig: Sorry, user craig is not allowed to execute '/usr/bin/crontab -u crmpicco-stock-dev -e' as root on dev.localdomain. – crmpicco – 2012-12-20T17:03:08.783

An alternative could be to run: sudo su -c "crontab -e" crmpicco-stock-dev – ricciocri – 2012-12-20T17:19:02.970

Same again, unfortunately. Sorry, user craig is not allowed to execute '/bin/su -c crontab -e crmpicco-stock-dev' as root on dev.localdomain. – crmpicco – 2012-12-20T17:22:04.173

Have you changed /etc/sudoers to allow craig to execute /bin/su ? – ricciocri – 2012-12-20T17:39:12.703

I have edited my sudoers file with visudo to include the line Cmnd_Alias SU = /bin/su, there is no mention of the craig user in the file. Should adding the command alias line open it up for all users? After adding this line there has been no change to the problem - I'm still unable to access the crmpicco-stock-dev crontab with the craig user. Anything else I can try? – crmpicco – 2013-01-07T11:44:32.590

Changing /etc/sudoers to craig ALL=(ALL) ALL works, but it's not exactly what I was looking for. – crmpicco – 2013-01-07T11:58:02.173

0

I believe that you are going to have to contact your system administrator to help you in debugging the problem. I suspect that it is some type of artifact from either the setuid() or seteuid() calls in sudo and the fact that you are calling a SUID program. I've seen this before and it is most frustrating to fix.

How I might start to fix it is by trying to put the crontab call in an executable wrapper program with no special perms itself and using sudo to call the wrapper program instead.

mdpc

Posted 2012-12-20T16:39:49.697

Reputation: 4 176