clear "msgs" column under CentOS 5.x and later versions of Fedora despite hobbitclient.sh hack

Thomas Leavitt tleavitt at unameits.com
Fri Aug 15 08:03:28 CEST 2008


All,

 

I just spent way too much time too late at night to be doing this,
trying to figure out why my CentOS 5.1 VM had a "clear" under the
"msgs" column, despite having implemented the standard modification to
hobbitclient.sh and put the proper entry in /etc/sudoers. It was driving
me nuts, because it would work when I ran hobbitclient.sh as the user
hobbit, but not when it was executing as a service. It would just
sliently fail to execute without giving any error message... eventually
it occurred to me that I've been driven nuts this way by another
paranoid security mechanism that "silently" changes the way everything
works, SELinux, and decided to go grep for sudo in /var/log... where I
saw hordes of messages like this:

 

secure.2:Aug  3 03:46:43 dust-testlink-vm sudo:   hobbit : sorry, you
must have a tty to run sudo ; TTY=unknown ; PWD=/local/home/hobbit ;
USER=root ; COMMAND=/local/home/hobbit/client/bin/logfetch
/local/home/hobbit/client/tmp/logfetch.dust-testlink-vm.cfg
/local/home/hobbit/client/tmp/logfetch.dust-testlink-vm.status

 

 

Doh, I should've looked there sooner. Bleah.

 

It turns out that in these versions of RHEL and Fedora, they've locked
down sudo so that, by default, you can't run it unless you're attached
to a real tty... you have to comment out this line in /etc/sudoers:
"Defaults    requiretty".

 

Any comments on the security implications of turning this off? Is there
an alternative solution?

 

I figured I'd share this so the next person wouldn't go crazy the same
way.

 

Regards,

Thomas Leavitt

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.xymon.com/pipermail/xymon/attachments/20080814/f8db31ce/attachment.html>


More information about the Xymon mailing list