Sudoers syntax error - macos

Every time I run a sudo command, I get the following error message:
/etc/sudoers: syntax error near line 1 <<<
sudo: parse error in /etc/sudoers near line 1
sudo: no valid sudoers sources found, quitting
sudo: unable to initialize policy plugin
My sudoers file within /etc/ is empty. How do I resolve this issue? I'm on Mac OS High Sierra.

You could try this link to grab some sudoers file examples. Re-create your sudoers file using the visudo command.
http://www.softpanorama.org/Access_control/Sudo/sudoer_file_examples.shtml
In case the link breaks, here is a "default" sudoers file that is described on that page:
# Sample /etc/sudoers file.
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the sudoers man page for the details on how to write a sudoers file.
#
##
# User alias specification
##
User_Alias FULLTIMERS = millert, mikef, dowdy
User_Alias PARTTIMERS = bostley, jwfox, crawl
User_Alias WEBMASTERS = will, wendy, wim
##
# Runas alias specification
##
Runas_Alias OP = root, operator
Runas_Alias DB = oracle, sybase
##
# Host alias specification
##
Host_Alias SPARC = bigtime, eclipse, moet, anchor:\
SGI = grolsch, dandelion, black:\
ALPHA = widget, thalamus, foobar:\
HPPA = boa, nag, python
Host_Alias CUNETS = 128.138.0.0/255.255.0.0
Host_Alias CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0
Host_Alias SERVERS = master, mail, www, ns
Host_Alias CDROM = orion, perseus, hercules
##
# Cmnd alias specification
##
Cmnd_Alias DUMPS = /usr/sbin/dump, /usr/sbin/rdump, /usr/sbin/restore, \
/usr/sbin/rrestore, /usr/bin/mt
Cmnd_Alias KILL = /usr/bin/kill
Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm
Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown
Cmnd_Alias HALT = /usr/sbin/halt
Cmnd_Alias REBOOT = /usr/sbin/reboot
Cmnd_Alias SHELLS = /sbin/sh, /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh, \
/usr/local/bin/tcsh, /usr/bin/rsh, \
/usr/local/bin/zsh
Cmnd_Alias SU = /usr/bin/su
Cmnd_Alias VIPW = /usr/sbin/vipw, /usr/bin/passwd, /usr/bin/chsh, \
/usr/bin/chfn
##
# Override built-in defaults
##
Defaults syslog=auth
Defaults>root !set_logname
Defaults:FULLTIMERS !lecture
Defaults:millert !authenticate
Defaults@SERVERS log_year, logfile=/var/log/sudo.log
##
# User specification
##
# root and users in group wheel can run anything on any machine as any user
root ALL = (ALL) ALL
%wheel ALL = (ALL) ALL
# full time sysadmins can run anything on any machine without a password
FULLTIMERS ALL = NOPASSWD: ALL
# part time sysadmins may run anything but need a password
PARTTIMERS ALL = ALL
# jack may run anything on machines in CSNETS
jack CSNETS = ALL
# lisa may run any command on any host in CUNETS (a class B network)
lisa CUNETS = ALL
# operator may run maintenance commands and anything in /usr/oper/bin/
operator ALL = DUMPS, KILL, SHUTDOWN, HALT, REBOOT, PRINTING,\
sudoedit /etc/printcap, /usr/oper/bin/
# joe may su only to operator
joe ALL = /usr/bin/su operator
# pete may change passwords for anyone but root on the hp snakes
pete HPPA = /usr/bin/passwd [A-z]*, !/usr/bin/passwd root
# bob may run anything on the sparc and sgi machines as any user
# listed in the Runas_Alias "OP" (ie: root and operator)
bob SPARC = (OP) ALL : SGI = (OP) ALL
# jim may run anything on machines in the biglab netgroup
jim +biglab = ALL
# users in the secretaries netgroup need to help manage the printers
# as well as add and remove users
+secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser
# fred can run commands as oracle or sybase without a password
fred ALL = (DB) NOPASSWD: ALL
# on the alphas, john may su to anyone but root and flags are not allowed
john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*
# jen can run anything on all machines except the ones
# in the "SERVERS" Host_Alias
jen ALL, !SERVERS = ALL
# jill can run any commands in the directory /usr/bin/, except for
# those in the SU and SHELLS aliases.
jill SERVERS = /usr/bin/, !SU, !SHELLS
# steve can run any command in the directory /usr/local/op_commands/
# as user operator.
steve CSNETS = (operator) /usr/local/op_commands/
# matt needs to be able to kill things on his workstation when
# they get hung.
matt valkyrie = KILL
# users in the WEBMASTERS User_Alias (will, wendy, and wim)
# may run any command as user www (which owns the web pages)
# or simply su to www.
WEBMASTERS www = (www) ALL, (root) /usr/bin/su www
# anyone can mount/unmount a cd-rom on the machines in the CDROM alias
ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\
/sbin/mount -o nosuid\,nodev /dev/cd0a /CDROM

Never open the sudoers file with a normal editor. Always use visudo.
Just type
sudo visudo
This will take you to /etc/sudoers, and upon saving it will make sure that there is no error in formatting.
If you make an error in the sudoers file, you will lose sudo access, so always use visudo.

You can use pkexec if you are stuck.
pkexec allows you to execute a program as another user. If you don't specify a user, then the program will be executed as root.
Root Escalation
pkexec bash
Fix your syntax error
visudo

On Ubuntu 20.04, I encountered this error upon "sudo anycommand":
/etc/sudoers.d/sudoers: too many levels of includes near line 29 <<<
sudo: parse error in /etc/sudoers.d/sudoers near line 29
sudo: no valid sudoers sources found, quitting
sudo: unable to initialize policy plugin
My solution:
I do not know how the sudoers file was created in /etc/sudoers.d.
After reading the README in /etc/sudoers.d,
Extract of README:
Note that there must be at least one file in the sudoers.d directory (this one will do), and all files in this directory should be mode 0440.
I removed the sudoers file in /etc/sudoers.d:
pkexec rm /etc/sudoers.d/sudoers
The system will prompt for the user password.
After that, sudo commands can be executed as usual.
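
The checks the answers above describe can be scripted. The following shell sketch is an added example, not code from the thread: it audits a sudoers drop-in directory for files that are not mode 0440, files sudo skips because of their name, and files that carry their own include directive, which is one way to reach "too many levels of includes". The function name audit_sudoers_dir and the finding labels are assumptions made for this example.

```shell
#!/bin/sh
# Added example: read-only audit of a sudoers drop-in directory.
# audit_sudoers_dir and its finding labels are names made up for this sketch.

audit_sudoers_dir() {
    dir=$1
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=${f##*/}
        case $name in
            # includedir skips names ending in "~" or containing ".",
            # so sudo never parses these files.
            *"~"|*.*) echo "SKIPPED_BY_SUDO $f"; continue ;;
        esac
        # The README quoted above asks for mode 0440 on every file.
        if [ -n "$(find "$f" -prune ! -perm 0440)" ]; then
            echo "MODE_NOT_0440 $f"
        fi
        # A drop-in that itself includes files or directories can recurse
        # until sudo stops with "too many levels of includes".
        if grep -Eq '^[[:space:]]*[#@]include(dir)?[[:space:]]' "$f"; then
            echo "HAS_INCLUDE $f"
        fi
    done
}

# Constructed demo directory (not real system files).
demo=$(mktemp -d)
printf '%s\n' 'alice ALL = (ALL) ALL' > "$demo/10-ok"
printf '%s\n' 'bob ALL = (ALL) ALL' > "$demo/20-loose"
printf '%s\n' 'root ALL = (ALL) ALL' "#includedir $demo" > "$demo/sudoers"
printf '%s\n' 'carol ALL = ALL' > "$demo/old.bak"
chmod 0440 "$demo/10-ok" "$demo/sudoers" "$demo/old.bak"
chmod 0644 "$demo/20-loose"
audit_sudoers_dir "$demo"
rm -rf "$demo"
```

Run it as root against /etc/sudoers.d, then check each reported file with visudo -cf <file> before changing anything.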

Related

net-snmp on start says - "Error opening specified endpoint " in Raspberry pi - Jessica

My raspberry pi - jessica has got snmpd --version
NET-SNMP version: 5.7.2.1
Web: http://www.net-snmp.org/
Email: net-snmp-coders@lists.sourceforge.net
Now, I am trying to make a subagent application and running it.
When I try to run this I get the following error -
$ sudo snmpd -f -Lo -C --rwcommunity=public --master=agentx --agentXSocket=tcp:localhost:1705
pcilib: Cannot open /proc/bus/pci
pcilib: Cannot find any working access method.
pcilib: pci_init failed
error on subcontainer 'ia_addr' insert (-1)
Turning on AgentX master support.
Error opening specified endpoint ""
Server Exiting with code 1
Why do I get this error? Here is my snmpd.conf file.
###############################################################################
#
# EXAMPLE.conf:
# An example configuration file for configuring the Net-SNMP agent ('snmpd')
# See the 'snmpd.conf(5)' man page for details
#
# Some entries are deliberately commented out, and will need to be explicitly activated
#
###############################################################################
#
# AGENT BEHAVIOUR
#
# Listen for connections from the local system only
agentAddress udp:127.0.0.1:161
# Listen for connections on all interfaces (both IPv4 *and* IPv6)
#agentAddress udp:161,udp6:[::1]:161
###############################################################################
#
# SNMPv3 AUTHENTICATION
#
# Note that these particular settings don't actually belong here.
# They should be copied to the file /var/lib/snmp/snmpd.conf
# and the passwords changed, before being uncommented in that file *only*.
# Then restart the agent
# createUser authOnlyUser MD5 "remember to change this password"
# createUser authPrivUser SHA "remember to change this one too" DES
# createUser internalUser MD5 "this is only ever used internally, but still change the password"
# If you also change the usernames (which might be sensible),
# then remember to update the other occurances in this example config file to match.
###############################################################################
#
# ACCESS CONTROL
#
# system + hrSystem groups only
view systemonly included .1.3.6.1.2.1.1
view systemonly included .1.3.6.1.2.1.25.1
# Full access from the local host
#rocommunity public localhost
# Default access to basic system info
rocommunity public default -V systemonly
# Full access from an example network
# Adjust this network address to match your local
# settings, change the community string,
# and check the 'agentAddress' setting above
#rocommunity secret 10.0.0.0/16
# Full read-only access for SNMPv3
rouser authOnlyUser
# Full write access for encrypted requests
# Remember to activate the 'createUser' lines above
#rwuser authPrivUser priv
# It's no longer typically necessary to use the full 'com2sec/group/access' configuration
# r[ow]user and r[ow]community, together with suitable views, should cover most requirements
###############################################################################
#
# SYSTEM INFORMATION
#
# Note that setting these values here, results in the corresponding MIB objects being 'read-only'
# See snmpd.conf(5) for more details
sysLocation Sitting on the Dock of the Bay
sysContact Me <me@example.org>
# Application + End-to-End layers
sysServices 72
#
# Process Monitoring
#
# At least one 'mountd' process
proc mountd
# No more than 4 'ntalkd' processes - 0 is OK
proc ntalkd 4
# At least one 'sendmail' process, but no more than 10
proc sendmail 10 1
# Walk the UCD-SNMP-MIB::prTable to see the resulting output
# Note that this table will be empty if there are no "proc" entries in the snmpd.conf file
#
# Disk Monitoring
#
# 10MBs required on root disk, 5% free on /var, 10% free on all other disks
disk / 10000
disk /var 5%
includeAllDisks 10%
# Walk the UCD-SNMP-MIB::dskTable to see the resulting output
# Note that this table will be empty if there are no "disk" entries in the snmpd.conf file
#
# System Load
#
# Unacceptable 1-, 5-, and 15-minute load averages
load 12 10 5
# Walk the UCD-SNMP-MIB::laTable to see the resulting output
# Note that this table *will* be populated, even without a "load" entry in the snmpd.conf file
###############################################################################
#
# ACTIVE MONITORING
#
# send SNMPv1 traps
trapsink localhost public
# send SNMPv2c traps
#trap2sink localhost public
# send SNMPv2c INFORMs
#informsink localhost public
# Note that you typically only want *one* of these three lines
# Uncommenting two (or all three) will result in multiple copies of each notification.
#
# Event MIB - automatically generate alerts
#
# Remember to activate the 'createUser' lines above
iquerySecName internalUser
rouser internalUser
# generate traps on UCD error conditions
defaultMonitors yes
# generate traps on linkUp/Down
linkUpDownNotifications yes
###############################################################################
#
# EXTENDING THE AGENT
#
#
# Arbitrary extension commands
#
extend test1 /bin/echo Hello, world!
extend-sh test2 echo Hello, world! ; echo Hi there ; exit 35
#extend-sh test3 /bin/sh /tmp/shtest
# Note that this last entry requires the script '/tmp/shtest' to be created first,
# containing the same three shell commands, before the line is uncommented
# Walk the NET-SNMP-EXTEND-MIB tables (nsExtendConfigTable, nsExtendOutput1Table
# and nsExtendOutput2Table) to see the resulting output
# Note that the "extend" directive supercedes the previous "exec" and "sh" directives
# However, walking the UCD-SNMP-MIB::extTable should still returns the same output,
# as well as the fuller results in the above tables.
#
# "Pass-through" MIB extension command
#
#pass .1.3.6.1.4.1.8072.2.255 /bin/sh PREFIX/local/passtest
#pass .1.3.6.1.4.1.8072.2.255 /usr/bin/perl PREFIX/local/passtest.pl
# Note that this requires one of the two 'passtest' scripts to be installed first,
# before the appropriate line is uncommented.
# These scripts can be found in the 'local' directory of the source distribution,
# and are not installed automatically.
# Walk the NET-SNMP-PASS-MIB::netSnmpPassExamples subtree to see the resulting output
#
# AgentX Sub-agents
#
# Run as an AgentX master agent
master agentx
# Listen for network connections (from localhost)
# rather than the default named socket /var/agentx/master
#agentXSocket tcp:localhost:705
It's probably too late for Bali Vinayak, but it might help others with a similar issue.
On Ubuntu 16.04.5 LTS, NET-SNMP version: 5.7.3, I solved the same error by setting snmpd to use TCP instead of UDP.
So edit /etc/snmp/snmpd.conf:
agentAddress tcp:127.0.0.1:161
Then I got no error running the startup command:
systemctl start snmpd.service
There is a bug in the /etc/snmp/snmpd.conf file.
Search for
trapsink localhost public
and add :162 after localhost, such as
trapsink localhost:162 public
Reference: https://github.com/net-snmp/net-snmp/issues/34
I resolved it by editing /etc/snmp/snmpd.conf to this:
# agentaddress 127.0.0.1,[::1]
agentaddress 127.0.0.1
There is also another, simpler case which results in the "Error opening specified endpoint" message. Because other posts seem to be referring to this at least indirectly, I will post it under this topic also. See my case:
root@am335x-evm:~# /etc/init.d/snmpd stop
Stopping network management services: snmpd snmptrapd.
Then trying to start snmpd manually:
root@am335x-evm:~# /usr/sbin/snmpd -Lo -a -f
Error opening specified endpoint "127.0.0.1"
Server Exiting with code 1
But look:
root@am335x-evm:~# ps aux | grep snmp
root 562 0.4 3.7 30944 9168 ? Ssl 18:17 0:00 /usr/sbin/snmpd -Ls0-6d -a -f
root 570 0.0 1.9 8880 4792 ? Ss 18:17 0:00 /usr/sbin/snmptrapd -Lsd -f
root 692 0.0 0.6 2352 1636 pts/0 S+ 18:21 0:00 grep snmp
So, the init script did not actually stop it. Stopping it properly:
root@am335x-evm:~# systemctl stop snmpd
root@am335x-evm:~# ps aux | grep snmp
root 570 0.0 1.9 8880 4792 ? Ss 18:17 0:00 /usr/sbin/snmptrapd -Lsd -f
root 708 0.0 0.6 2352 1520 pts/0 S+ 18:24 0:00 grep snmp
Then trying to run:
root@am335x-evm:~# /usr/sbin/snmpd -Lo -a -f
NET-SNMP version 5.8
It works.
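
The answers above each change one endpoint setting in snmpd.conf. This added example (not from the thread or the Net-SNMP project) parses a config and lists every listener, trap sink and AgentX setting that is actually active, flagging an IPv6 listener and a trap sink without an explicit port, the two settings the answers edited. The function name snmpd_conf_endpoints and the output labels are assumptions.

```shell
#!/bin/sh
# Added example: list the endpoints an snmpd.conf asks the agent to open.
# snmpd_conf_endpoints and its output labels are names made up for this sketch.

snmpd_conf_endpoints() {
    awk '
    /^[ \t]*(#|$)/ { next }              # skip comments and blank lines
    { key = tolower($1) }                # the page shows agentAddress and agentaddress
    key == "agentaddress" {
        n = split($2, specs, ",")        # one directive may carry several listeners
        for (i = 1; i <= n; i++) {
            spec = specs[i]
            proto = "udp"                # transport when the prefix is omitted
            if (match(spec, /^(udp6?|tcp6?|unix):/)) {
                proto = substr(spec, 1, RLENGTH - 1)
                spec = substr(spec, RLENGTH + 1)
            }
            print "listen", proto, spec
            if (proto ~ /6$/ || spec ~ /^\[/)
                print "flag ipv6-listener", spec
        }
    }
    key == "trapsink" || key == "trap2sink" || key == "informsink" {
        print "sink", key, $2
        if ($2 !~ /:[0-9]+$/)
            print "flag sink-without-port", $2
    }
    key == "master"       { print "agentx-master", $2 }
    key == "agentxsocket" { print "agentx-socket", $2 }
    ' "$@"
}

# Constructed sample: lines from the question and the answers.
snmpd_conf_endpoints <<'EOF'
agentAddress udp:127.0.0.1:161
#agentAddress udp:161,udp6:[::1]:161
agentaddress 127.0.0.1,[::1]
trapsink localhost public
trap2sink localhost:162 public
master agentx
#agentXSocket tcp:localhost:705
EOF
```

Pass a file path instead of standard input to check a real config, for example snmpd_conf_endpoints /etc/snmp/snmpd.conf.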

Weird output when I run sh file.

I've made a sh file
#!/bin/bash
myvariable=Hello
anothervar=Fred
echo $myvariable $anothervar
echo
sampledir=/etc
ls $sampledir
When I run it with
$ sh simplevariables.sh
I get this output:
afpovertcp.cfg networks
afpovertcp.cfg~orig networks~orig
aliases newsyslog.conf
aliases.db newsyslog.d
apache2 nfs.conf
asl nfs.conf~orig
asl.conf notify.conf
auto_home ntp-restrict.conf
auto_master ntp.conf
auto_master~orig ntp_opendirectory.conf
autofs.conf openldap
bashrc pam.d
bashrc_Apple_Terminal passwd
bashrc~previous passwd~orig
com.apple.IPConfiguration.plist paths
com.apple.screensharing.agent.launchd paths~orig
csh.cshrc periodic
csh.cshrc~orig pf.anchors
csh.login pf.conf
csh.login~orig pf.os
csh.logout php-fpm.conf.default
csh.logout~orig php.ini.default
cups php.ini.default-previous
defaults postfix
dnsextd.conf ppp
efax.rc~previous profile
emond.d profile~orig
find.codes protocols
find.codes~orig protocols~previous
fstab.hd racoon
fstab.hd~previous rc.common
ftpd.conf rc.common~previous
ftpd.conf.default rc.netboot
ftpusers resolv.conf
ftpusers~orig rmtab
gettytab rpc
gettytab~orig rpc~previous
group rtadvd.conf
group~previous rtadvd.conf~previous
hosts security
hosts-original services
hosts.equiv services~previous
hosts~orig shells
irbrc shells~orig
kern_loader.conf snmp
kern_loader.conf~previous ssh
krb5.keytab ssl
localtime sudo_lecture
locate.rc sudoers
mach_init.d sudoers.d
mach_init_per_login_session.d sudoers~orig
mach_init_per_user.d syslog.conf
mail.rc syslog.conf~previous
mail.rc~orig ttys
man.conf ttys~previous
manpaths xtab
master.passwd zprofile
master.passwd~orig zshrc
nanorc
Any suggestions how to just get an output of
Hello Fred
What should I do to get rid of all the unnecessary Garbo and just the output?
This happens to all the other scripting files that I run as well. Any suggestions?
You should remove this
sampledir=/etc
ls $sampledir
It is printing out the contents of /etc, and you are not seeing your wanted output.

apache chown on its files not working

My apache user generates one file:
# ls -lsa /tmp/reference_file.csv
76 -rwxrwxrwx 1 apache apache 69921 Aug 16 14:14 /tmp/reference_file.csv
The user and the group belong to apache, but when I try to change it:
su -l apache -s /bin/bash
-bash-3.00$ whoami
apache
-bash-3.00$ chown explorer:btunix /tmp/reference_file.csv
chown: changing ownership of `/tmp/reference_file.csv': Operation not permitted
I tried another folder, but the result was the same. I've also checked the attributes:
# lsattr /tmp/reference_file.csv
------------- /tmp/reference_file.csv
There is no immutable attribute.
What can I do?
Thanks
There are criteria associated with chown. Only super-user can chown files willy-nilly. Whether you can give away a file that you own depends on your UNIX flavor and how associated kernel configuration parameters (like K_CHOWN_MAY_GIVE_AWAY, for argument's sake) may have been, well, configured. This is the most GENERALLY correct answer.

Asterisk GUI - Checking Write Permission for GUI Folder

I have installed Asterisk and Asterisk GUI on an Ubuntu Desktop 14.04. When I go to the GUI page and login it comes up and says "Checking write permission for gui folder" and stays on that screen.
http.conf file:
[general]
enabled = yes
bindaddr = 10.0.0.16
bindport = 8088
prefix = asterisk
;sessionlimit=100
enablestatic = yes
redirect = / /asterisk/static/config/index.htm
manager.conf file:
[general]
enabled = yes
webenabled = yes
port = 5038
bindaddr = 10.0.0.16
;#include "manager.d/*.conf"
[admin]
secret = admin
read = system,call,log,verbose,command,agent,user,config
write = system,call,log,verbose,command,agent,user,config,originate
Those config files have no relation.
1) Check in asterisk.conf which user it uses (usually asterisk).
2) Do
chown asterisk /var/lib/asterisk/ /var/spool/asterisk -R
chmod 777 should only be required when the user asterisk has not been added or when its group membership is somehow messed up - otherwise a chown should be enough to open the astdb.sqlite3 in read/write mode.
chown -R asterisk:asterisk /etc/asterisk/ /var/lib/asterisk /usr/share/asterisk
chmod 644 /etc/asterisk/*

Files created through Cygwin (calling a shell script) don't have correct Windows permissions

I am currently running Cygwin on a target Windows Server 2003 machine to fire off a shell script that, among other things, creates a bunch of files on disc. However after the files are created I no longer have permissions to manipulate them through Windows.
When the files are created the owner is getting set to 'SYSTEM' and the permissions for Administrators/Creator Group/Creator Owner/system are set to only 'special permissions' and nothing else.
The permissions for Everyone and Users have Read & Execute, List folder contents and Read.
My problem is that I cannot delete/modify the files now through Windows. I would prefer to have something built into my scripts (either the shell script or something to call in Cygwin) that would allow Administrators full control on the folder and all contents.
My current workaround has been to do file modifications through Cygwin, but this is not preferable. I have also used setfacl -r -m default:other:rwx to add write permissions for the 'Users' group, but it doesn't appear to have a recursive option and still doesn't give 'full control'.
Is there a better way to use setfacl? Can I call the shell script using different/elevated permissions?
Results of getfacl on a newly created directory:
$ getfacl Directory/
# file: Directory/
# owner: SYSTEM
# group: root
user::rwx
group::r-x
group:Users:rwx
mask:rwx
other:r-x
default:user::rwx
default:group::r-x
default:group:Users:rwx
default:mask:rwx
default:other:r-x
You can try setting umask:
umask u=rwx,g=rwx,o=rwx
That should give user, group, and other read/write/execute on any newly created dirs.
If you only want the modified umask permanently, you can add it to your .bash_profile.
Edit - Added example of mkdir before/after umask.
Here's the output of getfacl on a directory created before I set umask:
[/cygdrive/c/Documents and Settings/NOYB/Desktop]
==> getfacl test_wo_umask/
# file: test_wo_umask/
# owner: NOYB
# group: Domain Users
user::rwx
group::r-x
group:root:rwx
group:SYSTEM:rwx
mask:rwx
other:r-x
default:user::rwx
default:user:NOYB:rwx
default:group::r-x
default:group:root:rwx
default:group:SYSTEM:rwx
default:mask:rwx
default:other:r-x
Here's the output of getfacl on a directory created after I set umask:
[/cygdrive/c/Documents and Settings/NOYB/Desktop]
==> getfacl test_w_umask/
# file: test_w_umask/
# owner: NOYB
# group: Domain Users
user::rwx
group::rwx
group:root:rwx
group:SYSTEM:rwx
mask:rwx
other:rwx
default:user::rwx
default:user:NOYB:rwx
default:group::rwx
default:group:root:rwx
default:group:SYSTEM:rwx
default:mask:rwx
default:other:rwx

Resources