# sudo not allowing access [solved]

## grx

I've put these lines into /etc/sudoers:

```
# User privilege specification
root    ALL=(ALL) ALL

# Uncomment to allow people in group wheel to run all commands
# %wheel        ALL=(ALL)       ALL

# Same thing without a password
# %wheel        ALL=(ALL)       NOPASSWD: ALL

# Users in group www are allowed to  edit httpd.conf and ftpd.conf
# using sudoedit, or sudo -e, without a password.
# %www          ALL=(ALL)       NOPASSWD: sudoedit /etc/httpd.conf, /etc/ftpd.conf

# Samples
# %users  ALL=/sbin/mount /cdrom,/sbin/umount /cdrom
# %users  localhost=/sbin/shutdown -h now

george   localhost = /usr/libexec/xfsm-shutdown-helper
george   localhost = /usr/bin/emerge
```

Now if I try to run anything, it gives me this:

```
 sudo -l
Password:
Sorry, user george may not run sudo on washington.
```

/var/log/messages gets this line:

```
Apr 16 22:46:12 washington sudo:    george : command not allowed ; TTY=pts/0 ; PWD=/home/george ; USER=root ; COMMAND=list
```

What gives?  Am I misunderstanding how to put the lines into the sudoers file?

Last edited by grx on Mon Apr 17, 2006 6:24 pm; edited 1 time in total

----------

## phajdan.jr

Change 'localhost' to 'ALL'.

----------

## grx

That works, but I'd rather not make it possible to sudo remotely.  What do I have to fix to get it to work that way?

----------

## phajdan.jr

Well, it doesn't work like that. There is a 'host' entry because the same sudoers file can be used on several machines. Then each computer reads only 'its' entries... It's not a host you connect from, but a host you run the command on.

I don't know how to set it up in the way you want. You could create another user, not allowed to connect remotely etc. But in my opinion there is nothing to worry about. Just give the user a strong password, block the account after say 3 failed login attempts, maybe in some combination with port knocking / one time passwords... It should be quite safe, really.

----------

## grx

Actually, I just discovered that the problem is the "localhost".  It needs the actual host name, so when I change it to "washington", it works fine.  Thinking about it, I decided to keep the ALL anyway.  Thanks all!

----------
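The host-field behaviour worked out in this thread, as an added example that is not part of any post and is not sudo's own code: a simplified Python model that evaluates user specification lines against the name of the machine sudo runs on, and flags entries that can never match there. It assumes only `ALL` and literal or wildcard host names (no `Host_Alias`, netgroups, IP addresses or negation); the function names are hypothetical.

```python
import fnmatch
import re

# Constructed sample: the active (uncommented) lines from the sudoers file in the thread.
SUDOERS = """\
root    ALL=(ALL) ALL
george   localhost = /usr/libexec/xfsm-shutdown-helper
george   localhost = /usr/bin/emerge
"""

SPEC = re.compile(r"^(?P<user>\S+)\s+(?P<hosts>[^=]+?)\s*=\s*(?P<cmds>.+)$")
SKIP = re.compile(r"^(#|Defaults\b|\w+_Alias\b)")


def parse_specs(text):
    """Yield (user, [hosts], rest) for each plain user specification line."""
    for line in map(str.strip, text.splitlines()):
        m = None if SKIP.match(line) else SPEC.match(line)
        if m:
            hosts = [h.strip() for h in m.group("hosts").split(",")]
            yield m.group("user"), hosts, m.group("cmds").strip()


def host_matches(pattern, hostname):
    """ALL matches any machine; anything else must match the local host name."""
    if pattern == "ALL":
        return True
    return fnmatch.fnmatchcase(hostname.lower(), pattern.lower())


def allowed(text, user, hostname):
    """Specs that apply to `user` when sudo itself runs on `hostname`."""
    return [rest for u, hosts, rest in parse_specs(text)
            if u == user and any(host_matches(h, hostname) for h in hosts)]


def dead_specs(text, hostname):
    """Specs whose host list never matches this machine (silently ignored here)."""
    return [(u, hosts) for u, hosts, _ in parse_specs(text)
            if not any(host_matches(h, hostname) for h in hosts)]


if __name__ == "__main__":
    print(allowed(SUDOERS, "george", "washington"))
    print(allowed(SUDOERS.replace("localhost", "washington"), "george", "washington"))
    print(dead_specs(SUDOERS, "washington"))
```

Run against the sample, george gets no matching entries on `washington` until `localhost` is replaced by the machine's own name, and `dead_specs` lists the two ignored lines.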

