Sudoers [SOLVED]

Post by nwha03498 »

Hey guys!
I'm running Zimbra 8.8 on Ubuntu 16.04.5 LTS. The issue I've encountered is that whenever I run anything for Zimbra as the zimbra user, I get prompted to enter the user password. For instance, I'll run ./zmcontrol status and be prompted at seemingly random intervals for the zimbra user password. I checked the wiki entry for this issue & modified my sudoers file accordingly, but the entry states that this shouldn't be an issue past Zimbra 8.7. I also checked the sudoers.d directory; it has the following:

File: 01_zimbra

```
Defaults:zimbra !requiretty
```

File: 02_zimbra-core

```
%zimbra ALL=NOPASSWD:/opt/zimbra/libexec/zmstat-fd *
```

File: 02_zimbra-dnscache

```
%zimbra ALL=NOPASSWD:/opt/zimbra/libexec/zmunbound
%zimbra ALL=NOPASSWD:/sbin/resolvconf *
```

File: 02_zimbra-ldap

```
%zimbra ALL=NOPASSWD:/opt/zimbra/libexec/zmslapd
```

File: 02_zimbra-proxy

```
%zimbra ALL=NOPASSWD:/opt/zimbra/common/sbin/nginx
```

File: 02_zimbra-store

```
%zimbra ALL=NOPASSWD:/opt/zimbra/libexec/zmmailboxdmgr
```

as well as the readme for sudoers. My current sudoers file looks like:

```
#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults        env_reset
Defaults        mail_badpass
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"

# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification
root    ALL=(ALL:ALL) ALL

# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL

# Allow members of group sudo to execute any command
%sudo   ALL=(ALL:ALL) ALL

# See sudoers(5) for more information on "#include" directives:

#includedir /etc/sudoers.d

%zimbra ALL=NOPASSWD:/opt/zimbra/libexec/zmstat-fd *
%zimbra ALL=NOPASSWD:/opt/zimbra/libexec/zmslapd
%zimbra ALL=NOPASSWD:/opt/zimbra/postfix/sbin/postfix, /opt/zimbra/postfix/sbin/postalias, /opt/zimbra/postfix/sbin/qshape.pl, /opt/zimbra/postfix/sbin/postconf,/opt/zimbra/postfix/sbin/postsuper
%zimbra ALL=NOPASSWD:/opt/zimbra/libexec/zmqstat,/opt/zimbra/libexec/zmmtastatus
%zimbra ALL=NOPASSWD:/opt/zimbra/amavisd/sbin/amavis-mc
%zimbra ALL=NOPASSWD:/opt/zimbra/libexec/zmunbound
%zimbra ALL=NOPASSWD:/sbin/resolvconf *
%zimbra ALL=NOPASSWD:/opt/zimbra/libexec/zmmailboxdmgr
%zimbra ALL=NOPASSWD:/opt/zimbra/bin/zmcertmgr
%zimbra ALL=NOPASSWD:/opt/zimbra/nginx/sbin/nginx
```

(All of the %zimbra stuff was added by me recently; it wasn't in there before I edited the doc via visudo.)
Last edited by nwha03498 on Fri Aug 24, 2018 5:37 pm, edited 1 time in total.

Re: Sudoers

Post by nwha03498 »

After cross-referencing between what's in my sudoers directory and what the forum post states I should have in my sudoers file, it appears as though there aren't entries for the following components within my sudoers directory:

```
%zimbra ALL=NOPASSWD:/opt/zimbra/postfix/sbin/postfix, /opt/zimbra/postfix/sbin/postalias, /opt/zimbra/postfix/sbin/qshape.pl, /opt/zimbra/postfix/sbin/postconf,/opt/zimbra/postfix/sbin/postsuper
%zimbra ALL=NOPASSWD:/opt/zimbra/libexec/zmqstat,/opt/zimbra/libexec/zmmtastatus
%zimbra ALL=NOPASSWD:/opt/zimbra/amavisd/sbin/amavis-mc
%zimbra ALL=NOPASSWD:/opt/zimbra/bin/zmcertmgr
```

Could this be the cause of the issue? If so where and under what file names should I place these entries?

Re: Sudoers

Post by nwha03498 »

I set up a "dummy" server with a fresh Zimbra install on it to cross-reference what should be in sudoers.d vs. what I had. I was missing the 02_zimbra-mta file. Not sure how this happened. The issues coincided with the install & configuration of OSSEC HIDS on the server as well as an Ubuntu update. For future reference, if anyone needs it, the 02_zimbra-mta file in sudoers.d should contain the following:

```
%zimbra ALL=NOPASSWD:/opt/zimbra/common/sbin/postfix
%zimbra ALL=NOPASSWD:/opt/zimbra/common/sbin/postalias
%zimbra ALL=NOPASSWD:/opt/zimbra/common/sbin/qshape.pl
%zimbra ALL=NOPASSWD:/opt/zimbra/common/sbin/postconf
%zimbra ALL=NOPASSWD:/opt/zimbra/common/sbin/postsuper
%zimbra ALL=NOPASSWD:/opt/zimbra/common/sbin/postcat
%zimbra ALL=NOPASSWD:/opt/zimbra/libexec/zmqstat
%zimbra ALL=NOPASSWD:/opt/zimbra/libexec/zmmtastatus
%zimbra ALL=NOPASSWD:/opt/zimbra/common/sbin/amavis-mc
```
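
An added example, not part of the original posts: the rules hand-added to /etc/sudoers earlier in the thread name /opt/zimbra/postfix/sbin/... while the fresh install's 02_zimbra-mta names /opt/zimbra/common/sbin/..., and a NOPASSWD rule only covers the exact path it names, so this sketch lists NOPASSWD command paths that are not present on disk. The function names are hypothetical, the parser handles only the `%group ALL=NOPASSWD:` form seen in this thread, and the scratch directory and its files are constructed.

```sh
#!/bin/sh
# Added example: find NOPASSWD rules whose command path is not on disk.
# Rule text comes from the thread; the scratch root below is constructed.

# Print each command path granted NOPASSWD in the sudoers text on stdin.
# Only the "%group ALL=NOPASSWD:cmd[, cmd...]" form from the thread is parsed;
# arguments such as the trailing " *" are dropped.
nopasswd_cmds() {
    sed -n 's/^%[A-Za-z0-9_-]*[[:space:]]*ALL=NOPASSWD:[[:space:]]*//p' |
        tr ',' '\n' |
        awk 'NF { print $1 }'
}

# Print the paths read from stdin that are not executable files under ROOT.
# ROOT is "" on a live host and a scratch directory in demo().
stale_cmds() {
    root=$1
    while IFS= read -r cmd; do
        [ -f "$root$cmd" ] && [ -x "$root$cmd" ] || printf '%s\n' "$cmd"
    done
}

# Constructed layout: binaries live under common/sbin as in the fresh
# install's 02_zimbra-mta; two rules still use the postfix/sbin paths.
demo() {
    scratch=$(mktemp -d)
    mkdir -p "$scratch/opt/zimbra/common/sbin" "$scratch/opt/zimbra/libexec"
    for f in common/sbin/postfix common/sbin/postconf libexec/zmqstat; do
        : > "$scratch/opt/zimbra/$f"
        chmod 755 "$scratch/opt/zimbra/$f"
    done
    nopasswd_cmds <<'EOF' | stale_cmds "$scratch"
%zimbra ALL=NOPASSWD:/opt/zimbra/postfix/sbin/postfix, /opt/zimbra/postfix/sbin/postconf
%zimbra ALL=NOPASSWD:/opt/zimbra/common/sbin/postfix
%zimbra ALL=NOPASSWD:/opt/zimbra/libexec/zmqstat
EOF
    rm -rf "$scratch"
}

demo
```

On a live host, run `cat /etc/sudoers /etc/sudoers.d/* | nopasswd_cmds | stale_cmds ""` as root, and check any edit with `visudo -c` before relying on it.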

Re: Sudoers [SOLVED]

Post by themetman »

Thank You! Thank You! Thank You!
I have just done a fresh install and migrated from old server, and ran into this problem.
The MTA service was reported as not running in the Administration Browser, so from command line ran into this problem.
You have saved me considerable anguish!!!