I’m not sure what security feature I need to enable or disable to allow me to sudo. I get the below error.

sudo -i
-bash: /usr/bin/id: Permission denied
-bash: /usr/libexec/grepconf.sh: /bin/bash: bad interpreter: Permission denied
-bash: /usr/bin/tty: Permission denied
-bash: /usr/libexec/grepconf.sh: /bin/bash: bad interpreter: Permission denied
-bash: /usr/libexec/grepconf.sh: /bin/bash: bad interpreter: Permission denied
-bash: /usr/bin/sed: Permission denied
-bash: /bin/cat: Permission denied

or

$ sudo su -
su: failed to execute /bin/bash: Permission denied

The user has a sudoers file setup for passwordless sudo. The only way around this is to use su instead which we don’t want to do.

Add the user to the wheel group.

Can you share the output of grep -v “#” /etc/sudoers

That is assuming that the “sudoers file setup” is in the file /etc/sudoers.
It would be cleaner to create a new file in /etc/sudoers.d/ than edit the /etc/sudoers.

I have.
id
uid=1002(ansible) gid=1003(ansible) groups=1003(ansible),10(wheel),1001(sshusers) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
/etc/sudoers

Allows people in group wheel to run all commands

%wheel ALL=(ALL) ALL

Same thing without a password

#%wheel ALL=(ALL) NOPASSWD: ALL

cat /etc/sudoers.d/ansible
ansible ALL=(ALL) NOPASSWD: ALL

This is essentially the same setup we had for our Centos boxes.

Blockquote

What are the permissions of /etc/sudoers.d/ansible?

ls -la /etc/sudoers.d/ansible
-rw-r–r–. 1 root root 32 Feb 3 09:54 /etc/sudoers.d/ansible

Sudo won’t accept that. Set it to 0440.

Looks like a minimal installation doesn’t have this issue. Perhaps the full dvd install has either a bug or additional security. Setting the file to 0440 didn’t help either. In any case, I will be reinstalling with minimal.

I would not concentrate on sudo alone with this issue.

there seems something else that’s wrong with your installation.
I would check the permissions of the mentioned files and of the bash executable and also the permissions of sudo itself.

I wonder if SELinux is preventing stuff from running; you could test this by temporarily disabling it (setenforce 0) and seeing if sudo now works.

I’d also check that you are running the right sudo command (eg not a site local replacement). I’d also look in /var/log/messages to see if anything is being flagged.

Also: separate account for Ansible? What is the usage scenario for it?
(Still learning that beast, so might have missed the obvious.)

Did you go into visudo
and under the:

Allow root to run any commands anywhere

root ALL=(ALL) ALL
(your account here) ALL=(ALL) ALL

also check vim /etc/pam.d/su
and uncomment the following line
auth required pam_wheel.so use_uid

Thank you everyone. I’ve nuked the installations and restarting with minimal. Its seems to work without any additional config.

One possible reason comes to me mind, which is a thing you have with multiple regular users and file permissions and ownership is: only owner can change ownership and permissions. If you run non-root stuff in your playbook and have to set permissions/ownership in it and have multiple sysadmins with separate user accounts for each one of them… you see?

If it’s a single user home setup, you don’t need to do any of this, you can just choose to make the user an “administrator” at Rocky 8.x install time. This works for both minimal and full iso.

Hummmmm. I’ve had problems with “sudo” along your lines. I finally ditched sudo and stuck with plain ol’ vanilla “su”, enter my secret sauce password and be on my merry way.

Remove or comment Defaults noexec from /etc/sudoers file.
When noexec option is enabled only commands specified in “secure_path” (into /etc/sudoers` file) are allowed to execute