VxRail: VxVerify – sudoers: Missing permissions in ‘/etc/sudoers’

Even though I find it very sad how the fantastic hyperconverged and VMware-integrated solution Dell VxRail is currently being handled, there are still plenty of customers who are thrilled with it.
During a vSphere 8 patch from 8.0 U2 to 8.0 U3, I was confronted with the above-mentioned challenge from VxVerify.
Don’t know what VxVerify is? See here:
#========================#=======#========#====================================================================#==============#
| Hostname / Category |Status Dell_KB | Warnings or Failures, unless tests Passed ; Product S.N. |
#========================#=======#========#====================================================================#==============#
| VxRM | Warning 337432 | sudoers: Missing permissions in '/etc/sudoers'. .|
This warning occurs when the file /etc/sudoers is missing the following entries: tcserver ALL=(ALL) ALL and Defaults:tcserver targetpw. If they are not present, a warning is thrown as shown above.
The expected content of the /etc/sudoers file is:
less /etc/sudoers
## sudoers file.
##
## This file MUST be edited with the 'visudo' command as root.
## Failure to use 'visudo' may result in syntax or file permission errors
## that prevent sudo from running.
##
## See the sudoers man page for the details on how to write a sudoers file.
##
##
## Host alias specification
##
## Groups of machines. These may include host names (optionally with wildcards),
## IP addresses, network numbers or netgroups.
# Host_Alias WEBSERVERS = www1, www2, www3
##
## User alias specification
##
## Groups of users. These may consist of user names, uids, Unix groups,
## or netgroups.
# User_Alias ADMINS = millert, dowdy, mikef
##
## Cmnd alias specification
##
## Groups of commands. Often used to group related commands together.
# Cmnd_Alias PROCESSES = /usr/bin/nice, /bin/kill, /usr/bin/renice, \
# /usr/bin/pkill, /usr/bin/top
# Cmnd_Alias REBOOT = /sbin/halt, /sbin/reboot, /sbin/poweroff
##
## Defaults specification
##
## Prevent environment variables from influencing programs in an
## unexpected or harmful way (CVE-2005-2959, CVE-2005-4158, CVE-2006-0151)
Defaults always_set_home
## Path that will be used for every command run from sudo
Defaults secure_path="/usr/sbin:/usr/bin:/sbin:/bin"
Defaults env_reset
## Change env_reset to !env_reset in previous line to keep all environment variables
## Following list will no longer be nevessary after this change
Defaults env_keep = "LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_ATIME LC_ALL LANGUAGE LINGUAS XDG_SESSION_COOKIE"
## Comment out the preceding line and uncomment the following one if you need
## to use special input methods. This may allow users to compromise the root
## account if they are allowed to run commands without authentication.
#Defaults env_keep = "LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_ATIME LC_ALL LANGUAGE LINGUAS XDG_SESSION_COOKIE"
## Do not insult users when they enter an incorrect password.
Defaults !insults
## Uncomment to use a hard-coded PATH instead of the user's to find commands
# Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
##
## Uncomment to send mail if the user does not enter the correct password.
# Defaults mail_badpass
##
## Uncomment to enable logging of a command's output, except for
## sudoreplay and reboot. Use sudoreplay to play back logged sessions.
# Defaults log_output
# Defaults!/usr/bin/sudoreplay !log_output
# Defaults!REBOOT !log_output
## In the default (unconfigured) configuration, sudo asks for the root password.
## This allows use of an ordinary user account for administration of a freshly
## installed system. When configuring sudo, delete the two
## following lines:
Defaults !targetpw
##
## Runas alias specification
##
##
## User privilege specification
##
root ALL=(ALL) ALL
## Uncomment to allow members of group wheel to execute any command
# %wheel ALL=(ALL) ALL
## Same thing without a password
# %wheel ALL=(ALL) NOPASSWD: ALL
## Read drop-in files from /etc/sudoers.d
## (the '#' here does not indicate a comment)
#includedir /etc/sudoers.d
# For the STIG
mystic ALL=(ALL) NOPASSWD: /mystic/stig/info
service ALL=(ALL) NOPASSWD: /usr/sbin/rabbitmqctl *
service ALL=(ALL) NOPASSWD: /usr/sbin/service rabbitmq-server *
service ALL=(ALL) NOPASSWD: /usr/sbin/service vmware-marvin *
service ALL=(ALL) NOPASSWD: /usr/sbin/service runjars *
Defaults timestamp_timeout=0
Defaults !rootpw
Defaults !runaspw
Defaults !targetpw
tcserver ALL=(ALL) ALL
Defaults:tcserver targetpw
There are two ways to get rid of the warning. The first is to run VxVerify as the root user with Autofix, i.e. the -f or --fix argument, which automatically corrects the file.
After applying autofix:
#========================#=======#========#====================================================================#==============#
| Hostname / Category |Status Dell_KB | Warnings or Failures, unless tests Passed ; Product S.N. |
#========================#=======#========#====================================================================#==============#
| VxRM | _Fixed 337432 | sudoers: Updated '/etc/sudoers' with missing entries successful
Alternatively, and this is my preferred method, edit /etc/sudoers manually with the following command:
sudo vi /etc/sudoers
Important!!! Please make sure to take a snapshot or backup of the VxRail Manager before you edit the sudoers file.
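A read-only check for the two entries named in the warning, useful before and after a manual edit. This is an added example, not part of VxVerify or any Dell tooling; the function name missing_tcserver_entries and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: report which of the two tcserver entries named in the
# VxVerify warning are absent from a sudoers file. It only reads the file.

# missing_tcserver_entries FILE   (hypothetical helper name)
# Prints each missing entry on its own line.
# Returns 0 when both entries are present, 1 otherwise.
missing_tcserver_entries() {
    file=$1
    missing=0
    # Only active lines count: a leading '#' makes the pattern fail to match.
    # Whitespace between tokens is allowed to vary.
    if ! grep -Eq '^[[:space:]]*tcserver[[:space:]]+ALL[[:space:]]*=[[:space:]]*\(ALL\)[[:space:]]+ALL[[:space:]]*$' "$file"; then
        echo 'tcserver ALL=(ALL) ALL'
        missing=1
    fi
    if ! grep -Eq '^[[:space:]]*Defaults:tcserver[[:space:]]+targetpw[[:space:]]*$' "$file"; then
        echo 'Defaults:tcserver targetpw'
        missing=1
    fi
    return "$missing"
}

# Constructed sample: the user rule is present, the per-user Defaults line
# is not, and the global '!targetpw' must not be mistaken for it.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Defaults !rootpw
Defaults !runaspw
Defaults !targetpw
root ALL=(ALL) ALL
# Defaults:tcserver targetpw
tcserver ALL=(ALL) ALL
EOF

if missing_tcserver_entries "$sample"; then
    echo "both tcserver entries present"
else
    echo "-> the entries listed above are missing from $sample"
fi
```

On the VxRail Manager the function would be pointed at /etc/sudoers as root; running visudo -c after a manual edit confirms the file still parses.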
Then run VxVerify again and the warning should no longer appear. That’s it for this blog post. If you have any questions, please use the comments section.