From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by finch.gentoo.org (Postfix) with ESMTPS id 9F247158020 for ; Wed, 26 Oct 2022 18:22:09 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 35AB3E099B; Wed, 26 Oct 2022 18:22:05 +0000 (UTC) Received: from mail.digimed.co.uk (mail.digimed.co.uk [82.69.83.178]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id CE0F4E098A for ; Wed, 26 Oct 2022 18:22:04 +0000 (UTC) Received: from digimed.co.uk (shooty.digimed.co.uk [192.168.1.4]) by mail.digimed.co.uk (Postfix) with ESMTPS id 8CC2F96069 for ; Wed, 26 Oct 2022 19:22:03 +0100 (BST) Date: Wed, 26 Oct 2022 19:22:03 +0100 From: Neil Bothwick To: gentoo-user@lists.gentoo.org Subject: Re: [gentoo-user] Update to /etc/sudoers disables wheel users!!! Message-ID: <20221026192203.4721a707@digimed.co.uk> In-Reply-To: References: Organization: Digital Media Production X-Mailer: Claws Mail 4.1.1 (GTK 3.24.34; x86_64-pc-linux-gnu) X-GPG-Fingerprint: 7260 0F33 97EC 2F1E 7667 FE37 BA6E 1A97 4375 1903 Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-user@lists.gentoo.org Reply-to: gentoo-user@lists.gentoo.org X-Auto-Response-Suppress: DR, RN, NRN, OOF, AutoReply MIME-Version: 1.0 Content-Type: multipart/signed; boundary="Sig_/pfHDUdPdodXbYBQ2eDCVTnd"; protocol="application/pgp-signature"; micalg=pgp-sha256 X-Archives-Salt: e2b02217-1d28-4d1e-8c75-ab7ec296913d X-Archives-Hash: 85c062b2ea3cc4736a72b397d310705c --Sig_/pfHDUdPdodXbYBQ2eDCVTnd Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable On Wed, 26 Oct 2022 20:04:10 +0200, Ramon Fischer wrote: > Also a very interesting question! >=20 > I just tested this with "visudo" and it does not intercept this. >=20 > If "su" is disabled, you are locked out and you are forced to enter > your system via a live USB stick and a "chroot" in order to edit=20 > "/etc/shadow" to set a root password via "mkpasswd" and enable "su".=20 > Nice. :D You need to be root to write to /etc/sudoers.d. If someone has that access, you are already doomed! >=20 > -Ramon >=20 > On 26/10/2022 18:52, Grant Taylor wrote: > > What if someone were to put the following into > > /etc/sudoers.d/zzzzzzzzzz > > > > =C2=A0=C2=A0 ALL ALL=3D(ALL) !ALL > > > > }:-) =20 --=20 Neil Bothwick I thought I saw the light at the end of the tunnel... but it was just some sod with a torch bringing me more work! --Sig_/pfHDUdPdodXbYBQ2eDCVTnd Content-Type: application/pgp-signature Content-Description: OpenPGP digital signature -----BEGIN PGP SIGNATURE----- iQIzBAEBCAAdFiEE8k9T/rX16EJxEKG692eFu0QSMJgFAmNZessACgkQ92eFu0QS MJhO8g/9FMYDoOWDmW3sIk9mZoSuuweyYBlFnOHx/q/Zx71Y7Ro1qNrCvS43H106 ODi5RcrvDvQ9v1o6daacUo65Tn00Kp3p2wrITDUi18XQcexgR+4Cg8k569P4D2/x DpBDXlKROavz5CylafcldiXl/VFP494r9AARaeOOvw4GEtLEW6HHleZqyyGBmCxc fAytx7uMV3AzLYM4VWFpXkjhBrVzTU+U2/PCsmAV/AW5MEBsmeBEMqXfRdOZAD9q Nwjl6hLSHt6m/ywSr0T2HLhzCeeQqxVEqQR2ldNM4WW53SUDo1B9TiKpTaj8Nqvr ddSy9DvVoyyXvirCvKZQbSaCIpEbpy1h2jCAVJqL4+IpbWhHF74W0hlwvbMM/mKc D33AdON8bjpqSJrDJYbfUC7UIyGfzrUdIz1LmsXt7ANfJZWiAqvwHvYKZ8jW5sBu guwsPG+OSPT43E250dEHbwzaFF1MFc7VJM6JYPrpI5GkkJJM+hrvWnwofLpwnalX GfzXKiRPrdQ0EEfLY6tGgvp1tUtOOXqPGEBWpeyCLZNf2tSI5pdPYNoHsXV9RnGK 8m+P8rPxVafbjcrORcjvnOxPo0hkhmwklir+X4/o2SlZQ0knIp/A9NomYAqWuT2E NMHwjT+zQGFygAx98+BdX/HlbChETOd1Ots3kpJ3IFzGhjoMqEc= =8iu/ -----END PGP SIGNATURE----- --Sig_/pfHDUdPdodXbYBQ2eDCVTnd--