Subject: Re: [gentoo-user] Update to /etc/sudoers disables wheel users!!!
To: gentoo-user@lists.gentoo.org
From: Grant Taylor
Organization: TNet Consulting
Date: Wed, 26 Oct 2022 13:28:49 -0600
Message-ID: <44b8fdd1-a618-ad1c-3b9b-e256ad555440@spamtrap.tnetconsulting.net>
In-Reply-To: <20221026192203.4721a707@digimed.co.uk>

On 10/26/22 12:22 PM, Neil Bothwick wrote:
> You need to be root to write to /etc/sudoers.d. If someone has that
> access, you are already doomed!

And what happens if someone uses the existing root-via-sudo access to break sudo? You lose root-via-sudo access.

Someone could become root, via sudo, edit the sudoers file without using visudo, introduce a syntax problem, thereby breaking sudo (fail secure).

You could easily do this to yourself if you don't follow best practices.

-- 
Grant. . . .
unix || die
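
The failure mode described in the message above (a syntax error written into sudoers without visudo, locking out root-via-sudo) can be guarded against by checking a drop-in before it ever becomes live. The following is an added example, not part of the original post: `install_sudoers_dropin`, `SUDOERS_CHECK` and `SUDOERS_DIR` are names assumed for this sketch, and the check relies on sudo's own `visudo -c -f FILE`.

```shell
# Added example: validate a sudoers drop-in, then install it atomically.
# Assumed names (not from the post): install_sudoers_dropin, SUDOERS_CHECK,
# SUDOERS_DIR. "visudo -c -f FILE" is sudo's check-only mode for one file.
: "${SUDOERS_CHECK:=visudo -c -f}"
: "${SUDOERS_DIR:=/etc/sudoers.d}"

install_sudoers_dropin() {
    src=$1
    name=$2
    # sudo silently skips drop-ins whose names contain '.' or end in '~',
    # so such a name would "install" a rule that never takes effect.
    case $name in
        ''|*.*|*"~"|*/*) echo "refusing drop-in name: $name" >&2; return 2 ;;
    esac
    # Stage inside the target directory so the final mv is a same-filesystem
    # rename. The staging name contains '.', so sudo ignores it meanwhile.
    tmp=$(mktemp "$SUDOERS_DIR/.stage.XXXXXX") || return 3
    if ! cat "$src" > "$tmp"; then
        rm -f "$tmp"
        return 3
    fi
    chmod 0440 "$tmp"
    # Unquoted on purpose: SUDOERS_CHECK holds a command plus its flags.
    if ! $SUDOERS_CHECK "$tmp" >/dev/null 2>&1; then
        echo "syntax check failed; $SUDOERS_DIR/$name left untouched" >&2
        rm -f "$tmp"
        return 1
    fi
    # Only a file that passed the check ever replaces the live drop-in.
    mv -f "$tmp" "$SUDOERS_DIR/$name"
}

# Usage (as root): install_sudoers_dropin ./wheel-rule wheel
```

Keeping a root shell open in another terminal until `sudo -v` succeeds from a fresh login gives a way back if a rule parses correctly but does not grant what was intended.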