Subject: Re: [gentoo-user] Update to /etc/sudoers disables wheel users!!!
From: Ramon Fischer @ 2022-10-26  7:42 UTC
  To: gentoo-user



> User "waltdnes" is a member of "wheel". If the "wheel" line is
> uncommented in /etc/sudoers, sudo works for me.
So you could create the file "/etc/sudoers.d/000" with the following 
content:

     %wheel ALL=(ALL:ALL) ALL
     %wheel ALL=(ALL:ALL) NOPASSWD: ALL

and your user is able to synchronise your clock again.

I do not know what the developers were thinking, encouraging the user 
to edit a default file which potentially gets overwritten after each 
package update...

"etc-update" helps to keep an eye on this, but muscle memory and fast fingers 
are sometimes faster.

> I go with the more locked down approach
This is the best way. Try to be as precise as possible, but be aware of 
wildcards![1]

-Ramon

[1] 
https://blog.compass-security.com/2012/10/dangerous-sudoers-entries-part-4-wildcards/

On 26/10/2022 08:31, Walter Dnes wrote:
> On Wed, Oct 26, 2022 at 05:04:35AM +0200, Ramon Fischer wrote
>> Hello Walter,
>>
>> I do not think, that this is a bug, since it is the default file, which
>> should not be edited by the user.
>    Firstly "grep -i uncomment /etc/sudoers" results in...
>
> ## Uncomment to enable special input methods.  Care should be taken as
> ## Uncomment to use a hard-coded PATH instead of the user's to find commands
> ## Uncomment to send mail if the user does not enter the correct password.
> ## Uncomment to enable logging of a command's output, except for
> ## Uncomment to allow members of group wheel to execute any command
> ## Uncomment to allow members of group sudo to execute any command
> ## Uncomment to allow any user to run sudo if they know the password
>
> ...I.e. the file is explicitly telling you to edit it if required!!!
>
>> All changes should be done in "/etc/sudoers.d/" to avoid such cases.
>    My regular user has script "settime" in ${HOME}/bin
>
> #!/bin/bash
> date
> /usr/bin/sudo /usr/bin/rdate -nsv ca.pool.ntp.org
> /usr/bin/sudo /sbin/hwclock --systohc
> date
>
>    /etc/sudoers.d/001 has, amongst other things, two lines...
>
> waltdnes  x8940 = (root) NOPASSWD: /sbin/hwclock --systohc
> waltdnes  x8940 = (root) NOPASSWD: /usr/bin/rdate -nsv ca.pool.ntp.org
>
>    User "waltdnes" is a member of "wheel".  If the "wheel" line is
> uncommented in /etc/sudoers, sudo works for me.  If the "wheel" line is
> commented, then sudo breaks for my regular user.
>
>> I kept mine unchanged from 2nd October and only have two uncommented lines:
>>
>>       [...]
>>       root ALL=(ALL:ALL) ALL
>>       [...]
>>       @includedir /etc/sudoers.d
>>
>> I am using version "1.9.11_p3-r1".
>    Me too.
>
>    There seem to be two different approaches here.  The loose approach is
> to allow a user to run "sudo <whatever I damn well want>".  A more locked
> down approach allows regular users to run "sudo <very specific command>".
> This guards against "fat-finger-syndrome".  I go with the more locked
> down approach.
>

-- 
GPG public key: 5983 98DA 5F4D A464 38FD CF87 155B E264 13E6 99BF
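As an added illustration (not code from the thread or from sudo itself), a small Python lint for a sudoers.d drop-in that flags the "loose" NOPASSWD: ALL pattern and wildcard command specs the reply above warns about, run over a constructed sample file that mixes the entries quoted in the thread. It only understands plain user specifications; aliases and line continuations are an assumption it does not handle.

```python
import re

# Constructed sample drop-in (assumption, not from any real system): it mixes
# the thread's "loose" and "locked down" entries plus one wildcard entry.
SAMPLE_SUDOERS_D = """\
# /etc/sudoers.d/001 (constructed sample)
Defaults env_reset
%wheel ALL=(ALL:ALL) NOPASSWD: ALL
waltdnes  x8940 = (root) NOPASSWD: /sbin/hwclock --systohc
waltdnes  x8940 = (root) NOPASSWD: /usr/bin/rdate -nsv ca.pool.ntp.org
backup ALL=(root) NOPASSWD: /bin/tar -cf /backup/*.tar /home/*
"""

# user specification: who  where = (runas) [TAG:] command[, command...]
SPEC_RE = re.compile(r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$")
TAG_RE = re.compile(r"^(?:NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV|LOG_INPUT|NOLOG_INPUT"
                    r"|LOG_OUTPUT|NOLOG_OUTPUT|MAIL|NOMAIL|FOLLOW|NOFOLLOW):\s*")
WILDCARD_RE = re.compile(r"[*?\[\]]")

def lint_sudoers(text):
    """Return (line_no, severity, message) findings for plain user specifications.
    Defaults, alias definitions and @include lines are skipped, not expanded."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        # '#' starts a comment unless followed by a digit (#uid syntax)
        line = re.split(r"#(?!\d)", raw, maxsplit=1)[0].strip()
        if not line or line.startswith(("Defaults", "@include")) or "_Alias" in line.split()[0]:
            continue
        m = SPEC_RE.match(line)
        if not m:
            findings.append((no, "error", "unparsable entry"))
            continue
        for cmd in m.group("cmds").split(","):
            cmd, tags = cmd.strip(), set()
            while (t := TAG_RE.match(cmd)):          # peel off NOPASSWD: and similar tags
                tags.add(t.group(0).rstrip(": "))
                cmd = cmd[t.end():]
            if cmd == "ALL" and "NOPASSWD" in tags:
                findings.append((no, "high", "NOPASSWD with ALL: unrestricted root without a password"))
            elif cmd == "ALL":
                findings.append((no, "medium", "ALL: any command, only the password protects it"))
            elif WILDCARD_RE.search(cmd):
                findings.append((no, "high", f"wildcard in command spec: {cmd}"))
            elif not cmd.startswith("/") and cmd != "sudoedit":
                findings.append((no, "medium", f"command is not an absolute path: {cmd}"))
    return findings

if __name__ == "__main__":
    for no, sev, msg in lint_sudoers(SAMPLE_SUDOERS_D):
        print(f"line {no}: {sev}: {msg}")
```

This checks only the patterns discussed in the thread, not the full sudoers grammar; `visudo -c -f <file>` remains the syntax check before a drop-in goes live.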



