* Re: [gentoo-user] Update to /etc/sudoers disables wheel users!!!
From: Ramon Fischer @ 2022-10-26 7:42 UTC
To: gentoo-user
> User "waltdnes" is a member of "wheel". If the "wheel" line is
> uncommented in /etc/sudoers, sudo works for me.
So you could create the file "/etc/sudoers.d/000" with the following
content:

    %wheel ALL=(ALL:ALL) ALL
    %wheel ALL=(ALL:ALL) NOPASSWD: ALL

and your user is able to synchronise your clock again.
I do not know what the developers were thinking to encourage the user
to edit a default file which potentially gets overwritten after each
package update...
"etc-update" helps to keep an eye on it, but muscle memory and fast fingers
are sometimes faster.
> I go with the more locked down approach
This is the best way. Try to be as precise as possible, but be aware of
wildcards![1]
-Ramon
[1] https://blog.compass-security.com/2012/10/dangerous-sudoers-entries-part-4-wildcards/
On 26/10/2022 08:31, Walter Dnes wrote:
> On Wed, Oct 26, 2022 at 05:04:35AM +0200, Ramon Fischer wrote
>> Hello Walter,
>>
>> I do not think that this is a bug, since it is the default file, which
>> should not be edited by the user.
> Firstly "grep -i uncomment /etc/sudoers" results in...
>
> ## Uncomment to enable special input methods. Care should be taken as
> ## Uncomment to use a hard-coded PATH instead of the user's to find commands
> ## Uncomment to send mail if the user does not enter the correct password.
> ## Uncomment to enable logging of a command's output, except for
> ## Uncomment to allow members of group wheel to execute any command
> ## Uncomment to allow members of group sudo to execute any command
> ## Uncomment to allow any user to run sudo if they know the password
>
> ...I.e. the file is explicitly telling you to edit it if required!!!
>
>> All changes should be done in "/etc/sudoers.d/" to avoid such cases.
> My regular user has script "settime" in ${HOME}/bin
>
> #!/bin/bash
> date
> /usr/bin/sudo /usr/bin/rdate -nsv ca.pool.ntp.org
> /usr/bin/sudo /sbin/hwclock --systohc
> date
>
> /etc/sudoers.d/001 has, amongst other things, two lines...
>
> waltdnes x8940 = (root) NOPASSWD: /sbin/hwclock --systohc
> waltdnes x8940 = (root) NOPASSWD: /usr/bin/rdate -nsv ca.pool.ntp.org
>
> User "waltdnes" is a member of "wheel". If the "wheel" line is
> uncommented in /etc/sudoers, sudo works for me. If the "wheel" line is
> commented, then sudo breaks for my regular user.
>
>> I kept mine unchanged from 2nd October and only have two uncommented lines:
>>
>> [...]
>> root ALL=(ALL:ALL) ALL
>> [...]
>> @includedir /etc/sudoers.d
>>
>> I am using version "1.9.11_p3-r1".
> Me too.
>
> There seem to be two different approaches here. The loose approach is
> to allow a user to run "sudo <whatever I damn well want>". A more locked
> down approach allows regular users to run "sudo <very specific command>".
> This guards against "fat-finger-syndrome". I go with the more locked
> down approach
>
--
GPG public key: 5983 98DA 5F4D A464 38FD CF87 155B E264 13E6 99BF
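
The "loose" versus "locked down" distinction drawn in this thread, and the wildcard caveat, as an added example that is not part of any poster's message: a small auditor that grades sudoers rules by how much they grant. The function names and the final wildcard rule in the sample are constructed for illustration; it assumes one rule per line with no aliases.

```shell
#!/bin/sh
# Added example (not from the thread): grade each sudoers rule on stdin.
# Output: "<GRADE> <rule>" with GRADE one of
#   NOPASSWD-ALL  any command, no password prompt
#   ALL-COMMANDS  any command, password required
#   WILDCARD      a listed command contains a shell-style wildcard
#   SPECIFIC      fixed command paths and arguments only
# Assumption: one rule per line (no backslash continuations, no aliases).
audit_sudoers() {
    awk '
        /^[ \t]*(#|$)/                { next }  # comments, blanks, #include
        /^[ \t]*(@include|Defaults)/  { next }  # directives, not rules
        /^[ \t]*[A-Za-z]+_Alias[ \t]/ { next }  # alias definitions
        {
            eq = index($0, "=")
            if (eq == 0) next
            cmds = substr($0, eq + 1)
            sub(/^[ \t]*\([^)]*\)[ \t]*/, "", cmds)  # strip "(runas)" part
            nopw = (cmds ~ /NOPASSWD:/)
            gsub(/[A-Z_]+:[ \t]*/, "", cmds)         # strip tags (NOPASSWD: ...)
            if (cmds ~ /(^|,)[ \t]*ALL[ \t]*(,|$)/)
                grade = nopw ? "NOPASSWD-ALL" : "ALL-COMMANDS"
            else if (cmds ~ /[*?]|\[/)
                grade = "WILDCARD"
            else
                grade = "SPECIFIC"
            print grade, $0
        }
    '
}

# Constructed sample: the rules quoted in the thread plus one made-up
# wildcard rule (the last rule line) to show what gets flagged.
sample_rules() {
    cat <<'EOF'
## Uncomment to allow members of group wheel to execute any command
%wheel ALL=(ALL:ALL) ALL
%wheel ALL=(ALL:ALL) NOPASSWD: ALL
waltdnes x8940 = (root) NOPASSWD: /sbin/hwclock --systohc
waltdnes x8940 = (root) NOPASSWD: /usr/bin/rdate -nsv ca.pool.ntp.org
waltdnes x8940 = (root) NOPASSWD: /usr/bin/rdate -nsv *
@includedir /etc/sudoers.d
EOF
}

sample_rules | audit_sudoers
```

To review real drop-ins, feed them in the same way, for example `cat /etc/sudoers.d/* | audit_sudoers` as root, and look at anything not graded SPECIFIC.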
2022-10-26 2:34 [gentoo-user] Update to /etc/sudoers disables wheel users!!! Walter Dnes
2022-10-26 3:04 ` Ramon Fischer
2022-10-26 6:31 ` Walter Dnes
2022-10-26 7:42 99% ` Ramon Fischer