public inbox for gentoo-user@lists.gentoo.org
 help / color / mirror / Atom feed
Search results ordered by [date|relevance]  view[summary|nested|Atom feed]
thread overview below | download: 
* Re: [gentoo-user] Update to /etc/sudoers disables wheel users!!!
  @ 2022-10-26  6:31 99%   ` Walter Dnes
  0 siblings, 0 replies; 1+ results
From: Walter Dnes @ 2022-10-26  6:31 UTC (permalink / raw
  To: gentoo-user

On Wed, Oct 26, 2022 at 05:04:35AM +0200, Ramon Fischer wrote
> Hello Walter,
> 
> I do not think, that this is a bug, since it is the default file, which 
> should not be edited by the user.

  Firstly "grep -i uncomment /etc/sudoers" results in...

## Uncomment to enable special input methods.  Care should be taken as
## Uncomment to use a hard-coded PATH instead of the user's to find commands
## Uncomment to send mail if the user does not enter the correct password.
## Uncomment to enable logging of a command's output, except for
## Uncomment to allow members of group wheel to execute any command
## Uncomment to allow members of group sudo to execute any command
## Uncomment to allow any user to run sudo if they know the password

...I.e. the file is explicitly telling you to edit it if required!!!

> All changes should be done in "/etc/sudoers.d/" to avoid such cases.

  My regular user has script "settime" in ${HOME}/bin

#!/bin/bash
date
/usr/bin/sudo /usr/bin/rdate -nsv ca.pool.ntp.org
/usr/bin/sudo /sbin/hwclock --systohc
date

  /etc/sudoers.d/001 has, amongst other things, two lines...

waltdnes  x8940 = (root) NOPASSWD: /sbin/hwclock --systohc
waltdnes  x8940 = (root) NOPASSWD: /usr/bin/rdate -nsv ca.pool.ntp.org

  User "waltdnes" is a member of "wheel".  If the "wheel" line is
uncommented in /etc/sudoers, sudo works for me.  If the "wheel" line is
commented, then sudo breaks for my regular user.

> I kept mine unchanged from 2nd October and only have two uncommented lines:
> 
>      [...]
>      root ALL=(ALL:AlL) ALL
>      [...]
>      @includedir /etc/sudoers.d
> 
> I am using version "1.9.11_p3-r1".

  Me too.

  There seem to be two different approaches here.  The loose approach is
to allow a user to run "sudo <whatever I damn well want>".  A more locked
down approach allows regular users to run "sudo <very specific command>".
This guards against "fat-finger-syndrome".  I go with the more locked
down approach

-- 
I've seen things, you people wouldn't believe; Gopher, Netscape with
frames, the first Browser Wars.  Searching for pages with AltaVista,
pop-up windows self-replicating, trying to uninstall RealPlayer.  All
those moments, will be lost in time like tears in rain... time to die.


^ permalink raw reply	[relevance 99%]

Results 1-1 of 1 | reverse | options above
-- pct% links below jump to the message on this page, permalinks otherwise --
2022-10-26  2:34     [gentoo-user] Update to /etc/sudoers disables wheel users!!! Walter Dnes
2022-10-26  3:04     ` Ramon Fischer
2022-10-26  6:31 99%   ` Walter Dnes

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox