From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by finch.gentoo.org (Postfix) with ESMTPS id 1C2C3158020 for ; Wed, 26 Oct 2022 06:31:57 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 53A1DE08C3; Wed, 26 Oct 2022 06:31:51 +0000 (UTC) Received: from barracuda.ebox.ca (barracuda.ebox.ca [96.127.255.19]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id 14849E088F for ; Wed, 26 Oct 2022 06:31:50 +0000 (UTC) X-ASG-Debug-ID: 1666765896-0c856e167f2df10001-LfjuLa Received: from smtp.ebox.ca (smtp.ebox.ca [96.127.255.82]) by barracuda.ebox.ca with ESMTP id Z0CxlgtxOUCmhpX5 (version=TLSv1 cipher=AES128-SHA bits=128 verify=NO) for ; Wed, 26 Oct 2022 02:31:36 -0400 (EDT) X-Barracuda-Envelope-From: waltdnes@waltdnes.org X-Barracuda-RBL-Trusted-Forwarder: 96.127.255.82 Received: from waltdnes.org (unknown [198.58.217.41]) by smtp.ebox.ca (Postfix) with SMTP id C82C8441B21 for ; Wed, 26 Oct 2022 02:31:35 -0400 (EDT) Received: by waltdnes.org (sSMTP sendmail emulation); Wed, 26 Oct 2022 02:31:35 -0400 X-Barracuda-RBL-IP: 198.58.217.41 X-Barracuda-Effective-Source-IP: 198-58-217-41.on.cable.ebox.net[198.58.217.41] X-Barracuda-Apparent-Source-IP: 198.58.217.41 From: "Walter Dnes" Date: Wed, 26 Oct 2022 02:31:35 -0400 To: gentoo-user@lists.gentoo.org Subject: Re: [gentoo-user] Update to /etc/sudoers disables wheel users!!! Message-ID: X-ASG-Orig-Subj: Re: [gentoo-user] Update to /etc/sudoers disables wheel users!!! References: Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-user@lists.gentoo.org Reply-to: gentoo-user@lists.gentoo.org X-Auto-Response-Suppress: DR, RN, NRN, OOF, AutoReply MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: X-Barracuda-Connect: smtp.ebox.ca[96.127.255.82] X-Barracuda-Start-Time: 1666765896 X-Barracuda-Encrypted: AES128-SHA X-Barracuda-URL: https://96.127.255.19:443/cgi-mod/mark.cgi X-Virus-Scanned: by bsmtpd at ebox.ca X-Barracuda-Scan-Msg-Size: 2304 X-Barracuda-BRTS-Status: 1 X-Barracuda-Spam-Score: 0.46 X-Barracuda-Spam-Status: No, SCORE=0.46 using global scores of TAG_LEVEL=1000.0 QUARANTINE_LEVEL=1000.0 KILL_LEVEL=5.0 tests=PLING_PLING X-Barracuda-Spam-Report: Code version 3.2, rules version 3.2.3.101685 Rule breakdown below pts rule name description ---- ---------------------- -------------------------------------------------- 0.46 PLING_PLING Subject has lots of exclamation marks X-Archives-Salt: dfcc2f97-a5e3-4619-8b84-4bfe80676857 X-Archives-Hash: 71a7679294e6af5c2b618fbd84c6b0aa On Wed, Oct 26, 2022 at 05:04:35AM +0200, Ramon Fischer wrote > Hello Walter, > > I do not think, that this is a bug, since it is the default file, which > should not be edited by the user. Firstly "grep -i uncomment /etc/sudoers" results in... ## Uncomment to enable special input methods. Care should be taken as ## Uncomment to use a hard-coded PATH instead of the user's to find commands ## Uncomment to send mail if the user does not enter the correct password. ## Uncomment to enable logging of a command's output, except for ## Uncomment to allow members of group wheel to execute any command ## Uncomment to allow members of group sudo to execute any command ## Uncomment to allow any user to run sudo if they know the password ...I.e. the file is explicitly telling you to edit it if required!!! > All changes should be done in "/etc/sudoers.d/" to avoid such cases. My regular user has script "settime" in ${HOME}/bin #!/bin/bash date /usr/bin/sudo /usr/bin/rdate -nsv ca.pool.ntp.org /usr/bin/sudo /sbin/hwclock --systohc date /etc/sudoers.d/001 has, amongst other things, two lines... waltdnes x8940 = (root) NOPASSWD: /sbin/hwclock --systohc waltdnes x8940 = (root) NOPASSWD: /usr/bin/rdate -nsv ca.pool.ntp.org User "waltdnes" is a member of "wheel". If the "wheel" line is uncommented in /etc/sudoers, sudo works for me. If the "wheel" line is commented, then sudo breaks for my regular user. > I kept mine unchanged from 2nd October and only have two uncommented lines: > >     [...] >     root ALL=(ALL:AlL) ALL >     [...] >     @includedir /etc/sudoers.d > > I am using version "1.9.11_p3-r1". Me too. There seem to be two different approaches here. The loose approach is to allow a user to run "sudo ". A more locked down approach allows regular users to run "sudo ". This guards against "fat-finger-syndrome". I go with the more locked down approach -- I've seen things, you people wouldn't believe; Gopher, Netscape with frames, the first Browser Wars. Searching for pages with AltaVista, pop-up windows self-replicating, trying to uninstall RealPlayer. All those moments, will be lost in time like tears in rain... time to die.