From: Grant Taylor <gtaylor@gentoo.tnetconsulting.net>
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Update to /etc/sudoers disables wheel users!!!
Date: Wed, 26 Oct 2022 10:52:29 -0600
Message-ID: <e19fda7e-8611-fcbf-a275-ccf8a2ea1fd3@spamtrap.tnetconsulting.net>
In-Reply-To: <AM6PR10MB244018D45D67CF1633EAB4F6EF309@AM6PR10MB2440.EURPRD10.PROD.OUTLOOK.COM>

On 10/26/22 1:42 AM, Ramon Fischer wrote:
> and your user is able to synchronise your clock again.

I'm not sure that will work as hoped.  See my other reply about PTY and 
testing the commands at the command line for more explanation of what I 
suspect is happening.

> I do not know, what the developers were thinking to encourage the user 
> to edit a default file, which gets potentially overwritten after each 
> package update...

To the sudo developers, the /etc/sudoers file is *SUPPOSED* *TO* /be/ 
/edited/.

The sudo developers provide the sudo (et al.) program(s) for your use 
and /you/ provide the configuration file(s) that it (they) use.

It is natural for the /etc/sudoers file to be edited.

To me the disconnect is when people other than the sudo developers 
distribute the /etc/sudoers file and expect that it will not be edited.

What are end users / systems administrators to do if the default file 
has something like the following enabled in the default /etc/sudoers 
file and the EUs / SAs want it to not be there?

    %wheel ALL=(ALL:ALL) ALL

They have no choice but to change (edit / replace) the /etc/sudoers file.

Especially if other parts of the system rely on the wheel group and not 
putting users in it is not an option.  --  The above line *MUST* be 
taken out, thus the /etc/sudoers file *MUST* be edited.

Unix has 50 years of editing files to make the system behave as desired. 
  Modularization and including other files is nice /when/ /it/ /works/. 
But there are times that modularization doesn't work and files *MUST* be 
edited.

> "etc-update" helps to have an eye on, but muscle memory and fast fingers 
> are sometimes faster.

How many levels of safety do you suggest that we put in place?

What if someone were to put the following into /etc/sudoers.d/zzzzzzzzzz

    ALL ALL=(ALL) !ALL

}:-)

> This is the best way. Try to be as precise as possible, but be aware of 
> wildcards![1]

The /etc/sudoers syntax can be tricky to master.  But it can also be 
very powerful when done correctly.



-- 
Grant. . . .
unix || die
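
The ordering behind the /etc/sudoers.d/zzzzzzzzzz remark, as an added example that is not part of the original message: sudo parses drop-ins in sorted lexical order and applies the last matching entry, so this script reports which broad rule ends up winning. The temporary files, the function names and the simplified rule matching are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example (not from the original message). All file contents are constructed.
# Assumptions: the main sudoers file ends with its #includedir line, and only
# single-line rules for %wheel or ALL whose command list is ALL / !ALL are tracked.
LC_ALL=C; export LC_ALL   # byte-wise glob order, so the sort is deterministic

# Print drop-in files in the order sudo parses them: sorted lexically,
# skipping names that end in '~' or contain a '.'.
dropin_order() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        case "${f##*/}" in *~|*.*) continue ;; esac
        printf '%s\n' "$f"
    done
}

# Print "file: rule" for the last broad rule seen; sudo uses the last match.
last_broad_rule() {
    { printf '%s\n' "$1"; dropin_order "$2"; } | while IFS= read -r f; do
        awk '/^(%wheel|ALL)[ \t].*[ \t]!?ALL[ \t]*$/ { print FILENAME ": " $0 }' "$f"
    done | tail -n 1
}

demo() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/sudoers.d"
    printf '%s\n' '%wheel ALL=(ALL:ALL) ALL' '#includedir /etc/sudoers.d' > "$tmp/sudoers"
    printf '%s\n' '%wheel ALL=(ALL:ALL) NOPASSWD: ALL' > "$tmp/sudoers.d/00-local"
    printf '%s\n' 'ALL ALL=(ALL) !ALL' > "$tmp/sudoers.d/zzzzzzzzzz"
    # Editor backup that sorts last but is skipped because its name ends in '~'.
    printf '%s\n' '%wheel ALL=(ALL:ALL) ALL' > "$tmp/sudoers.d/zzzzzzzzzz~"
    last_broad_rule "$tmp/sudoers" "$tmp/sudoers.d"
    rm -rf "$tmp"
}

demo   # reports the zzzzzzzzzz deny rule, which overrides both wheel grants
```

`visudo -c` checks syntax but does not say which rule wins; `sudo -l -U <user>` shows the effective result for one account.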

