
Re: [RFC] disabled root account / distinct group for users with administrative privileges

On Tue, 19 Oct 2010 00:38:41 +0200, Michael Biebl <biebl@debian.org> wrote:

> Bdale went ahead and added the following to /etc/sudoers:
> # Allow members of group sudo to not need a password
> # (Note that later entries override this, so you might need to move
> # it further down)
> %sudo ALL=(ALL) ALL

Ah yes -- that's a bug in the comment of course.

The comment says (incorrectly) that people in the sudo group don't need
a password.  It would need a NOPASSWD tag for the comment to be correct.

Thankfully, the configuration does the right thing, and requires that
the user know their own password to become root.

> The installer was changed to add the user to group "sudo" if the system is
> installed with root disabled.
> For PolicyKit, I can now simply ship a file, say
> /etc/polkit-1/localauthority.conf.d/51-debian-sudo.conf which contains:
> [Configuration]
> AdminIdentities=unix-group:sudo

I would object to 'sudo' being a group of people that can simply become
root if they happen to be logged in -- is that what the PolicyKit
incantation would allow?

Cheers, Phil.
|)|  Philip Hands [+44 (0)20 8530 9560]    http://www.hands.com/
|-|  HANDS.COM Ltd.                    http://www.uk.debian.org/
|(|  10 Onslow Gardens, South Woodford, London  E18 1NE  ENGLAND
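
The mismatch discussed in this message (a comment promising passwordless sudo above a rule with no NOPASSWD tag) can be checked mechanically. The following is an added example, not part of the original mail or of sudo itself; the group name "ops", the sample text and the comment-matching heuristic are assumptions made for illustration.

```python
import re

# Constructed input: the fragment quoted in the mail, plus a contrast entry
# for a hypothetical group "ops" that really is passwordless.
SAMPLE = """\
# Allow members of group sudo to not need a password
# (Note that later entries override this, so you might need to move
# it further down)
%sudo ALL=(ALL) ALL

# Constructed contrast entry, not from the mail
%ops ALL=(ALL) NOPASSWD: ALL
"""

TAG = re.compile(r"\b(NOPASSWD|PASSWD)\s*:")
RUNAS = re.compile(r"\([^)]*\)")
# Heuristic (assumption): wording that suggests a comment promises no password.
CLAIM = re.compile(r"\b(not need a|no|without a?)\s*password", re.I)

def passwordless(cmnd_list):
    """True if any command in the list runs under an active NOPASSWD tag."""
    active = False
    for cmnd in RUNAS.sub("", cmnd_list).split(","):
        tags = TAG.findall(cmnd)
        if tags:                      # a tag persists until PASSWD overrides it
            active = tags[-1] == "NOPASSWD"
        if active:
            return True
    return False

def audit(text):
    """Return [(group, passwordless, comment_disagrees)] per %group rule."""
    # Simplifications: one host spec per rule; #include files are not followed.
    results, comment = [], []
    joined = re.sub(r"\\\n", "", text)      # sudoers line continuation
    for line in (l.strip() for l in joined.splitlines()):
        if line.startswith("#"):
            comment.append(line)
            continue
        if line.startswith("%") and "=" in line:
            group, rest = line.split(None, 1)
            nopw = passwordless(rest.split("=", 1)[1])
            claims = bool(CLAIM.search(" ".join(comment)))
            results.append((group[1:], nopw, claims and not nopw))
        comment = []                         # comment block ends at any other line
    return results

if __name__ == "__main__":
    for group, nopw, stale in audit(SAMPLE):
        print(f"%{group}: passwordless={nopw} comment_disagrees={stale}")
```

On a live system, `sudo -l -U <user>` shows the effective rules, including any NOPASSWD tag, as sudo itself resolves them.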
