
Re: "sudo" command passwd is not canceled.

Erk. Thanks, Tom. I've got to quit trusting my memory on things that I
don't do every day.

2012/1/5 Tom H <tomh0665@gmail.com>:
> 2012/1/4 Joel Rees <joel.rees@gmail.com>:
>> On Wed, Jan 4, 2012 at 8:26 PM, chengshid <chengshid@gmail.com> wrote:
>>> On 2012-01-04 14:45, Bob Proulx wrote:
>>>> chengshid wrote:
>>> root    ALL=(ALL:ALL) ALL
>> Odd that root would have to use the password where all the rest don't. But, ...
>> That's a huge security hole. You don't want to do that. That's almost
>> the same thing as letting root log in without a password.
>> You should have one user that you only log in to for administration
>> purposes. You might be tempted to call the user "admin" but it's
>> better not to use a name that is easily guessed.
>> Let's say I call my administrator user "bigboy". (I don't, but let's
>> say I do.) Then that line would be
>> user    bigboy=(ALL:ALL)NOPASSWD: ALL
> "user ALL=(ALL:ALL)NOPASSWD: ALL" means that the user "user" can sudo
> to any user and execute any command on any box without entering a
> password.

I always forget about the machine entry, because I keep forgetting
that the syntax is designed so you can share one sudoers file between
a large group of similar machines on the network.

> "user bigboy=(ALL:ALL)NOPASSWD: ALL" means that the user "user" can
> sudo to any user and execute any command on the "bigboy" box without
> entering a password.

which, except for fileglobs being evaluated by the shell in the bigboy
context before being passed to sudo, makes bigboy equivalent to root
on any machine that has this line -- which makes it dangerous to leave
bigboy logged in on pretty much any unattended terminal on the
network, among other not-so-good things. Or,

    bigboy   mybox=(ALL:ALL)NOPASSWD:ALL

which makes bigboy just like root on the computer "mybox", except for
fileglobs, if the user remembers to say, "sudo".

I have only recently understood that, sudo not being a built-in, the
shell necessarily evaluates the fileglobs before calling sudo.
Sometimes I get excited about little things. (Being noisy because sudo
is on my mind at the moment.)

> [I would've thought that there ought to be a space between
> "(ALL:ALL)" and "NOPASSWD:" but since it worked for the OP before he
> edited polkit files, I guess not.]

Yeah, since I'm checking: man 5 sudoers, around line 480 on the Fedora
15 system I have booted right now, says "whitespace optional".

Good study for the test I have to take pretty soon.

Joel Rees
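As an added example, not from the thread or from sudo itself: a small Python checker that parses the simple User_Spec lines quoted above and reports which ones make a given user root-equivalent without a password on a given host, so the difference between an "ALL" host field and a specific machine is visible. It handles only the plain form `user host=(runas:group) NOPASSWD: commands` (no aliases, lists or includes); the hostnames and the sample file are constructed.

```python
import re
# Added example, not from the thread: matches only the simple User_Spec form
# quoted there, "user host=(runas[:group]) [NOPASSWD:] commands" (no aliases).
SPEC_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>[^\s=]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?:(?P<tag>NOPASSWD|PASSWD)\s*:\s*)?"
    r"(?P<cmds>.+)$"
)

def parse_spec(line):
    """Split one sudoers line into fields; spaces around '=' and the tag are optional."""
    m = SPEC_RE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported sudoers line: {line!r}")
    # No "(...)" part means the default runas user, root.
    runas_user, _, runas_group = (m.group("runas") or "root").partition(":")
    return {
        "user": m.group("user"),
        "host": m.group("host"),
        "runas_user": runas_user or "root",
        "runas_group": runas_group,
        "nopasswd": m.group("tag") == "NOPASSWD",
        "cmds": m.group("cmds").strip(),
    }

def grants_passwordless_root(spec, user, host):
    """True when spec lets `user` on `host` run any command as any user
    without a password, i.e. makes them root-equivalent there."""
    return (spec["user"] == user
            and spec["host"] in ("ALL", host)   # ALL in the host field = every box
            and spec["runas_user"] == "ALL"
            and spec["cmds"] == "ALL"
            and spec["nopasswd"])

def audit(sudoers_text, user, host):
    """Return the lines that make `user` root-equivalent on `host` for free."""
    hits = []
    for raw in sudoers_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if line and grants_passwordless_root(parse_spec(line), user, host):
            hits.append(line)
    return hits

# Constructed sudoers fragment built from the lines quoted in the thread.
SAMPLE = """\
root    ALL=(ALL:ALL) ALL
user    ALL=(ALL:ALL)NOPASSWD: ALL
bigboy  mybox=(ALL:ALL)NOPASSWD:ALL
"""
```

`audit(SAMPLE, "user", "otherbox")` flags the "user" line on any host, while `audit(SAMPLE, "bigboy", "otherbox")` is empty because that entry only applies on "mybox".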
