
Re: "sudo" command passwd is not canceled.



Erk. Thanks, Tom. I've got to quit trusting my memory on things that I
don't do every day.

2012/1/5 Tom H <tomh0665@gmail.com>:
> 2012/1/4 Joel Rees <joel.rees@gmail.com>:
>> On Wed, Jan 4, 2012 at 8:26 PM, chengshid <chengshid@gmail.com> wrote:
>>> On 2012-01-04 14:45, Bob Proulx wrote:
>>>> chengshid wrote:
>>> root    ALL=(ALL:ALL) ALL
>>
>> Odd that root would have to use the password where all the rest don't. But, ...
>>
>>> user    ALL=(ALL:ALL)NOPASSWD: ALL
>>
>> That's a huge security hole. You don't want to do that. That's almost
>> the same thing as letting root log in without a password.
>>
>> You should have one user that you only log in to for administration
>> purposes. You might be tempted to call the user "admin" but it's
>> better not to use a name that is easily guessed.
>>
>> Let's say I call my administrator user "bigboy". (I don't, but let's
>> say I do.) Then that line would be
>>
>> user    bigboy=(ALL:ALL)NOPASSWD: ALL
>
> "user ALL=(ALL:ALL)NOPASSWD: ALL" means that the user "user" can sudo
> to any user and execute any command on any box without entering a
> password.

I always forget about the machine entry, because I keep forgetting
that the syntax is designed so you can share one sudoers file between
a large group of similar machines on the network.

> "user bigboy=(ALL:ALL)NOPASSWD: ALL" means that the user "user" can
> sudo to any user and execute any command on the "bigboy" box without
> entering a password.

So,

    bigboy   ALL =(ALL:ALL)NOPASSWD:ALL

which, except for fileglobs being evaluated by the shell in the bigboy
context before being passed to sudo, makes bigboy equivalent to root
on any machine that has this line -- which makes it dangerous to leave
bigboy logged in on pretty much any unattended terminal on the
network, among other not-so-good things. Or,

    bigboy   mybox=(ALL:ALL)NOPASSWD:ALL

which makes bigboy just like root on the computer "mybox", except for
fileglobs, if the user remembers to say, "sudo".

I have only recently understood that, sudo not being a built-in, the
shell necessarily evaluates the fileglobs before calling sudo.
Sometimes I get excited about little things. (Being noisy because sudo
is on my mind at the moment.)

> [I would have thought that there ought to be a space between
> "(ALL:ALL)" and "NOPASSWD:" but since it worked for the OP before he
> edited polkit files, I guess not.]

Yeah, since I'm checking: man 5 sudoers, around line 480 on the Fedora
15 system I have booted right now, says "whitespace optional".

Good study for the test I have to take pretty soon.

--
Joel Rees
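A worked example to go with the user-spec syntax picked apart in the thread above (added here as an illustration; it is not code from sudo, Debian, or anyone in this thread): a small Python parser for the "who host=(runas:group)TAG: command" form, plus a check for which users a given sudoers file makes root-equivalent without a password on a particular host. It deliberately handles only that form. The SAMPLE_SUDOERS text, the extra "ops" and "Defaults" lines, and the host names "mybox" and "web01" are constructed for the example; aliases, netgroups, IP/netmask hosts, wildcards and #include are not parsed; and the authoritative check on a live box is still "sudo -l -U user" and "visudo -c".

```python
"""Toy parser for sudoers user specifications (added example, not sudo's code).

Only the form discussed in the thread is handled:
    who  host_list = (runas_user[:runas_group]) [TAG: ...] command_list
Aliases, Defaults, #include, netgroups, IP/netmask hosts and wildcards are
skipped or taken literally; use `sudo -l -U user` / `visudo -c` for real audits.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# A tag is "NOPASSWD:" etc.; whitespace after the colon is optional in sudoers.
TAG_RE = re.compile(r"([A-Z_]+):\s*")


@dataclass
class UserSpec:
    who: str                     # user, %group, +netgroup or alias, taken literally
    hosts: List[str]             # "ALL" or host names (real sudo also allows IPs)
    runas_user: Optional[str]    # None means "the invoking user" (group-only runas)
    runas_group: Optional[str]
    tags: List[str] = field(default_factory=list)
    commands: List[str] = field(default_factory=list)

    @property
    def nopasswd(self) -> bool:
        # Tags apply left to right; the last PASSWD/NOPASSWD seen wins.
        state = False
        for tag in self.tags:
            if tag == "NOPASSWD":
                state = True
            elif tag == "PASSWD":
                state = False
        return state


def parse_spec(line: str) -> UserSpec:
    """Parse one user specification line (no aliases, no '=' inside commands)."""
    text = line.split("#", 1)[0].strip()
    who, rest = text.split(None, 1)
    # Whitespace around '=' is optional: "ALL =(ALL:ALL)" == "ALL=(ALL:ALL)".
    hosts_part, rhs = rest.split("=", 1)
    hosts = [h.strip() for h in hosts_part.split(",")]
    rhs = rhs.strip()

    runas_user, runas_group = "root", None      # sudo's default with no "(...)"
    if rhs.startswith("("):
        inner, rhs = rhs[1:].split(")", 1)
        if ":" in inner:
            u, g = inner.split(":", 1)
            runas_user = u.strip() or None
            runas_group = g.strip() or None
        else:
            runas_user = inner.strip()
        rhs = rhs.strip()

    tags: List[str] = []
    m = TAG_RE.match(rhs)
    while m:
        tags.append(m.group(1))
        rhs = rhs[m.end():]
        m = TAG_RE.match(rhs)

    commands = [c.strip() for c in rhs.split(",") if c.strip()]
    return UserSpec(who, hosts, runas_user, runas_group, tags, commands)


def parse_sudoers(text: str) -> List[UserSpec]:
    """Collect user specs, skipping comments, Defaults and *_Alias definitions."""
    specs = []
    for raw in text.splitlines():
        line = raw.strip()
        if (not line or line.startswith("#") or line.startswith("Defaults")
                or line.split(None, 1)[0].endswith("_Alias")):
            continue
        specs.append(parse_spec(line))
    return specs


def applies_on(spec: UserSpec, host: str) -> bool:
    """Host matching as in the thread: ALL matches every box, else the name literally."""
    return "ALL" in spec.hosts or host in spec.hosts


def passwordless_root(specs: List[UserSpec], host: str) -> List[str]:
    """Who, on `host`, can run any command as root (or anyone) with no password:
    the entries the thread calls 'equivalent to root'."""
    return sorted({
        s.who for s in specs
        if applies_on(s, host)
        and s.runas_user in ("ALL", "root")
        and "ALL" in s.commands
        and s.nopasswd
    })


# Constructed sample: the lines quoted in the thread plus a Defaults line and
# an "ops" entry, to show what the parser skips and what it keeps.
SAMPLE_SUDOERS = """\
# /etc/sudoers (constructed sample for this example)
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
user    ALL=(ALL:ALL)NOPASSWD: ALL
bigboy  mybox=(ALL:ALL)NOPASSWD:ALL
ops     ALL=(root) PASSWD: /usr/bin/systemctl
"""

if __name__ == "__main__":
    specs = parse_sudoers(SAMPLE_SUDOERS)
    for hostname in ("mybox", "web01"):
        print(hostname, "passwordless root-equivalents:",
              passwordless_root(specs, hostname))
```

Run it and the host field does what Tom describes: "user" shows up on every host because its host list is ALL, "bigboy" only on mybox, and root and ops never, because their entries have no NOPASSWD. The parser says nothing about the fileglob point in the thread; that happens in the invoking shell before sudo sees argv at all, so no sudoers line can change it.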

