
Re: "sudo" command passwd is not canceled.



(Woops. I keep forgetting debian-user does the return address right.)

On Wed, Jan 4, 2012 at 8:26 PM, chengshid <chengshid@gmail.com> wrote:
> On 2012-01-04 14:45, Bob Proulx wrote:
>
>> chengshid wrote:
>>>
>>> "sudo" command passwd is not canceled since i modify the follows files.
>>> /usr/share/polkit-1/actions/  and /etc/pam.d/
>>>
>>> the /etc/sudoers file have modified with no required passwd.
>>>
>>> help me!  thanks.
>>
>> I do not understand what you are asking.  Are you saying that it is
>> not requiring a password now?  The default password timeout is 15
>> minutes.
>>
>> Use 'sudo -k' to revoke your permissions.
>>
>> use 'sudo -l' to list information about what you are allowed.  This
>> will display any NOPASSWD flags set in the file.
>>
>> Bob
>
> $sudo -l
>    env_reset,
>
>  secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
>
>    (ALL : ALL) NOPASSWD: ALL
>    (ALL : ALL) ALL
>
> This my content of sudoers
> #
> # This file MUST be edited with the 'visudo' command as root.

Just in case, I'll ask. You didn't edit /etc/sudoers or any files
under /etc/sudoers.d directly, of course?

(Took me a while to find the "visudo -f <file>" option for the included files.)

> # Please consider adding local content in /etc/sudoers.d/ instead of
> # directly modifying this file.
> #
> # See the man page for details on how to write a sudoers file.
> #
> Defaults        env_reset
> Defaults
>  secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:$
>
> # Host alias specification
>
> # User alias specification
>
> # Cmnd alias specification
>
> # User privilege specification
> root    ALL=(ALL:ALL) ALL

Odd that root would have to use the password where all the rest don't. But, ...

> user    ALL=(ALL:ALL)NOPASSWD: ALL

That's a huge security hole. You don't want to do that. That's almost
the same thing as letting root log in without a password.

You should have one user that you only log in to for administration
purposes. You might be tempted to call the user "admin" but it's
better not to use a name that is easily guessed.

Let's say I call my administrator user "bigboy". (I don't, but let's
say I do.) Then that line would be

user    bigboy=(ALL:ALL)NOPASSWD: ALL

which is better, but not by a whole lot.

It's best to just get used to using the password, and, in fact, I
would leave off the network ALL.

> # Allow members of group sudo to execute any command
> %sudo   ALL=(ALL:ALL) ALL

It doesn't look like you've defined any users in the %sudo group.
(That would be like an administration group, and you can call it
something else, if you want, maybe "admin".)

> # See sudoers(5) for more information on "#include" directives:
>
> #includedir /etc/sudoers.d
>
> Thanks!

I'm going to repeat myself.

Maybe you're just practicing on that computer, so you don't want to
have to fight with password issues in addition to figuring out what the
commands mean and how to use them. But then you'll be learning bad
habits too. The goal of disabling passwords is not a good goal.

As far as your problems with ACLs, I'm not going to comment on that.

--
Joel Rees
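
An added example, not part of the original message: a small audit over the sudoers lines quoted above that flags NOPASSWD rules and shows which rule decides whether a password is asked. It relies on the documented sudoers(5) behaviour that the last matching entry wins; the simplified matching (no hosts, aliases, uid forms or per-command tags), the function names and the membership of "user" in group "sudo" are assumptions.

```python
import re
from collections import namedtuple

# Constructed sample: the active lines of the sudoers file quoted in the thread.
SAMPLE_SUDOERS = """\
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
user    ALL=(ALL:ALL)NOPASSWD: ALL
%sudo   ALL=(ALL:ALL) ALL
#includedir /etc/sudoers.d
"""

Rule = namedtuple("Rule", "who nopasswd line")

def parse_rules(text):
    """Return the user specifications in file order, marking NOPASSWD ones."""
    rules = []
    for line in text.replace("\\\n", " ").splitlines():  # join continued lines
        fields = line.split()
        if not fields or "=" not in line:
            continue
        who = fields[0]
        # Skip comments, include directives, Defaults and alias definitions.
        # Simplification: the rare "#uid" user form is treated as a comment.
        if who.startswith(("#", "@", "Defaults")) or who.endswith("_Alias"):
            continue
        spec = line.split("=", 1)[1]
        rules.append(Rule(who, bool(re.search(r"\bNOPASSWD\s*:", spec)), line.strip()))
    return rules

def deciding_rule(rules, user, groups=()):
    """Entries are applied in order and the last match wins (sudoers(5)).
    Simplification: only plain user names, %group names and ALL are matched;
    hosts, aliases and per-command tags are ignored."""
    names = {user, "ALL"} | {"%" + g for g in groups}
    matches = [r for r in rules if r.who in names]
    return matches[-1] if matches else None

if __name__ == "__main__":
    rules = parse_rules(SAMPLE_SUDOERS)
    for r in rules:
        if r.nopasswd:
            print("passwordless rule:", r.line)
    # Assumption: the account is named "user"; group membership is varied here.
    for groups in ((), ("sudo",)):
        r = deciding_rule(rules, "user", groups)
        print(groups, "->", "no password" if r.nopasswd else "password asked", "|", r.line)
```

On a real system, run it against the output of the files checked with 'visudo -c' and compare the result with 'sudo -l' for the account in question.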

