[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: permissions/sudo/sudoers

On Tue, 2 Apr 2013 01:45:53 +0200
sp113438 <sp113438@telfort.nl> wrote:

Personally I think it would be great if package devs added perhaps
commented by default lines sudoers or to a file in sudoers.d 

There is no need for groups and logging back in for the average system
and sudoers changes take immediate effect whereas group changes don't.
Though groups can be handy. Sudo is much easier to use, encourages
better programming and is more secure and more powerful than polkit
partly due to being filesystem based and certainly less disruptive as
it is simply a tool in the proper UNIX sense.

You should use visudo as root to edit sudoers as it will warn you if
you have mad a mistake before applying the new policy

> add to /ets/sudoers:
> yourname     ALL=(ALL) NOPASSWD:ALL

Or to be more secure as you really shouldn't do the above even with
Requiretty enabled and even if using a seperate autologged in user from
the console

yourusername	ALL=(ALL) NOPASSWD: /usr/bin/apt-get install

or to match more packages

yourusername	ALL=(ALL) NOPASSWD: /usr/bin/apt-get install *

Some others may be handy too.

yourusername	ALL=(ALL) NOPASSWD: /usr/bin/apt-get install
[a-zA-Z0-9-]*, /usr/bin/apt-get update, /usr/bin/apt-get
dist-upgrade, /usr/bin/aptitude

This one should have a password

yourusername	ALL=(ALL) sudoedit /etc/apt/sources.list

Using synaptic to decide what to install (you don't need root to
browse) before using aptitude, isn't a bad idea.

Later rules override previous ones which may matter if a more inclusive
match such as ALL commands allowed with password comes after a NOPASSWD

Unfortunately apt downloads as root. It is priviledge reduction in
things like that that distros should be focussing on rather than
wasing time on this polkit when sudo exits, especially because it's
predecessor was apparently criticised out of existence.

Reply to: