
Re: Don't try this at home kids



On Tue 30 Nov 2021 at 13:15:56 (-0500), Greg Wooledge wrote:
> On Tue, Nov 30, 2021 at 11:12:49AM -0600, Paul Johnson wrote:
> > On Mon, Nov 29, 2021 at 11:57 PM Joe Pfeiffer <pfeiffer@cs.nmsu.edu> wrote:
> > > David Wright <deblis@lionunicorn.co.uk> writes:
> > > > As /etc/sudoers already contains the line:
> > > >
> > > >   %sudo   ALL=(ALL:ALL) ALL
> > > >
> > > > one should be able to achieve the same effect by
> > > > adding the user to the sudo group.
> > >
> > > Near as I can tell from my experience, that doesn't work around the
> > > password requirement.

Yes, I don't really approve of the original request. It's one thing
to allow using a closed set of specific, routine commands without
a password, as I do, but to open up the whole system by typing sudo
at the start of a line seems like going a bit too far for me.

It's bad enough that after typing it once, AIUI, you get 15 mins of
passwordless freedom. However, can you not use that to your advantage
by increasing the default timeout to a value that suits you?

Presumably, typing the password once in, say, 9 hours, is not too
onerous, and a major advantage is that it's revokable, merely by
closing the terminal that you typed it into. OTOH, NOPASSWD: leaves
all your sessions wide open, as it's not revokable.

> > Make sure you log out and log back in after you do 'adduser joe sudo' (or
> > whatever your username is). Group permissions are generally only effective
> > as they were at the time of that session's login.
> 
> What you said is correct, but it doesn't contradict the paragraph that
> you cited.
> 
> Adding yourself to the sudo group (and then re-logging-in) allows you
> to use sudo.  It doesn't skip the password requirement.
> 
> To skip the password requirement, you need to make edits, either to the
> main sudoers file or to a drop-in file.  Instructions have already been
> given earlier in this thread.  It involves adding the string NOPASSWD
> and some punctuation in the right position in a ridiculously overengineered
> file.

It's difficult to imagine using the flexibility that   man sudoers
demonstrates. But then, I've never had to administer a system that's
subject to the excessive ingenuity that some people (think students)
can show.

Cheers,
David.
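
The two approaches contrasted in this message, sketched as a sudoers drop-in. This is an added example, not part of the original post: the file name and the two commands in the alias are placeholders, and the user joe is borrowed from the adduser example quoted above.

```sudoers
# /etc/sudoers.d/local-policy   (hypothetical file name)
# Edit with:  visudo -f /etc/sudoers.d/local-policy
# so that a syntax error is caught before it can lock sudo out.

# Blanket form discussed in the thread: every command, never a password,
# in every session the user has open. Shown commented out for contrast.
#joe    ALL=(ALL:ALL) NOPASSWD: ALL

# Alternative 1: a closed set of routine commands without a password.
# The commands are placeholders; list full paths, and include the
# arguments so that only that exact invocation matches.
Cmnd_Alias ROUTINE = /usr/bin/apt-get update, \
                     /usr/sbin/service cups restart
joe     ALL=(root) NOPASSWD: ROUTINE

# Alternative 2: keep the password for everything else, but ask for it
# less often. timestamp_timeout is in minutes; 540 is the 9 hours
# mentioned above. "sudo -k" drops the cached credential early.
Defaults:joe timestamp_timeout=540
```

Because the last matching sudoers entry wins, the drop-in (included at the end of /etc/sudoers) overrides the `%sudo` line only for the commands in ROUTINE; anything else joe runs through sudo still prompts for a password.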

