Re: sudoers question
On 5/12/23, DdB wrote:
> Am 13.05.2023 um 00:03 schrieb Lee:
>> On 5/12/23, Stefan Monnier wrote:
>>>> Or configure sudo to disable tty_tickets, so that the timeout (10
>>>> minutes by default IIRC) applies to all terminals.
>>>
>>> `sudo bash` anyone?
>>
>> me! me! but I also have
> (...)
>> %adm ALL = (root) NOPASSWD: ADM_COMMANDS
>
> Of course, there are ways to allow any/all sudo commands without
> password. And I also have to cast a warning here:
>
> The kind of mistakes, any user (including yourself) can initiate, grows
> considerably, if he can use any commands without even thinking.

In general, yes, but how much trouble can
/usr/bin/dmesg,
/usr/bin/apt list
/usr/bin/apt update
/usr/sbin/checkrestart
/usr/sbin/needrestart
cause?
OTOH, I like the idea of logging in as root to do admin stuff. But
that seems to be frowned on now.. I don't know why :( .. unless
logging? 'sudo bash' or logging in as root doesn't leave an audit
trail of commands you've done

> To my eye, as there is a huge responsibility involved with using
> elevated powers, I would not want "my little brother" to accidentally
> sit in front of my computer while just trying commands at a console,
> that he may have heard of somewhere.

I gave login credentials to a 4 yr old :) I was a bit apprehensive
when he started mashing the keyboard but I'd already tried to find all
the world-writeable files on the machine so I wasn't all _that_
worried. I'm more concerned that I did the search wrong & missed
something than I am of getting a "rm -fr /" from random keyboard mashing.

> Even worse: When I found out, how to prevent sudo from asking a pwd, I
> in fact did cause a couple of bad mistakes, that the system would
> otherwise have prevented from happening (including making it
> unbootable). And it took me quite some time in order to get used to some
> kind of a routine, that keeps me from having to reinstall everything from
> scratch after each mishap.
>
> So, after some time, I have become way more cautious at allowing too
> many powers to myself without thinking. And especially the OP did reveal
> some contradictory habits:
> He was asking, how to allow any sudo command without being asked for a
> password ( which means: without being controlled by the system ). On one
> hand, this could make sense under certain premises.
> OTOH, he was failing to display any kind of responsible attitude for the
> job (like as if reading logfiles was his only interest ...).
>
> Just simply asking for help in this regard let me wonder, as I had been
> able to find out all this without even knowing about his group,
> including the relevance of sudoedit in this regard (which no one even
> mentioned).
>
> You can't have your cake and eat it too!
>
> If we (as a community) would support such a behavior, wouldn't we be
> responsible for the effects, this entails

No.

> Would you hand out a loaded weapon to a child? (I certainly did not.)

Maybe I have? But this is a personal/household machine so if files
get deleted I'll get to find out if my backup/restore process works as
well as I hope it does :)
At work, downtime is expensive, so I do tend to lock things down at
work. At home I'm a lot more casual.
Regards
Lee
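
The world-writable search mentioned in the message above can be written as the following check. This is an added example, not part of the original message and not the command its author ran; the function name `find_world_writable` is made up for illustration.

```shell
#!/bin/sh
# Added example: audit a directory tree for entries that any local user
# can modify. find_world_writable is a hypothetical helper name.
#
# Usage: find_world_writable /        (run as root to see every directory)
#
# Output, one entry per line:
#   file <path>   regular file with the "other" write bit set
#   dir <path>    world-writable directory WITHOUT the sticky bit, i.e. a
#                 directory where any user can delete or replace other
#                 users' files (unlike /tmp, which is mode 1777)
find_world_writable() {
    root=${1:-/}
    # -xdev keeps find on one filesystem, so /proc, /sys and network
    #   mounts are not walked; repeat the call per mounted filesystem.
    # Symlinks are not matched (-type f / -type d): their own mode bits
    #   are always 0777 on Linux and say nothing about the target.
    # -perm -0002 means "at least the other-write bit is set";
    #   -perm -1000 means "sticky bit is set".
    find "$root" -xdev \( \
        \( -type f -perm -0002 -exec printf 'file %s\n' {} + \) -o \
        \( -type d -perm -0002 ! -perm -1000 -exec printf 'dir %s\n' {} + \) \
    \)
}
```

Errors such as "Permission denied" are left visible on purpose: a directory the search could not enter is a gap in the audit, not noise.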