[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: sudoers question

On 5/12/23, DdB  wrote:
> Am 13.05.2023 um 00:03 schrieb Lee:
>> On 5/12/23, Stefan Monnier  wrote:
>>>> Or configure sudo to disable tty_tickets, so that the timeout (10
>>>> minutes by default IIRC) applies to all terminals.
>>>
>>> `sudo bash` anyone?
>>
>> me!  me!  but I also have
> (...)
>> %adm          ALL = (root) NOPASSWD: ADM_COMMANDS
>
> Of course, there are ways to allow any/all sudo commands without
> password. And i also have to cast a warning here:
>
> The kind of mistakes, any user (including yourself) can initiate, grows
> considerably, if he can use any commands without even thinking.

In general, yes, but how much trouble can
  /usr/bin/dmesg,
  /usr/bin/apt list
  /usr/bin/apt update
  /usr/sbin/checkrestart
  /usr/sbin/needrestart
cause?

OTOH, I like the idea of logging in as root to do admin stuff.  But
that seems to be frowned on now.. I don't  know why :(   .. unless
logging?  'sudo bash' or logging in as root doesn't leave an audit
trail of commands you've done

> To my eye, as there is a huge responsability involved with using
> elevated powers, i would not want "my little brother" to accidentally
> sit in front of my computer while just trying commands at a console,
> that he may have heard of somewhere.

I gave login credentials to a 4 yr old :)  I was a bit apprehensive
when he started mashing the keyboard but I'd already tried to find all
the world-writeable files on the machine so I wasn't all _that_
worried.  I'm more concerned that I did the search wrong & missed some
thing than I am of getting a "rm -fr /" from random keyboard mashing.

> Even worse: When i found out, how to prevent sudo from asking a pwd, i
> in fact did cause a couple of bad mistakes, that the system would
> otherwise have prevented from happening (including making it
> unbootable). And it took my quite some time in order to get used to some
> kind of a routine, that keps me from having to reinstall everything from
> scratch after each mishap.
>
> So, after some time, i have become way more cautious at allowing too
> many powers to myself without thinking. And especially the OP did reveal
> some contradictory habits:
> He was asking, how to allow any sudo command without being asked for a
> password ( which means: without being controlled by the system ). On one
> hand, this could make sense under certain premises.
> OTOH, he was failing to display any kind of responsible attitude for the
> job (like as if reading logfiles was hs only interest ...).
>
> Just simply asking for help in this regard let me wonder, as i had been
> able to find out all this without even knowing about his group,
> including the relevance of sudoedit in this regard (which no one even
> mentioned).
>
> You can't have your cake and eat it too!
>
> If we (as a community) would support such a behavior, wouldn't we be
> responsible for the effecs, this entails

No.

> Would you hand out a loaded weapon to a child? (I certainly did not.)

Maybe I have?   But this is a personal/household machine so if files
get deleted I'll get to find out if my backup/restore process works as
well as I hope it does :)

At work, downtime is expensive, so I do tend to lock things down at
work.  At home I'm a lot more casual.

Regards
Lee
Reply to: