
Re: sudoers question



On Sat, May 13 2023 at 01:51:03 AM, Lee <ler762@gmail.com> wrote:
> On 5/12/23, DdB  wrote:
>> Am 13.05.2023 um 00:03 schrieb Lee:
>>> On 5/12/23, Stefan Monnier  wrote:
>>>>> Or configure sudo to disable tty_tickets, so that the timeout (10
>>>>> minutes by default IIRC) applies to all terminals.
>>>>
>>>> `sudo bash` anyone?
>>>
>>> me!  me!  but I also have
>> (...)
>>> %adm          ALL = (root) NOPASSWD: ADM_COMMANDS
>>
>> Of course, there are ways to allow any/all sudo commands without
>> password. And i also have to cast a warning here:
>>
>> The kind of mistakes, any user (including yourself) can initiate, grows
>> considerably, if he can use any commands without even thinking.
>
> In general, yes, but how much trouble can
>   /usr/bin/dmesg,
>   /usr/bin/apt list
>   /usr/bin/apt update
>   /usr/sbin/checkrestart
>   /usr/sbin/needrestart
> cause?
>
> OTOH, I like the idea of logging in as root to do admin stuff.  But
> that seems to be frowned on now.. I don't know why :(   .. unless
> logging?  'sudo bash' or logging in as root doesn't leave an audit
> trail of commands you've done
>

The benefit is that there is no shared password.  If one of the people
entrusted with sudo privileges needs to lose those privileges (perhaps
because they leave the organization), removing that user account stops
their access.  If, on the other hand, you were allowing admins to log in
as root, you now need to change the shared root password.  Of course,
this requires a degree of locking down.  For example, the set of users
allowed to do day-to-day administration tasks must not overlap with the
set of users permitted to modify the sudo configuration or set root
password.  You can also have different sets of users permitted to do
different kinds of administrative tasks: one group might be permitted to
stop/restart a small set of services, for example.  And no one can be
permitted to do `sudo bash` or its equivalent.

Logging is a nice additional benefit, and some organizations may be
required to keep audit logs for server configuration changes.  sudo
providing this will be a bonus for them.

On single-user systems, the ability to do NOPASSWD for selected commands
is nice.  I don't know of any other benefit.

-- 
regards,
kushal
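As an added example (not from the thread), a sudoers fragment laid out the way kushal describes: day-to-day admins, service operators and the people who may edit sudo's own configuration are separate groups. The group names `ops`, `svcops` and `sudoadmins` and the service name are assumptions; the command list is Lee's ADM_COMMANDS from the quoted post.

```sudoers
# Added example, not from the thread. Group names are assumptions.
# Per-command audit trail: log_output records the session for sudoreplay,
# use_pty prevents a command from reusing the caller's terminal.
Defaults    use_pty
Defaults    log_output
Defaults    logfile="/var/log/sudo.log"

# Lee's ADM_COMMANDS. With arguments given, sudo matches them exactly:
# "apt list" allows only `sudo apt list`, not `sudo apt list --upgradable`.
Cmnd_Alias  ADM_COMMANDS = /usr/bin/dmesg, /usr/bin/apt list, \
                           /usr/bin/apt update, /usr/sbin/checkrestart, \
                           /usr/sbin/needrestart

# A deliberately small set of service actions (service name assumed).
Cmnd_Alias  SVC_CONTROL  = /usr/bin/systemctl start nginx.service, \
                           /usr/bin/systemctl stop nginx.service, \
                           /usr/bin/systemctl restart nginx.service

# The only commands that change sudo's configuration or the root password.
Cmnd_Alias  SUDO_CONFIG  = /usr/sbin/visudo, /usr/bin/passwd root

# Day-to-day administration without a password; nothing here spawns a shell.
%ops        ALL = (root) NOPASSWD: ADM_COMMANDS

# Service operators authenticate and can only manage the one service.
%svcops     ALL = (root) SVC_CONTROL

# Only this group may edit sudoers or set the root password; its members
# should not also be in %ops or %svcops, and nobody gets `sudo bash`.
%sudoadmins ALL = (root) SUDO_CONFIG
```

Check the syntax with `visudo -cf <file>` before installing it under /etc/sudoers.d/, since a broken sudoers file can lock everyone out of sudo.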

