Sudo example configuration
dj at linuxfromscratch.org
Tue Sep 29 22:00:09 PDT 2009
On 09/29/2009 10:46 PM, Bruce Dubbs wrote:
> DJ Lucas wrote:
>> Anybody have any objection to providing a sudoers group and adding more
>> secure/common example to the sudoers file? Something to the effect of...
>> groupadd -g <##> sudoers &&
>> echo -e "%sudoers\tALL=(ALL)\tALL" >> /etc/sudoers &&
>> usermod -a -G sudoers <your user name>
>> ...instead of the current admin user with no password example?
> I really don't have an objection, but what we have now is just as easy. The
> superuser just needs to run visudo and add a name to the ADMIN user alias.
> Is that really any harder than adding a user to a group.
Dang it, I knew I was gonna have to read the man page! :-) No...I was
going more for what is a common use case today...but I suppose that kind
of icks what learning can be done by reading the manual page. For our
purposes, we could get the intended result from:
<username> <$hostname>=(ALL) NOPASSWD:ALL
> I don't like tabs in configuration files (or source code).
> The (ALL) really doesn't apply to many users any more.
I'm not sure if you confused the positions, or if these were two
separate thoughts. I'll separate, but answer as if confused/transposed
for anybody who reads, as that's how I understood your comments here at
first. The '(ALL)' allows the user to choose all users to run the
command as...it could also be any previously defined user alias or a
valid user name as well.
But, yes I agree, very few people lock down commands to specific users
anymore, and just run everything that needs elevated privileges as the
superuser and change perms if needed when done. I'm guilty as well...and
it is because of relaxed sudoers files. ;-)
> I'm not even sure how
> I'd use sudo to run something on another host.
You can't directly (at least not that I know of), it is intended for
shared sudoers files (or included sudoers files) across the network.
See the example above: 'ALL' before the equal sign just lets it match
unconditionally, any host. 'ALL' always matches unconditionally and is
actually not really security conscious IMO, but su is not easily
scripted, so I can justify it for my own use. ;-)
> The sudoers file can be very complex or very easy (like the current example).
> I'd prefer to leave it as it is.
The second point of my original post is that I severely dislike the
NOPASSWD option. Granted, an admin shouldn't leave a console
unattended, but in the event that she does, then she has some form of
protection. Having now reviewed the manual page fully, the default
timeout is 5 minutes (before you have to enter your password again). I
really don't care for the generous use of 'ALL', but I can live with it.
-- DJ Lucas
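The thread turns on what each field of a sudoers user specification means (the host list before the '=', the '(runas)' list, the NOPASSWD tag, and the command list) and on which of those are worth worrying about. The following is an added example, not code from the thread or from the sudo project: a small Python parser for that line form plus a check that flags the permissive settings discussed above. The sample sudoers text is constructed for the example; the names and the rule shapes are assumptions modelled on the two variants in the thread, and the parser covers only plain user specifications (it skips Defaults and alias definitions rather than resolving them).

```python
import re
from dataclasses import dataclass

# Constructed sample modelled on the two forms discussed in the thread:
# a group-based rule and a per-user NOPASSWD rule. Not a real sudoers file.
SAMPLE_SUDOERS = """\
# comment line
Defaults    timestamp_timeout=5
User_Alias  ADMIN = alice, bob
%sudoers    ALL=(ALL)   ALL
ADMIN       ALL=(ALL)   NOPASSWD: ALL
carol       build01=(root) /usr/bin/apt-get
"""

# user-spec grammar (simplified): who host=(runas) [TAG:]... command-list
RULE_RE = re.compile(
    r'^(?P<who>\S+)\s+'              # user, %group, or User_Alias name
    r'(?P<host>\S+?)\s*=\s*'         # host list before '='
    r'(?:\((?P<runas>[^)]*)\)\s*)?'  # optional (runas) list
    r'(?P<rest>.+)$'                 # tags followed by the command list
)

SKIP_PREFIXES = ('Defaults', 'User_Alias', 'Host_Alias',
                 'Cmnd_Alias', 'Runas_Alias')


@dataclass
class Rule:
    who: str
    host: str
    runas: str
    tags: list
    commands: str


def parse_rule(line):
    """Parse one sudoers user specification; return None for non-rule lines."""
    line = line.split('#', 1)[0].strip()          # drop comments
    if not line or line.startswith(SKIP_PREFIXES):
        return None
    m = RULE_RE.match(line)
    if not m:
        return None
    rest = m.group('rest')
    tags = []
    # Tags such as NOPASSWD: or SETENV: precede the command list.
    while True:
        t = re.match(r'^([A-Z]+):\s*', rest)
        if not t:
            break
        tags.append(t.group(1))
        rest = rest[t.end():]
    runas = m.group('runas')
    # With no (runas) list sudo defaults to root; that default is an assumption
    # of this example (runas_default is configurable in real deployments).
    return Rule(m.group('who'), m.group('host'),
                runas if runas is not None else 'root', tags, rest.strip())


def audit(text):
    """Map each rule's subject to the list of permissive settings it carries."""
    findings = {}
    for line in text.splitlines():
        r = parse_rule(line)
        if r is None:
            continue
        issues = []
        if 'NOPASSWD' in r.tags:
            issues.append('NOPASSWD')      # no re-authentication at all
        if r.host == 'ALL':
            issues.append('host=ALL')      # matches on every host sharing the file
        if r.runas == 'ALL':
            issues.append('runas=ALL')     # may run as any user, not just root
        if r.commands == 'ALL':
            issues.append('cmd=ALL')       # any command
        findings[r.who] = issues
    return findings


if __name__ == '__main__':
    for who, issues in audit(SAMPLE_SUDOERS).items():
        print(f'{who:10s} {", ".join(issues) or "restricted"}')
```

Run against a real file this would be `audit(open('/etc/sudoers').read())`; the point of the output is to see at a glance which entries combine NOPASSWD with an unrestricted command list, which is the combination the thread objects to, as opposed to the bare 'ALL' entries it is willing to live with.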