Sudo example configuration

DJ Lucas dj at linuxfromscratch.org
Tue Sep 29 22:00:09 PDT 2009


On 09/29/2009 10:46 PM, Bruce Dubbs wrote:
> DJ Lucas wrote:
>    
>> Anybody have any objection to providing a sudoers group and adding more
>> secure/common example to the sudoers file?  Something to the effect of...
>>
>> groupadd -g <##> sudoers &&
>> echo -e "%sudoers\tALL=(ALL)\tALL" >> /etc/sudoers &&
>> usermod -a -G sudoers <your user name>
>>
>> ...instead of the current admin user with no password example?
>>      
> I really don't have an objection, but what we have now is just as easy.  The
> superuser just needs to run visudo and add a name to the ADMIN user alias.
> Is that really any harder than adding a user to a group.
>    
Dang it, I knew I was gonna have to read the man page!  :-) No...I was 
going more for what is a common use case today...but I suppose that kind 
of icks what learning can be done by reading the manual page.  For our 
purposes, we could get the intended result from:

<username> <$hostname>=(ALL) NOPASSWD:ALL

> I don't like tabs in configuration files (or source code).
>
> The (ALL) really doesn't apply to many users any more.

I'm not sure if you confused the positions, or if these were two 
separate thoughts.  I'll separate, but answer as if confused/transposed 
for anybody who reads, as that's how I understood your comments here at 
first.  The '(ALL)' allows the user to choose all users to run the 
command as...it could also be any previously defined user alias or a 
valid user name as well.

But, yes I agree, very few people lock down commands to specific users 
anymore, and just run everything that needs elevated privileges as the 
superuser and change perms if needed when done.  I'm guilty as well...and 
it is because of relaxed sudoers files. ;-)

> I'm not even sure how
> I'd use sudo to run something on another host.
>    
You can't directly (at least not that I know of), it is intended for 
shared sudoers files (or included sudoers files) across the network.  
See the example above: 'ALL' before the equal sign just lets it match 
unconditionally, any host. 'ALL' always matches unconditionally and is 
actually not really security conscious IMO, but su is not easily 
scripted, so I can justify it for my own use. ;-)


> The sudoers file can be very complex or very easy (like the current example).
> I'd prefer to leave it as it is.
>
>    
The second point of my original post is that I severely dislike the 
NOPASSWD option.  Granted, an admin shouldn't leave a console 
unattended, but in the event that she does, then she has some form of 
protection.  Having now reviewed the manual page fully, the default 
timeout is 5 minutes (before you have to enter your password again).  I 
really don't care for the generous use of 'ALL', but I can live with it.

-- DJ Lucas
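To make the syntax argued over above concrete, here is an added example that is not from the thread, the BLFS book, or sudo itself. It models the subset of a sudoers user specification the thread touches on (`user` or `%group`, the host field, the `(runas)` list, the `NOPASSWD:` tag, `ALL` as the unconditional wildcard, and "last matching rule wins") and evaluates the two proposed entries side by side. The user names, host names, and the `sudoers` group membership are constructed; aliases, `!` negation, netgroups, and `#uid` forms are deliberately left out.

```python
"""Toy model of sudoers user specifications (example code written for this
page, not part of sudo or the BLFS book). It covers only:
    who  host = (runas_list) [NOPASSWD:|PASSWD:] command_list
with ALL as the wildcard and last-match-wins semantics, as in sudoers(5).
"""
import re
from dataclasses import dataclass

# Constructed sample lines mirroring the two styles debated in the thread.
# "dj", "bruce", "backup", "web.example" and the "sudoers" group are made up.
SAMPLE_SUDOERS = """
# proposed group-based entry: anyone in group sudoers, any host, any runas user
%sudoers ALL=(ALL) ALL
# per-user, per-host entry that skips the password prompt (the disliked form)
dj web.example=(ALL) NOPASSWD:ALL
# tightly scoped entry: one command, runas defaults to root when (...) is absent
backup ALL=/usr/bin/rsync
"""

# Constructed group membership standing in for /etc/group.
GROUPS = {"sudoers": {"dj", "bruce"}, "wheel": {"bruce"}}

RULE_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>[^=\s]+)\s*=\s*"   # who host=
    r"(?:\((?P<runas>[^)]*)\)\s*)?"               # optional (runas list)
    r"(?:(?P<tag>NOPASSWD|PASSWD)\s*:\s*)?"       # optional tag
    r"(?P<cmds>\S.*)$"                            # command list
)


@dataclass
class Rule:
    who: str            # user name, or %group
    host: str           # host name or ALL
    runas: list         # users the command may be run as
    nopasswd: bool      # True when tagged NOPASSWD:
    cmds: list          # permitted commands, or ["ALL"]


def parse_sudoers(text):
    """Parse user-specification lines; comments and blank lines are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised sudoers line: {raw!r}")
        runas = m.group("runas")
        rules.append(Rule(
            who=m.group("who"),
            host=m.group("host"),
            # no (...) part means the command may only be run as root
            runas=[u.strip() for u in runas.split(",")] if runas else ["root"],
            nopasswd=m.group("tag") == "NOPASSWD",
            cmds=[c.strip() for c in m.group("cmds").split(",")],
        ))
    return rules


def _who_matches(rule, user, groups):
    if rule.who == "ALL":
        return True
    if rule.who.startswith("%"):
        return user in groups.get(rule.who[1:], set())
    return rule.who == user


def check(rules, groups, user, host, runas, cmd):
    """Return (allowed, password_required) for `user` on `host` running
    `cmd` as `runas`. Rules are applied in order and the last match wins,
    so a later NOPASSWD: line overrides an earlier password-requiring one."""
    allowed, password = False, True
    for r in rules:
        if not _who_matches(r, user, groups):
            continue
        if r.host != "ALL" and r.host != host:
            continue
        if "ALL" not in r.runas and runas not in r.runas:
            continue
        if "ALL" not in r.cmds and cmd not in r.cmds:
            continue
        allowed, password = True, not r.nopasswd
    return allowed, password


if __name__ == "__main__":
    rules = parse_sudoers(SAMPLE_SUDOERS)
    for user, host, runas, cmd in [
        ("dj", "web.example", "root", "/bin/ls"),        # NOPASSWD line wins
        ("dj", "build.example", "root", "/bin/ls"),      # only the group line matches
        ("backup", "any.host", "root", "/usr/bin/rsync"),
        ("backup", "any.host", "dj", "/usr/bin/rsync"),  # runas not permitted
        ("alice", "web.example", "root", "/bin/ls"),     # no rule at all
    ]:
        ok, pw = check(rules, GROUPS, user, host, runas, cmd)
        print(f"{user}@{host} as {runas}: {cmd} -> "
              f"{'allowed' if ok else 'denied'}"
              f"{', password required' if ok and pw else ''}")
```

Running it shows the trade-off in the thread: the `%sudoers` line grants the same rights on every host but keeps the password prompt, while the per-user `NOPASSWD:` line, when it matches later in the file, silently removes that prompt for the one host it names.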

