Erk. Thanks, Tom. I've got to quit trusting my memory on things that I don't do every day.
2012/1/5 Tom H <tomh0...@gmail.com>:
> 2012/1/4 Joel Rees <joel.r...@gmail.com>:
>> On Wed, Jan 4, 2012 at 8:26 PM, chengshid <chengs...@gmail.com> wrote:
>>> On 2012-01-04 14:45, Bob Proulx wrote:
>>>> chengshid wrote:
>>> root ALL=(ALL:ALL) ALL
>>
>> Odd that root would have to use the password where all the rest don't. But,
>> ...
>>
>>> user ALL=(ALL:ALL)NOPASSWD: ALL
>>
>> That's a huge security hole. You don't want to do that. That's almost
>> the same thing as letting root log in without a password.
>>
>> You should have one user that you only log in to for administration
>> purposes. You might be tempted to call the user "admin" but it's
>> better not to use a name that is easily guessed.
>>
>> Let's say I call my administrator user "bigboy". (I don't, but let's
>> say I do.) Then that line would be
>>
>> user bigboy=(ALL:ALL)NOPASSWD: ALL
>
> "user ALL=(ALL:ALL)NOPASSWD: ALL" means that the user "user" can sudo
> to any user and execute any command on any box without entering a
> password.

I always forget about the machine entry, because I keep forgetting that the syntax is designed so you can share one sudoers file between a large group of similar machines on the network.

> "user bigboy=(ALL:ALL)NOPASSWD: ALL" means that the user "user" can
> sudo to any user and execute any command on the "bigboy" box without
> entering a password.

So,

bigboy ALL =(ALL:ALL)NOPASSWD:ALL

which, except for fileglobs being evaluated by the shell in the bigboy context before being passed to sudo, makes bigboy equivalent to root on any machine that has this line -- which makes it dangerous to leave bigboy logged in on pretty much any unattended terminal on the network, among other not-so-good things.

Or,

bigboy mybox=(ALL:ALL)NOPASSWD:ALL

which makes bigboy just like root on the computer "mybox", except for fileglobs, if the user remembers to say, "sudo".
I have only recently understood that, sudo not being a built-in, the shell necessarily evaluates the fileglobs before calling sudo. Sometimes I get excited about little things. (Being noisy because sudo is on my mind at the moment.)

> [I would've thought that there ought to be a space between
> "(ALL:ALL)" and "NOPASSWD:" but since it worked for the OP before he
> edited polkit files, I guess not.]

Yeah, since I'm checking, man 5 sudoers, around line 480 on the Fedora 15 system I have booted right now, "whitespace optional". Good study for the test I have to take pretty soon.

--
Joel Rees

Archive: http://lists.debian.org/caar43ip9ndm2dsvraslt945alsrbnn68fd79hwgr9s+ym2r...@mail.gmail.com
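The thread turns on how the user, host, runas and tag fields of a sudoers user specification combine, and on the fact that whitespace before `NOPASSWD:` is optional. The following is an added example (not code from the thread or from the sudo project) that parses the three lines discussed above under a simplified, assumed subset of the sudoers(5) grammar and flags passwordless ALL grants, distinguishing the ALL-hosts form from the single-machine form; the sample lines are constructed from the thread.

```python
import re

# Constructed sample lines: the user specifications discussed in the thread.
SAMPLE_LINES = [
    "root ALL=(ALL:ALL) ALL",
    "user ALL=(ALL:ALL)NOPASSWD: ALL",
    "bigboy mybox=(ALL:ALL)NOPASSWD:ALL",
]

# Assumed, simplified user-specification grammar (a subset of sudoers(5)):
#   user  host = (runas_user[:runas_group]) [TAG:]... command[, command]...
# Whitespace around "=" and after ")" is optional, as the thread notes.
SPEC_RE = re.compile(
    r"^(?P<user>[^\s=]+)\s+(?P<host>[^\s=]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\))?\s*"
    r"(?P<tags>(?:[A-Z]+:\s*)*)"
    r"(?P<cmds>\S.*?)\s*$"
)


def parse_spec(line):
    """Split one user specification into its fields."""
    m = SPEC_RE.match(line.strip())
    if not m:
        raise ValueError("unsupported sudoers line: %r" % line)
    runas_user, _, runas_group = (m.group("runas") or "root").partition(":")
    return {
        "user": m.group("user"),
        "host": m.group("host"),  # ALL, or the one machine the line applies to
        "runas_user": runas_user,
        "runas_group": runas_group,
        "tags": [t for t in m.group("tags").replace(" ", "").split(":") if t],
        "commands": [c.strip() for c in m.group("cmds").split(",")],
    }


def audit_spec(line):
    """Return (spec, findings); a finding names a passwordless root-equivalent grant."""
    spec = parse_spec(line)
    findings = []
    if "NOPASSWD" in spec["tags"] and "ALL" in spec["commands"]:
        where = "every host" if spec["host"] == "ALL" else "host " + spec["host"]
        findings.append("%s: passwordless ALL as %s on %s"
                        % (spec["user"], spec["runas_user"], where))
    return spec, findings


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        spec, findings = audit_spec(line)
        print(line, "->", spec["tags"] or "password required", findings)
```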