Re: [gentoo-user] Permissions of /etc/sudoers
Michael Hentsch wrote:
> The file /etc/sudoers should always be edited with visudo. visudo uses file locking, provides basic sanity checks and checks for parse errors.

This always made me crazy. Why, why, why should I use a specialized editor to edit a system file? It's not like we have vixorgconf, vifstab. You are welcome to edit these files with any editor you like. Why is /etc/sudoers special?

m.
Re: [gentoo-user] Permissions of /etc/sudoers
On Thu, 12 Feb 2009 00:52:22 +0100, b.n. wrote:
> > The file /etc/sudoers should always be edited with visudo. visudo uses file locking, provides basic sanity checks and checks for parse errors.
>
> This always made me crazy. Why, why, why should I use a specialized editor to edit a system file? It's not like we have vixorgconf, vifstab. You are welcome to edit these files with any editor you like. Why is /etc/sudoers special?

It's no more special than /etc/passwd, which should be edited with vipw. And it's not a specialised editor, these are just wrappers that call $EDITOR, so you end up using the same program to edit the files, but with a safety net. Remember that some systems restrict root access, so a fscked /etc/sudoers could lock you out.

It's not like you HAVE to use the wrapper either, there's nothing to stop you using any editor you like, directly, and it's the best choice if you want to be free to screw up the file.

--
Neil Bothwick

Procedure: (n.) a method of performing a program sub-task in an inefficient way by extensively using the stack instead of a GOTO.
Re: [gentoo-user] Permissions of /etc/sudoers
On Wed, Feb 11, 2009 at 5:52 PM, b.n. brullonu...@gmail.com wrote:
> Michael Hentsch wrote:
> > The file /etc/sudoers should always be edited with visudo. visudo uses file locking, provides basic sanity checks and checks for parse errors.
>
> This always made me crazy. Why, why, why should I use a specialized editor to edit a system file? It's not like we have vixorgconf, vifstab. You are welcome to edit these files with any editor you like. Why is /etc/sudoers special?

I guess an error in sudoers could allow the whole world to use sudo, and someone decided to give this special cushion to this program and none of the others that can also ruin your system in various other ways. :)

Paul
Re: [gentoo-user] Permissions of /etc/sudoers
On Wed, 11 Feb 2009 18:01:36 -0600, Paul Hartman wrote:
> I guess an error in sudoers could allow the whole world to use sudo, and someone decided to give this special cushion to this program and none of the others that can also ruin your system in various other ways. :)

You could also lock yourself out, and some of the other files also have editor wrappers.

--
Neil Bothwick

Bother, said Christopher Robin, as Pooh got out the vaseline.
Re: [gentoo-user] Permissions of /etc/sudoers
On 12 Feb 2009, at 00:01, Neil Bothwick wrote:
> ... there's nothing to stop you using any editor you like, directly, and it's the best choice if you want to be free to screw up the file.

It's the Unix way!

Stroller.
[gentoo-user] Permissions of /etc/sudoers
Hi there,

I'm just in the process of setting up my lovely new system :D, in the very first post-install steps. I install sudo, give my user wide sudo rights and then set PermitRootLogin no in /etc/ssh/sshd_config. (Critique of this measure welcomed).

Anyway, as root I started to edit /etc/sudoers and vim complained editing a read-only file. Sure enough, /etc/sudoers has permissions 440, so I had to `chmod 640 /etc/sudoers` before editing it and changing it back.

I am sure I did not have to do this last time I installed a system, although that would have been at least a couple of years ago.

Obviously /etc/sudoers is a security-critical file and one wishes to prevent attackers from editing it, but surely if a file belongs to root there's not much point (??) in preventing root from writing to it, because root can always change the permissions and edit the file, just as I have done.

I see from some Googling that sudo complains if the permissions on this file are greater than 4xx - can anyone explain why, please? I'm sure there is something I am not understanding, but my naive analysis suggests the only reason for this behaviour is to inconvenience administrators!

Stroller.
Re: [gentoo-user] Permissions of /etc/sudoers
Stroller wrote:
> Hi there,
>
> I'm just in the process of setting up my lovely new system :D, in the very first post-install steps. I install sudo, give my user wide sudo rights and then set PermitRootLogin no in /etc/ssh/sshd_config. (Critique of this measure welcomed).
>
> Anyway, as root I started to edit /etc/sudoers and vim complained editing a read-only file.

The file /etc/sudoers should always be edited with visudo. visudo uses file locking, provides basic sanity checks and checks for parse errors.

> Sure enough, /etc/sudoers has permissions 440, so I had to `chmod 640 /etc/sudoers` before editing it and changing it back.

440 is ok.

> I am sure I did not have to do this last time I installed a system, although that would have been at least a couple of years ago.
>
> Obviously /etc/sudoers is a security-critical file and one wishes to prevent attackers from editing it, but surely if a file belongs to root there's not much point (??) in preventing root from writing to it, because root can always change the permissions and edit the file, just as I have done.
>
> I see from some Googling that sudo complains if the permissions on this file are greater than 4xx - can anyone explain why, please? I'm sure there is something I am not understanding, but my naive analysis suggests the only reason for this behaviour is to inconvenience administrators!
>
> Stroller.
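
Added example, not part of the thread and not code from sudo: the parse check and the 440 mode discussed above, combined into a validate-then-install shell function that avoids chmod'ing the live file. `visudo -c -f` is the real check-only invocation; the function names, the SUDOERS_CHECK override and the staged-file path are assumptions for illustration, and the function does not reproduce visudo's file locking.

```shell
#!/bin/sh
# Added example (not from the thread): validate a staged sudoers file, then
# install it with mode 0440, so the live file is never chmod'ed or half-written.
# SUDOERS_CHECK is a hypothetical override for the checker command; by default
# the real parse check `visudo -c -f FILE` is used.

# mode_of FILE: print the permission bits in octal (GNU/BusyBox stat).
mode_of() {
    stat -c '%a' "$1"
}

# install_sudoers CANDIDATE TARGET
# Returns 0 if CANDIDATE parsed cleanly and now replaces TARGET with mode 0440;
# returns 1 and leaves TARGET untouched otherwise.
install_sudoers() {
    candidate=$1
    target=$2
    tmp="$target.new.$$"

    # 1. Parse check first: a broken sudoers can lock everyone out of sudo.
    if ! ${SUDOERS_CHECK:-visudo -c -f} "$candidate" >/dev/null 2>&1; then
        echo "parse check failed, $target left untouched" >&2
        return 1
    fi

    # 2. Stage the copy next to the target, never readable by "other".
    if ! (umask 0337 && cp "$candidate" "$tmp" && chmod 0440 "$tmp"); then
        rm -f "$tmp"
        return 1
    fi

    # 3. When run as root, make sure the file belongs to root.
    if [ "$(id -u)" -eq 0 ]; then
        chown 0:0 "$tmp" || { rm -f "$tmp"; return 1; }
    fi

    # 4. rename() within one directory is atomic: readers see old or new file.
    mv -f "$tmp" "$target"
}

# Usage (as root): install_sudoers /root/sudoers.staged /etc/sudoers
```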