On 09/29/2009 10:46 PM, Bruce Dubbs wrote:
> DJ Lucas wrote:
>
>> Anybody have any objection to providing a sudoers group and adding a more
>> secure/common example to the sudoers file? Something to the effect of...
>>
>> groupadd -g <##> sudoers &&
>> echo -e "%sudoers\tALL=(ALL)\tALL" >> /etc/sudoers &&
>> usermod -a -G sudoers <your user name>
>>
>> ...instead of the current admin user with no password example?
>>
> I really don't have an objection, but what we have now is just as easy. The
> superuser just needs to run visudo and add a name to the ADMIN user alias.
> Is that really any harder than adding a user to a group?
>

Dang it, I knew I was gonna have to read the man page! :-)

No...I was going more for what is a common use case today...but I suppose
that kind of icks what learning can be done by reading the manual page. For
our purposes, we could get the intended result from:

<username> <$hostname>=(ALL) NOPASSWD:ALL

> I don't like tabs in configuration files (or source code).
>
> The (ALL) really doesn't apply to many users any more.

I'm not sure if you confused the positions, or if these were two separate
thoughts. I'll separate, but answer as if confused/transposed for anybody who
reads, as that's how I understood your comments here at first. The '(ALL)'
allows the user to choose all users to run the command as...it could also be
any previously defined user alias or a valid user name as well. But, yes, I
agree, very few people lock down commands to specific users anymore, and just
run everything that needs elevated privileges as the superuser and change
perms if needed when done. I'm guilty as well...and it is because of relaxed
sudoers files. ;-)

> I'm not even sure how
> I'd use sudo to run something on another host.
>

You can't directly (at least not that I know of); it is intended for shared
sudoers files (or included sudoers files) across the network. See the example
above: 'ALL' before the equal sign just lets it match unconditionally, any
host. 'ALL' always matches unconditionally and is actually not really
security conscious IMO, but su is not easily scripted, so I can justify it
for my own use. ;-)

> The sudoers file can be very complex or very easy (like the current example).
> I'd prefer to leave it as it is.
>

The second point of my original post is that I severely dislike the NOPASSWD
option. Granted, an admin shouldn't leave a console unattended, but in the
event that she does, then she has some form of protection. Having now
reviewed the manual page fully, the default timeout is 5 minutes (before you
have to enter your password again). I really don't care for the generous use
of 'ALL', but I can live with it.

-- 
DJ Lucas
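As an added illustration of the two styles discussed in this message (this fragment is not from the thread or from the BLFS book), here is a sudoers file that puts the no-password ADMIN alias next to the group-based entry that still prompts for a password, plus the host-restricted form and the credential-cache timeout. The user name "joe", the host name "buildhost" and the group name "sudoers" are placeholders assumed for the example; the field layout and the 5-minute default are as the sudoers manual page describes them.

```sudoers
# Added example, not the thread's or the BLFS book's own file.
# Edit the real file with visudo, or check a candidate with: visudo -c -f <file>

# Style currently in the book: anyone named in the ADMIN alias may run any
# command, as any user, on any host, without typing a password. An unattended
# console with this entry is an unauthenticated root shell.
User_Alias ADMIN = joe
ADMIN ALL=(ALL) NOPASSWD: ALL

# Group-based style proposed in the thread: members of the "sudoers" group
# (created with groupadd, joined with usermod -a -G) may run any command, but
# must enter their own password first. The layout of a user specification is
#   who   where(host)=(run-as user)   what
%sudoers ALL=(ALL) ALL

# Same grant narrowed to running commands only as root; "(ALL)" is rarely
# needed. Keep only one of the two %sudoers lines in a real file, because
# sudo applies the last matching entry.
%sudoers ALL=(root) ALL

# Host-restricted form from the message: matches only on the named host, which
# is what makes one sudoers file shareable (or includable) across machines.
joe buildhost=(ALL) ALL

# Credential cache: one password covers further commands for this many
# minutes. Five minutes is sudo's documented default, restated here so it is
# visible; set it to 0 to require a password for every single command.
Defaults timestamp_timeout=5
```

The point of placing the entries side by side is that the only difference between the weak and the stronger grant is the NOPASSWD: tag; the group versus alias question is a convenience choice, while the password requirement is what protects an unattended session once the timestamp has expired.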
