DJ Lucas wrote:
> On 09/29/2009 10:46 PM, Bruce Dubbs wrote:
>> DJ Lucas wrote:
>>
>>> Anybody have any objection to providing a sudoers group and adding a more
>>> secure/common example to the sudoers file? Something to the effect of...
>>>
>>> groupadd -g <##> sudoers &&
>>> echo -e "%sudoers\tALL=(ALL)\tALL" >> /etc/sudoers &&
>>> usermod -a -G sudoers <your user name>
>>>
>>> ...instead of the current admin user with no password example?
>>>
>> I really don't have an objection, but what we have now is just as easy. The
>> superuser just needs to run visudo and add a name to the ADMIN user alias.
>> Is that really any harder than adding a user to a group?
>>
> Dang it, I knew I was gonna have to read the man page! :-) No...I was
> going more for what is a common use case today...but I suppose that kind
> of icks what learning can be done by reading the manual page. For our
> purposes, we could get the intended result from:
>
> <username> <$hostname>=(ALL) NOPASSWD:ALL
>
>> I don't like tabs in configuration files (or source code).
>>
>> The (ALL) really doesn't apply to many users any more.
>
> I'm not sure if you confused the positions, or if these were two
> separate thoughts.

Two separate thoughts. You had \t in the echo.

> I'll separate, but answer as if confused/transposed
> for anybody who reads, as that's how I understood your comments here at
> first. The '(ALL)' allows the user to choose all users to run the
> command as...it could also be any previously defined user alias or a
> valid user name as well.

I did not remember correctly. What we have is:

user hostlist = (userlist) commandlist

* user is the name of the user or group to which this rule applies
* hostlist is a list of hosts this rule applies to
* userlist is a list of users that this rule can be run as, and must be enclosed in ( )
* commandlist is a list of commands that this rule states can be executed

The userlist token is optional – if excluded, it defaults to root.

I had swapped userlist and hostlist in my memory. ALL and (ALL) are a bit ambiguous. :)

> But, yes I agree, very few people lock down commands to specific users
> anymore, and just run everything that needs elevated privileges as the
> superuser and change perms if needed when done. I'm guilty as well...and
> it is because of relaxed sudoers files. ;-)
>
>> I'm not even sure how
>> I'd use sudo to run something on another host.
>>
> You can't directly (at least not that I know of), it is intended for
> shared sudoers files (or included sudoers files) across the network.

OK. I sorta see. The sudoer file is in /etc which is never shared AFAIK, but if the sudoer file includes a shared file, then it could be appropriate.

> See the example above: 'ALL' before the equal sign just lets it match
> unconditionally, any host. 'ALL' always matches unconditionally and is
> actually not really security conscious IMO, but su is not easily
> scripted, so I can justify it for my own use. ;-)
>
>> The sudoers file can be very complex or very easy (like the current example).
>> I'd prefer to leave it as it is.
>>
> The second point of my original post is that I severely dislike the
> NOPASSWD option. Granted, an admin shouldn't leave a console
> unattended, but in the event that she does, then she has some form of
> protection. Having now reviewed the manual page fully, the default
> timeout is 5 minutes (before you have to enter your password again). I
> really don't care for the generous use of 'ALL', but I can live with it.

I don't have a problem with removing the NOPASSWD option.

  -- Bruce
-- 
http://linuxfromscratch.org/mailman/listinfo/blfs-dev
FAQ: http://www.linuxfromscratch.org/blfs/faq.html
Unsubscribe: See the above information page
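The thread spells out the shape of a sudoers user specification (`user hostlist = (userlist) commandlist`, with the runas list optional and defaulting to root) and argues about two settings in particular: the `NOPASSWD` tag and unconditional `ALL` matches. The following is an added example, written for this page and not code from the thread, from BLFS or from the sudo project: a small Python parser for that simplified grammar plus an audit pass that reports exactly those settings. It handles only the plain rule form discussed here (no aliases, `Defaults`, includes, or multiple host/command sections on one line), and the sudoers lines it runs over are constructed for the example. For a real file, `visudo -c` remains the authoritative syntax check; this script only explains which rule grants what.

```python
"""Parse simple sudoers user-specification lines and flag the settings
the thread argues about. Added example; not BLFS or sudo project code.

Grammar covered (simplified, as described on the page):
    user hostlist = [(runas_list)] [TAG:...] commandlist
The runas list is optional; when absent it defaults to root.
"""
import re

# Lines whose first token is one of these are not user specifications.
RESERVED = {"Defaults", "User_Alias", "Host_Alias", "Runas_Alias", "Cmnd_Alias"}

# Tags that may prefix the command list, each followed by a colon.
TAGS = {"NOPASSWD", "PASSWD", "NOEXEC", "EXEC", "SETENV", "NOSETENV"}

# user  hostlist  =  [(runas)]  rest-of-line
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<hosts>[^=\s]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<rest>.+)$"
)


def parse_rule(line):
    """Return a dict describing one rule, or None for blank lines, comments
    and line types this simplified grammar does not cover."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    if stripped.split()[0] in RESERVED:
        return None
    m = RULE_RE.match(stripped)
    if not m:
        return None

    # Peel off leading tags such as "NOPASSWD:" before the command list.
    rest = m.group("rest").strip()
    tags = []
    while True:
        head, sep, tail = rest.partition(":")
        if sep and head.strip().upper() in TAGS:
            tags.append(head.strip().upper())
            rest = tail.strip()
        else:
            break

    runas = m.group("runas")
    return {
        "user": m.group("user"),
        "hosts": m.group("hosts"),
        # Optional runas list; defaults to root when omitted (per the thread).
        "runas": runas.strip() if runas is not None else "root",
        "runas_explicit": runas is not None,
        "tags": tags,
        "commands": [c.strip() for c in rest.split(",") if c.strip()],
    }


def audit(line):
    """Return a list of findings for one line (empty when nothing to report)."""
    rule = parse_rule(line)
    if rule is None:
        return []
    findings = []
    if "NOPASSWD" in rule["tags"]:
        findings.append("NOPASSWD: no re-authentication; an unattended "
                        "session keeps full access with no password prompt")
    if rule["hosts"] == "ALL":
        findings.append("host ALL: matches on every host the file reaches")
    if rule["runas"] == "ALL":
        findings.append("runas (ALL): may run as any user, not only root")
    if "ALL" in rule["commands"]:
        findings.append("command ALL: no restriction on which commands")
    return findings


def audit_file(text):
    """Map 1-based line numbers to their findings, skipping clean lines."""
    report = {}
    for number, line in enumerate(text.splitlines(), 1):
        found = audit(line)
        if found:
            report[number] = found
    return report


# Constructed sample lines, not a real sudoers file.
SAMPLE = """\
# constructed sample for the example
Defaults timestamp_timeout=5
%sudoers\tALL=(ALL)\tALL
alice myhost=(ALL) NOPASSWD:ALL
bob myhost=/usr/bin/systemctl restart nginx
"""

if __name__ == "__main__":
    for number, findings in sorted(audit_file(SAMPLE).items()):
        for finding in findings:
            print(f"line {number}: {finding}")
```

Run against the constructed sample, the group rule on line 3 and the `NOPASSWD` rule on line 4 each produce three findings, while the rule for `bob`, which names one command and takes the default root runas, produces none. The `runas_explicit` field lets a reviewer distinguish a deliberately written `(root)` from the implicit default the thread describes.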
