Stroller schrieb:
Hi there,
I'm just in the process of setting up my lovely new system :D, in the
very first post-install steps.
I install sudo, give my user wide sudo rights and then set
"PermitRootLogin no" in /etc/ssh/sshd_config.
(Critique of this measure welcomed).
Anyway, as root I started to edit /etc/sudoers and vim complained
"editing a read-only file".
The file /etc/sudoers should always be edited with visudo. visudo uses
file locking, provides basic sanity checks and checks for parse errors.
Sure enough, /etc/sudoers has permissions 440, so I had to `chmod 640
/etc/sudoers` before editing it & changing it back.
440 is ok.
I am sure I did not have to do this last time I installed a system,
although that would have been at least a couple of years ago.
Obviously /etc/sudoers is a security-critical file and one wishes to
prevent attackers from editing it, but surely if a file belongs to
root there's not much point (??) in preventing root from writing to
it, because root can always change the permissions and edit the file,
just as I have done.
I see from some Googling that sudo complains if the permissions on
this file are greater than 4xx - can anyone explain why, please?
I'm sure there is something I am not understanding, but my naive
analysis suggests the only reason for this behaviour is to
inconvenience administrators!
Stroller.
