sudoers mistake

James Dugger james.dugger at gmail.com
Sat Jul 6 15:59:20 MST 2013


Mike, try logging out and logging back in.

Also regarding the sudo file it helps to understand the basic parts of the
stanza:  Take the following 2 examples for a user named frank and a group
named coolusers:

Example 1 - groups

%coolusers ALL=(ALL) ALL

%coolusers    The % designates coolusers as a group and not a user.
ALL=          This means on all hosts, or any computer with this sudoer
              file that can connect.
(ALL)         This means 'all target users', or in other words these
              privileges can be run as any user.
ALL           This means that all privileges are allowed.

You could limit the permissions above in several ways.  For instance, if you
had three computers with hostnames office, home, kids, you could change the
stanza to limit the computer named kids from root privileges by:

%coolusers office,home=(ALL) ALL
    This means that office and home have all privileges, but kids does not.

%coolusers ALL=(root) ALL
    This means all hosts have access but commands are run as root, not as
    another user.

%coolusers ALL=(ALL) path/to/program
    This means that all users in the coolusers group only have access to the
    program listed in the path.

Example 2 - user

frank ALL=(ALL) ALL
    This means frank has privileges to do everything from all hosts and can
    do it as any user.

frank ALL=(root) ALL
    This means frank has privileges to do everything from all hosts but can
    only do so as the root user.

frank ALL=(root) NOPASSWD: path/to/program1, path/to/program2
    This means that frank has privileges to program1 and program2 only as
    root but on all hosts and without a password.

There are a lot more possible combinations and options; you could list them
by typing man sudo at the command prompt in a terminal to access them all.


On Sat, Jul 6, 2013 at 9:53 AM, Michael Havens <bmike1 at gmail.com> wrote:

> Well, I just 'vi /etc/group' and deleted <user>. Then <cnt><alt>T, sudo
> visudo, but it didn't ask for a password.
> :-)~MIKE~(-:
>
>
> On Sat, Jul 6, 2013 at 9:42 AM, Michael Havens <bmike1 at gmail.com> wrote:
>
>> What do I run? I run an ubuntu derivative, Mint.
>> I only created one account on this computer (if I remember right).
>> this is a home used system. I only have one computer I can do this with
>> so I am stuck with testing on it.
>> I don't think root's account has been locked in mint as I can 'su root'
>> <password> and I am super user. Am I assuming correctly?
>> :-)~MIKE~(-:
>>
>>
>> On Sat, Jul 6, 2013 at 9:22 AM, James Dugger <james.dugger at gmail.com> wrote:
>>
>>> A few questions:
>>>
>>> -What distro are you using?
>>> -Do you have more than one user account created on the system?
>>> -Is your computer/system (the one you are doing this on) for testing
>>> only or is this a work/home used computer /system?
>>>
>>> The reason that I ask is that it is good practice to test changes to a
>>> system that is not critical to your daily uses. This is especially true for
>>> Ubuntu where by default the root account is locked.  If you don't have a
>>> test system and you are using your daily useable system, then you should be
>>> testing these changes with a test user account not your only actual user
>>> account.
>>>
>>> As to the reason that sudo still works without a password, I am not
>>> entirely sure but my guess is that the '#' in the /etc/group is being
>>> ignored.  Usually you remove the user from the group either by:
>>>
>>>     gpasswd -d username group
>>>
>>> or
>>>
>>>   editing the /etc/group and deleting the user from the sudo group.
>>>
>>> Caution:  I would test this out with a test user rather than your
>>> personal user account if you are the only user on the system and root
>>> account has been disabled.
>>>
>>>
>>>
>>> On Sat, Jul 6, 2013 at 7:28 AM, Michael Havens <bmike1 at gmail.com> wrote:
>>>
>>>> Okay, so I have <user> added to group sudo in /etc/group.
>>>> tape:x:26:
>>>> sudo:x:27:bmike1
>>>> audio:x:29:pulse
>>>>
>>>> I have the lines:
>>>>
>>>> # Allow members of group sudo to execute any command
>>>> #sudo   ALL=(ALL:ALL) ALL
>>>> %sudo ALL=(ALL)  NOPASSWD:  ALL
>>>>
>>>> in /etc/sudoers and as a result sudo no longer requires a password for
>>>> my user. I then figured I would test this so I commented out my user in
>>>> /etc/group (sudo:x:27:#<user>) and then opened a new terminal and typed in
>>>>  'sudo visudo' fully expecting it to ask for a password but no password was
>>>> requested. So what's up?
>>>> :-)~MIKE~(-:
>>>>
>>>>
>>>> On Fri, Jul 5, 2013 at 11:08 PM, James Dugger <james.dugger at gmail.com> wrote:
>>>>
>>>>> Either create a new group or use an existing group that is not being
>>>>> used, and then add the group to the sudo script.  So for a new group:
>>>>>
>>>>> 1.  Add a new group to /etc/group with the following command:
>>>>>
>>>>>     groupadd groupname (where groupname is a single word)
>>>>>
>>>>> 2.  Open the /etc/group file and add your username to your new group
>>>>> as discussed before.
>>>>>
>>>>> 3.  Open the sudo script file with visudo and add the groupname
>>>>> following stanza to the file:
>>>>>
>>>>> %groupname ALL=(ALL) NOPASSWD:  ALL
>>>>>
>>>>> This is basically the same thing.  If you are the only user or admin
>>>>> on your system then this is overkill and you could just use the %sudo group
>>>>> stanza as discussed before.  However if you are planning or have several
>>>>> administrators that will have different permissions then it would be best
>>>>> to re-think not using passwords.
>>>>>
>>>>>
>>>>>
>>>>>
>>>> ---------------------------------------------------
>>>> PLUG-discuss mailing list - PLUG-discuss at lists.phxlinux.org
>>>> To subscribe, unsubscribe, or to change your mail settings:
>>>> http://lists.phxlinux.org/mailman/listinfo/plug-discuss
>>>>
>>>
>>>
>>>
>>> --
>>> James
>>>
>>> *Linkedin <http://www.linkedin.com/pub/james-h-dugger/15/64b/74a/>*
>>>
>>>
>>
>>
>
>



-- 
James

*Linkedin <http://www.linkedin.com/pub/james-h-dugger/15/64b/74a/>*
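
Added example, not part of the original message: a small Python check that splits the stanza form walked through above into its parts (who, hosts, run-as, NOPASSWD, commands) and flags entries worth a second look, such as NOPASSWD on ALL commands or a command that is not an absolute path. The names parse_spec and audit are hypothetical, and the sample text is constructed from the stanzas in this thread, with /usr/bin/apt-get and /sbin/reboot as made-up stand-ins for path/to/program.

```python
import re

# Simple one-line form only: who hosts=(runas) [NOPASSWD:] commands
# (aliases, #include and line continuations are out of scope).
SPEC = re.compile(
    r"^(?P<who>%?[\w.-]+)\s+(?P<hosts>[^=\s][^=]*?)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<nopasswd>NOPASSWD:\s*)?(?P<cmds>.+)$"
)

def parse_spec(line):
    """Split one stanza into its parts; None for blanks, comments, Defaults."""
    line = line.strip()
    m = None if line.startswith(("#", "Defaults")) else SPEC.match(line)
    if m is None:
        return None
    # With no (runas) part sudo targets root; drop any ":group" suffix.
    runas_users = (m["runas"] or "root").split(":")[0]
    return {
        "who": m["who"],  # a leading % marks a group
        "hosts": [h.strip() for h in m["hosts"].split(",")],
        "runas": [r.strip() for r in runas_users.split(",")],
        "nopasswd": m["nopasswd"] is not None,
        "commands": [c.strip() for c in m["cmds"].split(",")],
    }

def audit(text):
    """Return (line_number, finding) pairs for stanzas worth a second look."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        spec = parse_spec(line)
        if spec is None:
            continue
        if spec["nopasswd"] and "ALL" in spec["commands"]:
            findings.append((n, "NOPASSWD covers ALL commands"))
        for cmd in spec["commands"]:
            if cmd != "ALL" and not cmd.startswith("/"):
                findings.append((n, "command is not an absolute path: " + cmd))
    return findings

# Constructed sample; the absolute paths are made-up stand-ins.
SAMPLE = """\
#sudo   ALL=(ALL:ALL) ALL
%sudo ALL=(ALL)  NOPASSWD:  ALL
%coolusers office,home=(ALL) ALL
frank ALL=(root) NOPASSWD: /usr/bin/apt-get, /sbin/reboot
frank ALL=(root) NOPASSWD: path/to/program1
"""

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

The installed file itself is still checked for syntax with visudo -c; this sketch only reads stanzas of the simple form shown in the message.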