sudoers mistake

Michael Havens bmike1 at gmail.com
Sat Jul 6 16:16:05 MST 2013


oh man... you are great. That is what I was wondering. I was thinking I
could satisfy what I wanted to do by:

<user> ALL=(ALL) ALL

but I guess I will just leave it as is.
:-)~MIKE~(-:


On Sat, Jul 6, 2013 at 3:59 PM, James Dugger <james.dugger at gmail.com> wrote:

> Mike, try logging out and logging back in.
>
> Also regarding the sudo file it helps to understand the basic parts of the
> stanza:  Take the following 2 examples for a user named frank and a group
> named coolusers:
>
> Example 1 - groups
>
> %coolusers ALL=(ALL) ALL
>
> %coolusers    The % designates coolusers as a group and not a user.
> ALL=          This means on all hosts, or any computer with this sudoer
>               file that can connect.
> (ALL)         This means 'all target users', or in other words these
>               privileges can be run as any user.
> ALL           This means that all privileges are allowed.
>
> You could limit the permissions above in several ways.  For instance, if
> you had three computers with hostnames office, home, kids, you could change
> the stanza to limit the computer named kids from root privileges by:
>
> %coolusers office,home=(ALL) ALL
>     This means that office and home have all privileges, but kids does not.
>
> %coolusers ALL=(root) ALL
>     This means all hosts have access but commands are run as root, not as
>     another user.
>
> %coolusers ALL=(ALL) path/to/program
>     This means that all users in the coolusers group only have access to the
>     program listed in the path.
>
> Example 2 - user
>
> frank ALL=(ALL) ALL
>     This means frank has privileges to do everything from all hosts and can
>     do it as any user.
>
> frank ALL=(root) ALL
>     This means frank has privileges to do everything from all hosts but can
>     only do so as the root user.
>
> frank ALL=(root) NOPASSWD: path/to/program1, path/to/program2
>     This means that frank has privileges to program1 and program2 only as
>     root but on all hosts and without a password.
>
> There are a lot more possible combinations and options, you could list
> them by typing man sudo at the command prompt in terminal to access them
> all.
>
>
> On Sat, Jul 6, 2013 at 9:53 AM, Michael Havens <bmike1 at gmail.com> wrote:
>
>> well I just 'vi /etc/group' and deleted <user>. Then <cnt><alt>T, sudo
>> visudo  but it didn't ask for a password.
>> :-)~MIKE~(-:
>>
>>
>> On Sat, Jul 6, 2013 at 9:42 AM, Michael Havens <bmike1 at gmail.com> wrote:
>>
>>> What do I run? I run an ubuntu derivative, Mint.
>>> I only created one account on this computer (if I remember right).
>>> this is a home used system. I only have one computer I can do this with
>>> so I am stuck with testing on it.
>>> I don't think root's account has been locked in mint as I can 'su root'
>>> <password> and I am super user. Am I assuming correctly?
>>> :-)~MIKE~(-:
>>>
>>>
>>> On Sat, Jul 6, 2013 at 9:22 AM, James Dugger <james.dugger at gmail.com> wrote:
>>>
>>>> A few questions:
>>>>
>>>> -What distro  are you using?
>>>> -Do you have more than one user account created on the system?
>>>> -Is your computer/system (the one you are doing this on) for testing
>>>> only or is this a work/home used computer /system?
>>>>
>>>> The reason that I ask is that it is good practice to test changes to a
>>>> system that is not critical to your daily uses. This is especially true for
>>>> Ubuntu where by default the root account is locked.  If you don't have a
>>>> test system and you are using your daily useable system, then you should be
>>>> testing these changes with a test user account not your only actual user
>>>> account.
>>>>
>>>> As to the reason that sudo still works without a password, I am not
>>>> entirely sure but my guess is that the '#' in the /etc/group is being
>>>> ignored.  Usually you remove the user from the group either by:
>>>>
>>>>     gpasswd -d username group
>>>>
>>>> or
>>>>
>>>>   editing the /etc/group and deleting the user from the sudo group.
>>>>
>>>> Caution:  I would test this out with a test user rather than your
>>>> personal user account if you are the only user on the system and root
>>>> account has been disabled.
>>>>
>>>>
>>>>
>>>> On Sat, Jul 6, 2013 at 7:28 AM, Michael Havens <bmike1 at gmail.com> wrote:
>>>>
>>>>> Okay, so I have <user> added to group sudo in /etc/group.
>>>>> tape:x:26:
>>>>> sudo:x:27:bmike1
>>>>> audio:x:29:pulse
>>>>>
>>>>> I have the lines:
>>>>>
>>>>> # Allow members of group sudo to execute any command
>>>>> #sudo   ALL=(ALL:ALL) ALL
>>>>> %sudo ALL=(ALL)  NOPASSWD:  ALL
>>>>>
>>>>> in /etc/sudoers and as a result sudo no longer requires a password for
>>>>> my user. I then figured I would test this so I commented out my user in
>>>>> /etc/group (sudo:x:27:#<user>) and then opened a new terminal and typed in
>>>>>  'sudo visudo' fully expecting it to ask for a password but no password was
>>>>> requested. So what's up?
>>>>> :-)~MIKE~(-:
>>>>>
>>>>>
>>>>> On Fri, Jul 5, 2013 at 11:08 PM, James Dugger <james.dugger at gmail.com> wrote:
>>>>>
>>>>>> Either create a new group or use an existing group that is not being
>>>>>> used, and then add the group to the sudo script.  So for a new group:
>>>>>>
>>>>>> 1.  Add a new group to /etc/group with the following command:
>>>>>>
>>>>>>     groupadd groupname (where groupname is a single word)
>>>>>>
>>>>>> 2.  Open the /etc/group file and add your username to your new group
>>>>>> as discussed before.
>>>>>>
>>>>>> 3.  Open the sudo script file with visudo and add the groupname
>>>>>> following stanza to the file:
>>>>>>
>>>>>> %groupname ALL=(ALL) NOPASSWD:  ALL
>>>>>>
>>>>>> This is basically the same thing.  If you are the only user or admin
>>>>>> on your system then this is overkill and you could just use the %sudo group
>>>>>> stanza as discussed before.  However if you are planning or have several
>>>>>> administrators that will have different permissions then it would be best
>>>>>> to re-think not using passwords.
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>> ---------------------------------------------------
>>>>> PLUG-discuss mailing list - PLUG-discuss at lists.phxlinux.org
>>>>> To subscribe, unsubscribe, or to change your mail settings:
>>>>> http://lists.phxlinux.org/mailman/listinfo/plug-discuss
>>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> James
>>>>
>>>> *Linkedin <http://www.linkedin.com/pub/james-h-dugger/15/64b/74a/>*
>>>>
>>>>
>>>
>>>
>>
>>
>
>
>
> --
> James
>
> *Linkedin <http://www.linkedin.com/pub/james-h-dugger/15/64b/74a/>*
>
>
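
The stanza fields described in the quoted reply (who, hosts, run-as user, commands), as an added example that is not part of the original thread: a small Python parser that splits each line into those fields and reports which users or groups hold a passwordless grant of every command. The function names and sample text are constructed for illustration, and only simple one-line user specifications are handled (no aliases, includes or line continuations).

```python
import re

# who hosts=(runas[:group]) [TAG:] commands ; the (runas) part is optional
SPEC = re.compile(
    r"^(?P<who>\S+)\s+(?P<hosts>[^=\s][^=]*?)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tag>(?:NOPASSWD|PASSWD)\s*:\s*)?"
    r"(?P<cmds>.+)$"
)

def parse_spec(line):
    line = line.strip()
    # Comments, blank lines, Defaults and *_Alias definitions are not grants.
    if not line or line.startswith("#"):
        return None
    first = line.split()[0]
    if first.startswith("Defaults") or first.endswith("_Alias"):
        return None
    m = SPEC.match(line)
    if m is None:
        return None
    who = m.group("who")
    tag = (m.group("tag") or "").replace(":", "").strip()
    return {
        "who": who.lstrip("%"),
        "is_group": who.startswith("%"),        # % marks a group, not a user
        "hosts": [h.strip() for h in m.group("hosts").split(",")],
        # With no (runas) part, sudo only allows running as root.
        "runas": (m.group("runas") or "root").split(":")[0].strip(),
        "nopasswd": tag == "NOPASSWD",
        "commands": [c.strip() for c in m.group("cmds").split(",")],
    }

def passwordless_all(text):
    """Return the users/groups granted every command with no password."""
    specs = filter(None, map(parse_spec, text.splitlines()))
    return [("%" if s["is_group"] else "") + s["who"]
            for s in specs if s["nopasswd"] and "ALL" in s["commands"]]

# Constructed sample built from the stanzas quoted in the thread.
SAMPLE = """\
#sudo   ALL=(ALL:ALL) ALL
%sudo ALL=(ALL)  NOPASSWD:  ALL
%coolusers office,home=(ALL) ALL
frank ALL=(root) NOPASSWD: path/to/program1, path/to/program2
"""

if __name__ == "__main__":
    print(passwordless_all(SAMPLE))
```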