visudo

James Mcphee jmcphe at gmail.com
Wed Jun 11 10:01:24 MST 2014


That's pretty much the basic "root can't login" variant.  Login as normal
user, become root, and off you go.  It is far more secure than having an
exposed root, but the advantage of sudo is granularity.  This has been
attempted in various ways through the years.  Sun's RBAC was fun, each
"role" being a non-loginable user that you became to run the limited
commands it was allowed.  I prefer sudo, where I can specify exactly the
commands each person can run.

The thing about security is that anyone with much experience knows that
root is a state of mind.  It's a tradeoff between difficulty in using and
difficulty in bypassing.


On Tue, Jun 10, 2014 at 8:38 AM, <techlists at phpcoderusa.com> wrote:

>
> I was taught to use a two layer login and sudo.  The first user can login
> to SSH and is not sudo.  The second user is sudo and cannot log in.  I was
> told long ago this was a way to protect the system.
>
>
>
> On 2014-06-10 02:16, Michael Havens wrote:
>
>> However, in my notes I add a line like this:
>>
>>       %sudo ALL=(ALL)  NOPASSWD:  ALL
>>
>> and then add my user to the sudo group.
>> What does the percent sign mean? Does it indicate the next string of
>> characters is the name of a group?
>>
>> :-)~MIKE~(-:
>>
>> On Mon, Jun 9, 2014 at 9:41 PM, Michael Havens <bmike1 at gmail.com>
>> wrote:
>>
>>> How embarrassing! I already wrote myself notes on how to do this.....
>>> sorry to waste the brain power with my taxing question. lol
>>>
>>> :-)~MIKE~(-:
>>>
>>> On Mon, Jun 9, 2014 at 4:31 PM, Michael Havens <bmike1 at gmail.com>
>>> wrote:
>>>
>>> Why is the format so different? Meaning the examples I have to look
>>> at are 'ALL=(ALL:ALL) ALL' but the way the computer accepts it is
>>> without the parentheses and without the last three characters.
>>>
>>> :-)~MIKE~(-:
>>>
>>> On Mon, Jun 9, 2014 at 2:51 PM, Jon Ernster <jon.ernster at gmail.com>
>>> wrote:
>>>
>>> ALL just gives you the ability to run sudo on all binaries.  If you
>>> don't want to give your password every time you use sudo then you
>>> need to use the NOPASSWD option.
>>>
>>> ie:  exampleuser    ALL=NOPASSWD: ALL
>>>
>>> On Mon, Jun 9, 2014 at 3:42 PM, Michael Havens <bmike1 at gmail.com>
>>> wrote:
>>>
>>> I just tried saving it as sudoers rather than as the .tmp file but
>>> still it requires a password. Please tell me what I am doing wrong?
>>> Here is the file <user is ***>
>>>
>>> # Cmnd alias specification
>>>
>>> # User privilege specification
>>> root    ALL=(ALL:ALL) ALL
>>> ***  ALL=(ALL:ALL) ALL
>>>
>>> # Members of the admin group may gain root privileges
>>> admin ALL=(ALL) ALL
>>> ***  ALL=(ALL:ALL) ALL
>>>
>>> # Allow members of group sudo to execute any command
>>> sudo    ALL=(ALL:ALL) ALL
>>> ***  ALL=(ALL:ALL) ALL
>>>
>>> :-)~MIKE~(-:
>>>
>>> On Mon, Jun 9, 2014 at 2:23 PM, James Mcphee <jmcphe at gmail.com>
>>> wrote:
>>>
>>> sudoers.tmp is the lock file visudo uses to make sure there aren't
>>> multiple edits going on at the same time.
>>>
>>> On Mon, Jun 9, 2014 at 1:53 PM, Michael Havens <bmike1 at gmail.com>
>>> wrote:
>>>
>>> I am trying to add my user to 'sudoers'. After I do I press Ctrl-X
>>> and it says the file it is going to save is 'sudoers.tmp'. So I
>>> save it like that and my user still requires a password. Should I
>>> not save it as the .tmp file but rather as 'sudoers'? I don't
>>> remember it being like that last time I did this!
>>>
>>> :-)~MIKE~(-:
>>> ---------------------------------------------------
>>> PLUG-discuss mailing list - PLUG-discuss at lists.phxlinux.org
>>> To subscribe, unsubscribe, or to change your mail settings:
>>> http://lists.phxlinux.org/mailman/listinfo/plug-discuss [1]
>>>
>>>
>>> --
>>> James McPhee
>>> jmcphe at gmail.com
>>
>> Links:
>> ------
>> [1] http://lists.phxlinux.org/mailman/listinfo/plug-discuss



-- 
James McPhee
jmcphe at gmail.com
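
An added illustration, not part of the original thread: a simplified Python reader for plain sudoers user entries. It shows that a leading `%` marks a group while a bare name is a user, and that when several entries match, sudo uses the last one. The sample file and the user names `mike` and `alice` are constructed; aliases, Defaults, includes and host matching are ignored.

```python
import re

# Constructed sample, modelled on the kinds of entries quoted in the thread.
SAMPLE = """\
# User privilege specification
root    ALL=(ALL:ALL) ALL
sudo    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL) NOPASSWD: ALL
mike    ALL=(ALL:ALL) ALL
"""

SKIP = ("#", "Defaults", "User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias")
SPEC = re.compile(r"^(?P<who>\S+)\s+(?P<host>[^=\s]+)\s*=\s*"
                  r"(?:\((?P<runas>[^)]*)\)\s*)?"
                  r"(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$")

def parse(text):
    """Return the simple user specifications found in text, in file order."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        m = None if (not line or line.startswith(SKIP)) else SPEC.match(line)
        if not m:
            continue
        who = m["who"]
        rules.append({
            # "%sudo" is the group sudo; "sudo" alone is a user named sudo.
            "kind": "group" if who.startswith("%") else "user",
            "name": who.lstrip("%"),
            "runas": m["runas"] or "root",
            "nopasswd": "NOPASSWD:" in m["tags"].replace(" ", ""),
            "cmds": m["cmds"].strip(),
        })
    return rules

def effective(rules, user, groups):
    """Entries are applied in order; the last matching entry is the one used."""
    hit = None
    for r in rules:
        if (r["kind"] == "user" and r["name"] == user) or \
           (r["kind"] == "group" and r["name"] in groups):
            hit = r
    return hit

def needs_password(text, user, groups=()):
    """True/False for a matched user, None when no entry applies."""
    hit = effective(parse(text), user, set(groups))
    return None if hit is None else not hit["nopasswd"]
```

In the sample, `mike` is in group `sudo` but is still prompted, because his own later entry overrides the `NOPASSWD` group line; moving the `%sudo` line below it changes the result.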