Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
add user to sudo ?
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Networking & Security
View previous topic :: View next topic  
Author Message
cwc
Veteran
Veteran


Joined: 20 Mar 2006
Posts: 1079
Location: Tri-Cities, WA USA

PostPosted: Wed Jul 29, 2015 1:33 pm    Post subject: add user to sudo ? Reply with quote

I edited the sudouesr file using visudo and uncommented :
%sudo ALL=(ALL) ALL

When I issue a :
usermod -a -G sudo me

I get a message sudo does not exist. Do I need to make this group?
_________________
Without diversity there can be no evolution:)
Back to top
View user's profile Send private message
John R. Graham
Administrator
Administrator


Joined: 08 Mar 2005
Posts: 10156
Location: Somewhere over Atlanta, Georgia

PostPosted: Wed Jul 29, 2015 1:47 pm    Post subject: Reply with quote

Do you have app-admin/sudo installed?

- John
_________________
I can confirm that I have received between 0 and 499 National Security Letters.
Back to top
View user's profile Send private message
cwc
Veteran
Veteran


Joined: 20 Mar 2006
Posts: 1079
Location: Tri-Cities, WA USA

PostPosted: Wed Jul 29, 2015 1:50 pm    Post subject: Reply with quote

John R. Graham wrote:
Do you have app-admin/sudo installed?

- John


yes

app-admin/sudo
Latest version available: 1.8.12
Latest version installed: 1.8.12
_________________
Without diversity there can be no evolution:)
Back to top
View user's profile Send private message
John R. Graham
Administrator
Administrator


Joined: 08 Mar 2005
Posts: 10156
Location: Somewhere over Atlanta, Georgia

PostPosted: Wed Jul 29, 2015 1:51 pm    Post subject: Reply with quote

The normal group for giving the ability to sudo is wheel. If you want to use a sudo group, you'll have to create it.

- John
_________________
I can confirm that I have received between 0 and 499 National Security Letters.
Back to top
View user's profile Send private message
Buffoon
Veteran
Veteran


Joined: 17 Jun 2015
Posts: 1074
Location: EU or US

PostPosted: Wed Jul 29, 2015 1:57 pm    Post subject: Reply with quote

You sure about that? Being in wheel group permits su, if I remember correctly sudo command usage is configured in sudoers file.
Back to top
View user's profile Send private message
John R. Graham
Administrator
Administrator


Joined: 08 Mar 2005
Posts: 10156
Location: Somewhere over Atlanta, Georgia

PostPosted: Wed Jul 29, 2015 2:42 pm    Post subject: Reply with quote

Yes, I'm sure that it is at least a normal way. There's even commented out example of this in the default /etc/sudoers file. Adding an additional group provides additional granularity without any security value, because if you have permission to run sudo, then you can run su with that.

- John
_________________
I can confirm that I have received between 0 and 499 National Security Letters.
Back to top
View user's profile Send private message
Buffoon
Veteran
Veteran


Joined: 17 Jun 2015
Posts: 1074
Location: EU or US

PostPosted: Wed Jul 29, 2015 3:00 pm    Post subject: Reply with quote

John R. Graham wrote:
The normal group for giving the ability to sudo is wheel.

I still disagree with this statement. Anyone can sudo if they are in sudoers file. Often there is just one single command I want a non-wheel user to be able to issue. So I allow this in sudoers file.
Back to top
View user's profile Send private message
John R. Graham
Administrator
Administrator


Joined: 08 Mar 2005
Posts: 10156
Location: Somewhere over Atlanta, Georgia

PostPosted: Wed Jul 29, 2015 3:22 pm    Post subject: Reply with quote

Well, I'm still sure. If wheel isn't the normal group, what group would you say is?

- John
_________________
I can confirm that I have received between 0 and 499 National Security Letters.
Back to top
View user's profile Send private message
cwc
Veteran
Veteran


Joined: 20 Mar 2006
Posts: 1079
Location: Tri-Cities, WA USA

PostPosted: Wed Jul 29, 2015 3:30 pm    Post subject: Reply with quote

John R. Graham wrote:
The normal group for giving the ability to sudo is wheel. If you want to use a sudo group, you'll have to create it.

- John


I am part of the wheel group:

$ groups
root tty wheel uucp audio cdrom dialout ftp video cdrw apache users wireshark plugdev polkituser vboxguest cwc
_________________
Without diversity there can be no evolution:)
Back to top
View user's profile Send private message
Buffoon
Veteran
Veteran


Joined: 17 Jun 2015
Posts: 1074
Location: EU or US

PostPosted: Wed Jul 29, 2015 3:31 pm    Post subject: Reply with quote

There is no membership of any group required to sudo. You can create a shutdown group for instance and allow shutdown group members to run sudo halt -p if you like.
Back to top
View user's profile Send private message
John R. Graham
Administrator
Administrator


Joined: 08 Mar 2005
Posts: 10156
Location: Somewhere over Atlanta, Georgia

PostPosted: Wed Jul 29, 2015 3:33 pm    Post subject: Reply with quote

cwc wrote:
I am part of the wheel group:

$ groups
root tty wheel uucp audio cdrom dialout ftp video cdrw apache users wireshark plugdev polkituser vboxguest cwc
If it's acceptable to you to use wheel group membership to bestow sudo privlege, then uncomment this line in /etc/sudoers:
Code:
## Uncomment to allow members of group wheel to execute any command
# %wheel ALL=(ALL) ALL
and you should be all set.

- John
_________________
I can confirm that I have received between 0 and 499 National Security Letters.
Back to top
View user's profile Send private message
limn
l33t
l33t


Joined: 13 May 2005
Posts: 997

PostPosted: Wed Jul 29, 2015 3:35 pm    Post subject: Reply with quote

cwc
Code:
grep sudo /etc/group || emerge sudo
Back to top
View user's profile Send private message
John R. Graham
Administrator
Administrator


Joined: 08 Mar 2005
Posts: 10156
Location: Somewhere over Atlanta, Georgia

PostPosted: Wed Jul 29, 2015 3:35 pm    Post subject: Reply with quote

Buffoon wrote:
There is no membership of any group required to sudo. You can create a shutdown group for instance and allow shutdown group members to run sudo halt -p if you like.
I'm going to plead nolo contendere at this point.

- John
_________________
I can confirm that I have received between 0 and 499 National Security Letters.
Back to top
View user's profile Send private message
Buffoon
Veteran
Veteran


Joined: 17 Jun 2015
Posts: 1074
Location: EU or US

PostPosted: Wed Jul 29, 2015 3:48 pm    Post subject: Re: add user to sudo ? Reply with quote

cwc wrote:
I edited the sudouesr file using visudo and uncommented :
%sudo ALL=(ALL) ALL


You understand this is effectively giving root rights to all users?
Back to top
View user's profile Send private message
John R. Graham
Administrator
Administrator


Joined: 08 Mar 2005
Posts: 10156
Location: Somewhere over Atlanta, Georgia

PostPosted: Wed Jul 29, 2015 3:57 pm    Post subject: Reply with quote

No, it's not. It's giving the ability to acquire root privileges to members of the sudo group. Without the creation of that group and the addition of particular users to that group, it's giving nothing to nobody. ;)

- John
_________________
I can confirm that I have received between 0 and 499 National Security Letters.
Back to top
View user's profile Send private message
Buffoon
Veteran
Veteran


Joined: 17 Jun 2015
Posts: 1074
Location: EU or US

PostPosted: Wed Jul 29, 2015 4:05 pm    Post subject: Reply with quote

Yes, this time I was wrong. 8O

@cwc

You need to create sudo group for this to work.
Back to top
View user's profile Send private message
cwc
Veteran
Veteran


Joined: 20 Mar 2006
Posts: 1079
Location: Tri-Cities, WA USA

PostPosted: Thu Jul 30, 2015 1:20 am    Post subject: Reply with quote

limn wrote:
cwc
Code:
grep sudo /etc/group || emerge sudo


Thanks for all the lines! Very enjoyable.

I did the following:
#grep sudo /etc/group || emerge sudo
then
#visudo

and uncommented
%wheel ALL=(ALL) ALL

I am the only one (I know of) that uses my gentoo system so there is no worry.
_________________
Without diversity there can be no evolution:)
Back to top
View user's profile Send private message
mv
Watchman
Watchman


Joined: 20 Apr 2005
Posts: 6276

PostPosted: Thu Jul 30, 2015 7:35 am    Post subject: Reply with quote

cwc wrote:
I am the only one (I know of) that uses my gentoo system so there is no worry.

There is a huge reason to worry (only exception: If the machine is physically never connected to the internet). Just for example, imagine that you are browsing a compromised page (even a trusted page can be compromised) which uses one of the bazillions browser security holes to execute some code. Then this site can effectively execute anything on your machine (and easily hide its traces so that you will never recognize that somethnig has happened if e.g. your machine has become part of a botnet or of a child-porn storage area).
Doing such an utterly stupid thing as allowing any user root access might even make you reliable by law for not taking care more (it certainly depends on your country and the lawyers which you will have, but I would not risk it).
Back to top
View user's profile Send private message
limn
l33t
l33t


Joined: 13 May 2005
Posts: 997

PostPosted: Thu Jul 30, 2015 12:01 pm    Post subject: Reply with quote

cwc

Sorry about that.
I thought that emerging sudo would create the sudo group.
When sudo is compiled/installed it will create this group if on a Debian box.
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Networking & Security All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum