cwc Veteran
Joined: 20 Mar 2006 | Posts: 1164 | Location: Tri-Cities, WA USA
Posted: Wed Jul 29, 2015 1:33 pm | Post subject: add user to sudo ?

I edited the sudoers file using visudo and uncommented:
%sudo ALL=(ALL) ALL
When I issue a:
usermod -a -G sudo me
I get a message sudo does not exist. Do I need to make this group?
_________________
Without diversity there can be no evolution:)

John R. Graham Administrator
Joined: 08 Mar 2005 | Posts: 10459 | Location: Somewhere over Atlanta, Georgia
Posted: Wed Jul 29, 2015 1:47 pm

Do you have app-admin/sudo installed?
- John
_________________
I can confirm that I have received between 0 and 499 National Security Letters.

cwc Veteran
Posted: Wed Jul 29, 2015 1:50 pm

John R. Graham wrote:
> Do you have app-admin/sudo installed?
> - John
yes
app-admin/sudo
Latest version available: 1.8.12
Latest version installed: 1.8.12

John R. Graham Administrator
Posted: Wed Jul 29, 2015 1:51 pm

The normal group for giving the ability to sudo is wheel. If you want to use a sudo group, you'll have to create it.
- John

Buffoon Veteran
Joined: 17 Jun 2015 | Posts: 1225 | Location: EU or US
Posted: Wed Jul 29, 2015 1:57 pm

You sure about that? Being in wheel group permits su, if I remember correctly sudo command usage is configured in sudoers file.

John R. Graham Administrator
Posted: Wed Jul 29, 2015 2:42 pm

Yes, I'm sure that it is at least a normal way. There's even a commented-out example of this in the default /etc/sudoers file. Adding an additional group provides additional granularity without any security value, because if you have permission to run sudo, then you can run su with that.
- John

Buffoon Veteran
Posted: Wed Jul 29, 2015 3:00 pm

John R. Graham wrote:
> The normal group for giving the ability to sudo is wheel.
I still disagree with this statement. Anyone can sudo if they are in sudoers file. Often there is just one single command I want a non-wheel user to be able to issue. So I allow this in sudoers file.

John R. Graham Administrator
Posted: Wed Jul 29, 2015 3:22 pm

Well, I'm still sure. If wheel isn't the normal group, what group would you say is?
- John

cwc Veteran
Posted: Wed Jul 29, 2015 3:30 pm

John R. Graham wrote:
> The normal group for giving the ability to sudo is wheel. If you want to use a sudo group, you'll have to create it.
> - John
I am part of the wheel group:
$ groups
root tty wheel uucp audio cdrom dialout ftp video cdrw apache users wireshark plugdev polkituser vboxguest cwc

Buffoon Veteran
Posted: Wed Jul 29, 2015 3:31 pm

There is no membership of any group required to sudo. You can create a shutdown group for instance and allow shutdown group members to run sudo halt -p if you like.

John R. Graham Administrator
Posted: Wed Jul 29, 2015 3:33 pm

cwc wrote:
> I am part of the wheel group:
> $ groups
> root tty wheel uucp audio cdrom dialout ftp video cdrw apache users wireshark plugdev polkituser vboxguest cwc
If it's acceptable to you to use wheel group membership to bestow sudo privilege, then uncomment this line in /etc/sudoers:
Code:
## Uncomment to allow members of group wheel to execute any command
# %wheel ALL=(ALL) ALL
and you should be all set.
- John

limn l33t
Joined: 13 May 2005 | Posts: 997
Posted: Wed Jul 29, 2015 3:35 pm

cwc
Code:
grep sudo /etc/group || emerge sudo

John R. Graham Administrator
Posted: Wed Jul 29, 2015 3:35 pm

Buffoon wrote:
> There is no membership of any group required to sudo. You can create a shutdown group for instance and allow shutdown group members to run sudo halt -p if you like.
I'm going to plead nolo contendere at this point.
- John

Buffoon Veteran
Posted: Wed Jul 29, 2015 3:48 pm | Post subject: Re: add user to sudo ?

cwc wrote:
> I edited the sudoers file using visudo and uncommented:
> %sudo ALL=(ALL) ALL
You understand this is effectively giving root rights to all users?

John R. Graham Administrator
Posted: Wed Jul 29, 2015 3:57 pm

No, it's not. It's giving the ability to acquire root privileges to members of the sudo group. Without the creation of that group and the addition of particular users to that group, it's giving nothing to nobody.
- John

Buffoon Veteran
Posted: Wed Jul 29, 2015 4:05 pm

Yes, this time I was wrong.
@cwc
You need to create sudo group for this to work.

cwc Veteran
Posted: Thu Jul 30, 2015 1:20 am

limn wrote:
> cwc
> Code:
> grep sudo /etc/group || emerge sudo
Thanks for all the lines! Very enjoyable.
I did the following:
#grep sudo /etc/group || emerge sudo
then
#visudo
and uncommented
%wheel ALL=(ALL) ALL
I am the only one (I know of) that uses my Gentoo system so there is no worry.

mv Watchman
Joined: 20 Apr 2005 | Posts: 6396
Posted: Thu Jul 30, 2015 7:35 am

cwc wrote:
> I am the only one (I know of) that uses my Gentoo system so there is no worry.
There is a huge reason to worry (only exception: If the machine is physically never connected to the internet). Just for example, imagine that you are browsing a compromised page (even a trusted page can be compromised) which uses one of the bazillions of browser security holes to execute some code. Then this site can effectively execute anything on your machine (and easily hide its traces so that you will never recognize that something has happened if e.g. your machine has become part of a botnet or of a child-porn storage area).
Doing such an utterly stupid thing as allowing any user root access might even make you liable by law for not taking more care (it certainly depends on your country and the lawyers which you will have, but I would not risk it).

limn l33t
Posted: Thu Jul 30, 2015 12:01 pm

cwc
Sorry about that.
I thought that emerging sudo would create the sudo group.
When sudo is compiled/installed it will create this group if on a Debian box.

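The situation this thread turns on, a sudoers rule naming a group that does not exist, can be checked directly. The script below is an added example, not part of any post: the function name `audit_sudo_groups` and the sample files are constructed for illustration, and it reads file paths given as arguments so it can be run against copies.

```shell
#!/bin/sh
# Added example: report each %group named in an active sudoers rule and
# whether that group exists. Paths are arguments so it can run on copies.

audit_sudo_groups() {
    sudoers_file=$1
    group_file=$2
    # Active rules only: the first field starts with '%'. Commented
    # lines such as "# %wheel ALL=(ALL) ALL" start with '#' and are skipped.
    awk '$1 ~ /^%/ { sub(/^%/, "", $1); print $1 }' "$sudoers_file" |
    sort -u |
    while read -r grp; do
        entry=$(awk -F: -v g="$grp" '$1 == g { print; exit }' "$group_file")
        if [ -z "$entry" ]; then
            echo "$grp: no such group, rule grants nothing yet"
        else
            # Field 4 lists supplementary members only; users whose
            # primary group this is do not appear here.
            members=$(printf '%s\n' "$entry" | cut -d: -f4)
            echo "$grp: exists, members=${members:-none}"
        fi
    done
}

demo() {
    tmp=$(mktemp -d)
    # Constructed sample files, not taken from a real system.
    printf '%s\n' 'root ALL=(ALL) ALL' \
        '# %wheel ALL=(ALL) ALL' \
        '%sudo ALL=(ALL) ALL' > "$tmp/sudoers"
    printf '%s\n' 'root:x:0:root' 'wheel:x:10:root,cwc' \
        'users:x:100:' > "$tmp/group"
    audit_sudo_groups "$tmp/sudoers" "$tmp/group"
    rm -rf "$tmp"
}

demo
```

On a real system the arguments would be /etc/sudoers (readable by root) and /etc/group; rules in included files and groups served from sources other than /etc/group are outside what this check sees.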