| 1 |
Stroller schrieb: |
| 2 |
> Hi there, |
| 3 |
> |
| 4 |
> I'm just in the process of setting up my lovely new system :D, in the |
| 5 |
> very first post-install steps. |
| 6 |
> |
| 7 |
> I install sudo, give my user wide sudo rights and then set |
| 8 |
> "PermitRootLogin no" in /etc/ssh/sshd_config. |
| 9 |
> (Critique of this measure welcomed). |
| 10 |
> |
| 11 |
> Anyway, as root I started to edit /etc/sudoers and vim complained |
| 12 |
> "editing a read-only file". |
| 13 |
The file /etc/sudoers should always be edited with visudo. visudo uses |
| 14 |
file locking, provides basic sanity checks and checks for parse errors. |
| 15 |
|
| 16 |
> |
| 17 |
> Sure enough, /etc/sudoers has permissions 440, so I had to `chmod 640 |
| 18 |
> /etc/sudoers` before editing it & changing it back. |
| 19 |
|
| 20 |
440 is ok. |
| 21 |
> |
| 22 |
> I am sure I did not have to do this last time I installed a system, |
| 23 |
> although that would have been at least a couple of years ago. |
| 24 |
> |
| 25 |
> Obviously /etc/sudoers is a security-critical file and one wishes to |
| 26 |
> prevent attackers from editing it, but surely if a file belongs to |
| 27 |
> root there's not much point (??) in preventing root from writing to |
| 28 |
> it, because root can always change the permissions and edit the file, |
| 29 |
> just as I have done. |
| 30 |
> |
| 31 |
> I see from some Googling that sudo complains if the permissions on |
| 32 |
> this file are greater than 4xx - can anyone explain why, please? |
| 33 |
> |
| 34 |
> I'm sure there is something I am not understanding, but my naive |
| 35 |
> analysis suggests the only reason for this behaviour is to |
| 36 |
> inconvenience administrators! |
| 37 |
> |
| 38 |
> Stroller. |
| 39 |
> |
| 40 |
> |
| 41 |
> |
Archives