Gentoo Archives: gentoo-user

From: Grant Taylor <gtaylor@×××××××××××××××××××××.net>
To: gentoo-user@l.g.o
Subject: Re: [gentoo-user] Update to /etc/sudoers disables wheel users!!!
Date: Wed, 26 Oct 2022 16:39:54
In Reply to: Re: [gentoo-user] Update to /etc/sudoers disables wheel users!!! by Walter Dnes
1 On 10/26/22 12:31 AM, Walter Dnes wrote:
2 > My regular user has script "settime" in ${HOME}/bin
3 >
4 > #!/bin/bash
5 > date
6 > /usr/bin/sudo /usr/bin/rdate -nsv
7 > /usr/bin/sudo /sbin/hwclock --systohc
8 > date
9 >
10 > /etc/sudoers.d/001 has, amongst other things, two lines...
11 >
12 > waltdnes x8940 = (root) NOPASSWD: /sbin/hwclock --systohc
13 > waltdnes x8940 = (root) NOPASSWD: /usr/bin/rdate -nsv
14 >
15 > User "waltdnes" is a member of "wheel". If the "wheel" line is
16 > uncommented in /etc/sudoers, sudo works for me. If the "wheel"
17 > line is commented, then sudo breaks for my regular user.
19 Please try running the two sudo lines from the script as is on the
20 command line as the waltdnes user. I'm wondering if the problem is
21 potentially related to something else, namely sudo wanting to read from
22 a terminal (PTY) in some configurations.
24 I believe there is a non-zero chance that the commands allowed via the
25 /etc/sudoers.d/001 file will work as entered. But that running sudo
26 from within a script, as opposed to on the command line, /may/ be the
27 source of problems. -- Divide and conquer the problem.
29 > There seem to be two different approaches here. The loose approach
30 > is to allow a user to run "sudo <whatever I damn well want>".
32 This seems to be -- what I refer to as -- the distribution default.
33 E.g. get people to run things through sudo vs running things through su
34 or running directly as root.
36 > A more locked down approach allows regular users to run "sudo <very
37 > specific command>".
39 This is -- what I refer to as -- the (more) enterprise approach. It
40 also seems to be the next evolution of the distribution default wherein
41 people want to start restricting what can and can't be run via sudo.
43 The enterprise approach also tends to come more into play as you use
44 sudo to run things as users other than root; e.g. run RDBMS commands as
45 the Oracle user or backup commands as the Tivoli user.
47 > This guards against "fat-finger-syndrome".
49 I think it's more than protection against fat-finger-syndrome. After
50 all, unless the sudoers file(s) is (are) *EXTREMELY* specific down to
51 and including command parameters / options, you can still fat-finger
52 command parameters / options.
54 When you start separating duties and who is allowed to do what is when
55 you start to see the more locked down enterprise methodology.
57 > I go with the more locked down approach
59 I use the distribution default on my personal systems where I'm 95% of
60 the use case.
62 I use the enterprise method on work systems where we have multiple
63 people with different skill levels doing different tasks.
65 Aside: One advantage of the enterprise method is that you can allow a
66 command as one target user (Oracle) but not the (default) root user.
67 Thus helping protect against people omitting a critical option. --
68 Many things, e.g. Oracle RDBMS, get rather upset when commands
69 (accidentally) change the ownership of files when run as the wrong user.
73 --
74 Grant. . . .
75 unix || die