1 |
On Wed, Oct 26, 2022 at 05:04:35AM +0200, Ramon Fischer wrote |
2 |
> Hello Walter, |
3 |
> |
4 |
> I do not think, that this is a bug, since it is the default file, which |
5 |
> should not be edited by the user. |
6 |
|
7 |
Firstly "grep -i uncomment /etc/sudoers" results in... |
8 |
|
9 |
## Uncomment to enable special input methods. Care should be taken as |
10 |
## Uncomment to use a hard-coded PATH instead of the user's to find commands |
11 |
## Uncomment to send mail if the user does not enter the correct password. |
12 |
## Uncomment to enable logging of a command's output, except for |
13 |
## Uncomment to allow members of group wheel to execute any command |
14 |
## Uncomment to allow members of group sudo to execute any command |
15 |
## Uncomment to allow any user to run sudo if they know the password |
16 |
|
17 |
...I.e. the file is explicitly telling you to edit it if required!!! |
18 |
|
19 |
> All changes should be done in "/etc/sudoers.d/" to avoid such cases. |
20 |
|
21 |
My regular user has script "settime" in ${HOME}/bin |
22 |
|
23 |
#!/bin/bash |
24 |
date |
25 |
/usr/bin/sudo /usr/bin/rdate -nsv ca.pool.ntp.org |
26 |
/usr/bin/sudo /sbin/hwclock --systohc |
27 |
date |
28 |
|
29 |
/etc/sudoers.d/001 has, amongst other things, two lines... |
30 |
|
31 |
waltdnes x8940 = (root) NOPASSWD: /sbin/hwclock --systohc |
32 |
waltdnes x8940 = (root) NOPASSWD: /usr/bin/rdate -nsv ca.pool.ntp.org |
33 |
|
34 |
User "waltdnes" is a member of "wheel". If the "wheel" line is |
35 |
uncommented in /etc/sudoers, sudo works for me. If the "wheel" line is |
36 |
commented, then sudo breaks for my regular user. |
37 |
|
38 |
> I kept mine unchanged from 2nd October and only have two uncommented lines: |
39 |
> |
40 |
> [...] |
41 |
> root ALL=(ALL:AlL) ALL |
42 |
> [...] |
43 |
> @includedir /etc/sudoers.d |
44 |
> |
45 |
> I am using version "1.9.11_p3-r1". |
46 |
|
47 |
Me too. |
48 |
|
49 |
There seem to be two different approaches here. The loose approach is |
50 |
to allow a user to run "sudo <whatever I damn well want>". A more locked |
51 |
down approach allows regular users to run "sudo <very specific command>". |
52 |
This guards against "fat-finger-syndrome". I go with the more locked |
53 |
down approach |
54 |
|
55 |
-- |
56 |
I've seen things, you people wouldn't believe; Gopher, Netscape with |
57 |
frames, the first Browser Wars. Searching for pages with AltaVista, |
58 |
pop-up windows self-replicating, trying to uninstall RealPlayer. All |
59 |
those moments, will be lost in time like tears in rain... time to die. |