On 10/26/22 1:42 AM, Ramon Fischer wrote:
> and your user is able to synchronise your clock again.

I'm not sure that will work as hoped. See my other reply about PTY and
testing the commands at the command line for more explanation of what I
suspect is happening.

> I do not know, what the developers were thinking to encourage the user
> to edit a default file, which gets potentially overwritten after each
> package update...
|
To the sudo developers, the /etc/sudoers file is *SUPPOSED* *TO* /be/
/edited/.

The sudo developers provide the sudo (et al.) program(s) for your use
and /you/ provide the configuration file(s) that it (they) use.

It is natural for the /etc/sudoers file to be edited.

To me the disconnect is when people other than the sudo developers
distribute the /etc/sudoers file and expect that it will not be edited.

What are end users / systems administrators to do if the default file
has something like the following enabled in the default /etc/sudoers
file and the EUs / SAs want it to not be there?
|
   %wheel ALL=(ALL:ALL) ALL

They have no choice but to change (edit / replace) the /etc/sudoers file.

Especially if other parts of the system rely on the wheel group and not
putting users in it is not an option. -- The above line *MUST* be
taken out, thus the /etc/sudoers file *MUST* be edited.

Unix has 50 years of editing files to make the system behave as desired.
Modularization and including other files is nice /when/ /it/ /works/.
But there are times that modularization doesn't work and files *MUST* be
edited.
|
> "etc-update" helps to have an eye on, but muscle memory and fast fingers
> are sometimes faster.

How many levels of safety do you suggest that we put in place?

What if someone were to put the following into /etc/sudoers.d/zzzzzzzzzz

   ALL ALL=(ALL) !ALL

}:-)
|
> This is the best way. Try to be as precise as possible, but be aware of
> wildcards![1]

The /etc/sudoers syntax can be tricky to master. But it can also be
very powerful when done correctly.

--
Grant. . . .
unix || die