| 1 |
On 10/26/22 1:42 AM, Ramon Fischer wrote: |
| 2 |
> and your user is able to synchronise your clock again. |
| 3 |
|
| 4 |
I'm not sure that will work as hoped. See my other reply about PTY and |
| 5 |
testing the commands at the command line for more explanation of what I |
| 6 |
suspect is happening. |
| 7 |
|
| 8 |
> I do not know, what the developers were thinking to encourage the user |
| 9 |
> to edit a default file, which gets potentially overwritten after each |
| 10 |
> package update... |
| 11 |
|
| 12 |
To the sudo developers, the /etc/sudoers file is *SUPPOSED* *TO* /be/ |
| 13 |
/edited/. |
| 14 |
|
| 15 |
The sudo developers provide the sudo (et al.) program(s) for your use |
| 16 |
and /you/ provide the configuration file(s) that it (they) use. |
| 17 |
|
| 18 |
It is natural for the /etc/sudoers file to be edited. |
| 19 |
|
| 20 |
To me the disconnect is when people other than the sudo developers |
| 21 |
distribute the /etc/sudoers file and expect that it will not be edited. |
| 22 |
|
| 23 |
What are end users / systems administrators to do if the default file |
| 24 |
has something like the following enabled in the default /etc/sudoers |
| 25 |
file and the EUs / SAs want it to not be there? |
| 26 |
|
| 27 |
%wheel ALL=(ALL:ALL) ALL |
| 28 |
|
| 29 |
They have no choice but to change (edit / replace) the /etc/sudoers file. |
| 30 |
|
| 31 |
Especially if other parts of the system rely on the wheel group and not |
| 32 |
putting users in it is not an option. -- The above line *MUST* be |
| 33 |
taken out, thus the /etc/sudoers file *MUST* be edited. |
| 34 |
|
| 35 |
Unix has 50 years of editing files to make the system behave as desired. |
| 36 |
Modularization and including other files is nice /when/ /it/ /works/. |
| 37 |
But there are times that modularization doesn't work and files *MUST* be |
| 38 |
edited. |
| 39 |
|
| 40 |
> "etc-update" helps to have an eye on, but muscle memory and fast fingers |
| 41 |
> are sometimes faster. |
| 42 |
|
| 43 |
How many levels of safety do you suggest that we put in place? |
| 44 |
|
| 45 |
What if someone were to put the following into /etc/sudoers.d/zzzzzzzzzz |
| 46 |
|
| 47 |
ALL ALL=(ALL) !ALL |
| 48 |
|
| 49 |
}:-) |
| 50 |
|
| 51 |
> This is the best way. Try to be as precise as possible, but be aware of |
| 52 |
> wildcards![1] |
| 53 |
|
| 54 |
The /etc/sudoers syntax can be tricky to master. But it can also be |
| 55 |
very powerful when done correctly. |
| 56 |
|
| 57 |
|
| 58 |
|
| 59 |
-- |
| 60 |
Grant. . . . |
| 61 |
unix || die |
Archives