[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: user created at install added in sudoers ?



On Thu, Jun 21, 2007 at 07:35:24AM +0930, n0dalus wrote:
> >We could easily set up the sudoers file like this:
> >  a) for wheel-group members, auth-as-self.
> >  b) for non-wheel-group-members, sudo prompts for the *root* password.
> I'm not sure this is possible to do with sudoers. Please post the

Sure it is. Why would I have suggested it otherwise?

> lines you would expect to see in the file. I think that kind of
> behaviour would require patching sudo, and would be inconsistent with
> the sudo documentation found anywhere on the internet.

What, the man page isn't on the internet? :)


You just need to do this:

  Defaults:ALL,!%wheel rootpw

and optionally

  Defaults        passprompt="Root password:"
  Defaults:%wheel passprompt="Your password:"

and then

  ALL    ALL=(ALL)       ALL

That last line is a bit scary but is as safe as allowing anyone to run the
su command, assuming nothing screws with the Defaults line. There'd be other
ways to accomplish the same goal with a little more complexity in return for
a more fail-safe feeling, but you get the idea.


It *is* unfortunate that there isn't a ROOTPW or ROOTPASSWD "tag" (in sudo
terminology) to match the existing NOPASSWD. (And a TARGETPW, while we're at
it) That'd be a slightly nicer way to do this. The upstream author might
accept a patch to add that, actually. That way, you could do:

  ALL        ALL=(ALL)       ROOTPW: ALL
  wheel      ALL=(ALL)       

instead of the split between the defaults line and "ALL ALL=(ALL) ALL".


-- 
Matthew Miller           mattdm mattdm org          <http://mattdm.org/>
Boston University Linux      ------>              <http://linux.bu.edu/>


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]