
Thread: editing sudoers?

  1. #1
    Join Date
    May 2011
    Location
    here
    Posts
    180

    Default editing sudoers?

    hi,

    wonder how to edit /etc/sudoers to give permission to users for the mount / unmount commands, and also to give permission to add a new group?
    I am aware that if I add something like this:
    Code:
    fred		ALL = (ALL) NOPASSWD: ALL
    fred will have root privileges, but I want him to be able to add new users and mount/unmount only.

  2. #2
    Join Date
    Jul 2011
    Location
    Alpharetta, Georgia, USA
    Posts
    289

    Default Re: editing sudoers?

    Try something like this:

    fred ALL = NOPASSWD: /usr/sbin/useradd, /bin/mount, /bin/umount

  3. #3
    Join Date
    Jun 2008
    Location
    UTC+10
    Posts
    9,686
    Blog Entries
    4

    Default Re: editing sudoers?

    But remember that with this simple scheme fred can come along with a USB HD containing a suid root shell and then it's game over.

  4. #4
    Join Date
    May 2011
    Location
    here
    Posts
    180

    Default Re: editing sudoers?

    Quote Originally Posted by ken_yap View Post
    But remember that with this simple scheme fred can come along with a USB HD containing a suid root shell and then it's game over.
    thanks gldickens,

    ken, suid root good to know, actually it's just my curiosity about editing /etc/sudoers and fred is just a randomly picked name, so only I can do harm to my openSUSE

  5. #5
    Join Date
    Feb 2009
    Location
    Spain
    Posts
    25,547

    Default Re: editing sudoers?

    On 2011-11-29 12:46, gldickens3 wrote:
    >
    > Try something like this:
    >
    > fred ALL = NOPASSWD: /usr/sbin/useradd, /bin/mount, /bin/umount


    Sudo needs you to define the commands and the parameters you pass. As it
    is, fred can not pass any parameters to those commands.

    --
    Cheers / Saludos,

    Carlos E. R.
    (from 11.4 x86_64 "Celadon" at Telcontar)

  6. #6
    Join Date
    Jul 2011
    Location
    Alpharetta, Georgia, USA
    Posts
    289

    Default Re: editing sudoers?

    Quote Originally Posted by robin_listas View Post
    On 2011-11-29 12:46, gldickens3 wrote:
    >
    > Try something like this:
    >
    > fred ALL = NOPASSWD: /usr/sbin/useradd, /bin/mount, /bin/umount


    Sudo needs you to define the commands and the parameters you pass. As it
    is, fred can not pass any parameters to those commands.

    --
    Cheers / Saludos,

    Carlos E. R.
    (from 11.4 x86_64 "Celadon" at Telcontar)
    Not sure what you mean by that. I tested that line in /etc/sudoers and it works fine for me.

  7. #7
    Join Date
    Jun 2008
    Location
    UTC+10
    Posts
    9,686
    Blog Entries
    4

    Default Re: editing sudoers?

    Quote Originally Posted by robin_listas View Post
    Sudo needs you to define the commands and the parameters you pass. As it
    is, fred can not pass any parameters to those commands.
    Not so. Specifying just a pathname allows the user to append any arguments after. See the man page for sudoers. That's why it's so dangerous.
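
The sudoers behaviour debated in posts #5 to #7, as an added example that is not part of the thread: a small audit that classifies each command in simple user rules by how much argument freedom it leaves. The users `alice` and `bob`, the device `/dev/sdb1` and the mount point `/mnt/usb` are constructed for illustration; aliases and include directives are not handled.

```python
import re

# Constructed sample: the thread's rule plus two hypothetical tighter rules.
# Device, mount point and the users alice/bob are made up for illustration.
SAMPLE_SUDOERS = r"""
# rule suggested in the thread
fred ALL = NOPASSWD: /usr/sbin/useradd, /bin/mount, /bin/umount
# "" after a path means: no arguments allowed
bob ALL = (root) NOPASSWD: /usr/bin/id ""
# arguments pinned; a comma inside arguments is written \,
alice ALL = /bin/mount -o nosuid\,nodev /dev/sdb1 /mnt/usb, /bin/umount /mnt/usb
"""

RUNAS = re.compile(r"^\([^)]*\)\s*")       # (root), (ALL : ALL)
TAGS = re.compile(r"^(?:[A-Z_]+:\s*)+")    # NOPASSWD:, NOEXEC:, ...
COMMA = re.compile(r"(?<!\\),")            # separators, not escaped \,

def classify(cmd):
    """Say how much freedom a single sudoers command entry leaves."""
    if cmd == "ALL":
        return "any-command"
    parts = cmd.split(None, 1)
    if len(parts) == 1:
        return "any-arguments"             # bare pathname
    if parts[1] == '""':
        return "no-arguments"
    if re.search(r"[*?\[]", parts[1]):
        return "wildcard-arguments"
    return "fixed-arguments"

def audit(text):
    """Return (user, path, verdict) for each command in simple user rules."""
    findings = []
    for line in text.replace("\\\n", " ").splitlines():
        line = line.strip()
        if (not line or line.startswith(("#", "Defaults"))
                or "_Alias" in line or "=" not in line):
            continue                       # aliases/includes are out of scope
        lhs, rhs = line.split("=", 1)
        for cmd in COMMA.split(rhs):
            cmd = TAGS.sub("", RUNAS.sub("", cmd.strip()))
            if cmd:
                findings.append((lhs.split()[0], cmd.split()[0], classify(cmd)))
    return findings

if __name__ == "__main__":
    for user, path, verdict in audit(SAMPLE_SUDOERS):
        print(f"{user:6} {path:18} {verdict}")
```

Edit the real file only through `visudo`, which syntax-checks it before saving; the `nosuid` mount option in the constructed rule makes the kernel ignore setuid bits on the mounted filesystem.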

  8. #8
    Join Date
    Feb 2009
    Location
    Spain
    Posts
    25,547

    Default Re: editing sudoers?

    On 2011-11-29 15:06, ken yap wrote:
    >
    > robin_listas;2412018 Wrote:
    >> Sudo needs you to define the commands and the parameters you pass. As it
    >> is, fred can not pass any parameters to those commands.

    >
    > Not so. Specifying just a pathname allows the user to append any
    > arguments after. See the man page for sudoers. That's why it's so
    > dangerous.


    Maybe I'm using different options and it doesn't work for me.

    --
    Cheers / Saludos,

    Carlos E. R.
    (from 11.4 x86_64 "Celadon" at Telcontar)

  9. #9
    Join Date
    Jul 2011
    Location
    Alpharetta, Georgia, USA
    Posts
    289

    Default Re: editing sudoers?

    Quote Originally Posted by ken_yap View Post
    But remember that with this simple scheme fred can come along with a USB HD containing a suid root shell and then it's game over.
    I agree about your point regarding the security risk of sudoer. However, practically speaking, the security risk is no worse than other risks that we accept in our installations in general. After all, the only thing that anyone needs to completely compromise an existing installation is an installation CD or DVD. So, anybody can come along with any distro's boot disk, boot any Linux system from that installation media, mount the hard drive and access/delete/modify the entire hard drive's file system. Game completely over.....

  10. #10
    Join Date
    Jun 2008
    Location
    UTC+10
    Posts
    9,686
    Blog Entries
    4

    Default Re: editing sudoers?

    Quote Originally Posted by gldickens3 View Post
    I agree about your point regarding the security risk of sudoer. However, practically speaking, the security risk is no worse than other risks that we accept in our installations in general. After all, the only thing that anyone needs to completely compromise an existing installation is an installation CD or DVD. So, anybody can come along with any distro's boot disk, boot any Linux system from that installation media, mount the hard drive and access/delete/modify the entire hard drive's file system. Game completely over.....
    Yes, but this kind of sudo hole can be exploited remotely, and so is more serious than access to the physical machine. How? Just mount an image containing a suid root shell using loopback.
