Results 1 to 6 of 6

Thread: sudo configuration: do or don't delete ALL ALL = (ALL) ALL OS 11.2

  1. #1

    Default sudo configuration: do or don't delete ALL ALL = (ALL) ALL OS 11.2

    /etc/sudoers

    has the following
    ...

    # In the default (unconfigured) configuration, sudo asks for the root password.
    # This allows use of an ordinary user account for administration of a freshly
    # installed system. When configuring sudo, delete the two
    # following lines:
    Defaults targetpw
    ALL ALL = (ALL) ALL

    ...

    ################## EOF ################

    Using yast2 to configure sudo, I get a warning:

    "This rule is a system rule necessary for the correct functionality of sudo. After deleting it some applications may no longer work. Really delete? [ Yes ] [ No ] "

    My goal is to have certain users be able to run certain commands with root privileges. When they do this, I want them required to enter the OWN password, and not the root password.

    Should I remove this line or not?

  2. #2
    Join Date
    Jun 2008
    Location
    Earth - Denmark
    Posts
    10,730

    Default Re: sudo configuration: do or don't delete ALL ALL = (ALL) ALL OS11.2

    hattons wrote:
    > Should I remove this line or not?


    the second and third line in my /etc/sudoers file reads: "This file
    MUST be edited with the 'visudo' command as root. See the sudoers man
    page for the details on how to write a sudoers file." does yours also?

    i do not know the answer to your question, but if i were gonna remove
    that line to see if it does what you expecte/want, i would have saved
    an original copy of the file, read the sudoers man, and used visudo to
    do the deed..

    --
    DenverD
    CAVEAT: http://is.gd/bpoMD [posted via NNTP w/openSUSE 10.3]

  3. #3

    Default Re: sudo configuration: do or don't delete ALL ALL = (ALL) ALL OS11.2

    Quote Originally Posted by DenverD View Post
    hattons wrote:
    > Should I remove this line or not?


    the second and third line in my /etc/sudoers file reads: "This file
    MUST be edited with the 'visudo' command as root. See the sudoers man
    page for the details on how to write a sudoers file." does yours also?

    i do not know the answer to your question, but if i were gonna remove
    that line to see if it does what you expecte/want, i would have saved
    an original copy of the file, read the sudoers man, and used visudo to
    do the deed..

    --
    DenverD
    CAVEAT: C A V E A T [posted via NNTP w/openSUSE 10.3]
    visudo let me comment out the line. The problem is that "After deleting it some applications may no longer work" may mean that everything appears to work correctly until I try something new six months from now - after editing /etc/sudoers is long-forgotten.

    Changing `Defaults targetpw' to `Defaults !targetpw' did what I wanted regarding user authentication using the initiator's password.

    Now I need to figure out if there is a way to use auditd to determine who touched a file while using sudo as root. From reading the documentation, it seems that a process run through sudo as root will not preserve the identity of the initiating user.

    The SLE Documentation doesn't say much about sudo, and most of what it does say is negative.

    PolicyKit is an application framework that acts as a negotiator between the unprivileged user session and the privileged system context. Whenever a process from the user session tries to carry out an action in the system context, PolicyKit is queried. Based on its configurationspecified in a so-called "policy"the answer could be "yes", "no", or needs authentication. Unlike classical privilege authorization programs such as sudo, PolicyKit does not grant root permissions to an entire process, following the "least privilege" concept.

  4. #4

    Default Re: sudo configuration: do or don't delete ALL ALL = (ALL) ALL OS11.2

    Doesn't users using a sudo command show up in /var/log/messages ?
    Box 1: OpenSuse 11.1/Win7 | Linux 2.6.27 Gnome | AMD 64 X2 6000+ | nVidia 8600GT | 2GB RAM
    Box 2: OpenSuse 11.2 | Linux 2.6.31 Gnome | AMD 64 3000+ | ATI X800 Pro | 1GB RAM
    Box 3: Win7 Premium Home | Intel P4 3.0Gz | ATI AIW 2006 | 2GB RAM

  5. #5

    Default Re: sudo configuration: do or don't delete ALL ALL = (ALL) ALL OS11.2

    Quote Originally Posted by tararpharazon View Post
    Doesn't users using a sudo command show up in /var/log/messages ?
    Yes, but that isn't that hard to circumvent if the user has access to sufficiently powerful resources such as vi or emacs. If launching them through sudo makes them appear to be running as root with no indication of who launched them, then the user can shell out with root credentials and do whatever root can do without leaving direct fingerprints. I believe visudo addresses that specific problem, but I'm sure there are other exploits available.

    I don't know how easy it would be to merge the audit logs to figure out who did what when, if there are concurrent sudoers.

    Unfortunately the customer requirements are "Audit everything done by root on my Linux servers, and make it as easy to do as it is on Windoze." Of course they want me to tell them this upfront for an environment I have no futher information about. My response is going to be - in more polite terms - 'don't be stupid'. Limit the use of, and access to the root user to a bear minimum. Then audit what other, more restricted admin accounts do.

    After looking at sudo, it seems like something to use sparingly, and carefully.

  6. #6
    Join Date
    Nov 2009
    Location
    West Virginia Sector 13
    Posts
    15,580

    Default Re: sudo configuration: do or don't delete ALL ALL = (ALL) ALL OS11.2

    You might want to look at SELinux if you want detail access logs.

Tags for this Thread

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •