
Thread: Default sudo config does not follow /etc/sudoers.d entries

  1. #1

    Question Default sudo config does not follow /etc/sudoers.d entries

    Hi Folks,

    We add an exemptions file to /etc/sudoers.d on Linux platforms to enable elevated permissions for users in the sudoers or wheel groups. However, it appears that the sudo package, as configured by default in LEAP, does not follow these added exemptions even if the user is added to the wheel group.

    If I select the sudo settings in YaST, my exemptions file entries are not present in the information presented in the GUI.

    I have verified that the last entry in the /etc/sudoers file is the #includedir /etc/sudoers.d directive.

    What do we need to modify so that the system properly recognizes the entries added into /etc/sudoers.d?

  2. #2
    Join Date
    Jun 2008
    Location
    Netherlands
    Posts
    25,384

    Default Re: Default sudo config does not follow /etc/sudoers.d entries

    The openSUSE way of running things that should be run by root is different. It e.g. does not use the wheel group.

    AFAIK the sudo configuration is by default that "running as root" always asks for the root password. (This is the same as what su does, thus I never use sudo, but that is of course a personal way of living).

    So, when you want to change the security philosophy of an openSUSE system to that as used by several other distributions, I assume the best thing to do is to mimic what they do, like copying their sudoers config, etc.

    Or, when you really think their way is better, use one of those instead of openSUSE
    Henk van Velden

  3. #3

    Default Re: Default sudo config does not follow /etc/sudoers.d entries

    Quote Originally Posted by hcvv View Post
    The openSUSE way of running things that should be run by root is different. It e.g. does not use the wheel group.

    [snip]
    Or, when you really think their way is better, use one of those instead of openSUSE
    Not helpful, but okay, I understand defensive responses. We run all principal distros in the lab and have since Linus' 0.99pl12 in 1993, so we already understand this. What I'm looking for is the user experience and what we as developers need to do to provide a similar user experience on all distros.

    Since openSuSE uses the standard sudo package and the sudoers file is normal with the exception of the default changes to secure_path, targetpw, and env_keep, this should all just work as expected. Unfortunately, the sudo settings in YaST do not expose these changed settings and I believe that it should.

  4. #4
    Join Date
    Jun 2008
    Location
    Netherlands
    Posts
    25,384

    Default Re: Default sudo config does not follow /etc/sudoers.d entries

    Quote Originally Posted by tolistim View Post
    What I'm looking for is the user experience and what we as developers need to do to provide a similar user experience on all distros.
    I understand my post was not really helpful in that it offered you no direct solution to what your goal is.

    What I tried is to explain that the "user experience" of most openSUSE users is the default as installed.

    While it may be possible that someone with enough experience in both worlds turns up to help you, I tried to explain that not many here ever looked in what you want.
    Henk van Velden

  5. #5

    Default Re: Default sudo config does not follow /etc/sudoers.d entries

    @tolistim:

    Quote Originally Posted by tolistim View Post
    What do we need to modify so that the system properly recognizes the entries added into /etc/sudoers.d?
    Change file permissions?

    Code:
    # ls -ld /etc/sudoers.d{,/nrpe}
    drwxr-x--- 2 root root 4096 Oct  4  2018 /etc/sudoers.d
    -r--r----- 1 root root  360 Jun  2  2018 /etc/sudoers.d/nrpe
    My /etc/sudoers is default (same timestamp as /usr/sbin/visudo).

    Kind regards,

    Leen

  6. #6
    Join Date
    Jun 2008
    Location
    San Diego, Ca, USA
    Posts
    11,475
    Blog Entries
    2

    Default Re: Default sudo config does not follow /etc/sudoers.d entries

    Although I absolutely do not support use of the wheel group by interactive Users,

    It's been my experience that you don't really need to "sudo" to gain access to the wheel group because in openSUSE we aren't forbidden from using root directly (su or su-) which is the case in many other distros...

    So, why deal with sudo at all?
    If you're going to grant root permissions to Users, just make them members of the wheel group directly... both cross-distro command lines and YaST support this.

    And, of course I have to remind all others that this practice is highly, highly discouraged. Although a standard documented configuration in some other distros, this opens an enormous security vulnerability you can drive a Mack truck through...

    Compare our common procedure in openSUSE which is to support elevated permissions in a console or application session for only as long as that console or app is open...
    To making a User a member of the wheel group which makes any activity by that User using elevated permissions, not restricted by running only within a console or specific app.

    TSU
    Beginner Wiki Quickstart - https://en.opensuse.org/User:Tsu2/Quickstart_Wiki
    Solved a problem recently? Create a wiki page for future personal reference!
    Learn something new?
    Attended a computing event?
    Post and Share!

  7. #7
    Join Date
    Aug 2010
    Location
    Chicago suburbs
    Posts
    12,886
    Blog Entries
    3

    Default Re: Default sudo config does not follow /etc/sudoers.d entries

    Quote Originally Posted by tolistim View Post
    What I'm looking for is the user experience and what we as developers need to do to provide a similar user experience on all distros.
    My user experience is that I almost never use "sudo" on openSUSE. I use "su" or "su -", or I use
    Code:
    ssh root@localhost
    with public key authentication. I never much cared for "sudo".

    If I'm stuck on Ubuntu, then I may use "sudo bash" to get a root shell. That Ubuntu forces one to use "sudo" is one of the reasons that I use openSUSE rather than Ubuntu.
    openSUSE Leap 15.1; KDE Plasma 5;
    testing Leap 15.2Alpha

  8. #8
    Join Date
    Jun 2008
    Location
    Groningen, Netherlands
    Posts
    20,043
    Blog Entries
    14

    Default Re: Default sudo config does not follow /etc/sudoers.d entries

    Quote Originally Posted by tolistim View Post
    I have verified that the last entry in the /etc/sudoers file is the #includedir /etc/sudoers.d directive.
    Looking at the rest of the entries in /etc/sudoers, shouldn't the # be removed from that line? I.e. make the last line
    Code:
    includedir /etc/sudoers.d

    https://en.opensuse.org/openSUSE:Board#Members
    http://en.opensuse.org/User:Knurpht
    http://nl.opensuse.org/Gebruiker:Knurpht
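The two suggestions in posts #5 and #8 (file permissions and the include line) can be checked mechanically. The script below is an added example, not code from any poster in this thread; it applies the rules documented in sudoers(5): `#includedir` (or `@includedir` in newer sudo) is a directive rather than a comment, drop-in files whose names end in `~` or contain `.` are skipped, and sudoers files must be owned by root and not world-writable. The function names are hypothetical and GNU `stat` is assumed.

```shell
#!/bin/sh
# Added example: report why sudo would ignore files under /etc/sudoers.d.

# Succeeds if the includedir mechanism would read a file with this name.
dropin_name_ok() {
    case "$1" in
        *.*|*~) return 1 ;;   # contains "." or ends in "~": skipped by sudo
        *)      return 0 ;;
    esac
}

# Succeeds if the octal mode (e.g. 440) is not world-writable.
mode_ok() {
    case "$1" in
        *[2367]) return 1 ;;  # last digit has the write bit set
        *)       return 0 ;;
    esac
}

# Succeeds if sudoers file $1 has an active include of directory $2.
has_includedir() {
    grep -Eq "^[[:space:]]*[#@]includedir[[:space:]]+$2/?[[:space:]]*\$" "$1"
}

# Prints one verdict line per regular file in directory $1.
audit_dropins() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        name=${f##*/}
        mode=$(stat -c %a "$f")
        uid=$(stat -c %u "$f")
        if ! dropin_name_ok "$name"; then echo "SKIPPED (name): $name"
        elif ! mode_ok "$mode";      then echo "REJECTED (mode $mode): $name"
        elif [ "$uid" != 0 ];        then echo "REJECTED (uid $uid): $name"
        else                              echo "ok: $name"
        fi
    done
}

# Usage (as root): sh check-dropins.sh /etc/sudoers /etc/sudoers.d
if [ "$#" -eq 2 ]; then
    has_includedir "$1" "$2" || echo "no includedir for $2 in $1"
    audit_dropins "$2"
fi
```

A file that passes all of these checks can still fail to parse; `visudo -c` reports syntax errors in `/etc/sudoers` and the files it includes.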
