Change password just for sudo

scarleo · April 6, 2010, 5:48pm

Hi, I’m using Debian and openSUSE 11.2 and the sudo-ing is a bit different in Debian. It actually makes more sense to enter your own password like in Debian to achieve sudo status than have to use the root password for sudo status. If I for example would like to give someone on my system sudo rights, I can’t give them the root password. Thats just like giving them root access. Or is there a way to change that behaviour, or just change sudo password, in openSUSE? Or maybe any other best pracitce for giving users sudo rights?

Thanks in advance

syampillai · April 6, 2010, 5:52pm

You can set up sudo for specific commands. But, generally, noone should hand over a system to someone else just like that!

man sudo

Akoellh · April 6, 2010, 6:05pm

Run

su -c visudo

Read comments carefully
Edit to your needs

Chrysantine · April 6, 2010, 6:46pm

And what is giving them sudo rights other than giving them low level access to your system?

Enjoy your placebo security.

scarleo · April 6, 2010, 6:48pm

Thanks, now it’s working as I expect it to. Not sure witch one is more secure though… any thoughts?

You can set up sudo for specific commands. But, generally, noone should hand over a system to someone else just like that!

I thought that was the reason of sudo’s existence, to let some chosen users do some chosen things with root privileges… I mean of course under strict control. Am I wrong, are there any other reasons?

Akoellh · April 6, 2010, 6:53pm

The most secure is not to allow anybody but the admin (aka “the guy who knows the root pw”) to gain elevated privileges, no matter if via sudo or su.

If that is not possible, then using sudo only for those commands that should be allowed with the user’s password being asked for is only little less secure.

That IMHO is the reason why openSUSE uses the default settings for sudo, meaning nobody can use sudo without knowing the root password which should be “nobody else than the person who configured the system and added this password”.

Anything else will need user’s (in this case “root’s”) interaction.

VampirD · April 6, 2010, 7:22pm

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

su -c visudo and see the following lines:

In the default (unconfigured) configuration, sudo asks for the root

password.

This allows use of an ordinary user account for administration of a

freshly

installed system. When configuring sudo, delete the two

following lines:

Defaults targetpw # ask for the password of the target user i.e. root
ALL ALL=(ALL) ALL # WARNING! Only use this together with ‘Defaults
targetpw’!

delete the last two

VampirD

Microsoft Windows is like air conditioning
Stops working when you open a window.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.12 (GNU/Linux)
Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org/

iEYEARECAAYFAku7blYACgkQJQ+0ABWtaVnTywCdEJJz2agoxwTR+j8Zryaz4VAP
ekIAni79N3jYeoiFHHLScaR9GJGDG+BO
=5rZB
-----END PGP SIGNATURE-----