I wonder how to edit /etc/sudoers to give users permission to run the mount / unmount commands, and also to give permission to add a new group?
I am aware that if I add something like this:
fred ALL = (ALL) NOPASSWD: ALL
fred will have root privileges, but I want him to be able to add new users and mount/unmount only.
ken, suid root is good to know. Actually it's just my curiosity about editing /etc/sudoers, and fred is just a randomly picked name, so only I can do harm to my openSUSE.
On 2011-11-29 15:06, ken yap wrote:
>
> robin_listas;2412018 Wrote:
>> Sudo needs you to define the commands and the parameters you pass. As it
>> is, fred can not pass any parameters to those commands.
>
> Not so. Specifying just a pathname allows the user to append any
> arguments after. See the man page for sudoers. That’s why it’s so
> dangerous.
Maybe I’m using different options and it doesn’t work for me.
--
Cheers / Saludos,
Carlos E. R.
(from 11.4 x86_64 “Celadon” at Telcontar)
I agree about your point regarding the security risk of sudoer. However, practically speaking, the security risk is no worse than other risks that we accept in our installations in general. After all, the only thing that anyone needs to completely compromise an existing installation is an installation CD or DVD. So, anybody can come along with any distro’s boot disk, boot any linux system from that installation media, mount the hard drive and access/delete/modify the entire hard drive’s file system. Game completely over…
Yes, but this kind of sudo hole can be exploited remotely, and so more serious than access to the physical machine. How? Just mount an image containing a suid root shell using loopback.
This isn’t a fair argument. You are now arguing that the sudo vulnerability can be exploited remotely, however, you are also requiring that a local image be mounted and your initial argument required a local USB drive. You can’t have it both ways. Pick your poison…
I have another question on editing the sudoers file. It's beyond security: can I edit sudoers that way to allow myself to copy files between different partitions without being asked for the root password?
The strange thing is that I added lines to my sudoers file and it worked perfectly, but I rebooted the system and it looks like the permissions are gone now.
## Read drop-in files from /etc/sudoers.d
## (the '#' here does not indicate a comment)
#includedir /etc/sudoers.d
andre ALL = NOPASSWD: /bin/mount, /bin/umount, /bin/dolphin, /bin/cp
Should anything else be added to /etc/sudoers to keep those permissions permanently?
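
Added example, not part of any post in this thread: a small Python audit of sudoers grants that applies the rule from the sudoers man page discussed above (a bare pathname permits any arguments, `""` permits none, listed arguments must match). The `RISKY` set, the function names and the `carol` line are assumptions of this example; aliases and escaped commas are not handled.

```python
import re

# Binaries named in the thread; the set is this example's assumption.
RISKY = {"mount", "umount", "cp"}
SPEC = re.compile(r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*(?P<rest>.+)$")

def audit_sudoers(text):
    """Return (user, command_path, verdict, nopasswd) for each granted command.
    verdict is ALL, ANY_ARGS, NO_ARGS or FIXED_ARGS."""
    results = []
    text = text.replace("\\\n", " ")  # join backslash-continued lines
    for line in map(str.strip, text.splitlines()):
        first = line.split(None, 1)[0] if line else ""
        # '#...' lines are comments or include directives, not grants.
        if not line or line[0] == "#" or first.startswith("Defaults") or first.endswith("_Alias"):
            continue
        m = SPEC.match(line)
        if not m:
            continue
        rest = re.sub(r"^\([^)]*\)\s*", "", m["rest"])   # drop the (runas) list
        nopasswd = "NOPASSWD:" in rest
        rest = re.sub(r"\b[A-Z_]+:\s*", "", rest)         # drop tags such as NOPASSWD:
        for cmnd in filter(None, map(str.strip, rest.split(","))):
            path, _, args = (p.strip() for p in cmnd.partition(" "))
            if path == "ALL":
                verdict = "ALL"            # every command, as root
            elif not args:
                verdict = "ANY_ARGS"       # bare path: user may append anything
            elif args == '""':
                verdict = "NO_ARGS"        # "" means: only without arguments
            else:
                verdict = "FIXED_ARGS"     # must match the listed arguments
            results.append((m["user"], path, verdict, nopasswd))
    return results

def needs_review(results):
    """Grants of ALL, or of a RISKY binary with unrestricted arguments."""
    return [r for r in results if r[2] == "ALL"
            or (r[2] == "ANY_ARGS" and r[1].rsplit("/", 1)[-1] in RISKY)]

# Constructed sample: the fred and andre lines follow the thread, carol is invented.
SAMPLE = """\
#includedir /etc/sudoers.d
fred ALL = (ALL) NOPASSWD: ALL
andre ALL = NOPASSWD: /bin/mount, /bin/umount, /bin/dolphin, /bin/cp
carol ALL = /bin/umount /mnt/usb, /usr/bin/id ""
"""

print(needs_review(audit_sudoers(SAMPLE)))
```

Run against the sample, the review list contains fred's `ALL` grant and andre's unrestricted `/bin/mount`, `/bin/umount` and `/bin/cp`, while carol's argument-restricted entries pass.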