Is this a bug?
I *STRONGLY* /OBJECT/ to the notion that users should not edit
configuration files.
I do not think, that this is a bug, since it is the default file, which should not be edited by the user.
All changes should be done in "/etc/sudoers.d/" to avoid such cases.
Hello Walter,
I do not think, that this is a bug, since it is the default file, which should not be edited by the user.
All changes should be done in "/etc/sudoers.d/" to avoid such cases.
I kept mine unchanged from 2nd October and only have two uncommented lines:
[...]
root ALL=(ALL:AlL) ALL
[...]
@includedir /etc/sudoers.d
I am using version "1.9.11_p3-r1".
I do not know, what the developers were thinking to encourage the user
to edit a default file, which gets potentially overwritten after each
package update...
"etc-update" helps to have an eye on, but muscle memory and fast fingers
are sometimes faster.
Calm down.
Nobody said you can't.
I do.
Just know what you're doing and pay attention to what portage does
with package-managed configuration files.
dispatch-conf even gives you the opportunity to edit it before
applying.
and your user is able to synchronise your clock again.
I do not know, what the developers were thinking to encourage the user
to edit a default file, which gets potentially overwritten after each
package update...
"etc-update" helps to have an eye on, but muscle memory and fast fingers
are sometimes faster.
This is the best way. Try to be as precise as possible, but be aware of wildcards![1]
My regular user has script "settime" in ${HOME}/bin
#!/bin/bash
date
/usr/bin/sudo /usr/bin/rdate -nsv ca.pool.ntp.org
/usr/bin/sudo /sbin/hwclock --systohc
date
/etc/sudoers.d/001 has, amongst other things, two lines...
waltdnes x8940 = (root) NOPASSWD: /sbin/hwclock --systohc
waltdnes x8940 = (root) NOPASSWD: /usr/bin/rdate -nsv ca.pool.ntp.org
User "waltdnes" is a member of "wheel". If the "wheel" line is
uncommented in /etc/sudoers, sudo works for me. If the "wheel"
line is commented, then sudo breaks for my regular user.
There seem to be two different approaches here. The loose approach
is to allow a user to run "sudo <whatever I damn well want>".
A more locked down approach allows regular users to run "sudo <very
specific command>".
This guards against "fat-finger-syndrome".
I go with the more locked down approach
dispatch-conf even gives you the opportunity to edit it before
applying.
Yep.
I almost always reject the changes suggested on config files that I've modified and accept them on files that I've not modified.
I really do wish that there was a better way to manage this, likely involving diffs / deltas. E.g. what changed between the N distribution
file and the N+1 distribution file. Can that same change be safely
applied to the N' distribution file to create the N'+1 file?
On Wed, 26 Oct 2022 10:21:06 -0600, Grant Taylor wrote:
dispatch-conf even gives you the opportunity to edit it before
applying.
Yep.
I almost always reject the changes suggested on config files that I've modified and accept them on files that I've not modified.
I really do wish that there was a better way to manage this, likely involving diffs / deltas. E.g. what changed between the N distribution file and the N+1 distribution file. Can that same change be safely
applied to the N' distribution file to create the N'+1 file?
conf-update allows you to merge the new and old files, prompting you to
pick which to use on each differing section, with a further option to
edit the lines. That way you can keep your changed lines but still add
lines relating to new config options.
Also a very interesting question!Could you not interrupt grup and append "single" or "init=/bin/bash"
I just tested this with "visudo" and it does not intercept this.
If "su" is disabled, you are locked out and you are forced to enter
your system via a live USB stick and a "chroot" in order to edit "/etc/shadow" to set a root password via "mkpasswd" and enable "su".
Nice. :D
-Ramon
On 26/10/2022 18:52, Grant Taylor wrote:
What if someone were to put the following into
/etc/sudoers.d/zzzzzzzzzz
ALL ALL=(ALL) !ALL
}:-)
--
GPG public key: 5983 98DA 5F4D A464 38FD CF87 155B E264 13E6 99BF
Also a very interesting question!
I just tested this with "visudo" and it does not intercept this.
If "su" is disabled, you are locked out and you are forced to enter
your system via a live USB stick and a "chroot" in order to edit "/etc/shadow" to set a root password via "mkpasswd" and enable "su".
Nice. :D
-Ramon
On 26/10/2022 18:52, Grant Taylor wrote:
What if someone were to put the following into
/etc/sudoers.d/zzzzzzzzzz
  ALL ALL=(ALL) !ALL
}:-)
You need to be root to write to /etc/sudoers.d. If someone has that
access, you are already doomed!
Also a very interesting question!
I just tested this with "visudo" and it does not intercept this.
If "su" is disabled, you are locked out and you are forced to enter your system via a live USB stick and a "chroot" in order to edit
"/etc/shadow" to set a root password via "mkpasswd" and enable "su".
Could you not interrupt grup and append "single" or "init=/bin/bash" to
the kernel command line?
You need to be root to write to /etc/sudoers.d. If someone has that
access, you are already doomed!
And what happens if someone uses the existing root-via-sudo access to
break sudo?
I thought in a too complicated way.
Why not just remove the entry from "/etc/sudoers.d/zzzzzzz", while
being in a "chroot"?
So they have root access, nothing has changed. How they get root
access is irrelevant, just that they have it.
On 10/26/22 2:08 PM, Neil Bothwick wrote:
So they have root access, nothing has changed. How they get root
access is irrelevant, just that they have it.
No, how they get root access is not irrelevant.
If your only access to root is via sudo and you break sudo you no
longer have root access.
If you don't have root access through something other than sudo, you
can't fix your sudo (from your existing system).
They and you are different people. You are looking at it from the
perspective of a user accidentally locking themself out of the system,
so su is the best way to be able to fix it. I agree with you there. I
was looking at it from the perspective of a third party changing sudo
right without your consent. We were at cross purposes.
Why was I thinking of a chroot?
Maybe because of reading "grup/grub" a few e-mails before and thinking
of "grub-mkconfig"...
I have created an issue at their Git repository. Maybe there will be
solution for this:
  https://github.com/sudo-project/sudo/issues/190
Sure, you cannot cover everything, but mitigating at least a little bit
would be OK or not? :)
Sysop: | Keyop |
---|---|
Location: | Huddersfield, West Yorkshire, UK |
Users: | 302 |
Nodes: | 16 (2 / 14) |
Uptime: | 98:54:45 |
Calls: | 6,767 |
Calls today: | 5 |
Files: | 12,295 |
Messages: | 5,376,396 |
Posted today: | 1 |