I'm kinda confused by the sudo problem I'm having. I've edited the main file with visudo to include:
## Allow root to run any commands anywhere
root    ALL=(ALL)       ALL
markh   ALL=(ALL)       NOPASSWD: ALL
(obviously only the last line was my addition)
But for some reason, it makes no difference at all. I'm still required to input my password. What gives? I've not had this problem before so I don't know where to start.
On Wed, Mar 28, 2012 at 15:18, Mark Haney markh@abemblem.com wrote:
markh ALL=(ALL) NOPASSWD: ALL
This should be:
%markh ALL=(ALL) NOPASSWD: ALL
Am 28.03.2012 15:26, schrieb suvayu ali:
On Wed, Mar 28, 2012 at 15:18, Mark Haney markh@abemblem.com wrote:
markh ALL=(ALL) NOPASSWD: ALL
This should be:
%markh ALL=(ALL) NOPASSWD: ALL
why? this would mean GROUP markh, see examples in /etc/sudoers!
was the change made with "visudo" and are permissions OK?
## Allows people in group wheel to run all commands
# %wheel        ALL=(ALL)       ALL
## Same thing without a password
# %wheel        ALL=(ALL)       NOPASSWD: ALL
On Wed, Mar 28, 2012 at 15:35, Reindl Harald h.reindl@thelounge.net wrote:
Am 28.03.2012 15:26, schrieb suvayu ali:
On Wed, Mar 28, 2012 at 15:18, Mark Haney markh@abemblem.com wrote:
markh ALL=(ALL) NOPASSWD: ALL
This should be:
%markh ALL=(ALL) NOPASSWD: ALL
why? this would mean GROUP markh, see examples in /etc/sudoers!
Because I did _mean_ group markh. I had overlooked that you could specify individual users too. Since by default all users belong to a group named after itself, specifying as a group should work too.
On Wed, Mar 28, 2012 at 15:42, Tom Horsley horsley1953@gmail.com wrote:
On Wed, 28 Mar 2012 15:26:27 +0200 suvayu ali wrote:
markh ALL=(ALL) NOPASSWD: ALL
This should be:
%markh ALL=(ALL) NOPASSWD: ALL
There is no % in front of my user name in my sudoers file on f16, yet I have full access with no password required.
As I mention in my next response, I had overlooked that you can specify a single user too. I prefer using groups, but that is personal taste.
Am 28.03.2012 15:43, schrieb suvayu ali:
On Wed, Mar 28, 2012 at 15:35, Reindl Harald h.reindl@thelounge.net wrote:
Am 28.03.2012 15:26, schrieb suvayu ali:
On Wed, Mar 28, 2012 at 15:18, Mark Haney markh@abemblem.com wrote:
markh ALL=(ALL) NOPASSWD: ALL
This should be:
%markh ALL=(ALL) NOPASSWD: ALL
why? this would mean GROUP markh, see examples in /etc/sudoers!
Because I did _mean_ group markh. I had overlooked that you could specify individual users too. Since by default all users belong to a group named after itself, specifying as a group should work too.
one of the odd defaults many are not using
why should i have a group with the name of my user if it has only one user - or why should i put the user "caroline" in group "harry" except for chaos
no idea who invented this silly default, however, do not assume all people are using defaults all the time
On 03/28/2012 09:35 AM, Reindl Harald wrote:
Am 28.03.2012 15:26, schrieb suvayu ali:
On Wed, Mar 28, 2012 at 15:18, Mark Haney markh@abemblem.com wrote:
markh ALL=(ALL) NOPASSWD: ALL
This should be:
%markh ALL=(ALL) NOPASSWD: ALL
why? this would mean GROUP markh, see examples in /etc/sudoers!
was the change made with "visudo" and are permissions OK?
Yes it was changed with visudo which I think I included in the OP. I suppose I can specify a group, but that would be odd for that to work and the user of the same name not to work.
On 03/28/2012 09:43 AM, suvayu ali wrote:
On Wed, Mar 28, 2012 at 15:35, Reindl Harald h.reindl@thelounge.net wrote:
Am 28.03.2012 15:26, schrieb suvayu ali:
On Wed, Mar 28, 2012 at 15:18, Mark Haney markh@abemblem.com wrote:
markh ALL=(ALL) NOPASSWD: ALL
This should be:
%markh ALL=(ALL) NOPASSWD: ALL
why? this would mean GROUP markh, see examples in /etc/sudoers!
Because I did _mean_ group markh. I had overlooked that you could specify individual users too. Since by default all users belong to a group named after itself, specifying as a group should work too.
True, but if that's the case then specifying the user should work as well. It doesn't. (and yes I've logged out and in again. sudoers has been that way for a couple of weeks now so that's not a problem.)
On Wed, Mar 28, 2012 at 16:22, Mark Haney markh@abemblem.com wrote:
True, but if that's the case then specifying the user should work as well. It doesn't. (and yes I've logged out and in again. sudoers has been that way for a couple of weeks now so that's not a problem.)
What does /var/log/secure say for each sudo command you try?
On 03/28/2012 10:28 AM, suvayu ali wrote:
On Wed, Mar 28, 2012 at 16:22, Mark Haney markh@abemblem.com wrote:
True, but if that's the case then specifying the user should work as well. It doesn't. (and yes I've logged out and in again. sudoers has been that way for a couple of weeks now so that's not a problem.)
What does /var/log/secure say for each sudo command you try?
Not much:
Mar 28 10:22:48 marius sudo: markh : TTY=pts/0 ; PWD=/home/markh ; USER=root ; COMMAND=/bin/su
Mar 28 10:23:59 marius sudo: markh : TTY=pts/5 ; PWD=/home/markh/Documents ; USER=root ; COMMAND=/usr/bin/kate
Mar 28 10:25:07 marius sudo: markh : TTY=pts/7 ; PWD=/home/markh ; USER=root ; COMMAND=/bin/su
Mar 28 10:46:58 marius sudo: markh : TTY=pts/7 ; PWD=/home/markh ; USER=root ; COMMAND=/bin/cat /var/log/secure
Am 28.03.2012 16:48, schrieb Mark Haney:
On 03/28/2012 10:28 AM, suvayu ali wrote:
On Wed, Mar 28, 2012 at 16:22, Mark Haney markh@abemblem.com wrote:
True, but if that's the case then specifying the user should work as well. It doesn't. (and yes I've logged out and in again. sudoers has been that way for a couple of weeks now so that's not a problem.)
What does /var/log/secure say for each sudo command you try?
Not much:
Mar 28 10:22:48 marius sudo: markh : TTY=pts/0 ; PWD=/home/markh ; USER=root ; COMMAND=/bin/su
Mar 28 10:23:59 marius sudo: markh : TTY=pts/5 ; PWD=/home/markh/Documents ; USER=root ; COMMAND=/usr/bin/kate
Mar 28 10:25:07 marius sudo: markh : TTY=pts/7 ; PWD=/home/markh ; USER=root ; COMMAND=/bin/su
Mar 28 10:46:58 marius sudo: markh : TTY=pts/7 ; PWD=/home/markh ; USER=root ; COMMAND=/bin/cat /var/log/secure
and where exactly is the problem now? these are logs with SUCCESS!
see below, this is a test on my buildmachine where "builduser" has exactly these permissions to build/update a bundle of packages automatically
Mar 28 16:50:02 buildserver sudo: builduser : TTY=pts/0 ; PWD=/home/builduser ; USER=root ; COMMAND=/bin/env PATH=/usr/lib64/qt-3.3/bin:/buildserver/:/usr/local/bin:/bin:/usr/bin date
On 03/28/2012 10:51 AM, Reindl Harald wrote:
Not much:
Mar 28 10:22:48 marius sudo: markh : TTY=pts/0 ; PWD=/home/markh ; USER=root ; COMMAND=/bin/su
Mar 28 10:23:59 marius sudo: markh : TTY=pts/5 ; PWD=/home/markh/Documents ; USER=root ; COMMAND=/usr/bin/kate
Mar 28 10:25:07 marius sudo: markh : TTY=pts/7 ; PWD=/home/markh ; USER=root ; COMMAND=/bin/su
Mar 28 10:46:58 marius sudo: markh : TTY=pts/7 ; PWD=/home/markh ; USER=root ; COMMAND=/bin/cat /var/log/secure
and where exactly is the problem now? these are logs with SUCCESS!
And that's my point. It's a success IF I enter the password. But since I have NOPASSWD in sudoers I shouldn't have to enter the password.
On 28/03/12 14:18, Mark Haney wrote:
## Allow root to run any commands anywhere
root    ALL=(ALL)       ALL
markh   ALL=(ALL)       NOPASSWD: ALL
try removing the space:
markh   ALL=(ALL)       NOPASSWD: ALL
to:
markh   ALL=(ALL)       NOPASSWD:ALL
But are you certain, no one else has access to your PC?
Am 28.03.2012 17:22, schrieb Frank Murphy:
On 28/03/12 14:18, Mark Haney wrote:
## Allow root to run any commands anywhere
root    ALL=(ALL)       ALL
markh   ALL=(ALL)       NOPASSWD: ALL
try removing the space:
markh   ALL=(ALL)       NOPASSWD: ALL
to:
markh   ALL=(ALL)       NOPASSWD:ALL
But are you certain, no one else has access to your PC?
the space is not related, no idea why it is not working for the OP
see the line below, this one works on a machine currently on F16 since it was installed with F9 in summer 2008
[root@buildserver:~]$ cat /etc/sudoers | grep builduser
builduser ALL=(ALL) NOPASSWD: ALL
on a usual desktop PC with a standard-user it is a VERY bad idea because any attacker only needs to try "sudo anything" to get full control over the machine
this should be only used for special accounts on well secured machines where no foreign code is running
On 28/03/12 15:20, Mark Haney wrote:
was the change made with "visudo" and are permissions OK?
Yes it was changed with visudo which I think I included in the OP. I suppose I can specify a group, but that would be odd for that to work and the user of the same name not to work.
ls -l /etc/sudoers
On Wed, Mar 28, 2012 at 9:18 AM, Mark Haney markh@abemblem.com wrote:
I'm kinda confused by the sudo problem I'm having. I've edited the main file with visudo to include:
## Allow root to run any commands anywhere
root    ALL=(ALL)       ALL
markh   ALL=(ALL)       NOPASSWD: ALL
Do any of the other lines match the markh user? I believe sudo goes through the file and uses the last matching entry.
On 03/28/2012 08:29 AM, Reindl Harald wrote:
on a usual desktop PC with a standard-user it is a VERY bad idea because any attacker only needs to try "sudo anything" to get full control over the machine
My thoughts exactly. Except under very unusual circumstances I'm the only person who ever uses this PC, but I don't have sudo set up with nopassword. In fact, as I know the root password (being the person who installed Fedora) I don't have sudo set up at all. AIUI, sudo was written to allow people *who don't have the root password* limited access to administrative commands.
Yes, I understand that there are times you have to use sudo instead of su in a production environment to ensure that everything gets logged, but I've never understood why anybody would do it at home. YMMV and all that jazz, but if this is a home box, I'd suggest asking yourself why you're bothering with sudo in the first place.
On Wed, Mar 28, 2012 at 10:19 AM, Joe Zeff joe@zeff.us wrote:
On 03/28/2012 08:29 AM, Reindl Harald wrote:
on a usual desktop PC with a standard-user it is a VERY bad idea because any attacker only needs to try "sudo anything" to get full control over the machine
My thoughts exactly. Except under very unusual circumstances I'm the only person who ever uses this PC, but I don't have sudo set up with nopassword. In fact, as I know the root password (being the person who installed Fedora) I don't have sudo set up at all. AIUI, sudo was written to allow people *who don't have the root password* limited access to administrative commands.
Yes, I understand that there are times you have to use sudo instead of su in a production environment to ensure that everything gets logged, but I've never understood why anybody would do it at home. YMMV and all that jazz, but if this is a home box, I'd suggest asking yourself why you're bothering with sudo in the first place.
In my case, it's because `sudo yum update` requires 3 fewer keystrokes than `su -c 'yum update'`. ;-)
I generally only need root for one-off commands and IMHO sudo's syntax for that is far nicer than su's.
-T.C.
On Wed, Mar 28, 2012 at 19:19, Joe Zeff joe@zeff.us wrote:
Yes, I understand that there are times you have to use sudo instead of su in a production environment to ensure that everything gets logged, but I've never understood why anybody would do it at home. YMMV and all that jazz, but if this is a home box, I'd suggest asking yourself why you're bothering with sudo in the first place.
Because sudo with a passwd is a healthy mix of security and convenience for a home system.
Am 28.03.2012 19:26, schrieb T.C. Hollingsworth:
On Wed, Mar 28, 2012 at 10:19 AM, Joe Zeff joe@zeff.us wrote:
On 03/28/2012 08:29 AM, Reindl Harald wrote:
on a usual desktop PC with a standard-user it is a VERY bad idea because any attacker only needs to try "sudo anything" to get full control over the machine
My thoughts exactly. Except under very unusual circumstances I'm the only person who ever uses this PC, but I don't have sudo set up with nopassword. In fact, as I know the root password (being the person who installed Fedora) I don't have sudo set up at all. AIUI, sudo was written to allow people *who don't have the root password* limited access to administrative commands.
Yes, I understand that there are times you have to use sudo instead of su in a production environment to ensure that everything gets logged, but I've never understood why anybody would do it at home. YMMV and all that jazz, but if this is a home box, I'd suggest asking yourself why you're bothering with sudo in the first place.
In my case, it's because `sudo yum update` requires 3 fewer keystrokes than `su -c 'yum update'`. ;-)
I generally only need root for one-off commands and IMHO sudo's syntax for that is far nicer than su's.
what about a simple shell-script "/usr/local/bin/sudo" as wrapper?
Am 28.03.2012 19:28, schrieb suvayu ali:
On Wed, Mar 28, 2012 at 19:19, Joe Zeff joe@zeff.us wrote:
Yes, I understand that there are times you have to use sudo instead of su in a production environment to ensure that everything gets logged, but I've never understood why anybody would do it at home. YMMV and all that jazz, but if this is a home box, I'd suggest asking yourself why you're bothering with sudo in the first place.
Because sudo with a passwd is a healthy mix of security and convenience for a home system.
but the topic is about sudo WITHOUT a password!
and as said in my last post:
/usr/local/bin/sudo:
#!/bin/bash
# pass every argument on to su, not just the first word
su -c "$*"
On Wed, Mar 28, 2012 at 09:18:50AM -0400, Mark Haney wrote:
I'm kinda confused by the sudo problem I'm having. I've edited the main file with visudo to include:
## Allow root to run any commands anywhere
root    ALL=(ALL)       ALL
markh   ALL=(ALL)       NOPASSWD: ALL
I have this, using the group, not the user.
%wheel ALL=(ALL) NOPASSWD: ALL
However, sometimes a space makes all the difference (silly, I know). Have you tried adding spaces like so:
markh ALL = (ALL) NOPASSWD: ALL
(obviously only the last line was my addition)
But for some reason, it makes no difference at all. I'm still required to input my password. What gives? I've not had this problem before so I don't know where to start.
--
Mark Haney Software Developer/Consultant AB Emblem markh@abemblem.com Linux marius.homelinux 3.3.0-4.fc16.x86_64 GNU/Linux -- users mailing list users@lists.fedoraproject.org To unsubscribe or change subscription options: https://admin.fedoraproject.org/mailman/listinfo/users Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines Have a question? Ask away: http://ask.fedoraproject.org
On Wed, Mar 28, 2012 at 05:29:25PM +0200, Reindl Harald wrote:
Am 28.03.2012 17:22, schrieb Frank Murphy:
On 28/03/12 14:18, Mark Haney wrote:
## Allow root to run any commands anywhere
root    ALL=(ALL)       ALL
markh   ALL=(ALL)       NOPASSWD: ALL
try removing the space:
markh   ALL=(ALL)       NOPASSWD: ALL
to:
markh   ALL=(ALL)       NOPASSWD:ALL
But are you certain, no one else has access to your PC?
the space is not related, no idea why it is not working for the OP
see the line below, this one works on a machine currently on F16 since it was installed with F9 in summer 2008
[root@buildserver:~]$ cat /etc/sudoers | grep builduser
builduser ALL=(ALL) NOPASSWD: ALL
I had an installation once where you had to add spaces around the 'equal' sign. FWIW dept. :)
on a usual desktop PC with a standard-user it is a VERY bad idea because any attacker only needs to try "sudo anything" to get full control over the machine
this should be only used for special accounts on well secured machines where no foreign code is running
Reindl Harald wrote:
one of the odd defaults many are not using
why should i have a group with the name of my user if it has only one user - or why should i put the user "caroline" in group "harry" except for chaos
no idea who invented this silly default, however, do not assume all people are using defaults all the time
For what it’s worth, the Red Hat Linux 7.3 manual at ftp://archive.download.redhat.com/pub/redhat/linux/7.3/en/doc/RH-DOCS/pdf-en/rhl-rg-en.pdf section 6.4.1 gives the official rationale. It’s definitely a Red Hat-ism, but there is some thought behind it.
Briefly, it’s because if you have a group shared directory (where users in that group can edit all the files in the directory), you want the default umask to be 002, which makes new files get rw-rw-r-- permissions by default, and new subdirectories get rwxrwxr-x. (If the directory has the group SUID bit set, then by default everything created in that directory will inherit the same group).
But that means that files in your home directory also get rw-rw-r-- permissions, which is Not a Good Thing if anyone else is in the same group. So you need a per-user group to keep home directories safe.
James.
Mark Haney wrote:
I'm kinda confused by the sudo problem I'm having. I've edited the main file with visudo to include:
## Allow root to run any commands anywhere
root    ALL=(ALL)       ALL
markh   ALL=(ALL)       NOPASSWD: ALL
(obviously only the last line was my addition)
But for some reason, it makes no difference at all. I'm still required to input my password. What gives? I've not had this problem before so I don't know where to start.
Wild guess: try
cat -vet /etc/sudoers
This should show if you have any unexpected control characters in your file (tab is shown as ^I, and the line feed at the end of a line by $).
Hope this helps,
James.
On 03/28/2012 12:02 PM, William Hooper wrote:
On Wed, Mar 28, 2012 at 9:18 AM, Mark Haney markh@abemblem.com wrote:
I'm kinda confused by the sudo problem I'm having. I've edited the main file with visudo to include:
## Allow root to run any commands anywhere
root    ALL=(ALL)       ALL
markh   ALL=(ALL)       NOPASSWD: ALL
Do any of the other lines match the markh user? I believe sudo goes through the file and uses the last matching entry.
Hmm, no, not that I can see. That's the only entry with my username in it.
On 03/28/2012 01:19 PM, Joe Zeff wrote:
On 03/28/2012 08:29 AM, Reindl Harald wrote:
on a usual desktop PC with a standard-user it is a VERY bad idea because any attacker only needs to try "sudo anything" to get full control over the machine
My thoughts exactly. Except under very unusual circumstances I'm the only person who ever uses this PC, but I don't have sudo set up with nopassword. In fact, as I know the root password (being the person who installed Fedora) I don't have sudo set up at all. AIUI, sudo was written to allow people *who don't have the root password* limited access to administrative commands.
Yes, I understand that there are times you have to use sudo instead of su in a production environment to ensure that everything gets logged, but I've never understood why anybody would do it at home. YMMV and all that jazz, but if this is a home box, I'd suggest asking yourself why you're bothering with sudo in the first place.
The only real issue there is I'm usually running multiple consoles and I don't always pay enough attention to keep track of which console is running root. If I use sudo I know that I can't do anything stupid in a console that will trash the system. I may blow up my own crap, but that's why we have backups. And that's why sudo is much safer to use than logging in as root, at least from the command line.
On 03/28/2012 01:44 PM, ny6p01@gmail.com wrote:
On Wed, Mar 28, 2012 at 05:29:25PM +0200, Reindl Harald wrote:
Am 28.03.2012 17:22, schrieb Frank Murphy:
On 28/03/12 14:18, Mark Haney wrote:
## Allow root to run any commands anywhere
root    ALL=(ALL)       ALL
markh   ALL=(ALL)       NOPASSWD: ALL
try removing the space:
markh   ALL=(ALL)       NOPASSWD: ALL
to:
markh   ALL=(ALL)       NOPASSWD:ALL
But are you certain, no one else has access to your PC?
I had an installation once where you had to add spaces around the 'equal' sign. FWIW dept. :)
I'll certainly try all the variations, but it seems kinda silly when other people with F16 don't seem to need that kind of babysitting.
On Wed, Mar 28, 2012 at 19:31, Reindl Harald h.reindl@thelounge.net wrote:
Am 28.03.2012 19:28, schrieb suvayu ali:
On Wed, Mar 28, 2012 at 19:19, Joe Zeff joe@zeff.us wrote:
Yes, I understand that there are times you have to use sudo instead of su in a production environment to ensure that everything gets logged, but I've never understood why anybody would do it at home. YMMV and all that jazz, but if this is a home box, I'd suggest asking yourself why you're bothering with sudo in the first place.
Because sudo with a passwd is a healthy mix of security and convenience for a home system.
but the topic is about sudo WITHOUT a password!
I was responding to Joe's comment about "why bother with sudo when I can use su", not to the OP's problem of NOPASSWD not working.
On Wed, Mar 28, 2012 at 1:17 PM, Mark Haney markh@abemblem.com wrote:
On 03/28/2012 12:02 PM, William Hooper wrote:
On Wed, Mar 28, 2012 at 9:18 AM, Mark Haney markh@abemblem.com wrote:
I'm kinda confused by the sudo problem I'm having. I've edited the main file with visudo to include:
## Allow root to run any commands anywhere
root    ALL=(ALL)       ALL
markh   ALL=(ALL)       NOPASSWD: ALL
Do any of the other lines match the markh user? I believe sudo goes through the file and uses the last matching entry.
Hmm, no, not that I can see. That's the only entry with my username in it.
Are you a member of the "wheel" group? (You are added to this group when you check the "Administrator" checkbox on the user account setup screen that appears on the first reboot after installation.) Check with the `groups` command.
If so, Fedora's default sudoers enables sudo for the wheel group (look for a line starting with %wheel). Try commenting out this line.
-T.C.
Am 28.03.2012 22:20, schrieb Mark Haney:
The only real issue there is I'm usually running multiple consoles and I don't always pay enough attention to keep track of which console is running root. If I use sudo I know that I can't do anything stupid in a console that will trash the system. I may blow up my own crap, but that's why we have backups. And that's why sudo is much safer to use than logging in as root, at least from the command line.
the prompt in linux has supported colors since long ago, which is smarter than guessing from error messages that it was a root command that happily ran with not enough permissions
/root/.bashrc (red prompt):
PS1="\[\033[1;31m\][\u@\h:\w]\$\[\033[0m\] "
~/.bashrc (green prompt):
PS1="\[\033[1;32m\][\u@\h:\w]\$\[\033[0m\] "
i have used the following schema for many years
RED: root on production servers
ORANGE: root on my machines
YELLOW: root on backup machines
GREEN: my user
LIGHTBLUE: buildusers
DARKBLUE: vm hosts
no, i have no good documentation, i googled around for colors i searched :-)
On Wed, 2012-03-28 at 09:18 -0400, Mark Haney wrote:
I'm kinda confused by the sudo problem I'm having. I've edited the main file with visudo to include:
## Allow root to run any commands anywhere
root    ALL=(ALL)       ALL
markh   ALL=(ALL)       NOPASSWD: ALL
Instead of your last line above I have:
akonstam All=(root) NOPASSWD: ALL
and I can issue root commands without a password needed to be entered.
(obviously only the last line was my addition)
But for some reason, it makes no difference at all. I'm still required to input my password. What gives? I've not had this problem before so I don't know where to start.
On Wed, 2012-03-28 at 16:03 -0500, Aaron Konstam wrote:
On Wed, 2012-03-28 at 09:18 -0400, Mark Haney wrote:
I'm kinda confused by the sudo problem I'm having. I've edited the main file with visudo to include:
## Allow root to run any commands anywhere
root    ALL=(ALL)       ALL
markh   ALL=(ALL)       NOPASSWD: ALL
Instead of your last line above I have:
akonstam All=(root) NOPASSWD: ALL
but:
akonstam All=(ALL) NOPASSWD: ALL
also works, so your file should work.
and I can issue root commands without a password needed to be entered.
(obviously only the last line was my addition)
--
I have many CHARTS and DIAGRAMS..
Aaron Konstam telephone: (210) 656-0355 e-mail: akonstam@sbcglobal.net
On 03/28/2012 03:58 PM, James Wilkinson wrote:
Wild guess: try cat -vet /etc/sudoers This should show if you have any unexpected control characters in your file (tab is shown as ^I, and the line feed at the end of a line by $).
Hope this helps,
James.
This is the output of that command. I see nothing odd here:
## Allow root to run any commands anywhere $
root^IALL=(ALL) ^IALL$
markh^IALL=(ALL)^INOPASSWD: ALL$
$
## Same thing without a password$
# %wheel^IALL=(ALL)^INOPASSWD: ALL$
I included the last two lines to show the comparison of the 'NOPASSWD' lines and that they match up.
On 03/28/2012 04:26 PM, T.C. Hollingsworth wrote:
Hmm, no, not that I can see. That's the only entry with my username in it.
Are you a member of the "wheel" group? (You are added to this group when you check the "Administrator" checkbox on the user account setup screen that appears on the first reboot after installation.) Check with the `groups` command.
If so, Fedora's default sudoers enables sudo for the wheel group (look for a line starting with %wheel). Try commenting out this line.
-T.C.
Yes I'm a member of the wheel group. And yes, editing that line with NOPASSWD works. However, that doesn't fix my problem with just my username. I can live with using the group for that, but this problem is bugging me all to hell.
On 03/28/2012 04:27 PM, Reindl Harald wrote:
the prompt in linux has supported colors since long ago, which is smarter than guessing from error messages that it was a root command that happily ran with not enough permissions
/root/.bashrc (red prompt):
PS1="\[\033[1;31m\][\u@\h:\w]\$\[\033[0m\] "
~/.bashrc (green prompt):
PS1="\[\033[1;32m\][\u@\h:\w]\$\[\033[0m\] "
i have used the following schema for many years
RED: root on production servers
ORANGE: root on my machines
YELLOW: root on backup machines
GREEN: my user
LIGHTBLUE: buildusers
DARKBLUE: vm hosts
no, i have no good documentation, i googled around for colors i searched :-)
I'm aware of BASH's use of colors, but, I'm not always at a console that displays colors. (I've not found an Android app that will display them on my Galaxy Tab for instance.)
Besides, I think a healthy dose of paranoia is not a bad thing. If it works for you, that's great. I've found that it's not always good to rely on things like that if you have to access consoles from odd devices like mobile phones.
On 29/03/12 13:53, Mark Haney wrote:
Besides, I think a healthy dose of paranoia is not a bad thing. If it works for you, that's great. I've found that it's not always good to rely on things like that if you have to access consoles from odd devices like mobile phones.
in the short term: whoami
On Thu, 29 Mar 2012 08:48:47 -0400, Mark Haney wrote:
On 03/28/2012 04:26 PM, T.C. Hollingsworth wrote:
Hmm, no, not that I can see. That's the only entry with my username in it.
Are you a member of the "wheel" group? (You are added to this group when you check the "Administrator" checkbox on the user account setup screen that appears on the first reboot after installation.) Check with the `groups` command.
If so, Fedora's default sudoers enables sudo for the wheel group (look for a line starting with %wheel). Try commenting out this line.
-T.C.
Yes I'm a member of the wheel group. And yes, editing that line with NOPASSWD works. However, that doesn't fix my problem with just my username. I can live with using the group for that, but this problem is bugging me all to hell.
I think William Hooper has explained that sudo will look through the conf file and use the last line that matches. So it is quite possible that the line with %wheel comes after the line with your user name, so the conf for wheel (which defaults to password needed) takes precedence.
To fix your issue, you probably should move the line with your user name below the line with %wheel. However, if you have enabled the wheel group, uncommenting the line containing '%wheel ... NOPASSWD' might also be OK. No need to add an additional line.
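The last-match rule Alick and William describe, together with the stray-control-character check James suggests, as a small model in Python. This is an added example, not code from the thread or from sudo itself; the sudoers fragments are constructed, and only user specs of the form ALL / username / %group with plain command paths and the PASSWD/NOPASSWD tags are modelled (no aliases, Runas or host matching). It also accepts the spacing variants discussed in the thread ("NOPASSWD:ALL", "ALL = (ALL)"), which, as Reindl says, are not what decides the outcome.

```python
"""Model of how sudo picks the effective password tag from a sudoers file.

Added example, not sudo's code: only user_spec lines with ALL / user / %group,
plain command paths and the PASSWD/NOPASSWD tags are handled.
"""
import re
from typing import Iterator, List, Optional, Tuple

# Constructed fragment: the OP's NOPASSWD line followed by Fedora's default
# wheel line left un-commented, the order Alick warns about.
SUDOERS_WHEEL_LAST = """\
## Allow root to run any commands anywhere
root\tALL=(ALL) \tALL
markh\tALL=(ALL)\tNOPASSWD: ALL

## Allows people in group wheel to run all commands
%wheel\tALL=(ALL)\tALL
"""

# Constructed fragment: the same entries with the user-specific line moved last.
SUDOERS_USER_LAST = """\
## Allows people in group wheel to run all commands
%wheel\tALL=(ALL)\tALL

## Allow root to run any commands anywhere
root\tALL=(ALL) \tALL
markh\tALL=(ALL)\tNOPASSWD: ALL
"""

TAGS = ("NOPASSWD", "PASSWD", "NOEXEC", "EXEC", "SETENV", "NOSETENV")
TAG_RE = re.compile(r"\b(%s):" % "|".join(TAGS))
# who  host = (runas) commands   (whitespace around '=' is optional)
SPEC_RE = re.compile(r"^(\S+)\s+(\S+?)\s*=\s*(?:\(([^)]*)\)\s*)?(.*)$")
RESERVED = ("Defaults", "User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias")


def control_chars(text: str) -> List[Tuple[int, str]]:
    """The `cat -vet` check: lines holding anything but tab and printable ASCII."""
    bad = []
    for n, line in enumerate(text.split("\n"), 1):
        if any(ch != "\t" and not 0x20 <= ord(ch) <= 0x7E for ch in line):
            bad.append((n, repr(line)))
    return bad


def logical_lines(text: str) -> Iterator[Tuple[int, str]]:
    """Yield (lineno, line) with comments and blanks dropped, continuations joined."""
    buf, start = "", 0
    for n, raw in enumerate(text.split("\n"), 1):
        if not buf:
            start = n
        buf += raw
        if buf.endswith("\\"):           # line continues on the next physical line
            buf = buf[:-1]
            continue
        line, buf = buf.strip(), ""
        if line and not line.startswith("#"):
            yield start, line


def who_matches(who: str, user: str, groups: List[str]) -> bool:
    if who == "ALL":
        return True
    if who.startswith("%"):              # %group; %#gid, #uid and +netgroup not modelled
        return who[1:] in groups
    return who == user


def effective_tag(text: str, user: str, groups: List[str],
                  command: Optional[str] = None) -> Optional[Tuple[int, str]]:
    """Return (lineno, tag) of the LAST user_spec matching user and command.

    sudo uses the last match, so a later plain '%wheel ALL=(ALL) ALL' line
    (default tag PASSWD) wins over an earlier NOPASSWD line for a wheel member.
    command=None means any command; otherwise it is compared as an exact path.
    """
    result = None
    for lineno, line in logical_lines(text):
        if line.startswith(RESERVED):
            continue
        m = SPEC_RE.match(line)
        if not m or not who_matches(m.group(1), user, groups):
            continue
        tag = "PASSWD"                   # sudo's default when no tag is written
        for entry in TAG_RE.sub(r"\1: ", m.group(4)).split(","):
            cmnd = []
            for word in entry.split():
                if word.endswith(":") and word[:-1] in TAGS:
                    if word[:-1] in ("NOPASSWD", "PASSWD"):
                        tag = word[:-1]  # a tag stays in effect for later commands
                else:
                    cmnd.append(word)
            if cmnd and (cmnd[0] == "ALL" or command is None or cmnd[0] == command):
                result = (lineno, tag)
    return result


if __name__ == "__main__":
    member = ["markh", "wheel"]
    print("wheel line last:", effective_tag(SUDOERS_WHEEL_LAST, "markh", member))
    print("user line last: ", effective_tag(SUDOERS_USER_LAST, "markh", member))
    print("stray CR check: ", control_chars("markh\tALL=(ALL)\tNOPASSWD: ALL\r\n"))
```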
Am 29.03.2012 14:53, schrieb Mark Haney:
On 03/28/2012 04:27 PM, Reindl Harald wrote:
the prompt in linux has supported colors since long ago, which is smarter than guessing from error messages that it was a root command that happily ran with not enough permissions
/root/.bashrc (red prompt):
PS1="\[\033[1;31m\][\u@\h:\w]\$\[\033[0m\] "
~/.bashrc (green prompt):
PS1="\[\033[1;32m\][\u@\h:\w]\$\[\033[0m\] "
i have used the following schema for many years
RED: root on production servers
ORANGE: root on my machines
YELLOW: root on backup machines
GREEN: my user
LIGHTBLUE: buildusers
DARKBLUE: vm hosts
no, i have no good documentation, i googled around for colors i searched :-)
I'm aware of BASH's use of colors, but, I'm not always at a console that displays colors. (I've not found an Android app that will display them on my Galaxy Tab for instance.)
ConnectBot can do it on HTC Hero and HTC Desire, i would wonder if not on Galaxy
On 03/29/2012 08:59 AM, Frank Murphy wrote:
On 29/03/12 13:53, Mark Haney wrote:
in the short term: whoami
Yep. Use that a lot. Still doesn't mean I'll always think to run it before doing something. Trust me, I'm one of those 'oooh, something shiny' kinda people. Better safe than sorry. :)
On 03/29/2012 09:13 AM, Alick Zhao wrote:
On Thu, 29 Mar 2012 08:48:47 -0400, Mark Haney wrote:
I think William Hooper has explained that sudo will look through the conf file and use the line that matches. So it is quite possible that the line with %wheel comes after the line with your user name, so the conf for wheel (which default to password needed) takes precedence.
To fix your issue, you probably should move the line with your user name below the line with %wheel. However, if you have enabled wheel group, uncomment the line containing '%wheel ... NOPASSWD' might also be OK. No need to add an additional line.
That's true. However, as I've explained, that line is commented out while I'm debugging the issue with the username. I suppose, if push comes to shove, that I can use an empty sudoers file except for that one line in order to make absolutely certain nothing else is interfering, but since Aaron Konstam verified that it /should/ work as I have it (as well as others) I don't think I need to go that drastic.
The one thing I haven't done is post my entire sudoers file. I will if anyone thinks it'll help.
I'm really not trying to be difficult here, but this is driving me nuts.
On 03/29/2012 09:17 AM, Reindl Harald wrote:
no, i have no good documentation, i googled around for colors i searched :-)
I'm aware of BASH's use of colors, but, I'm not always at a console that displays colors. (I've not found an Android app that will display them on my Galaxy Tab for instance.)
ConnectBot can do it on HTC Hero and HTC Desire, i would wonder if not on Galaxy
The older versions of CB couldn't. It probably can now, and I might actually try it, but I'm comfortable with things as they are, so it's not a showstopper for me.
On 03/29/2012 06:23 AM, Mark Haney wrote:
Yep. Use that a lot. Still doesn't mean I'll always think to run it before doing something. Trust me, I'm one of those 'oooh, something shiny' kinda people. Better safe than sorry. :)
Put the host name into the prompt as well as the username.
On Wed, Mar 28, 2012 at 10:48 PM, Reindl Harald h.reindl@thelounge.net wrote:
Am 28.03.2012 15:43, schrieb suvayu ali:
On Wed, Mar 28, 2012 at 15:35, Reindl Harald h.reindl@thelounge.net wrote:
Am 28.03.2012 15:26, schrieb suvayu ali:
On Wed, Mar 28, 2012 at 15:18, Mark Haney markh@abemblem.com wrote:
markh ALL=(ALL) NOPASSWD: ALL
This should be:
%markh ALL=(ALL) NOPASSWD: ALL
why? this would mean GROUP markh, see examples in /etc/sudoers!
Because I did _mean_ group markh. I had overlooked that you could specify individual users too. Since by default all users belong to a group named after itself, specifying as a group should work too.
one of the odd defaults many are not using
Why should I have a group with the name of my user if it has only one user? Or why should I put the user "caroline" in group "harry", except for chaos?
no idea who invented this silly default, however, do not assume all people are using defaults all the time
It was "invented" by a number of people who understood how to get along without ACLs and capabilities and all the stupid machinery necessary to support them.
Adding ACLs and capabilities to a *nix system is like giving the car owner a rope to tie his car door shut when there's already a perfectly good lock on the door. Or screen doors on a submarine, take your pick.
-- Joel Rees
Am 30.03.2012 13:51, schrieb Joel Rees:
On Wed, Mar 28, 2012 at 10:48 PM, Reindl Harald h.reindl@thelounge.net wrote:
one of the odd defaults many are not using
Why should I have a group with the name of my user if it has only one user? Or why should I put the user "caroline" in group "harry", except for chaos?
no idea who invented this silly default, however, do not assume all people are using defaults all the time
It was "invented" by a number of people who understood how to get along without ACLs and capabilities and all the stupid machinery necessary to support them
Sounds more like you do not understand what ACLs are for.
How could a private user group replace ACLs? If you have different users and groups which need defined permissions you will always need ACLs, because chmod can only reflect the primary group.
To restrict access to a single user you need no ACL; chmod 600 does this for you.
Reindl Harald wrote:
Sounds more like you do not understand what ACLs are for.
How could a private user group replace ACLs? If you have different users and groups which need defined permissions you will always need ACLs, because chmod can only reflect the primary group.
To restrict access to a single user you need no ACL; chmod 600 does this for you.
It was in the old Red Hat Linux manuals (for example, section 6.4.1 of ftp://archive.download.redhat.com/pub/redhat/linux/7.3/en/doc/RH-DOCS/pdf-en/rhl-rg-en.pdf):
IF you want a shared directory (say a project directory) writeable by some but not all users, AND IF you don’t want to use ACLs¹, THEN you need to have that directory and everything in it owned by a suitable group (and set to be group-writeable).
IF you don’t want to have users having to play around with ownership and permissions all the time, THEN you need to have the setgid bit on the folder set (which makes all new files and directories automatically have the appropriate group) AND you need to have umask set to 002 (which makes all new files and directories group-writeable).
From there, it follows that the easiest way to do this is to make 002 the default umask, which means that all new files and directories created by normal users have these permissions. That means that if you want files that only their owner can write to, you need a per-user group.
It makes perfect sense.
James.
¹ This predated Linux ACLs, anyway.
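James's recipe above (a setgid, group-writable project directory plus a 002 umask, which only stays safe for personal files when every user has a private group), exercised on a scratch directory. This is an added example written for this page, not code from the thread or from the Red Hat manual it cites. Everything is created under a mktemp directory, so it runs as an ordinary user without chgrp to a group you may not belong to; the group ids it prints are therefore just your primary group, and `stat -c` is GNU coreutils syntax (BSD and macOS use `stat -f`).

```shell
#!/bin/sh
# Added example (not from the thread): the private-group / setgid-directory
# setup, demonstrated on a throwaway directory as an unprivileged user.

# project_dir_demo ROOT
#   Builds ROOT/project as a setgid group directory, creates one file under
#   umask 002 and one under umask 022, and prints five fields:
#     <dir mode> <umask-002 file mode> <umask-022 file mode> <dir gid> <file gid>
#   The setgid bit is what makes the last two fields equal regardless of the
#   creating user's primary group.
project_dir_demo() {
    root=$1
    mkdir -p "$root/project"
    chmod 2775 "$root/project"            # rwxrwsr-x: group-writable + setgid

    old_umask=$(umask)
    umask 002                             # the Red Hat default with private groups
    : > "$root/project/shared.txt"        # created as -rw-rw-r--
    umask 022                             # the common default elsewhere
    : > "$root/project/strict.txt"        # created as -rw-r--r--
    umask "$old_umask"

    printf '%s %s %s %s %s\n' \
        "$(stat -c %a "$root/project")" \
        "$(stat -c %a "$root/project/shared.txt")" \
        "$(stat -c %a "$root/project/strict.txt")" \
        "$(stat -c %g "$root/project")" \
        "$(stat -c %g "$root/project/shared.txt")"
}

# private_group_status
#   Prints "private" when the caller's primary group is named after the user
#   (the Fedora/Red Hat default the thread argues about) and "shared" otherwise.
#   With "shared", a 002 umask hands group write on every new file to whoever
#   else is in that group, which is the risk the private-group scheme avoids.
private_group_status() {
    if [ "$(id -un)" = "$(id -gn)" ]; then echo private; else echo shared; fi
}

# Usage: run the demo in a scratch directory and clean up.
demo=$(mktemp -d)
echo "dir/file modes and gids: $(project_dir_demo "$demo")"   # e.g. "2775 664 644 1000 1000"
echo "primary group scheme:    $(private_group_status)"
rm -rf "$demo"
```

The first three fields show the two halves of the recipe working together: the directory itself carries the setgid bit (2775), the file created under umask 002 is group-writable (664), and the one created under the usual 022 is not (644). The last two fields being equal is the setgid inheritance; on a real project directory you would first `chgrp project "$dir"` so that the inherited group is the project's, not your own.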
On Sat, Mar 31, 2012 at 4:39 AM, James Wilkinson fedora@aprilcottage.co.uk wrote:
Reindl Harald wrote:
Sounds more like you do not understand what ACLs are for.
How could a private user group replace ACLs? If you have different users and groups which need defined permissions you will always need ACLs, because chmod can only reflect the primary group.
To restrict access to a single user you need no ACL; chmod 600 does this for you.
It was in the old Red Hat Linux manuals (for example, section 6.4.1 of ftp://archive.download.redhat.com/pub/redhat/linux/7.3/en/doc/RH-DOCS/pdf-en/rhl-rg-en.pdf):
IF you want a shared directory (say a project directory) writeable by some but not all users, AND IF you don’t want to use ACLs¹, THEN you need to have that directory and everything in it owned by a suitable group (and set to be group-writeable).
IF you don’t want to have users having to play around with ownership and permissions all the time, THEN you need to have the setgid bit on the folder set (which makes all new files and directories automatically have the appropriate group) AND you need to have umask set to 002 (which makes all new files and directories group-writeable).
From there, it follows that the easiest way to do this is to make 002 the default umask, which means that all new files and directories created by normal users have these permissions. That means that if you want files that only their owner can write to, you need a per-user group.
It makes perfect sense.
James.
¹ This predated Linux ACLs, anyway.
And, of course, there are plenty of other ways to use per-user groups, once you get your head around the idea that there is no one-to-one relationship between user-ids and physical users.
One thing we didn't write back then, that we should have, was a sub-user tool similar to the user tool --
subuser add/edit/delete/etc
It would have to incorporate user types, implicit/default quota heuristics and other stuff that we didn't want to deal with then, but find ourselves dealing with now, and it would use the setuid bit, so each user could set up and get rid of his/her own private user/group combos. Combine that with sudo, and we could have had sandboxed apps years and years ago. (With a bit of work, but not near what ACLs and their ilk cost us.)
That was the unix way, and we have parted from it to our detriment.
-- Joel Rees
On Fri, 2012-03-30 at 20:39 +0100, James Wilkinson wrote:
From there, it follows that the easiest way to do this is to make 002 the default umask, which means that all new files and directories created by normal users have these permissions. That means that if you want files that only their owner can write to, you need a per-user group.
It always struck me that personal files ought to have no group or world permissions set by default. If you wanted your files to have those extra permission set, then it ought to be done as a deliberate choice.