LinuxQuestions.org


tezarin 03-28-2012 08:38 AM

Can sudoer see root password?
 
Hi all,

I added one of my users to the wheel group then in the sudoer file gave the group wheel access to everything:

%wheel ALL=(ALL) NOPASSWD: ALL

Does this mean that user can see what the root password is, etc? How dangerous could it be?

Thanks

ozanbaba 03-28-2012 08:45 AM

A sudoer can't see the password. At most he can reach the encrypted password. But giving full root access with NOPASSWD is much more dangerous than him finding out the root password. In the first place, he can do anything root can.

TobiSGD 03-28-2012 09:28 AM

Regardless of whether you use NOPASSWD or not, giving sudo rights to a user in the "Ubuntu way", like you did, basically makes that user root. While he can't see the root password, it is absolutely no problem for the user to change that password. If you want a user to just do some administrative tasks, you have to restrict the user to the applications he needs for that task. But keep in mind that this can be quite difficult. For example, if you enable a user to start vim for editing configuration files as root, it is no problem to start a shell as root from within vim.

tezarin 03-28-2012 11:34 AM

Thanks, will remove him immediately and change all the passwords.

pan64 03-28-2012 12:32 PM

Just to add some points: root has the right to do anything, for example to install a keylogger, to add special rights to a given user, to change passwords, modify crontab and a lot of other things (which I have already seen). So actually even the root user cannot see his own password, but that will not restrict him anyway.
If someone needs additional rights, you would do better to extend them by only allowing execution of the given file...

tezarin 04-03-2012 08:13 AM

Quote:

Originally Posted by pan64 (Post 4638935)
Just to add some points: root has the right to do anything, for example to install a keylogger, to add special rights to a given user, to change passwords, modify crontab and a lot of other things (which I have already seen). So actually even the root user cannot see his own password, but that will not restrict him anyway.
If someone needs additional rights, you would do better to extend them by only allowing execution of the given file...

Thank you. I took that person off the sudoer list and changed all the passwords. Hope he hasn't created any other users or ways to get into the system.

linuxlover.chaitanya 04-03-2012 08:37 AM

Don't hope or assume. Check it for yourself and confirm. If someone had full sudo access to your server with the NOPASSWD option, you are at his mercy, and that user showed mercy to you by not changing any passwords or very critical system files and folders or permissions. Check the system for unwanted users or services. And don't be at the mercy of someone else.

tezarin 04-05-2012 11:57 AM

Quote:

Originally Posted by linuxlover.chaitanya (Post 4643630)
Don't hope or assume. Check it for yourself and confirm. If someone had full sudo access to your server with the NOPASSWD option, you are at his mercy, and that user showed mercy to you by not changing any passwords or very critical system files and folders or permissions. Check the system for unwanted users or services. And don't be at the mercy of someone else.

You're right. But how can I check that? The password stayed the same, the sudoer file was not changed, I disabled the wheel group. His username is inside the sudoer file and shows the same thing as before: ALL = (DB) NOPASSWD: ALL

How can I see if he created a new username or has changed any of the files?

This is the /etc/passwd file. Two of the users already left the company, so I marked them as OLD USERS for this post and just deleted them now. Also, you can see his username; not sure what permissions he has right now.

Code:

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
rpm:x:37:37::/var/lib/rpm:/sbin/nologin
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
netdump:x:34:34:Network Crash Dump user:/var/crash:/bin/bash
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
rpc:x:32:32:Portmapper RPC user:/:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin
smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin
pcap:x:77:77::/var/arpwatch:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
squid:x:23:23::/var/spool/squid:/sbin/nologin
webalizer:x:67:67:Webalizer:/var/www/usage:/sbin/nologin
xfs:x:43:43:X Font Server:/etc/X11/fs:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
gdm:x:42:42::/var/gdm:/sbin/nologin
pvm:x:24:24::/usr/share/pvm3:/bin/bash
dovecot:x:97:97:dovecot:/usr/libexec/dovecot:/sbin/nologin
mailman:x:41:41:GNU Mailing List Manager:/usr/lib/mailman:/sbin/nologin
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
amanda:x:33:6:Amanda user:/var/lib/amanda:/bin/bash
OLD USER1:x:500:500:John Wiley:/home/jw:/bin/tcsh
OLD USER2:x:501:100::/home/chad:/bin/tcsh
HIS USERNAME:x:502:100::/home/jparikh:/bin/tcsh
ANOTHER USERNAME:x:503:100::/home/vnguyen:/bin/tcsh


linuxlover.chaitanya 04-05-2012 10:40 PM

If you have already deleted the users, then don't worry. They won't have any more access to your system with their logins. And if you are sure that they have not changed any password and there are no users created or unwanted services running, you should be fine. BUT using sudo with the NOPASSWD option is really very dangerous, and that too for all the commands. You could configure sudo to allow only certain commands with no password. I would suggest you make sure that the user actually needs full root access on the server before granting the rights.

tezarin 04-06-2012 08:20 AM

Quote:

Originally Posted by linuxlover.chaitanya (Post 4645965)
If you have already deleted the users, then don't worry. They won't have any more access to your system with their logins. And if you are sure that they have not changed any password and there are no users created or unwanted services running, you should be fine. BUT using sudo with the NOPASSWD option is really very dangerous, and that too for all the commands. You could configure sudo to allow only certain commands with no password. I would suggest you make sure that the user actually needs full root access on the server before granting the rights.

Thanks. Can you please have a look at the users list I posted above and see if you see any user aside from root and system users? And how can I check for unwanted services?

Thanks

linuxlover.chaitanya 04-06-2012 08:25 AM

From the list above, as far as I can see, only the bottom four users are the ones I can't identify, and most probably they are manually added. You should be fine with those. As for the services, you could check your system with the ps and top commands to find out what services are running.
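The checks asked for in this exchange (extra root-level accounts, unexpected login accounts, sudo rules that grant every command) as an added example script; it is not code from the thread. Each function takes a file path, so it can be run against /etc/passwd and /etc/sudoers directly or against copies; the sample files below are constructed for a self-contained run.

```shell
#!/bin/sh
# Added example, not code from the thread: a small audit for the checks the
# posts above ask for (extra root-level accounts, unexpected login accounts,
# sudo rules that grant every command). Each function takes a file path, so it
# can be run against /etc/passwd and /etc/sudoers directly or against copies.
# The inputs below are constructed for a self-contained run.

# Accounts with UID 0 other than "root": each one is a second root account.
extra_uid0() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Interactive, non-system accounts: UID >= 500 (the RHEL-era convention in the
# passwd dump above; modern distributions start at 1000) with a real shell.
login_accounts() {
    awk -F: '$3 >= 500 && $3 != 65534 && $7 !~ /(nologin|false)$/ { print $1 }' "$1"
}

# sudoers entries whose command list is ALL, i.e. full root equivalence,
# with or without NOPASSWD (root's own entry is skipped).
unrestricted_sudo() {
    sed 's/#.*//' "$1" | awk '/=/ && $NF == "ALL" && $1 != "root" { print $1 }'
}

# Constructed sample files (the real ones are /etc/passwd and /etc/sudoers).
TMP=$(mktemp -d)
cat > "$TMP/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
jparikh:x:502:100::/home/jparikh:/bin/tcsh
toor:x:0:0:constructed second UID-0 account:/root:/bin/bash
EOF
cat > "$TMP/sudoers" <<'EOF'
Defaults requiretty
root ALL=(ALL) ALL
%wheel ALL=(ALL) NOPASSWD: ALL        # the rule from the first post
jparikh ALL = (DB) NOPASSWD: ALL      # the per-user rule quoted later
david ALL=(DB) NOPASSWD: /usr/bin/mysql
EOF

echo "== UID 0 accounts besides root ==";  extra_uid0 "$TMP/passwd"
echo "== login accounts (UID >= 500) ==";  login_accounts "$TMP/passwd"
echo "== sudo rules granting ALL ==";      unrestricted_sudo "$TMP/sudoers"
# For services, use "ps -ef" (or "ps aux"): a bare "ps", as in the post above,
# lists only the processes attached to the current terminal.
```

On the real system, also compare the output against what you expect to be there (known admins, the wheel rule you removed) rather than only looking for obviously odd names.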

tezarin 04-06-2012 08:51 AM

Quote:

Originally Posted by linuxlover.chaitanya (Post 4646389)
From the list above, as far as I can see, only the bottom four users are the ones I can't identify, and most probably they are manually added. You should be fine with those. As for the services, you could check your system with the ps and top commands to find out what services are running.

Thanks much. I have deleted all those manually-added users. Ran ps and got nothing fishy:
Code:

[root@servername~]# ps
  PID TTY          TIME CMD
26408 pts/1    00:00:00 bash
26442 pts/1    00:00:00 ps

The top command also showed only normal stuff.

Thanks to you, I feel safe now.

Regards

linuxlover.chaitanya 04-07-2012 07:52 AM

Good to hear that.

tezarin 04-11-2012 08:09 AM

Thanks for your help.

That user asked me to create a username for a co-worker and give him permission to:

1) Run MySQL
2) Read /var/www

This is what I did:

Code:

# -d sets the home directory (-D would print or change the useradd defaults instead)
useradd -d /home/david -G users david
passwd david

Then I tried to su as david and got this error:

Code:

bash: /home/david/.bashrc: Permission denied
And then I would get the bash and not shell.

I fixed it by running this:
Code:

chmod 777 /home/david

Now, will adding this
Code:

ALL = (DB) NOPASSWD: ALL
to the sudoer file take care of the first requirement, which is running mysql?

Also, how can I give him access to read a directory? I'm showing that the directory he has requested to read already has these permissions: lrwxrwxrwx 1 root root 16 Feb 27 2005 www -> /depot/raid0/www

Thanks,
t
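An added example (not code from the thread or from any of the posters) that reworks the three steps of this last post into least-privilege form, and also shows where TobiSGD's editor caveat above lands in a restricted sudo rule. It assumes the account is "david", the runas user is "DB" (as in the thread), the client binary is /usr/bin/mysql and the read-only group is called "webread"; the demo runs on a temporary tree, so no root is needed.

```shell
#!/bin/sh
# Added example, not code from the thread. It reworks the last post's setup into
# least-privilege form: a home directory that is not world-writable, read access
# to /var/www through a group instead of chmod 777, and a sudo rule limited to a
# single command instead of "ALL = (DB) NOPASSWD: ALL". Assumptions: the account
# is "david", the runas user is "DB" (as in the thread), the client binary is
# /usr/bin/mysql and the read-only group is called "webread".

# Real deployment (needs root). "useradd -D" shows/sets defaults; -d and -m set
# and create the home directory with sane ownership, so no chmod 777 is needed:
#   useradd -m -d /home/david -G users,webread david && passwd david
#   chmod 750 /home/david      # owner: all; group: read/traverse; others: none

# Give one group read-only access to a tree; "others" get nothing at all.
grant_group_read() {   # $1 = directory, $2 = group name
    chgrp -R "$2" "$1"
    find "$1" -type d -exec chmod 2750 {} +   # setgid: new files keep the group
    find "$1" -type f -exec chmod 0640 {} +
}

# Returns 0 (true) if anything under the tree is readable or writable by others.
world_accessible() {   # $1 = directory
    [ -n "$(find "$1" -perm -004 -o -perm -002 | head -n 1)" ]
}

# Write a sudoers fragment allowing exactly one command as the DB user.
# No wildcard ("/usr/bin/mysql *" would accept any argument), and no editor or
# shell in the list: as noted above, vim run as root gives a root shell, so
# config files are edited with sudoedit, which runs the editor unprivileged.
write_mysql_rule() {   # $1 = output path, normally /etc/sudoers.d/david
    printf '%s\n' 'david ALL=(DB) NOPASSWD: /usr/bin/mysql' > "$1"
    chmod 0440 "$1"
    # Syntax check when visudo exists; it also complains about non-root owners,
    # so the result is reported rather than treated as fatal in this demo.
    if command -v visudo >/dev/null 2>&1; then visudo -c -f "$1" || true; fi
}

# Constructed demo on a temporary tree, no root required.
DEMO=$(mktemp -d)
mkdir -p "$DEMO/www/site" && echo '<h1>hi</h1>' > "$DEMO/www/site/index.html"
chmod -R 777 "$DEMO/www"                    # the state chmod 777 leaves behind
grant_group_read "$DEMO/www" "$(id -gn)"    # demo uses the caller's own group
write_mysql_rule "$DEMO/sudoers-david"
world_accessible "$DEMO/www" && echo "still world-accessible" || echo "www: group-only"
```

Note that /var/www in the post is a symlink to /depot/raid0/www, so the group change has to be applied to the target tree, not to the link.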