Can sudoer see root password?
Hi all,
I added one of my users to the wheel group, then in the sudoers file gave the group wheel access to everything: Code:
%wheel ALL=(ALL) NOPASSWD: ALL
Does this mean that user can see what the root password is, etc.? How dangerous could it be? Thanks |
A sudoer can't see the password. At most he can get to the encrypted password. But giving full root access with NOPASSWD is much more dangerous than him finding out the root password. In the first place, he can do anything root can.
|
Regardless of whether you use NOPASSWD or not, giving sudo rights to a user in the "Ubuntu way", like you did, basically makes that user root. While he can't see the root password, it is absolutely no problem for the user to change that password. If you want a user to just do some administrative tasks, you have to restrict the user to the applications he needs for that task. But keep in mind that this can be quite difficult. For example, if you enable a user to start vim for editing configuration files as root, it is no problem to start a shell as root from within vim.
|
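As an added illustration of the two points above (a `NOPASSWD: ALL` grant is simply root, and a "narrow" grant on an editor is not narrow at all), here is a small audit script that flags both patterns in a sudoers-style rule set. It is not code from the thread; the rule set, the user name `david` and the file names are constructed for the example.

```sh
#!/bin/sh
# Added example (not from the original thread): audit sudoers-style rules for
# grants that amount to unrestricted root, including editors that can spawn a
# shell. The rules below are constructed; user and file names are assumptions.
SAMPLE_SUDOERS='# full root with no password prompt: the user *is* root
%wheel ALL=(ALL) NOPASSWD: ALL
# looks narrow, but vim running as root can run :!sh or :shell
david ALL=(root) NOPASSWD: /usr/bin/vim /etc/my.cnf
# safer: sudoedit edits a copy and runs the editor as the calling user
david ALL=(root) sudoedit /etc/my.cnf
# narrow: one specific action, which is all the task needs
david ALL=(root) NOPASSWD: /sbin/service mysqld restart'

# Drop comment lines so the patterns only see live rules.
live_rules() {
  printf '%s\n' "$1" | grep -v '^[[:space:]]*#'
}

# Rules whose command list is just ALL, with or without NOPASSWD.
full_root_rules() {
  live_rules "$1" | grep -E '(:|\))[[:space:]]*ALL[[:space:]]*$'
}

# Rules that run an interactive editor or pager as root without NOEXEC;
# each of these can start a root shell from inside the program.
editor_escape_rules() {
  live_rules "$1" | grep -E '/(vim?|nano|emacs|less|more)([[:space:]]|$)' | grep -v NOEXEC
}

count_full_root()      { full_root_rules "$1" | grep -c .; }
count_editor_escapes() { editor_escape_rules "$1" | grep -c .; }

# Usage against the constructed rule set; on a real box feed it the output
# of `cat /etc/sudoers /etc/sudoers.d/*` and run `visudo -c -f FILE` before
# installing any rewritten file.
full_root_rules "$SAMPLE_SUDOERS"
editor_escape_rules "$SAMPLE_SUDOERS"
```

Two caveats on the fix. Adding the `NOEXEC` tag stops vim from spawning a shell, but vim running as root can still write any file, `/etc/sudoers` included, so `sudoedit` (or restricting the rule to a single non-interactive command) is the real answer. And an editor is only the obvious case: most tools that can write a file or execute a program as root (`tar`, `find -exec`, `cp`, interpreters) give the same result.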
Thanks, will remove him immediately and change all the passwords.
|
Just to add some points: root has the right to do anything, for example to install a keylogger, to add special rights to a given user, to change passwords, modify crontab and a lot of other things (which I have already seen). So actually even the root user cannot see his own password, but that will not restrict him anyway.
If someone needs additional rights, you had better extend them by only allowing execution of the given file... |
|
Don't hope or assume. Check it for yourself and confirm. If someone had full sudo access to your server with the NOPASSWD option, you are at his mercy, and that user showed mercy to you by not changing any passwords or very critical system files, folders or permissions. Check the system for unwanted users or services. And don't be at the mercy of someone else.
|
How can I see if he created a new username or has changed any of the files? This is the /etc/passwd file. Two of the users already left the company, so I marked them as OLD USERS for this post and just deleted them now. Also, you can see his username; not sure what permissions he has right now. Code:
root:x:0:0:root:/root:/bin/bash |
If you have already deleted the users, then don't worry. They won't have any more access to your system with their logins. And if you are sure that they have not changed any password and there are no users created or unwanted services running, you should be fine. BUT using sudo with the NOPASSWD option is really very dangerous, and that too for all the commands. You could configure sudo to allow only certain commands with no password. I would suggest you make sure that user actually needs full root access on the server before granting the rights.
|
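The advice in the two replies above (look for unwanted users, changed passwords and unwanted services) can be made concrete. The script below is an added example, not from the thread: it checks a passwd file for the things that matter after someone has held passwordless root, and lists the other places such a user leaves persistence. The passwd data is constructed (only the root line in the thread is real), and the UID 500 cut-off follows the Red Hat convention of that era; newer systems start human accounts at 1000.

```sh
#!/bin/sh
# Added example (not from the original thread). Sample passwd data is
# constructed; the 500 cut-off is an assumption (Red Hat of that era).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
toor:x:0:0:backup admin:/root:/bin/bash
david:x:501:100::/home/david:/bin/bash'

# Any UID-0 account besides root is a second root login, whatever its name.
extra_uid0_accounts() {
  printf '%s\n' "$1" | awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# System accounts should not have an interactive shell; one that does is a
# candidate backdoor (or a sloppy package install, but worth asking about).
system_accounts_with_shell() {
  printf '%s\n' "$1" | awk -F: '$3 < 500 && $3 != 0 && $7 !~ /(nologin|false)$/ { print $1 }'
}

# Human accounts: compare this list against the people who should exist.
human_accounts() {
  printf '%s\n' "$1" | awk -F: '$3 >= 500 && $3 != 65534 { print $1 }'
}

# The same checks on the live system, plus the usual persistence spots.
audit_live() {
  passwd_data=$(cat /etc/passwd)
  extra_uid0_accounts "$passwd_data"
  system_accounts_with_shell "$passwd_data"
  human_accounts "$passwd_data"
  # sudo grants that survive the user's removal
  grep -rE 'NOPASSWD|ALL=\(ALL\)' /etc/sudoers /etc/sudoers.d 2>/dev/null
  # scheduled jobs and SSH keys planted anywhere, including root's
  ls -la /etc/cron.d /var/spool/cron 2>/dev/null
  find / -xdev -name authorized_keys 2>/dev/null
  # listening services: better than a bare `ps`, which only shows your own tty
  netstat -tlnp 2>/dev/null || ss -tlnp
  ps -ef
  # on RPM systems: files that no longer match their package (S size, M mode,
  # 5 checksum on a binary in /bin or /sbin deserve a close look)
  command -v rpm >/dev/null && rpm -Va 2>/dev/null
}

extra_uid0_accounts "$SAMPLE_PASSWD"
system_accounts_with_shell "$SAMPLE_PASSWD"
```

The one thing these checks cannot tell you is whether the user replaced a binary or kernel module so that `ps`, `netstat` and `rpm` themselves lie; if that is a realistic worry, the honest answer is to rebuild, not to audit.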
Thanks |
From the list above, as far as I can see, only the bottom four users are the ones I can't identify, and most probably they were added manually. You should be fine. As for the services, you could check your system with the ps and top commands to find out what services are running.
|
Code:
[root@servername~]# ps
Thanks to you, I feel safe now. Regards |
Good to hear that.
|
Thanks for your help.
That user asked me to create a username for a co-worker and give him permission to: 1) Run MySQL 2) Read /var/www. This is what I did: Code:
useradd david -d /home/david -G users
passwd david
Then I tried to su as david and got this error: Code:
bash: /home/david/.bashrc: Permission denied
I fixed it by running this: Code:
chmod 777 /home/david
Now, will adding this Code:
ALL = (DB) NOPASSWD: ALL
Also, how can I give him access to read a directory? I'm showing that the directory he has requested to read already has these permissions: Code:
lrwxrwxrwx 1 root root 16 Feb 27 2005 www -> /depot/raid0/www
Thanks, t |
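The last question goes unanswered in the thread, so here is an added example (not from the original post) of the least-privilege version of the request: read access to the web tree through a group, a private home directory instead of `chmod 777`, and a sudo rule limited to one command. The group name `webread`, the `service mysqld restart` command and the home path are assumptions; only `david` and `/var/www -> /depot/raid0/www` come from the post.

```sh
#!/bin/sh
# Added example (not from the original thread): grant read access to the web
# tree and one MySQL action without chmod 777 and without NOPASSWD: ALL.
# Group name, service command and home path are assumptions.
SITE_GROUP=webread
WEB_DIR=/var/www   # symlink to /depot/raid0/www on the original box
USER_NAME=david

# 0 if "others" may write to the path (symlinks resolved), else 1.
world_writable() {
  [ "$(ls -ldL "$1" | cut -c9)" = "w" ]
}

# 0 if "others" may read the path, else 1.
world_readable() {
  [ "$(ls -ldL "$1" | cut -c8)" = "r" ]
}

# Needs root; shown as the procedure, not run by the checks above.
grant_read_only_web() {
  groupadd -f "$SITE_GROUP"
  usermod -a -G "$SITE_GROUP" "$USER_NAME"
  # trailing slash makes -R follow the /var/www symlink into the real tree
  chgrp -R "$SITE_GROUP" "$WEB_DIR/"
  # g+rX: group reads files and traverses directories; o-w: nobody else
  # writes. "other" read is left alone so a web server running as its own
  # user keeps working.
  chmod -R g+rX,o-w "$WEB_DIR/"
  # The .bashrc error came from a home directory the user could not read.
  # Fix ownership and keep it private: 777 lets every local user edit his
  # .bashrc, i.e. run commands as him at his next login.
  chown -R "$USER_NAME": "/home/$USER_NAME"
  chmod 700 "/home/$USER_NAME"
}

# If "run MySQL" means restarting the server, this single line is the whole
# sudo grant. If it means the mysql client, no sudo is needed at all: give
# him a MySQL account with the privileges he needs and nothing on the OS side.
SUDOERS_LINE="$USER_NAME ALL=(root) NOPASSWD: /sbin/service mysqld restart"

# Self-check on a scratch directory (no root needed).
d=$(mktemp -d)
chmod 750 "$d"
world_writable "$d" && echo "unexpected: $d is world-writable"
rmdir "$d"
```

Put the sudoers line in with `visudo`, never by editing `/etc/sudoers` directly, and run `world_writable /home/david` after the change as a quick confirmation that the 777 is gone.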