Linux - DesktopThis forum is for the discussion of all Linux Software used in a desktop context.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
Have you made no progress in your learning since your first question? And you do realize what you're asking for is pointless, right?? Because if you give a user you don't trust with OTHER root commands the ability to change root's password, you have essentially given them FULL ACCESS TO THE SYSETM, whenever they want it. They can just run "sudo passwd root", put in a new password, then log in AS ROOT. From there, they can remove ALL traces of what they did, and do whatever they want...including editing the sudoers file, creating new root-level users, etc.
...which will let them change anyone ELSES passwd but root. Still, though...horribly insecure, and if you don't trust the user to do other root functions, giving them ANY root privileges at all is risky.
...which will let them change anyone ELSES passwd but root. Still, though...horribly insecure, and if you don't trust the user to do other root functions, giving them ANY root privileges at all is risky.
1. I don't see any reason to use the NOPASSWD option.
2. The whole point of using sudo is to give a user only some privileges that usually belong to root. May you please explain why this is horribly insecure?
1. I don't see any reason to use the NOPASSWD option.
Well, that was the option I had in the example I posted. No real REASON to, and it's totally optional.
Quote:
2. The whole point of using sudo is to give a user only some privileges that usually belong to root. May you please explain why this is horribly insecure?
To me (and I'm fully prepared to admit I may be paranoid about such things), is that the above setup will let the user change ANYONE'S password, except root. If another user is in the sudoers file with more access, the user can now log in as THEM, get a root shell/run other commands, and have a field day. There may be others users set up as group 0 (I know...but it COULD happen), and the same applies.
I *NEVER* give sudo rights to ANYONE for ANYTHING, unless I know I can trust them on the system. It does create more work at times, but keeps me from having to undo damage and answer questions to auditors...I feel it's worth the tradeoff.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
wants to provide sudo access
