LinuxQuestions.org
Old 03-09-2011, 03:30 AM   #1
fossilet
Member
 
Registered: Jul 2004
Location: Beijing, China
Distribution: Ubuntu, Fedora, CentOS
Posts: 33

Rep: Reputation: 0
Total access to the system


I encounter a questionable question again:

How can you give total access to the system to a user other than root?

* Make the user a member of the root group.
* Change the UID of the user to 0.
* Add the user to the /etc/sudoers file.

I think none of these are correct answers. Am I right or wrong? Please comment.
 
Old 03-09-2011, 03:34 AM   #2
corp769
LQ Guru
 
Registered: Apr 2005
Location: /dev/null
Posts: 5,818

Rep: Reputation: 1007
A UID of 0 is root; you can't give that to a normal user. Pretty much what you are saying is to log in as root.... Adding your user to the sudoers file is the way to go.

Cheers,

Josh
 
Old 03-09-2011, 03:41 AM   #3
fossilet
Member
 
Registered: Jul 2004
Location: Beijing, China
Distribution: Ubuntu, Fedora, CentOS
Posts: 33

Original Poster
Rep: Reputation: 0
Seems the last one is the most relevant answer. Maybe I am just paranoid. I think just adding the user to /etc/sudoers is not enough, you must write it properly to give it all privileges.
 
Old 03-09-2011, 03:50 AM   #4
fossilet
Member
 
Registered: Jul 2004
Location: Beijing, China
Distribution: Ubuntu, Fedora, CentOS
Posts: 33

Original Poster
Rep: Reputation: 0
Although usermod cannot change a normal user's UID to 0, editing /etc/passwd directly can do this. Logout and login, the normal user just becomes root. So, the second answer may also be correct?

I see this question from Redhat Skills Assessment from their web page.
 
Old 03-09-2011, 04:05 AM   #5
corp769
LQ Guru
 
Registered: Apr 2005
Location: /dev/null
Posts: 5,818

Rep: Reputation: 1007
Yes, but now you need to think about this.... Why give someone else full system rights, when you have root that does already? Can't you share the root account if you need two system administrators? To do what you want to do is technically pointless.
 
Old 03-09-2011, 04:07 AM   #6
corp769
LQ Guru
 
Registered: Apr 2005
Location: /dev/null
Posts: 5,818

Rep: Reputation: 1007
But I do see what you are saying though; If you really want to do that, you could edit the /etc/passwd directly like you said and drop 0 UID to each user you need to.
 
Old 03-09-2011, 04:09 AM   #7
fossilet
Member
 
Registered: Jul 2004
Location: Beijing, China
Distribution: Ubuntu, Fedora, CentOS
Posts: 33

Original Poster
Rep: Reputation: 0
Just be pedantic at the question. In practice, sure we won't do that, which will bring more trouble.
 
Old 03-09-2011, 04:14 AM   #8
corp769
LQ Guru
 
Registered: Apr 2005
Location: /dev/null
Posts: 5,818

Rep: Reputation: 1007
Quote:
Originally Posted by fossilet View Post
Just be pedantic at the question. In practice, sure we won't do that, which will bring more trouble.
What do you mean?

And I posted for a second time right before you posted that, not sure if you read that or not.
 
Old 03-09-2011, 04:23 AM   #9
fossilet
Member
 
Registered: Jul 2004
Location: Beijing, China
Distribution: Ubuntu, Fedora, CentOS
Posts: 33

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by corp769 View Post
What do you mean?

And I posted for a second time right before you posted that, not sure if you read that or not.
That question is not from my needs, but a question from Redhat Skills Assessments.

I mean I won't change a normal user's UID to 0 even if I can. You might mean the whole question. I think it is still useful to do that. In practice, I grant all privileges to a normal user in /etc/sudoers to avoid always logging in as root. Maybe there are better and safer practices?
 
Old 03-09-2011, 07:14 AM   #10
doomloard
LQ Newbie
 
Registered: Mar 2011
Posts: 14

Rep: Reputation: 0
I personally use /etc/sudoers and have a group I have created in there, and only assign the users that need the rights to that group. It saves me from having to go into the file every time and gives me better control over who is there, as I can quickly and easily see who is in the group, and I know that group and that group only has rights to use sudo. Mind you, this may be a bit high on the admin side, setting up a group, but I feel this would be the safer way. I might be wrong about it, and if I am, please someone correct me. Also, for anyone that is interested, you might want to read up on the best practices for sudo:

http://www.linuxplanet.com/linuxplan...orials/7165/1/
 
Old 03-09-2011, 09:48 AM   #11
fossilet
Member
 
Registered: Jul 2004
Location: Beijing, China
Distribution: Ubuntu, Fedora, CentOS
Posts: 33

Original Poster
Rep: Reputation: 0
Thanks for the link. I see the default configuration for Ubuntu and Fedora both using a group for sudoers. Only users in that group can gain root privileges, respectively the admin and wheel groups. But privileges are not fine-grained. I think that should be enough for Desktop usages, but may not for a cluster of servers.
 
Old 03-10-2011, 08:56 AM   #12
doomloard
LQ Newbie
 
Registered: Mar 2011
Posts: 14

Rep: Reputation: 0
Quote:
Originally Posted by fossilet View Post
But privileges are not fine-grained. I think that should be enough for Desktop usages, but may not for a cluster of servers.
That is right, by default the sudoers file is set up to give the group admin ALL; however, you can specify what commands a user is allowed to run. For instance, if I were to make a group called tech, I could say they are allowed to run all commands except for the su command as sudo. I would put the following in my sudoers file.

Code:
Cmnd_Alias        ADMIN = /bin/,\
                          !/bin/su,\
                          /usr/bin/,\
                          /usr/sbin/groupadd,\
                          /usr/sbin/alternatives
root    ALL=(ALL) ALL
%tech   ALL=(ALL) ADMIN
This will restrict users in the tech group from using sudo to run the su command, but it can be further specified: you could specify only the commands you want the user to use, but this will become a big job for your admin team.

Last edited by doomloard; 03-10-2011 at 09:02 AM.
 
Old 03-11-2011, 03:42 AM   #13
fossilet
Member
 
Registered: Jul 2004
Location: Beijing, China
Distribution: Ubuntu, Fedora, CentOS
Posts: 33

Original Poster
Rep: Reputation: 0
Why doesn't this work? sysop can still visudo or su.

Code:
# User alias specification
User_Alias  OPERATOR = sysop, ljw
# Cmnd alias specification
Cmnd_Alias  ADMIN = !/bin/su, !/usr/sbin/visudo
# User privilege specification
root    ALL=(ALL) ALL

# Uncomment to allow members of group sudo to not need a password
# (Note that later entries override this, so you might need to move
# it further down)
# %sudo ALL=NOPASSWD: ALL
pyz     ALL=(ALL) ALL
OPERATOR     1.2.3.4 = ALL, ADMIN
But if I change it to the below, it will work:

Code:
# User alias specification
User_Alias  OPERATOR = sysop, ljw
# Cmnd alias specification
Cmnd_Alias  ADMIN = /bin/su, /usr/sbin/visudo
# User privilege specification
root    ALL=(ALL) ALL

# Uncomment to allow members of group sudo to not need a password
# (Note that later entries override this, so you might need to move
# it further down)
# %sudo ALL=NOPASSWD: ALL
pyz     ALL=(ALL) ALL
OPERATOR     1.2.3.4 = ALL, !ADMIN
 
Old 03-14-2011, 05:25 AM   #14
doomloard
LQ Newbie
 
Registered: Mar 2011
Posts: 14

Rep: Reputation: 0
Please give me a bit to go over this and look at my system to see why this would not work. I will edit once I come back with an answer. That is a strange issue. Just for reference, what dist are you using? What groups do you have sysop in as well? Sorry about the delay, I took the weekend off to go surf.

I have been testing it a bit. Please ignore the user name being misspelled; I had gotten the user created and, well, I did not feel like deleting it and recreating it just for a misspelling, since it is only a test.

I set up a user sysyop and put this user in the admin group, giving it all sudo commands, then changed the sudoers file as shown below.

The first code I tried, just as a proof of concept.

This worked:
Code:
# User alias specification
User_Alias  OPERATOR = sysyop

# Cmnd alias specification
Cmnd_Alias OP = !/bin/su, !/usr/sbin/visudo
# User privilege specification
root	ALL=(ALL) ALL

# Allow members of group sudo to execute any command
# (Note that later entries override this, so you might need to move
# it further down)
%sudo ALL=(ALL) ALL
#
#includedir /etc/sudoers.d

# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
%sysyop ALL = (ALL) OP
The result is that the user can run sudo vi but can't run sudo visudo.

Quote:
sysyop@test-server1:~$ sudo vi test
sysyop@test-server1:~$ sudo visudo
Sorry, user sysyop is not allowed to execute '/usr/sbin/visudo' as root on test-server1.
sysyop@test-server1:~$
Code:
# User alias specification
User_Alias  OPERATOR = sysyop

# Cmnd alias specification
Cmnd_Alias OP = !/bin/su, !/usr/sbin/visudo
# User privilege specification
root	ALL=(ALL) ALL

# Allow members of group sudo to execute any command
# (Note that later entries override this, so you might need to move
# it further down)
%sudo ALL=(ALL) ALL
#
#includedir /etc/sudoers.d

# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
OPERATOR ALL = (ALL) OP
Appears to work.

Quote:
sysyop@test-server1:~$ sudo vi test
sysyop@test-server1:~$ sudo visudo
Sorry, user sysyop is not allowed to execute '/usr/sbin/visudo' as root on test-server1.
sysyop@test-server1:~$
The next code I tried was this.

Code:
# User alias specification
User_Alias  OPERATOR = sysyop

# Cmnd alias specification
Cmnd_Alias OP = /bin/su, /usr/sbin/visudo
# User privilege specification
root	ALL=(ALL) ALL

# Allow members of group sudo to execute any command
# (Note that later entries override this, so you might need to move
# it further down)
%sudo ALL=(ALL) ALL
#
#includedir /etc/sudoers.d

# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
OPERATOR ALL = (ALL) !OP
The result for this is that the user still can't run visudo.

Quote:
sysyop@test-server1:~$ sudo visudo
Sorry, user sysyop is not allowed to execute '/usr/sbin/visudo' as root on test-server1.
sysyop@test-server1:~$
This seemed to work for me as well; hopefully all this helps.

Code:
# User alias specification
User_Alias  OPERATOR = sysyop

# Cmnd alias specification
Cmnd_Alias OP = !/bin/su, !/usr/sbin/visudo, /usr/bin/
# User privilege specification
root	ALL=(ALL) ALL

# Allow members of group sudo to execute any command
# (Note that later entries override this, so you might need to move
# it further down)
%sudo ALL=(ALL) ALL
#
#includedir /etc/sudoers.d

# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
OPERATOR ALL = (ALL) OP
I am still doing some testing, but if this has helped, let me know.

Anyone looking at this, please note this was only tested on Ubuntu; I cannot say how it will react on a different system.

Last edited by doomloard; 03-14-2011 at 09:42 AM. Reason: Tested and new info
 
Old 03-15-2011, 12:15 PM   #15
fossilet
Member
 
Registered: Jul 2004
Location: Beijing, China
Distribution: Ubuntu, Fedora, CentOS
Posts: 33

Original Poster
Rep: Reputation: 0
I tested your examples and they work like your results. Have you tested my first example? It won't prevent sysop to sudo or su. My sysop is not in any special group. I retested with a more generic sudoers file:
Code:
Defaults	env_reset
User_Alias  OPERATOR = sysop
Cmnd_Alias  ADMIN = !/bin/su, !/usr/sbin/visudo
root	ALL=(ALL) ALL
%wheel ALL=(ALL) ALL
OPERATOR   ALL  = (ALL) ALL, ADMIN
But moving the "!" before "ADMIN" in the last line will prevent sysop to sudo or su.

I noticed in sudoers(7) that Cmnd_list does accept "!" symbol. So the syntax is correct. I also noticed in the examples of sudoers(7) all the command aliases do not use "!", they use "!" in user specification lines, and this just works OK.

I have not read the whole man page of sudoers. Looking into the source code may help?
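
The two negation styles compared in posts #13 to #15, as an added example (not code from any poster or from the sudo project): a small Python lint that expands Cmnd_Alias entries and flags rules that grant ALL and then subtract commands with "!", a pattern the sudoers manual describes as generally not effective, and rules made only of negations, which grant nothing by themselves. The parser is simplified, and `SAMPLE`, `SKIP`, `parse`, `expand` and `audit` are hypothetical names.

```python
import re

# Constructed sample modelled on the rules posted in this thread.
SAMPLE = """\
User_Alias  OPERATOR = sysop
Cmnd_Alias  ADMIN = /bin/su, /usr/sbin/visudo
Cmnd_Alias  OP = !/bin/su, !/usr/sbin/visudo
root        ALL=(ALL) ALL
OPERATOR    ALL = (ALL) ALL, !ADMIN
%tech       ALL = (ALL) OP
"""
SKIP = ("Defaults", "User_Alias", "Host_Alias", "Runas_Alias")

def parse(text):
    """Simplified parse (assumes one rule per line): (cmnd_aliases, rules)."""
    aliases, rules = {}, []
    for line in text.replace("\\\n", " ").splitlines():  # join continuations
        line = line.split("#", 1)[0].strip()             # drop comments
        if not line or line.startswith(SKIP):
            continue
        left, _, right = line.partition("=")
        if line.startswith("Cmnd_Alias"):
            aliases[left.split()[1]] = right
        else:
            right = re.sub(r"\([^)]*\)|\b[A-Z_]+:", "", right)  # runas, tags
            rules.append((left.split()[0], right))
    return aliases, rules

def expand(spec, aliases, negated=False):
    """Flatten a command list into ordered (command, allowed) pairs."""
    out = []
    for c in filter(None, (p.strip() for p in spec.split(","))):
        neg = negated
        while c.startswith("!"):
            c, neg = c[1:].strip(), not neg
        out += expand(aliases[c], aliases, neg) if c in aliases else [(c, not neg)]
    return out

def audit(text):
    """Flag deny-list rules (ALL minus exceptions) and negation-only rules."""
    aliases, rules = parse(text)
    findings = []
    for who, spec in rules:
        flat = expand(spec, aliases)
        denied = [c for c, ok in flat if not ok]
        if denied and ("ALL", True) in flat:
            findings.append((who, "deny-list", denied))
        elif denied and len(denied) == len(flat):
            findings.append((who, "grants-nothing", denied))
    return findings
```

Both spellings of the exclusion (`ALL, !ADMIN` with a positive alias, and `ALL, ADMIN` with a negated alias) are reported as the same deny-list pattern, so either is a candidate for replacement with an explicit list of permitted commands.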
 
  

