LinuxQuestions.org
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!
Old 03-28-2012, 09:38 AM   #1
tezarin
Member
 
Registered: Nov 2007
Posts: 133

Rep: Reputation: 0
Can sudoer see root password?


Hi all,

I added one of my users to the wheel group then in the sudoer file gave the group wheel access to everything:

%wheel ALL=(ALL) NOPASSWD: ALL

Does this mean that user can see what the root password is, etc? How dangerous could it be?

Thanks
 
Old 03-28-2012, 09:45 AM   #2
ozanbaba
Member
 
Registered: May 2003
Location: Tengiz
Distribution: Slackware64 14.1
Posts: 673

Rep: Reputation: 94
Sudoer can't see the password. At most he can reach the encrypted password. But giving full root access with NOPASSWD is much more dangerous than him finding out the root password. In the first place, he can do anything root can.
 
Old 03-28-2012, 10:28 AM   #3
TobiSGD
Moderator
 
Registered: Dec 2009
Location: Germany
Distribution: Whatever fits the task best
Posts: 17,148
Blog Entries: 2

Rep: Reputation: 4852
Regardless of whether you use NOPASSWD or not, giving sudo rights to a user in the "Ubuntu way", like you did, basically makes that user root. While he can't see the root password, it is absolutely no problem for the user to change that password. If you want a user to just do some administrative tasks, you have to restrict the user to the applications he needs for that task. But keep in mind that this can be quite difficult. For example, if you enable a user to start vim for editing configuration files as root, it is no problem to start a shell as root from within vim.
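As an added illustration of the restriction TobiSGD describes (this fragment is not part of his post or of any project), here is what a sudoers entry limited to a few commands looks like. The user name "alice", the aliases and the file paths are assumptions for a RHEL/CentOS style host; edit the real file only through visudo, which refuses to save a fragment with a syntax error.

```sudoers
# Added example: a narrow rule instead of "%wheel ALL=(ALL) NOPASSWD: ALL".
# User "alice", the alias names and the paths are assumed, not from the thread.

# Group the permitted programs in a Cmnd_Alias so the rule stays readable.
# Arguments are spelled out exactly: a wildcard in an argument also matches
# spaces, so "/bin/cat /var/log/httpd/*" would accept extra file names too.
Cmnd_Alias WEB_SERVICE = /sbin/service httpd status, /sbin/service httpd restart
Cmnd_Alias WEB_LOGS    = /bin/cat /var/log/httpd/error_log, /bin/cat /var/log/httpd/access_log

# No NOPASSWD, so alice still types her own password. NOEXEC stops the
# permitted program from starting further programs, which closes the
# "shell from inside the editor" path for dynamically linked binaries;
# statically linked programs are not covered by it.
alice  ALL = (root) NOEXEC: WEB_SERVICE, WEB_LOGS

# For configuration files use sudoedit rather than "vim as root": sudo copies
# the file to a temporary location, runs the editor as alice, and copies the
# result back, so the editor itself never has root privileges.
alice  ALL = (root) sudoedit /etc/httpd/conf/httpd.conf
```

Compared with the thread's `%wheel ALL=(ALL) NOPASSWD: ALL`, this grants five specific actions and nothing else, and every use is logged by sudo under the user's own name.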
 
Old 03-28-2012, 12:34 PM   #4
tezarin
Member
 
Registered: Nov 2007
Posts: 133

Original Poster
Rep: Reputation: 0
Thanks, will remove him immediately and change all the passwords.
 
Old 03-28-2012, 01:32 PM   #5
pan64
LQ Guru
 
Registered: Mar 2012
Location: Hungary
Distribution: debian/ubuntu/suse ...
Posts: 9,777

Rep: Reputation: 2888
Just to add some points: root has the right to do anything, for example to install a keylogger, to add special rights to a given user, to change passwords, modify crontab and a lot of other things (which I have already seen). So actually even the root user cannot see his own password, but that will not restrict him anyway.
If someone needs additional rights, you would better extend it by only allowing to execute the given file...
 
Old 04-03-2012, 09:13 AM   #6
tezarin
Member
 
Registered: Nov 2007
Posts: 133

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by pan64
Just to add some points: root has the right to do anything, for example to install a keylogger, to add special rights to a given user, to change passwords, modify crontab and a lot of other things (which I have already seen). So actually even the root user cannot see his own password, but that will not restrict him anyway.
If someone needs additional rights, you would better extend it by only allowing to execute the given file...
Thank you. I took that person off of the sudoer list and changed all the passwords. Hope he hasn't created any other users or ways to get into the system.
 
Old 04-03-2012, 09:37 AM   #7
linuxlover.chaitanya
Senior Member
 
Registered: Apr 2008
Location: Nagpur, India
Distribution: Cent OS 5/6, Ubuntu Server 10.04
Posts: 4,629

Rep: Reputation: Disabled
Don't hope or assume. Check it for yourself and confirm. If someone had full sudo access to your server with the NOPASSWD option, you are at his mercy, and that user showed mercy to you by not changing any passwords or very critical system files and folders or permissions. Check the system for unwanted users or services. And don't be at the mercy of someone else.
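The checks this post calls for can be scripted. The following is an added example, not code from the thread or from any project: it audits a passwd file for the things that matter after someone had unrestricted sudo (a second UID 0 account, daemon accounts with a login shell, manually added accounts, duplicate UIDs) and lists the live checks to run as root on the real machine. The sample file is constructed for the demonstration and is not the list the original poster published; the UID threshold of 500 matches the CentOS 5 era systems in the thread (most current distributions start regular users at 1000).

```shell
#!/bin/sh
# Added example (not from the thread): audit a passwd file for accounts that
# need a second look. Runs against a constructed sample so it is safe to try;
# pass /etc/passwd as the first argument of the functions on a real host.

# Constructed sample, NOT the file posted in the thread. "svcmon" (a second
# UID 0 account) and "backup" (a daemon account with a shell) are the kind of
# entries the audit is meant to surface.
SAMPLE_PASSWD="${TMPDIR:-/tmp}/passwd.sample.$$"
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
jdoe:x:502:100::/home/jdoe:/bin/tcsh
svcmon:x:0:0:monitoring:/:/bin/bash
backup:x:34:34:backup:/var/backups:/bin/bash
EOF

# Any account other than "root" with UID 0 is full root under another name.
uid_zero_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Daemon accounts (UID below the first regular UID) that still have an
# interactive shell. They normally carry /sbin/nologin or /bin/false, so a
# shell here should be explainable (some packages do install one).
system_accounts_with_shell() {
    min_uid="${2:-500}"
    awk -F: -v min="$min_uid" '
        $3 > 0 && $3 < min &&
        $7 !~ /(nologin|false|sync|halt|shutdown)$/ { print $1 }' "$1"
}

# Regular accounts, i.e. the manually added ones the thread asks about.
# 65534 is the conventional nfsnobody/nobody UID and is skipped.
regular_accounts() {
    min_uid="${2:-500}"
    awk -F: -v min="$min_uid" '$3 >= min && $3 != 65534 { print $1 }' "$1"
}

# Two names sharing one UID are the same identity to the kernel.
duplicate_uids() {
    awk -F: '{ print $3 }' "$1" | sort | uniq -d
}

# Live checks for the real system, to be run as root; the sample file does not
# exercise these. Note that "ps" with no options lists only the processes on
# your own terminal, which is why the full listing is used here.
live_checks() {
    echo "== accounts whose password field is not locked =="
    awk -F: '$2 !~ /^[!*]/ { print $1 }' /etc/shadow
    echo "== sudoers rules (main file and drop-ins) =="
    cat /etc/sudoers /etc/sudoers.d/* 2>/dev/null | grep -v '^#' | grep -v '^$'
    echo "== SSH keys that allow logins without the account password =="
    ls -l /root/.ssh/authorized_keys /home/*/.ssh/authorized_keys 2>/dev/null
    echo "== scheduled jobs =="
    ls -l /etc/cron.d /var/spool/cron 2>/dev/null
    echo "== all processes and listening sockets =="
    ps -eo pid,user,comm
    netstat -tlnp 2>/dev/null || ss -tlnp
}

report() {
    f="$1"
    echo "extra UID 0 accounts:        $(uid_zero_accounts "$f" | tr '\n' ' ')"
    echo "daemon accounts with shell:  $(system_accounts_with_shell "$f" | tr '\n' ' ')"
    echo "regular accounts:            $(regular_accounts "$f" | tr '\n' ' ')"
    echo "duplicate UIDs:              $(duplicate_uids "$f" | tr '\n' ' ')"
}

report "$SAMPLE_PASSWD"
```

On the real host, run `report /etc/passwd` and then `live_checks`; the first two lines of the report are the ones that must come back empty, and every regular account should be one you created yourself.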
 
Old 04-05-2012, 12:57 PM   #8
tezarin
Member
 
Registered: Nov 2007
Posts: 133

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by linuxlover.chaitanya
Don't hope or assume. Check it for yourself and confirm. If someone had full sudo access to your server with the NOPASSWD option, you are at his mercy, and that user showed mercy to you by not changing any passwords or very critical system files and folders or permissions. Check the system for unwanted users or services. And don't be at the mercy of someone else.
You're right. But how can I check that? The password stayed the same, the sudoer file was not changed, I disabled the wheel group. His username is inside the sudoer file and shows the same thing as before: ALL = (DB) NOPASSWD: ALL

How can I see if he created a new username or has changed any of the files?

This is the /etc/passwd file. Two of the users already left the company, so I marked them as OLD USERS for this post and just deleted them now. Also, you can see his username; not sure what permissions he has right now.

Code:
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
rpm:x:37:37::/var/lib/rpm:/sbin/nologin
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
netdump:x:34:34:Network Crash Dump user:/var/crash:/bin/bash
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
rpc:x:32:32:Portmapper RPC user:/:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin
smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin
pcap:x:77:77::/var/arpwatch:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
squid:x:23:23::/var/spool/squid:/sbin/nologin
webalizer:x:67:67:Webalizer:/var/www/usage:/sbin/nologin
xfs:x:43:43:X Font Server:/etc/X11/fs:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
gdm:x:42:42::/var/gdm:/sbin/nologin
pvm:x:24:24::/usr/share/pvm3:/bin/bash
dovecot:x:97:97:dovecot:/usr/libexec/dovecot:/sbin/nologin
mailman:x:41:41:GNU Mailing List Manager:/usr/lib/mailman:/sbin/nologin
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
amanda:x:33:6:Amanda user:/var/lib/amanda:/bin/bash
OLD USER1:x:500:500:John Wiley:/home/jw:/bin/tcsh
OLD USER2:x:501:100::/home/chad:/bin/tcsh
HIS USERNAME:x:502:100::/home/jparikh:/bin/tcsh
ANOTHER USERNAME:x:503:100::/home/vnguyen:/bin/tcsh
 
Old 04-05-2012, 11:40 PM   #9
linuxlover.chaitanya
Senior Member
 
Registered: Apr 2008
Location: Nagpur, India
Distribution: Cent OS 5/6, Ubuntu Server 10.04
Posts: 4,629

Rep: Reputation: Disabled
If you have already deleted the users, then don't worry. They won't have any more access to your system with their logins. And if you are sure that they have not changed any password and there are no users created or unwanted services running, you should be fine. BUT using sudo with the NOPASSWD option is really very dangerous. And that too for all the commands. You could configure sudo to allow only certain commands with no password. I would suggest you make sure that the user actually needs full root access on the server before granting the rights.
 
Old 04-06-2012, 09:20 AM   #10
tezarin
Member
 
Registered: Nov 2007
Posts: 133

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by linuxlover.chaitanya
If you have already deleted the users, then don't worry. They won't have any more access to your system with their logins. And if you are sure that they have not changed any password and there are no users created or unwanted services running, you should be fine. BUT using sudo with the NOPASSWD option is really very dangerous. And that too for all the commands. You could configure sudo to allow only certain commands with no password. I would suggest you make sure that the user actually needs full root access on the server before granting the rights.
Thanks. Can you please have a look at the users list I posted above and see if you see any user aside from root and system users? And how can I check for unwanted services?

Thanks
 
Old 04-06-2012, 09:25 AM   #11
linuxlover.chaitanya
Senior Member
 
Registered: Apr 2008
Location: Nagpur, India
Distribution: Cent OS 5/6, Ubuntu Server 10.04
Posts: 4,629

Rep: Reputation: Disabled
From the list above, as far as I can see, only the bottom four users are the ones I can't identify, and most probably they were added manually. You should be fine with them. As for the services, you could check your system with the ps and top commands to find out what services are running.
 
Old 04-06-2012, 09:51 AM   #12
tezarin
Member
 
Registered: Nov 2007
Posts: 133

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by linuxlover.chaitanya
From the list above, as far as I can see, only the bottom four users are the ones I can't identify, and most probably they were added manually. You should be fine with them. As for the services, you could check your system with the ps and top commands to find out what services are running.
Thanks much. I have deleted all those manually-added users. Ran ps and got nothing fishy:
Code:
[root@servername~]# ps
  PID TTY          TIME CMD
26408 pts/1    00:00:00 bash
26442 pts/1    00:00:00 ps
The top command also showed only normal stuff.

Thanks to you, I feel safe now.

Regards
 
Old 04-07-2012, 08:52 AM   #13
linuxlover.chaitanya
Senior Member
 
Registered: Apr 2008
Location: Nagpur, India
Distribution: Cent OS 5/6, Ubuntu Server 10.04
Posts: 4,629

Rep: Reputation: Disabled
Good to hear that.
 
Old 04-11-2012, 09:09 AM   #14
tezarin
Member
 
Registered: Nov 2007
Posts: 133

Original Poster
Rep: Reputation: 0
Thanks for your help.

That user asked me to create a username for a co-worker and give him permission to:

1) Run MySQL
2) Read /var/www

This is what I did:

Code:
useradd david -D /home/david -G users
passwd david
Then tried to su as david and got this error:

Code:
bash: /home/david/.bashrc: Permission denied
And then I would get the bash and not shell.

I fixed it by running this:
Code:
chmod 777 /home/david

Now, will adding this
Code:
 ALL = (DB) NOPASSWD: ALL
to the sudoer file take care of the first requirement, which is running mysql?

Also, how can I give him access to read a directory? I'm showing that the directory he has requested to read already has these permissions: lrwxrwxrwx 1 root root 16 Feb 27 2005 www -> /depot/raid0/www

Thanks,
t

Last edited by tezarin; 04-11-2012 at 09:33 AM.
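The last post's two requests, done with least privilege, as an added example that is not part of the thread: the home directory gets its owner and a private mode instead of 777 (a world-writable home lets any local user drop a .bashrc that runs on the next login), read access to the web tree goes through a group, and the sudo rule names the mysql client only. The user name "david", the group "webread" and the path /usr/bin/mysql are assumptions; the demo runs on a scratch directory so it needs no root.

```shell
#!/bin/sh
# Added example (not from the thread): least-privilege versions of the steps
# in the last post. Names (david, webread, /usr/bin/mysql) are assumed.

# "bash: /home/david/.bashrc: Permission denied" on login means the home
# directory is not owned by the user. Give it the right owner and 750;
# 777 would let every local account write into it.
fix_home_dir() {            # fix_home_dir <dir> <user> <group>; prints resulting mode
    chown "$2:$3" "$1"
    chmod 750 "$1"
    stat -c '%a' "$1"
}

# Read-only access to a tree for one group: group read on files and
# traverse (capital X, directories only) on directories. readlink -f
# follows the symlink in the post (www -> /depot/raid0/www) so the real
# tree is changed, not the link. Add the user with: usermod -a -G <group> <user>
grant_group_read() {        # grant_group_read <dir> <group>; prints mode of the top directory
    target=$(readlink -f "$1")
    chgrp -R "$2" "$target"
    chmod -R g+rX "$target"
    stat -c '%a' "$target"
}

# sudoers line (enter it with visudo) that lets the user run the mysql
# client as the DB account and nothing else; no NOPASSWD, no "ALL".
mysql_sudoers_rule() {      # mysql_sudoers_rule <user> <dbaccount>; prints the rule
    printf '%s ALL = (%s) /usr/bin/mysql\n' "$1" "$2"
}

# Demonstration on a scratch directory, runnable as an ordinary user
# (chown/chgrp to your own user and group need no privileges).
demo() {
    base=$(mktemp -d)
    mkdir -m 777 "$base/home_david"
    echo "home mode after fix: $(fix_home_dir "$base/home_david" "$(id -un)" "$(id -gn)")"
    mkdir -m 700 "$base/real_www"
    touch "$base/real_www/index.html"
    chmod 600 "$base/real_www/index.html"
    ln -s "$base/real_www" "$base/www"
    echo "www dir mode: $(grant_group_read "$base/www" "$(id -gn)")"
    echo "www file mode: $(stat -c '%a' "$base/real_www/index.html")"
    echo "sudoers rule: $(mysql_sudoers_rule david DB)"
    rm -rf "$base"
}

demo
```

Expected on the scratch tree: the home directory ends at 750, the web directory at 750 and its file at 640, and the printed rule is `david ALL = (DB) /usr/bin/mysql`.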
 