Review your favorite Linux distribution.
Go Back > Forums > Linux Forums > Linux - Newbie
User Name
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!


  Search this Thread
Old 06-13-2011, 11:11 AM   #1
LQ Newbie
Registered: May 2011
Distribution: Ubuntu
Posts: 24

Rep: Reputation: 12
Post limit program use with sudo

I am the owner (ie-"root") for my organization's linux system. The other day, one of my administrators came to me and complained that it is too tedious to type their password every time they sudo a command, especially when running common commands such as apt-get, shutdown, and the like. For security reasons, I have their sudo timestamp timeout set to 3. Without modifying the timeout, is there a way to use NOPASSWD in sudoers to allow them to run those commands, without requiring password?

I tried something similar to this, but it didn't work:
# /etc/sudoers
# ...
Host_Alias      HOMEMACHINE=current_pc_HP_PC
# ...
User_Alias      FOOBAR=foo,bar
# ...
Defaults      timestamp_timeout=3
Defaults      passwd_timeout=1
# ...

root ALL=(ALL) ALL

# Members of administrators group may use all commands on this machine only
%admin HOMEMACHINE=(root) PASSWD:All

# group "foobar" may use selected commands without password
FOOBAR HOMEMACHINE=(root) NOPASSWD:/sbin/shutdpwn {-h -P,-r}*,/usr/bin/apt-get {install,update}
Old 06-13-2011, 11:30 AM   #2
LQ Guru
Registered: May 2005
Location: Atlanta Georgia USA
Distribution: Redhat (RHEL), CentOS, Fedora, CoreOS, Debian, FreeBSD, HP-UX, Solaris, SCO
Posts: 7,064
Blog Entries: 14

Rep: Reputation: 1248Reputation: 1248Reputation: 1248Reputation: 1248Reputation: 1248Reputation: 1248Reputation: 1248Reputation: 1248Reputation: 1248
You have a typo - it should be shutdown rather than shutdpwn I think unless you've written a script called shutdpwn.

How in your view is it more secure to use NOPASSWD than to increase the timeout limit? With the timeout limit they at least have to re-enter the password periodically - with NOPASSWD they never have to enter it.
Old 06-13-2011, 07:47 PM   #3
LQ Newbie
Registered: May 2011
Distribution: Ubuntu
Posts: 24

Original Poster
Rep: Reputation: 12
yes, that one was a typo from when I copied it to here.. no sleep can do that to ya.

The timeout will still be enforced on all but a very, VERY narrow group of commands. And the commands that would no longer require a password are those that update the system- specifically apt-get update and apt-get install. I know there are a few options in apt-get that could allow you to do damage to the system, but all it takes to lock users out of using them is explicitly NOT mention them in sudoers.

Out of the fifty or so users I have, about five or so are administrators in their specific areas of OS/network expertise. the other 40-some-odd users are clueless when it comes to command line. Only my administrators (who I trust, and who know what they are doing) can run sudo...
sudo is there mainly to keep users from poking around where they belong. For my administrators, the passsword check is more of a sanity thing than anything else- it makes them think about whether they are sure they want to execute that command. And if another user should get access to their machine (ie- walk away without locking it), it is just another safeguard.

I'm just trying to idiot proof my system, not tamper proof it. To quote Arthur Clarke: "You can proof things against stupidity and carelessness, but there is no mechanism that can exist to prevent deliberate malice." (2001: A Space Odyssey)

I am aware that using NOPASSWD is a security risk, but a manageable one.

Last edited by lazerking9; 06-14-2011 at 09:19 AM.


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off

Similar Threads
Thread Thread Starter Forum Replies Last Post
[SOLVED] Limit sudo access - No Password Prompt idny Linux - Security 6 02-18-2011 10:49 PM
need sudo priviledges in c program jcwkyl Programming 6 02-11-2011 08:38 AM
pam_limits(sudo:session): wrong limit value 'unlimited' for limit type 'soft' pankajd Linux - Software 3 12-28-2010 10:59 PM
limit sudo darkarcon2015 Linux - Security 3 09-06-2006 05:39 AM
sudo and permissions limit mfeoli Linux - General 2 05-05-2005 07:51 PM > Forums > Linux Forums > Linux - Newbie

All times are GMT -5. The time now is 03:18 PM.

Main Menu
Write for LQ is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration