root ALL=(ALL) ALL: what does each of these parts mean? I see many people with this whole thing set up differently and I'm concerned about what the proper way of setting it up is. So I just got some questions:
What do each of the above mean and do (excluding root since I know that that's just to point to a user name there)?
How would I get a regular user to be able to run mplayer?
How would I do the above but not requiring a password?
Does disabling the requirement of a password pose any sort of security risk that I could avoid by requiring the password? (I assume yes but idk, I've seen people post that adding that in makes it no less secure but I'm not sure if I believe it.)
root = user kind of thing - if you wanted charlie to run programs as lucy this is where you'd put charlie.
ALL1 = hostname kind of thing - ALL is the easiest way to say this rule applies on this host.
ALL2 = runas kind of thing - if you wanted charlie to run programs as lucy this is where you'd put lucy.
ALL3 = commands kind of thing - if you want someone to run shutdown this is where you'd put /sbin/shutdown
Each of these can be a list rather than a single item, and can include aliases allowing you useful shortcuts as well as scope for making the file overcomplicated.
The default sudoers file contains examples including the NOPASSWD: term.
Worth checking out the man page (man sudoers). There are many other examples available on the net as well.
As for the security risk from asking for a password, I think it depends on the exact situation/who you're giving what powers to. If the only people who are in the sudoers are incredibly trustworthy (and I don't just mean malicious but constantly vigilant as well) then there is no real reason to use the password. But if the user has any chance of leaving their terminal/PC unattended and unlocked, a nefarious passer-by could have full access to that person's account (i.e. /home/user_who_went_for_coffee) and anything they had sudo access for. They will have to suffer the consequence of the former but you will have to sort the latter. Of course anyone caught doing such a thing should be quietly and firmly reminded that they should not.
I prefer to have passwords on anyway. It takes me all of 500ms to type and reinforces that I am using sudo. This is especially important if it is a launcher that does gksudo Some_command.
Without knowing the full details of the situation I cannot say if a password is needed but some critical thinking (think of every way someone could get into the system via sudo (not in terms of buffer overflows etc. but in terms of expanding limited access that they have acquired socially)).
Not requiring passwords does reduce the danger from shoulder surfing (the fewer times you type in a password, the fewer times the bad guy behind you can try and see what you're typing). However I think this is mainly mitigated by making sure password feedback is turned off (default). Some users don't like this but education is better than giving them exactly what they want here. Also avoid letting users type passwords on tablets (esp. iPads), or any touchscreen device; shoulder surfing can be ridiculously easy with these devices. Again the best way to sort this out is education; there is no reason a sys-admin cannot ssh off their tablet if they are on their own or using a H/W keyboard.
Quote:
root ALL=(ALL) ALL: what does each of these parts mean? I see many people with this whole thing set up differently and I'm concerned about what the proper way of setting it up is. So I just got some questions:
What do each of the above mean and do (excluding root since I know that that's just to point to a user name there)?
You can find extensive info on that with
Code:
man sudoers
man sudo
Quote:
How would I get a regular user to be able to run mplayer
Add him to the video group. This is no use-case for sudo at all. There is absolutely no reason for anyone to run mplayer as root.
Quote:
Does disabling the requirement of a password pose any sort of security risk that I could avoid by requiring the password? (I assume yes but idk, I've seen people post that adding that in makes it no less secure but I'm not sure if I believe it.)
It depends. If you use sudo the way it was originally intended (giving some users root access to a few specially chosen applications) it can be pretty safe to configure sudo without a password. I use it that way with the commands mount/umount and reboot/shutdown/pm-suspend. Of course you have to think about which commands are allowed for the user. If you give access to using a text editor as root the user would be able to edit the sudoers file. This is the same as giving the user full root access. When using the NOPASSWD option in the "Ubuntu use-case", which is using the line you mentioned before, giving a user access to all commands as root, anyone that can get access to that user's account (maybe if he forgot to lock the system before going on a coffee break) can do anything on the system.
So I just reinstalled my entire OS.
Apparently I have full access as a normal user to alsa now, which wasn't happening before and was why I needed to have sudo to use mplayer, but now I can run it normally and can run alsamixer and all that. I don't think I did anything different but whatever, I must have (I hope) done something right this time, or is this not the way alsa should be?
I did think it was weird I needed special permission to play music, because I never used to, but I figured things just changed in the versions I never used.
Here's my notes I took on sudo/visudo from a Linux+ Certification book
Configuring sudo
Run visudo and comment out these two lines that will cause sudo to require using the root password:
#Defaults targetpw
#ALL ALL=(ALL) ALL
Allowing user(s) to only run certain commands with sudo. Add these lines with visudo.
User_Alias PWRUSRS = tux
Cmnd_Alias KILLPROCS = /bin/kill, /usr/bin/killall
Host_Alias MYHSTS = ws1
PWRUSRS MYHSTS = (root) KILLPROCS
Uncomment to allow members of the wheel group to perform any command as root using their own password.
## Allows people in group wheel to run all commands
%wheel ALL=(ALL) ALL
Last edited by fakie_flip; 11-25-2012 at 12:56 AM.
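Added example, not part of any post in this thread: a small Python audit that splits simple one-line sudoers rules into the four fields described above (user, host, runas, commands), expands aliases one level, and flags the two grants the replies call equivalent to full root, NOPASSWD on ALL and an editor run as root. The sample policy, the users dave and erin, and the editor list are constructed assumptions; it handles only single-token user and host fields, and `visudo -c` remains the real syntax check.

```python
import re

# Constructed sample policy for illustration; the alias lines mirror the notes above.
SAMPLE = """\
User_Alias PWRUSRS = tux
Cmnd_Alias KILLPROCS = /bin/kill, /usr/bin/killall
Host_Alias MYHSTS = ws1
PWRUSRS MYHSTS = (root) KILLPROCS
%wheel ALL=(ALL) ALL
charlie ALL=(lucy) NOPASSWD: /sbin/shutdown
dave ALL=(ALL) NOPASSWD: ALL
erin ALL=(root) /usr/bin/vim
"""
EDITORS = {"vi", "vim", "nano", "emacs"}  # assumption: short illustrative list
ALIAS = re.compile(r"^(?:User|Runas|Host|Cmnd)_Alias\s+(\w+)\s*=\s*(.+)$")
# user  host = (runas) [NOPASSWD:] commands
SPEC = re.compile(r"^(\S+)\s+(\S+)\s*=\s*(?:\(([^)]*)\)\s*)?(NOPASSWD:\s*)?(.+)$")

def split_list(text):
    return [item.strip() for item in text.split(",") if item.strip()]

def parse(text):
    """Return (aliases, rules) from simple one-line sudoers entries."""
    aliases, rules = {}, []
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith(("#", "Defaults")):
            continue  # comments and Defaults lines grant nothing
        if m := ALIAS.match(line):
            aliases[m.group(1)] = split_list(m.group(2))
        elif m := SPEC.match(line):
            who, hosts, runas, nopw, cmds = m.groups()
            # With no (runas) part, sudo only allows running as root.
            rules.append({"who": who, "hosts": hosts, "runas": split_list(runas or "root"),
                          "nopasswd": bool(nopw), "cmds": split_list(cmds)})
    return aliases, rules

def audit(text):
    """Flag rules that amount to full root: NOPASSWD on ALL, or an editor as root."""
    aliases, rules = parse(text)
    findings = []
    for r in rules:
        # One level of Cmnd_Alias expansion (nested aliases are not followed).
        cmds = [c for name in r["cmds"] for c in aliases.get(name, [name])]
        if r["nopasswd"] and "ALL" in cmds:
            findings.append((r["who"], "ALL commands with NOPASSWD"))
        if {"root", "ALL"} & set(r["runas"]):
            findings += [(r["who"], f"editor as root: {c}") for c in cmds
                         if c.split()[0].rsplit("/", 1)[-1] in EDITORS]
    return findings
```

`audit(SAMPLE)` reports only dave and erin; the wheel rule (password required) and charlie's shutdown-only NOPASSWD rule pass.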