Sudo does not allow access to root commands
In order to allow me to shut down my PC from within fluxbox without being root I ran "visudo" and added the following line:
Code:
psionl0 ALL=(ALL) NOPASSWD: ALL
Code:
bash-4.1$ sudo -l
Code:
bash-4.1$ sudo pkgtool |
Hello,
Where did you put that line in the sudoers file? The order of the statements is very important. I think you'll have a line like
Code:
%sudo ALL=(ALL) ALL
Kind regards, Eric |
The statement is at the bottom of the file - effectively just after the "root ALL=(ALL) ALL" statement since all of the lines in between are just comments.
|
Nothing related to your problem, but may I ask why you allow your user to run all commands without passwords (which is a very bad idea), if you only want to grant rights for exactly one command?
|
Quote:
It is essential that sudo can be run without a password so that I can include the sudo command in the menu (or wbar). |
@psionl0: The key to your problem is "command not found". The $PATH of your user does not include /sbin.
For example I would assume the following will work:
Code:
sudo /sbin/pkgtool
If you use bash as your shell you could add these to your $PATH as follows.
Code:
echo "export PATH=/usr/local/sbin:/sbin:/usr/sbin:\$PATH" >> ~/.bashrc
Code:
export PATH=/usr/local/sbin:/sbin:/usr/sbin:$PATH |
You didn't ask for it but you might also want to add the following to your ~/.bashrc (if you use bash):
Code:
complete -cf sudo |
Quote:
cheers psionl0 |
Quote:
Wow, I would never hire you as an administrator. |
Quote:
Sure, if more people were likely to have access to my computer, I would tighten up security but everybody in my household is afraid to go near my computer (and I'm such a nice guy too ;) ). If it makes you feel any better, I have decided not to modify my $PATH environment. That should help protect my computer if I happen to be a TFI at times. BTW I have clobbered the permissions on this computer's "guest" account. |
Quote:
This way, there is also no need to get physical access to your computer. Not setting the path to prevent things like that is the same as closing your eyes to not be seen by anyone else. I mean, it is your system, and you can do what you want with it, I just want to say that the way you set it up is an invitation for any script-kiddie to do evil things with it. |
Interesting point about "script-kiddie". I was under the impression that a properly set up firewall provided adequate protection on a Linux system (even though the PC still responds to "ping" requests).
Since you have made such an eloquent case against unrestricted sudo access, I have limited myself to just shutdown, mount and umount. I can no longer sudo pkgtool anymore.
cheers psionl0 |
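The change discussed above, from a rule that grants every command without a password to one limited to three commands, can be checked mechanically. The script below is an added example and not part of any post in the thread; the function names, the sample file and the binary paths in it are assumptions made for illustration.

```sh
#!/bin/sh
# Added example (not from the thread): flag sudoers rules that let a user
# run every command without a password, like the rule quoted above.
# Limitations: aliases are not expanded, and a Runas list containing a
# comma, e.g. "(root, operator)", is not handled.

# audit_sudoers FILE
# Prints "LINENO: rule" for each offending rule; exit status 1 if any found.
audit_sudoers() {
    awk '
        /^[ \t]*(#|$)/ { next }                         # comments, blanks
        /^[ \t]*(Defaults|[A-Za-z]+_Alias)/ { next }    # not user rules
        {
            spec = substr($0, index($0, "=") + 1)       # text after host=
            n = split(spec, item, ",")
            nopass = 0                                  # a tag carries over to later commands
            for (i = 1; i <= n; i++) {
                c = item[i]
                gsub(/^[ \t]+|[ \t]+$/, "", c)
                sub(/^\([^)]*\)[ \t]*/, "", c)          # drop Runas spec
                while (match(c, /^[A-Z_]+:[ \t]*/)) {   # peel off tags
                    tag = substr(c, 1, RLENGTH)
                    if (tag ~ /^NOPASSWD:/) nopass = 1
                    if (tag ~ /^PASSWD:/)   nopass = 0
                    c = substr(c, RLENGTH + 1)
                }
                if (nopass && c == "ALL") { print NR ": " $0; bad = 1; break }
            }
        }
        END { exit (bad ? 1 : 0) }
    ' "$1"
}

# Constructed sample: the rule from the thread plus a restricted variant.
# The binary paths are assumptions; check them with "command -v" as root.
make_sample() {
    cat <<'EOF'
root ALL=(ALL) ALL
# wide open: every command, no password
psionl0 ALL=(ALL) NOPASSWD: ALL
# restricted to the three commands the poster ended up with
psionl0 ALL=(root) NOPASSWD: /sbin/shutdown, /bin/mount, /bin/umount
%wheel ALL=(ALL) NOPASSWD: /sbin/shutdown, PASSWD: ALL
EOF
}

tmp=$(mktemp) && make_sample > "$tmp"
audit_sudoers "$tmp" || echo "passwordless ALL rule(s) found"
rm -f "$tmp"
```

Only line 3 of the sample is reported; the %wheel line is not, because its PASSWD: tag switches the password requirement back on before ALL.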
pros and cons:
- script kiddies are not likely to run your special commands via sudo; those script kiddies probably know about Linux by then and even then it's only targeted at those people who actually have a sudoers file set up and then only those that have the permissions like ALL ALL NOPASSWD. Unlikely for script kiddies, not that unlikely for malicious malware.
- firewalls are only protection for assaults from the outside world, attempts to enter your system. Such a thing is not necessary if you provide the information yourself by visiting bad websites.
- question is how bad it is if a person gets access to the root account of someone's personal system compared to the actual user's account. Given that you keep your sensitive information on said user's account. Financial information, credit cards etc are the things they're most interested in. That's where your damage will be. That your system reboots once or twice is something you'll notice, but hardly grind you down. That's different for companies who rely on their website (a defaced website is bad publicity for most companies who do something on the web, as well as limiting the means their customers can do business with them, etc...) Aside from that, with the root account you can do worse things there than just that, overriding everything (discarding SELinux at this moment for I am lazy too).
That said: I think it's bad practice to have the sudoers as stated above in a company situation. My system rebooting or my website defaced are the least of my problems if my system's security is compromised. So a password-less sudo in a personal computer situation is not something I'd advocate against so strongly as against professional use. |