When I tried this code it says,
Code:
username HOST=(root)NOPASSWD:MYPROGS
Code:
bash: syntax error near unexpected token `('
I'm using Fedora 13 64 bit OS.
I ran this command on kernel with the intention to grant all privileges to the root user without password prompts.
Since I'm the only person to use my system, I want no more password prompts while installing software or mounting hard disks.
What will be the optimal solution for this?
Very useful tutorial, thank you, ibuclaw!
This is an interesting tut, cheers! I'll use this later
In the sudoers file, I have defined a User_Alias list and a Cmnd_Alias list as follows:
User_Alias ADMINS = lee, vbird
Cmnd_Alias ADMINSCOM = !/usr/bin/passwd, /usr/bin/passwd [a-zA-Z]*, \
ADMINS ALL=(root) ADMINSCOM
My problem is that the Cmnd_Alias ADMINSCOM didn't work. But if I replace ADMINSCOM with !/usr/bin/passwd, it did work!
Can you tell me why? Many Thanks!
Thanks for the article - it made a lot more sense than the man pages! I have a question about the following paragraph:
A more secure method:
%admin ALL=(root) ALL
Where they will be instead denied if they try to run an application as another user.
As I understand it, this will allow a member of the admin group to use sudo to invoke a command as root but not as any other user. This sounds like something we would definitely want to do, but my question is:
Could members of this group bypass this restriction by using sudo to invoke another shell (e.g. sudo xterm)? Because (on my system at least) that new shell launches as root. As root in the second shell you can then run su to become another user.
Just wanted to say that this is one of the best written articles/how-tos on sudoers and sudo. I've been reading a ton of info just to remember the stuff but for a bookmark I returned to this one, one of the first I've read today.
Good stuff, thank you.
Hi Iain. This is indeed a very nice tutorial which got me started with the sudoers file a while ago. Now it's time for me to give some information back.
I think you should add some information to this part of your tutorial, because /*/sbin/* could also become /etc/passwd. Let me show you the problem:
The '*' match is very powerful, and can apply to anything in the command listing part of the configuration line, ie:
Code:
%admin jaunty=(root)NOPASSWD:/*/sbin/*
This could match anything from all the files in '/usr/sbin/' to '/usr/local/sbin/' and even places such as '/home/user/sbin/' fall into the match. As such, it is advised that you use it wisely.
Here is the relevant part of my sudoers file:
Code:
Defaults env_reset
# Host alias specification
Host_Alias HOST = eniac
Host_Alias LAN = 192.168.178.0/255.255.255.0
Host_Alias HOME = HOST,LAN
# Cmnd alias specification
Cmnd_Alias CHOWN_CMD = /bin/chown zero /home/*
# User privilege specification
root ALL=(ALL:ALL) ALL
zero HOME=(root) NOPASSWD:CHOWN_CMD
Let me point out that I can only run the /bin/chown command as root:
Code:
0:zero@eniac:~$ sudo ls
Password:
Sorry, user zero is not allowed to execute '/bin/ls' as root on eniac.
1:zero@eniac:~$
One would think that since I got /home/* in my sudoers file, the use of the chown command is restricted to anything that is below /home/
Well, unfortunately that is not the case.
Code:
0:zero@eniac:~$ ls -l /etc/passwd
-rw-r--r-- 1 root root 531 Oct 12 20:51 /etc/passwd
0:zero@eniac:~$ sudo chown zero /home/../etc/passwd
0:zero@eniac:~$ ls -l /etc/passwd
-rw-r--r-- 1 zero root 531 Oct 12 20:51 /etc/passwd
To prevent this, you will have to restrict the use of ".." in the argument.
Code:
Cmnd_Alias CHOWN_CMD = /bin/chown zero /home/*,\
! /bin/chown zero *..*
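Added example, not part of the original thread or of sudo itself: a simplified Python model of how the two CHOWN_CMD aliases from the post above treat ".." in the path argument, usable as a quick check before deploying such a rule. It assumes sudo matches the arguments as one space-joined string with wildcards in which '*' also matches '/', and that the last matching entry wins; `sudoers_allows` and `traversal_gaps` are hypothetical helper names.

```python
import posixpath
from fnmatch import fnmatchcase

# Constructed from the post above: the original alias and the amended one.
ORIGINAL = ["/bin/chown zero /home/*"]
AMENDED = ["/bin/chown zero /home/*", "! /bin/chown zero *..*"]


def sudoers_allows(entries, command, args):
    """Simplified model of one Cmnd_Alias list (hypothetical helper).

    Assumes the arguments are matched as one space-joined string, that
    '*' also matches '/', and that the last matching entry wins.
    """
    argline = " ".join(args)
    verdict = False
    for entry in entries:
        negated = entry.startswith("!")
        spec = entry.lstrip("! ")
        path, _, arg_pattern = spec.partition(" ")
        if path == command and fnmatchcase(argline, arg_pattern):
            verdict = not negated
    return verdict


def traversal_gaps(entries, base="/home"):
    """Return probe paths that resolve outside `base` yet are still permitted."""
    probes = [  # constructed probes, same '..' trick as in the post
        f"{base}/zero/notes.txt",
        f"{base}/../etc/passwd",
        f"{base}/zero/../../etc/passwd",
    ]
    gaps = []
    for probe in probes:
        inside = posixpath.normpath(probe).startswith(base + "/")
        if not inside and sudoers_allows(entries, "/bin/chown", ["zero", probe]):
            gaps.append(probe)
    return gaps


if __name__ == "__main__":
    print("original alias:", traversal_gaps(ORIGINAL))
    print("amended alias: ", traversal_gaps(AMENDED))
```

In this model the negated pattern also rejects harmless file names that merely contain "..", such as /home/zero/a..b.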