[Wylug-discuss] Sudo

Smylers Smylers at stripey.com
Fri Apr 11 16:06:43 BST 2008


Anne Wilson writes:

> On Friday 11 April 2008 15:21:01 Smylers wrote:
> 
> > > user  ALL=(ALL) NOPASSWD:ALL
> > >
> > > Can this really be safe?
> >
> > ... in the context of a home PC it may not be terrible.  Many PCs --
> > whatever OS they are running -- have only one user, or everybody
> > logs in as the same user, or everybody has full admin privs anyway
> > (or knows the root password, or whatever).
> 
> While probably true on a desktop box, I can't feel happy with that on
> a laptop, which, to all intents and purposes the EeePC is.  As long as
> I have to give a separate, different password for root access it does
> mean that any intruder has to fight twice as hard and long to do the
> hidden harm.

Possibly.  It depends on the nature of the attack.  If somebody gets
physical access to a logged-in unlocked laptop then either way the
attacker needs a single password (which she doesn't have) to get root
access.

And not being able to log in as root at all ought to make some sorts of
intrusion more awkward.  It also reduces the chance of you having a root
shell open, which could have something typed into it accidentally (or
maliciously).

Anyway, you can still get what you want with sudo -- add this line to
/etc/sudoers:

  Defaults runaspw

That'll make sudo prompt for the root password (or that of whichever
user is being sudo-ed to) rather than your own.

You can also use:

  Defaults mailto=cannewilson at googlemail.com mail_badpass

if you want to be mailed every time your attacker wrongly guesses the
password.

> > The "NOPASSWD:" bit also means that any software you download can
> > easily run anything as root; without that any human can still choose
> > to run any command as root, but at least the prompt for his password
> > would make him aware of it.
> 
> So should I change that to "PASSWD"?  Or does it require something
> different?

Just removing "NOPASSWD:" entirely should do it.

Smylers
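The sudoers changes discussed in this reply, shown side by side as an added example that is not part of the original thread: the passwordless line Anne quoted beside the hardened variant (NOPASSWD: dropped, runaspw and mail_badpass turned on), with two small checks you can run over a fragment before installing it with visudo. The account name "user" is the placeholder from the thread; the mailto address is an assumed placeholder, not the one in the thread.

```shell
#!/bin/sh
# Added example, not code from the original post.  Writes two constructed
# sudoers fragments to a temp dir and audits them.  "user" is the
# placeholder account from the thread; admin@example.com is an assumed
# placeholder address.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed weak fragment: full root rights and never a password prompt,
# so anything running as this user can become root silently.
cat > "$WORK/weak.sudoers" <<'EOF'
user  ALL=(ALL) NOPASSWD:ALL
EOF

# Constructed hardened fragment: same rights, but sudo asks for the root
# password (runaspw) and mails every wrong guess (mail_badpass).  The
# NOPASSWD: tag is simply removed.  The @ in mailto needs double quotes so
# sudo does not try to interpret it.
cat > "$WORK/hardened.sudoers" <<'EOF'
Defaults runaspw
Defaults mailto="admin@example.com"
Defaults mail_badpass
user  ALL=(ALL) ALL
EOF

# has_nopasswd FILE: succeed (exit 0) if any non-comment line grants NOPASSWD.
has_nopasswd() {
    grep -Eq '^[^#]*NOPASSWD:' "$1"
}

# prompts_for_root_pw FILE: succeed if a Defaults line turns on runaspw or
# targetpw (either one replaces the prompt for the invoking user's password).
prompts_for_root_pw() {
    grep -Eq '^[[:space:]]*Defaults[[:space:]]+(.*[[:space:],])?(runaspw|targetpw)([[:space:],]|$)' "$1"
}

# syntax_ok FILE: run visudo's check mode on the fragment when visudo is
# installed (-c -f checks the named file's syntax); otherwise skip.
syntax_ok() {
    if command -v visudo >/dev/null 2>&1; then
        visudo -c -f "$1" >/dev/null 2>&1
    else
        echo "visudo not installed, skipping syntax check for $1" >&2
    fi
}

# audit: report what each fragment would let a local process do.
audit() {
    for f in "$WORK/weak.sudoers" "$WORK/hardened.sudoers"; do
        name=$(basename "$f")
        if has_nopasswd "$f"; then
            echo "$name: NOPASSWD present, software can become root silently"
        else
            echo "$name: a password is required for sudo"
        fi
        if prompts_for_root_pw "$f"; then
            echo "$name: prompts for the root password, not the user's own"
        fi
        syntax_ok "$f" || echo "$name: visudo rejected the fragment" >&2
    done
}

audit
```

Two details worth knowing before copying this into a real /etc/sudoers: runaspw asks for the password of the runas_default user (root unless you change it), while targetpw asks for the password of whichever user you name with `sudo -u`; and multiple options on one Defaults line are separated by commas, which is why the example keeps one option per line.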
