[Wylug-discuss] Sudo

Anne Wilson cannewilson at googlemail.com
Fri Apr 11 16:30:44 BST 2008


On Friday 11 April 2008 16:06:29 Smylers wrote:
> Anne Wilson writes:
> > On Friday 11 April 2008 15:21:01 Smylers wrote:
> > > > user  ALL=(ALL) NOPASSWD:ALL
> > > >
> > > > Can this really be safe?
> > >
> > > ... in the context of a home PC it may not be terrible.  Many PCs --
> > > whatever OS they are running -- have only one user, or everybody
> > > logs in as the same user, or everybody has full admin privs anyway
> > > (or knows the root password, or whatever).
> >
> > While probably true on a desktop box, I can't feel happy with that on
> > a laptop, which, to all intents and purposes the EeePC is.  As long as
> > I have to give a separate, different password for root access it does
> > mean that any intruder has to fight twice as hard and long to do the
> > hidden harm.
>
> Possibly.  It depends on the nature of the attack.  If somebody gets
> physical access to a logged-in unlocked laptop then either way the
> attacker needs a single password (which she doesn't have) to get root
> access.
>
> And not being able to log in as root at all ought to make some sorts of
> intrusion more awkward.  It also reduces the chance of you having a root
> shell open, which could have something typed into it accidentally (or
> malicously).
>
> Anyway, you can still get what you want with sudo -- add this line to
> /etc/sudoers:
>
>   Defaults runaspw
>
> That'll make sudo prompt for the root password (or that of which ever
> user is being sudo-ed to) rather than your own.
>
> You can also use:
>
>   Defaults mailto=cannewilson at googlemail.com mail_badpass
>
> if you want to be mailed everytime your attacker wrongly guesses the
> password.
>
> > > The "NOPASSWD:" bit also means that any software you download can
> > > easily run anything as root; without that any human can still choose
> > > to run any command as root, but at least the prompt for his password
> > > would make him aware of it.
> >
> > So should I change that to "PASSWD"?  Or does it require something
> > different?
>
> Just removing "NOPASSWD:" entirely should do it.
>
Thanks.  Some really  useful tips there.

Anne
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part.
Url : http://list.wylug.org.uk/pipermail/wylug-discuss/attachments/20080411/94ea2ffb/attachment.bin


More information about the Wylug-discuss mailing list