[Wylug-discuss] Sudo
Smylers
Smylers at stripey.com
Mon Apr 14 08:36:16 BST 2008

j.lander at leeds.ac.uk writes:

> > > [Changing sudo to prompt for the target user password] *might*
> > > also go things with groups to further restrict access.
> >
> > What do you mean by "go things with groups"?
>
> Fingers and brain not communicating. "do things with groups".
>
> I recall an Ubuntu user who - while attempting to use usermod to add
> himself to a group - accidentally removed himself from all other
> supplementary groups.

Ah, yes; accidentally removing sudo access from yourself would be a
problem.

> All sorts of things stopped working, including, I seem to recall,
> Sudo.

Yup, cos by default Ubuntu users have sudo access through being in the
admin group. However that wouldn't be a problem for Anne for several
reasons:

* The snippet of /etc/sudoers that Anne quoted clearly shows the
  existing permissions on her Eee (which isn't running Ubuntu) are for a
  named user, so not dependent on group membership.

* Even if they were, removing yourself from the admin group would only
  be a problem if you didn't have a root password (such that you
  couldn't fix the situation by logging in as root). Given that we're
  discussing changing sudo to _require_ using the root password, this
  configuration requires having one, so it's actually less risky from an
  'accidentally locking yourself out' point of view.

* Changing which password sudo prompts for doesn't have anything to do
  with using group membership to determine who has permission to do
  what. I know you only said above that it "might", and it's reasonable
  to be cautionary in things like this, but the group config is
  completely separate; both are known quantities, and changing one isn't
  going to have any unexpected effects on t'other.

So Anne, if you want to make sudo prompt for the root password instead
of your own then please use runaspw without being concerned about it
doing anything with groups. Cheers.

Smylers
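
The two independent checks discussed in this message, as an added example that is not part of the original post: whether root has a usable password before runaspw is enabled, and whether a user's sudo rights come from a named rule or from group membership. The function names, the user name "anne" and the sample shadow and sudoers lines are constructed assumptions; aliases and included files are not handled.

```shell
#!/bin/sh
# Added example: pre-flight checks before putting "Defaults runaspw" in sudoers.
# All sample data is constructed; "anne" is a placeholder user name.

# Succeeds if the shadow(5) entry in $1 carries a usable password hash.
# An empty field, or one starting with "!" or "*", is treated as unusable.
root_pw_usable() {
    field=$(printf '%s\n' "$1" | cut -d: -f2)
    case "$field" in
        ''|'!'*|'*'*) return 1 ;;
        *) return 0 ;;
    esac
}

# Reads sudoers text on stdin and prints how the user is granted access:
# "user" (named rule), "group" (via %group) or "none".
# $1 = user name, $2 = space-separated groups the user belongs to.
grant_kind() {
    awk -v user="$1" -v groups="$2" '
        BEGIN { n = split(groups, g, " "); kind = "none" }
        /^[ \t]*(#|$)/ { next }            # skip comments and blank lines
        $1 == user { kind = "user" }       # rule names the user directly
        substr($1, 1, 1) == "%" && kind == "none" {
            for (i = 1; i <= n; i++) if ($1 == "%" g[i]) kind = "group"
        }
        END { print kind }'
}

# Constructed samples: root with a hash, root locked, and two sudoers styles.
SHADOW_OK='root:$6$constructedsalt$constructedhash:13983:0:99999:7:::'
SHADOW_LOCKED='root:!:13983:0:99999:7:::'
SUDOERS_NAMED='Defaults runaspw
anne ALL=(ALL) ALL'
SUDOERS_GROUP='%admin ALL=(ALL) ALL'

# With a locked root password a runaspw prompt can never be satisfied.
root_pw_usable "$SHADOW_LOCKED" || echo "root locked: set a root password first"
# Dropping out of the admin group only matters for the group-based rule.
printf '%s\n' "$SUDOERS_NAMED" | grant_kind anne "anne"
printf '%s\n' "$SUDOERS_GROUP" | grant_kind anne "anne"
```

On a real system the inputs would come from `getent shadow root` and the sudoers file, both read as root, and any sudoers change should be made through visudo.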