HOWTO: sudo

Lou
Posts: 1739
Joined: 2006-05-08 02:15

HOWTO: sudo

#1 Post by Lou »

SUDO

Sudo is one of the first things I install and configure, it saves me a lot of time and speeds the way I work. I use Sarge on an old box, PII 266 with 128 MB RAM.

# apt-get install sudo

# visudo

this will create the /etc/sudoers file, once there, add the following
line at the bottom:

luigi ALL = NOPASSWD : ALL

replace luigi with your username, save/exit in your editor, then test
it:

$ sudo apt-get update

voilà!
Last edited by Lou on 2006-06-17 02:19, edited 2 times in total.
Devuan Jessie - IceWM - vimperator - no DM
KISS - Keep It Simple, Stupid

osmo
Posts: 55
Joined: 2006-03-15 14:40
Location: Finland

#2 Post by osmo »

I just configured sudo on my fresh unstable install.

In /etc/sudoers, I used

osmo ALL=(ALL) ALL
You can also tweak the Defaults. I, perhaps being paranoid, use

Defaults tty_tickets,timestamp_timeout=5
Ubuntu uses

Defaults !lecture,tty_tickets,!fqdn
If you're using GNOME, you'll also need to change /apps/gksu/sudo-mode key to true using the GConf editor. That way all the GNOME administration stuff will accept your user password instead of the root password.

$ gconftool-2 -t bool -s /apps/gksu/sudo-mode 1
After sudo is configured, can I disable the root account as instructed in the Ubuntu Wiki, or does Debian need it for something? Currently I just set a very long password for root.

Lou
Posts: 1739
Joined: 2006-05-08 02:15

#3 Post by Lou »

"After sudo is configured, can I disable the root account as instructed in the Ubuntu Wiki, or does Debian need it for something? Currently I just set a very long password for root."

I don't use Ubuntu, maybe you should ask for the reason in the Ubuntu forum. IOW, I don't know.

I don't do it because when I use deborphan I need to do it as root. As you can see in my posting I don't have to enter my password, but I also installed bastille to 'harden' my system and firehol as my firewall, just to make sure.

"Only the paranoid survives".

Cheers,

ajdlinux
Posts: 2452
Joined: 2006-04-23 09:37
Location: Port Macquarie, NSW, Australia

Re: Howto sudo

#4 Post by ajdlinux »

Lou wrote: luigi ALL = NOPASSWD : ALL
This is dangerous! NOPASSWD means *anyone* who goes up to your system can execute *anything* as root. Don't use it!

Lou
Posts: 1739
Joined: 2006-05-08 02:15

#5 Post by Lou »

I'm the only user in the house, I like it. :)
Last edited by Lou on 2006-06-17 18:44, edited 2 times in total.
Devuan Jessie - IceWM - vimperator - no DM
KISS - Keep It Simple, Stupid

ajdlinux
Posts: 2452
Joined: 2006-04-23 09:37
Location: Port Macquarie, NSW, Australia

#6 Post by ajdlinux »

Yes, the problem is other systems are accessible by several users and this also opens a huge security hole from the outside (the internet).

Guest

#7 Post by Guest »

So instead of "user ALL=NOPASSWD" what should I enter in the sudoers file for the sudo command to work exactly like in Ubuntu?
In Ubuntu the root password is kept for about 15 mins but I don't care for this in Debian, even if I have to enter it every time I use sudo.

osmo
Posts: 55
Joined: 2006-03-15 14:40
Location: Finland

#8 Post by osmo »

Anonymous wrote:So instead of "user ALL=NOPASSWD" what should I enter in the sudoers file for the sudo command to work exactly like in Ubuntu?
In Ubuntu the root password is kept for about 15 mins but I don't care for this in Debian, even if I have to enter it every time I use sudo.
I believe Ubuntu uses

# /etc/sudoers
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the man page for details on how to write a sudoers file.
#

# Host alias specification

# User alias specification

# Cmnd alias specification

# Defaults

Defaults        !lecture,tty_tickets,!fqdn

# User privilege specification
root    ALL=(ALL) ALL
john    ALL=(ALL) ALL
where you should replace "john" with your username.

If not specified with the "timestamp_timeout" option on the "Defaults" line, the timeout is 15 minutes.

saphire
Posts: 1
Joined: 2006-05-17 16:27

sudo password

#9 Post by saphire »

Hey,

I don't know if anyone else is having this issue, this is a problem I have for both debian and Ubuntu and I have posted it in both forums. I have it set to
%wheel ALL=(ALL) ALL
I have tried everything in the man file that I can think of to require a password. My problem is that sudo NEVER requires a password unless you don't have sudo privileges (then it says you're not in the sudoers file like it should). I have resorted to using su instead, but sudo is handy for single commands. I have tried overriding the defaults and requiring authentication, I have even tried putting the old PASSWD flag in and it doesn't work.
My FreeBSD system and my Fedora Core system do not have this issue.
--saphire
"The difference between me and a madman is that I am not mad." --Salvador Dali

smakfull
Posts: 22
Joined: 2006-05-21 19:00
Location: Uppsala, Sweden

#10 Post by smakfull »

This is lovely, thanks
I'm not afraid to die. Some days I just don't feel like it.

ajdlinux
Posts: 2452
Joined: 2006-04-23 09:37
Location: Port Macquarie, NSW, Australia

Re: sudo password

#11 Post by ajdlinux »

saphire wrote:Hey,

I don't know if anyone else is having this issue, this is a problem I have for both debian and Ubuntu and I have posted it in both forums. I have it set to
%wheel ALL=(ALL) ALL
I have tried everything in the man file that I can think of to require a password. My problem is that sudo NEVER requires a password unless you don't have sudo privileges (then it says you're not in the sudoers file like it should). I have resorted to using su instead, but sudo is handy for single commands. I have tried overriding the defaults and requiring authentication, I have even tried putting the old PASSWD flag in and it doesn't work.
My FreeBSD system and my Fedora Core system do not have this issue.
Hmm - on Ubuntu I can see this happening but I haven't noticed it on Debian. Is the NOPASSWD option set at all?

jobezone
Posts: 214
Joined: 2005-06-12 07:20
Location: Portugal

#12 Post by jobezone »

osmo, thanks for the tip on making gksu (and gnome in general) use sudo by default. Like I had before, was very confusing.
The Debian Documentation website contains the FAQ, Installation Manual and the Release Notes for Etch. They're helpful if you want to learn more about debian!

Taki
Posts: 4
Joined: 2006-07-16 08:11
Location: Kanbruh, Oztrlya

Re: sudo password

#13 Post by Taki »

ajdlinux wrote:
saphire wrote:My problem is that sudo NEVER requires a password unless you don't have sudo privileges (then it says you're not in the sudoers file like it should).
Hmm - on Ubuntu I can see this happening but I haven't noticed it on Debian. Is the NOPASSWD option set at all?
Reading the man (5) page for sudoers:
man (5) sudoers wrote:exempt_group
Users in this group are exempt from password and PATH requirements. On Debian systems, this is set to the group ’sudo’ by default.
Did you happen to put yourself in the 'sudo' group? If you want to turn this off, either take yourself out of the sudo group and explicitly reference your username in the sudoers file, or on the 'Defaults' line append a new exempt_group entry, e.g.:

Defaults        !lecture,tty_tickets,!fqdn,exempt_group=""
Mr Flibble's very cross.

Noise85
Posts: 17
Joined: 2005-11-18 09:56
Location: Roveredo GR Switzerland - CH

#14 Post by Noise85 »

Hi!
Sorry, maybe I'm going OT...
Is there any difference between su and sudo? Why should I use su instead of sudo?
Thanks for an answer :D

Byez
We can't solve problems with the same kind of thinking we used to create them.

A. Einstein

Grifter
Posts: 1554
Joined: 2006-05-04 07:53
Location: Svea Rike

#15 Post by Grifter »

when you su, you change your user, you launch a new shell as the new user you're su:ing to (typically root, just launched with su, but you can su lusername to change into a different user too)

with sudo, you run a single command as superuser
Eagles may soar, but weasels don't get sucked into jet engines...

Tyler
Posts: 18
Joined: 2006-09-04 12:16

security?

#16 Post by Tyler »

I don't understand. I thought sudo was intended to allow regular users to do certain things with root privileges, like when I want to start up my wireless connection. If you set it up to grant root privileges for any command, how is that any different from just logging in as root, with the associated security problems?


Cheers,

Tyler
Lenny & fluxbox
Thinkpad R60

thamarok

Re: security?

#17 Post by thamarok »

Tyler wrote:I don't understand. I thought sudo was intended to allow regular users to do certain things with root privileges, like when I want to start up my wireless connection. If you set it up to grant root privileges for any command, how is that any different from just logging in as root, with the associated security problems?


Cheers,

Tyler
I think the difference is, when you get attacked from the outside, they will get root privileges easily, because you are logged in as root.
But if you were a normal user, you had to use sudo first. And then the attackers would have one job more to do before actually killing your system.
(I think they would try to crack the sudo password, but as I have read, it is very hard, so you are secured even without a sudo password, unless the attacker is smart enough to execute sudo without a password :D)

Unless you are running a server, attacks are very rare.

plugwash
Posts: 2507
Joined: 2006-09-17 01:10

Re: security?

#18 Post by plugwash »

thamarok wrote:I think they would try to crack the sudo password, but as I have read, it is very hard
not really, it's not that hard to write a program that runs another program with its input/output logged.

once they do that they just need to edit your bash profile and then wait a bit.

sargek
Posts: 58
Joined: 2006-06-24 15:06

Misuse of sudo

#19 Post by sargek »

I would agree with ajdlinux. Setting your sudoers file to:

luigi ALL = NOPASSWD : ALL
is dangerous, but not perhaps from attacks from outside, but from stupid user actions.

The sudo command was designed to allow SOME actions to be taken by SOME users, not for allowing the normal user to do ALL of the same things as root, all of the time. The point here is in the *nix world, we run with two users. The simple act of using the sudo, or the su command in a terminal or at the cli, makes us think "I am now root, or acting as root", and helps us to be careful.

Making your user as powerful as root leads to the situation Windows is in right now because the normal user there is root. Bottom line is, it's your system, you want to toast it, go right ahead.
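
Added example, not part of the original thread or of sudo itself: a small Python check that reads sudoers text and reports entries that skip the password prompt, covering the blanket NOPASSWD rule discussed in posts #4 and #19 and the exempt_group default quoted in post #13. The sample file and the user "alice" are constructed, and the parser is an assumption-level sketch that handles only simple one-line rules (no includes, aliases or line continuations).

```python
import re

# Constructed sample: rules quoted in this thread plus one hypothetical
# per-command rule for a made-up user "alice".
SAMPLE_SUDOERS = """\
Defaults        !lecture,tty_tickets,!fqdn
root    ALL=(ALL) ALL
john    ALL=(ALL) ALL
luigi ALL = NOPASSWD : ALL
%wheel ALL=(ALL) ALL
alice ALL=(root) NOPASSWD: /sbin/ifup wlan0, PASSWD: /usr/bin/apt-get
"""

TAG = re.compile(r"^([A-Z_]+)\s*:\s*")   # "NOPASSWD :" or "PASSWD:"
RUNAS = re.compile(r"^\([^)]*\)\s*")     # "(ALL)" or "(root)"

def audit_sudoers(text):
    """Return (line_no, subject, finding) for entries that skip the password."""
    findings, exempt = [], None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or re.match(r"\w+_Alias\b", line):
            continue  # comments, includes and alias definitions are skipped
        if line.startswith("Defaults"):
            for opt in line[len("Defaults"):].split(","):
                if opt.strip().startswith("exempt_group="):
                    exempt = opt.split("=", 1)[1].strip().strip('"')
            continue
        if "=" not in line:
            continue
        subject, nopasswd = line.split()[0], False
        for spec in line.split("=", 1)[1].split(","):
            spec = RUNAS.sub("", spec.strip())
            while (m := TAG.match(spec)):
                # A tag stays in force for later commands until reversed.
                if m.group(1) in ("NOPASSWD", "PASSWD"):
                    nopasswd = m.group(1) == "NOPASSWD"
                spec = spec[m.end():]
            if nopasswd:
                scope = "every command" if spec == "ALL" else spec
                findings.append((no, subject, f"no password for {scope}"))
    # Post #13 quotes sudoers(5): on Debian exempt_group defaults to 'sudo'.
    if exempt is None:
        findings.append((0, "Defaults", "exempt_group not overridden"))
    elif exempt:
        findings.append((0, "Defaults", f"exempt_group={exempt}"))
    return findings

if __name__ == "__main__":
    print(*audit_sudoers(SAMPLE_SUDOERS), sep="\n")
```

Whether the exempt_group finding applies depends on the sudo build; check the sudoers(5) page on the system being audited.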

divali
Posts: 46
Joined: 2006-11-20 11:07
Location: Skelmersdale. uk

sudo

#20 Post by divali »

Will this affect how you logon at startup?
