a question about sudo



albumns
09-Sep-2011, 08:36
Hello:
I found that the command sudo in SLES can only work based on root
password. So, I am wondering, is it possible to add common user and
their own password to use sudo?


View this thread: http://forums.novell.com/showthread.php?t=444454

jmozdzen
09-Sep-2011, 14:56
Hi albumns,

I'm not sure I understand what you're trying to achieve... If a regular
user invokes "sudo" and the configuration does not specify "NOPASSWD:"
for the command to be run, then AFAIK the user will be prompted for
her/his password.

Regards,
Jens



ab
09-Sep-2011, 15:43
No, this is not completely accurate. There are two default setups I've
seen... the SUSE way and the Ubuntu (and probably Debian) way. The SUSE
way is that anytime sudo is called the target user (the user you want to
run the command as) must put in THEIR password. In most cases this is
the root user and so as a result the user running 'sudo' must also know
the root user's password.

The other way of setting things up, the Debian way, is to require the
user running 'sudo' to put in their OWN password to change and become
another user.

Each way has its benefits.... the former way lets anybody use sudo out
of the box as long as they know the 'root' user's password. The latter
way means an admin can ensure nobody knows the root password (except the
admin of course) but requires that admin to set up which commands people
can run since, presumably, they do not know the root user's password.

This is all controlled via the following line which is set in SUSE installs:

Defaults targetpw # ask for the password of the target user i.e. root

and it is important to note the following line which should only be
present if the previous line is there:

ALL ALL=(ALL) ALL #WARNING! Only use this together with 'Defaults targetpw'

This line lets anybody run anything anywhere as anybody else.... as long
as the other sudo requirements are met (in this case, that you know the
destination user's password).

None of this has to do with NOPASSWD really, which lets sudo be used
without putting in any passwords as long as the other rules are met.

Good luck.




Thorsten Kampe
10-Sep-2011, 11:58
* ab (Fri, 09 Sep 2011 14:43:00 GMT)
> The SUSE way is that anytime sudo is called the target user (the user
> you want to run the command as) must put in THEIR password. In most
> cases this is the root user and so as a result the user running 'sudo'
> must also know the root user's password.
>
> The other way of setting things up, the Debian way, is to require the
> user running 'sudo' to put in their OWN password to change and become
> another user.
>
> Each way has its benefits.... the former way lets anybody use sudo out
> of the box as long as they know the 'root' user's password. The latter
> way means an admin can ensure nobody knows the root password (except
> the admin of course) but requires that admin to set up which commands
> people can run since, presumably, they do not know the root user's
> password.

Sudo has two main security-relevant advantages in comparison to "su":
the ability to specify who can do what and no need to know the root
password.

If you use "targetpw" (what you describe as the SUSE way) you lose both:
the user who is restricted to run a specific command can simply use su.

Thorsten
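
An added example, not part of the thread and not SUSE's or sudo's own tooling: a shell function that classifies a sudoers file by the two lines ab quotes, and flags the case the WARNING comment is about (the blanket rule left in place without targetpw). The function name classify_sudoers, its output labels and the sample file are made up for this example; it does not follow includes and ignores scoped Defaults.

```shell
#!/bin/sh
# Added example: classify a sudoers file by the two lines quoted in the thread.
# Output labels (made up for this example):
#   targetpw+all   SUSE default: blanket rule, but the target user's password is asked
#   all-only       blanket rule without targetpw: any user runs anything as
#                  anyone with their own password (the case the WARNING is about)
#   targetpw-only  targetpw set, access limited to the explicit rules
#   own-password   neither line: invoking user's password, explicit rules only
# Limitations: does not follow includes; ignores scoped Defaults (Defaults:user).
classify_sudoers() {
    awk '
        {
            sub(/#.*/, "")                    # strip comments
            gsub(/[ \t]*=[ \t]*/, "=")        # "ALL = (ALL)" -> "ALL=(ALL)"
        }
        $1 == "Defaults" {
            for (i = 2; i <= NF; i++) {
                n = split($i, opt, ",")
                for (j = 1; j <= n; j++) {
                    if (opt[j] == "targetpw")  targetpw = 1
                    if (opt[j] == "!targetpw") targetpw = 0
                }
            }
        }
        # User_List ALL, Host_List ALL, command list ALL: the blanket rule
        $1 == "ALL" && $2 ~ /^ALL=/ && $NF == "ALL" { blanket = 1 }
        END {
            if (targetpw && blanket) print "targetpw+all"
            else if (blanket)        print "all-only"
            else if (targetpw)       print "targetpw-only"
            else                     print "own-password"
        }
    ' "$1"
}

# Constructed sample file containing the two lines from the post above.
sample=$(mktemp)
printf '%s\n' \
    "Defaults targetpw # ask for the password of the target user i.e. root" \
    "ALL ALL=(ALL) ALL # WARNING! Only use this together with 'Defaults targetpw'" \
    > "$sample"
classify_sudoers "$sample"    # prints: targetpw+all
rm -f "$sample"
```

A result of all-only means the targetpw line was removed or commented out while the blanket rule stayed; after any change to the file, `visudo -c` checks its syntax.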