[Eug-lug] Sudoers question
aomighty at gmail.com
Tue Apr 3 10:51:03 PDT 2007
1) My system allows everyone to become root. It's Debian Etch, btw.
2) The man page doesn't say anything about syntax... already checked.
3) Thanks, I'll use sudo -l.
On 4/3/07, Neil Parker <nparker at lyl.llx.com> wrote:
> Ben Barrett wrote,
> >IIRC, wheel was intended to match the GID on su, so that non-group
> >members cannot even become root, a hardening tactic that goes along
> >with disallowing any direct root logins.
> >
> >Why not make wheel? You'll feel so evolved; groupadd wheel and grunt
> >with glee ;)
> >(then again, what good is wheel if you don't use it?)
>
> Problem: Not all systems treat the wheel group as special. I believe GNU
> su allows anybody to try to become root regardless of membership in wheel.
>
> If your system has a /etc/login.defs file, it might contain an option
> SU_WHEEL_ONLY that controls whether or not "su root" is restricted to
> members of wheel.
>
> Also beware: The privileged group, if your system supports it, might not
> be called "wheel". The name actually doesn't matter--what matters is
> whether the group ID number is 0. You might find that your group 0 is
> called "root", or maybe some other name entirely. ("grep :0: /etc/group"
> will tell you the magic name.)
>
> I recommend NOT doing "groupadd wheel". If you don't already have a group
> called "wheel", that will give you one, but its group ID won't be 0, and it
> will (confusingly) have no special privileges.
>
> If your system already has a group with ID 0, you don't need a new one.
> If you don't already have such a group, it was probably left out for a
> reason, and again you probably don't need to add one.
>
> Getting back to the original subject, "man sudo" says that "sudo -l" will
> tell you what commands /etc/sudoers allows or forbids you to use. This
> will probably be quite useful for debugging your edits of /etc/sudoers.
>
> - Neil Parker
> _______________________________________________
> EUGLUG mailing list
> euglug at euglug.org
> http://www.euglug.org/mailman/listinfo/euglug
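As an added example (not from the list thread), a small POSIX shell audit that implements the checks Neil describes: find the group whose GID is actually 0 by matching the third field of /etc/group rather than the substring ":0:", list its members, and read the effective SU_WHEEL_ONLY value from /etc/login.defs. The sample group and login.defs contents are constructed here; GROUP_FILE and LOGIN_DEFS are assumed overridable defaults for the real paths.

```shell
#!/bin/sh
# Added audit helper (not from the list thread). Paths are assumptions:
# set GROUP_FILE / LOGIN_DEFS, or pass a path, to audit other files.
GROUP_FILE="${GROUP_FILE:-/etc/group}"
LOGIN_DEFS="${LOGIN_DEFS:-/etc/login.defs}"

# Name(s) of every group whose numeric GID field is 0. Matching the third
# colon-separated field is unambiguous, unlike grepping for ":0:".
gid0_groups() {
    awk -F: '$3 == 0 { print $1 }' "${1:-$GROUP_FILE}"
}

# Listed members of the GID-0 group (fourth field), one per line.
gid0_members() {
    awk -F: '$3 == 0 && $4 != "" {
        n = split($4, m, ","); for (i = 1; i <= n; i++) print m[i] }' \
        "${1:-$GROUP_FILE}"
}

# Exit 0 if USER is a listed member of the GID-0 group, 1 otherwise.
in_gid0_group() {
    gid0_members "${2:-$GROUP_FILE}" | grep -qx "$1"
}

# Effective SU_WHEEL_ONLY value: commented lines begin with "#" so only
# real assignments match; the last assignment wins; "unset" if none.
su_wheel_only() {
    awk '$1 == "SU_WHEEL_ONLY" { v = $2 }
         END { if (v == "") v = "unset"; print v }' "${1:-$LOGIN_DEFS}"
}

# Constructed sample files (illustrative, not a real host): note the group
# named "wheel" with GID 10, which has no root privilege at all.
make_samples() {
    d=$(mktemp -d)
    printf '%s\n' 'root:x:0:alice' 'daemon:x:1:' 'wheel:x:10:bob' \
        'users:x:100:' > "$d/group"
    printf '%s\n' '# SU_WHEEL_ONLY no' 'SU_WHEEL_ONLY yes' > "$d/login.defs"
    printf '%s\n' "$d"
}

# Summary report for the given group and login.defs files.
report() {
    printf 'GID 0 group(s): %s\n' "$(gid0_groups "$1" | tr '\n' ' ')"
    printf 'GID 0 members:  %s\n' "$(gid0_members "$1" | tr '\n' ' ')"
    printf 'SU_WHEEL_ONLY:  %s\n' "$(su_wheel_only "$2")"
}

if [ "${1:-}" = "--demo" ]; then d=$(make_samples); report "$d/group" "$d/login.defs"; fi
```

Run with `--demo` to see the report on the constructed samples, or with no arguments and call `report /etc/group /etc/login.defs` to audit the live system; `sudo -l` remains the right tool for the sudoers side of the question.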