Bayard Bell wrote:
To quote the last line on --with-exempt from the INSTALL file for sudo:

"You should probably use NOPASSWD in sudoers instead."

Is your claim that NOPASSWD is in fact dependent on the compile-time value of 
--with-exempt and that the sudo documentation has this backwards? It seems far 
more likely that the problem is having rules that are ordered in the 
expectation that the first rather than the last match is used. The diff between 
Apple's sudo build and the stock 1.7.0 base from which it was built isn't that 
considerable, so any code underlying the difference in behaviour you're 
suggesting really should jump out.


        Yes. See 'man sudoers' from the original source:

"Users in the group specified by the exempt_group option are not affected by secure_path. This option is not set by default."

"exempt_group Users in this group are exempt from password and PATH requirements. This is not set by default."

        Sort of, DUH!

In any case I find it difficult to see why the NOPASSWD behaviour is ever 
desirable because it makes an account essentially root-equivalent without 
requiring knowledge of the password. With such a config, you're relying on 
safety because not so many people are trying to target OS X (i.e. there's 
safety in relatively small numbers) rather than security in terms of the 
ability to resist determined attack.


Well, it is there for some purpose. If you don't like it, don't use it. I kind of like it on my little one user box hiding behind three firewalls.

On 28 Apr 2011, at 20:42, John B Brown wrote:

Dear Alex,

        In the original source for sudo there is a configure condition that 
must be met for group members:

"--with-exempt=group     no passwd needed for users in this group"

        Which condition do you think Apple set for this? Your group 'sudoers' 
or 'wheel' or some other condition? I suspect this condition is unset as 
delivered by Apple.

        Or, possibly, this original configuration is unnecessary? Just a waste 
of programming space?

        Some errors come from reworking an original program for proprietary 
motives, and ignoring the original configuration conditions. The group I use 
for purposes of system maintenance is 'wheel.' The original version includes in 
a sudoers script:

"
# Uncomment to allow people in group wheel to run all commands
# %wheel        ALL=(ALL) ALL

# Same thing without a password
# %wheel        ALL=(ALL) NOPASSWD: ALL
"

        Uncommenting the wheel lines in sudoers using the Apple delivered sudo 
does not provide NOPASSWD action for group 'wheel.' Compiling original source 
with '--with-exempt=wheel' provides wheel with NOPASSWD action. Under that 
condition /etc/sudoers seems to work correctly. Apple's compile seems not to 
provide that correct action.

        Myself, I don't use those 'wheel' lines in sudoers. I set my user for 
the second condition above. That way, as member of group wheel, I get to use 
sudo without a password because I compile sudo source using 
--with-exempt=wheel. Otherwise, I will be asked for a password.

        Or maybe it's an Apple OS group permissions thing and mine are not 
correctly set?

        Shalom,

        John B. Brown.
        [[email protected]]
        358 High Street,
        Buffalo, Wyoming
        82834

"Freedom is not worth having if it does not include
the freedom to make mistakes"  Mahatma Gandhi
"There was never a good war, or a bad peace."
Benjamin Franklin
"I wonder whether the world is being run
by smart people who are putting us on
or by imbeciles who really mean it."  Mark Twain

1-307-684-9068


Alexander Skwar wrote:
John,
I manually created the 666/sudoers group. And I added my user to this
group as well.
This allowed me to use the original Apple sudo using my user without
being prompted for a password.
And THIS shows that your statement simply is wrong. sudoers does work
as advertised.
Best regards,
Alexander
On Tue, Apr 19, 2011 at 18:59, John B Brown <[email protected]> wrote:
Dear Alex,

      There is no sudoers group on my machine, there is no group with the
number 666 as group number, being a member of wheel group with 'NOPASSWD'
allowed still didn't work.

      I simply compiled back in the original options for sudo. Only then
did I get 'NOPASSWD' privilege as a wheel group member for real.

      Shalom,

      John B. Brown.
      [[email protected]]
      358 High Street,
      Buffalo, Wyoming
      82834



Alexander Skwar wrote:

John,

That's not true. Sudoers does work as advertised. My non-admin user is
in a custom "sudoers" group and I *am* able to use sudo. Without
having to use su first. I am using the apple sudo.

From my sudoers http://nopaste.dk/p3153 :

# Defaults specification
Defaults        env_reset
Defaults        env_keep += "BLOCKSIZE"
Defaults        env_keep += "COLORFGBG COLORTERM"
Defaults        env_keep += "__CF_USER_TEXT_ENCODING"
Defaults        env_keep += "CHARSET LANG LANGUAGE LC_ALL LC_COLLATE LC_CTYPE"
Defaults        env_keep += "LC_MESSAGES LC_MONETARY LC_NUMERIC LC_TIME"
Defaults        env_keep += "LINES COLUMNS"
Defaults        env_keep += "LSCOLORS"
Defaults        env_keep += "SSH_AUTH_SOCK"
Defaults        env_keep += "TZ"
Defaults        env_keep += "DISPLAY XAUTHORIZATION XAUTHORITY"
Defaults        env_keep += "EDITOR VISUAL"

# Runas alias specification

# User privilege specification
root    ALL=(ALL) ALL
%admin  ALL=(ALL) ALL

# Uncomment to allow people in group wheel to run all commands
# %wheel        ALL=(ALL)       ALL

# Same thing without a password
# %wheel        ALL=(ALL)       NOPASSWD: ALL
%sudoers        ALL=(ALL)       NOPASSWD: ALL

id http://nopaste.me/paste/13423264574dac87ba2ab0e :

MacBook-Pro:~ alex$ id
uid=502(alex) gid=20(staff) groups=20(staff),103(com.apple.sharepoint.group.3),405(com.apple.sharepoint.group.7),404(com.apple.sharepoint.group.6),61(localaccounts),12(everyone),403(com.apple.sharepoint.group.5),101(com.apple.sharepoint.group.1),102(com.apple.sharepoint.group.2),667(wir),402(com.apple.sharepoint.group.4),666(sudoers)


As you can see, I'm member of the "666 sudoers" group
and can run sudo because of this.

Regards,
Alexander

On Mon, Apr 18, 2011 at 20:15, John B Brown <[email protected]> wrote:

Daniel J. Luke wrote:

On Apr 18, 2011, at 1:30 PM, John B Brown wrote:

     I've found the 'native' sudo to be insufficient. My solution is a
complete compile and install right over the Apple version.

I highly recommend that no one ever do this.

If you replace Apple software with your own software, things may work.
Things may also break unexpectedly.

Things probably will break in the future (as any future Apple software
update may replace or remove your software).

The important setting in the configure line is --with-exempt=[group] to
get a fully useful sudo without the necessity of using 'su.'

That configure flag lets a group use sudo without entering a password and
has nothing to do with using 'su' or not.

Both what you describe as wanting (be able to use sudo without 'su'-ing to
someone else), and what you describe setting (being able to use sudo without
entering a password) can be configured in sudo's configuration file
/etc/sudoers

      Unfortunately, no, sudoers does not work as advertised. Witness the
original complaint.

     However, claiming the sky will fall if you choose what you want in
your computer is ridiculous! Recompile fixes a myriad of "Apple knows best"
crap.

     Or did you invest in that expensive CS degree to stop thinking?

--
Daniel J. Luke
+========================================================+
| *---------------- [email protected] ----------------* |
| *-------------- http://www.geeklair.net-------------* |
+========================================================+
|   Opinions expressed are mine and do not necessarily   |
|          reflect the opinions of my employer.          |
+========================================================+





     Shalom,

     John B. Brown.
     [[email protected]]
     358 High Street,
     Buffalo, Wyoming
     82834

_______________________________________________
macports-users mailing list
[email protected]
http://lists.macosforge.org/mailman/listinfo.cgi/macports-users







        Shalom,

        John B. Brown.
        [[email protected]]
        358 High Street,
        Buffalo, Wyoming
        82834

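The ordering point raised in the thread (sudo applies the last matching entry, not the first) and the concern about NOPASSWD granting root-equivalence are easy to check mechanically. The evaluator below is an added example, not code from the thread or from sudo itself; it handles only the simplified one-command-per-line grammar used in the posted file (no aliases, host field ignored) and the sample sudoers text is constructed to mirror the %admin / %sudoers lines Alexander posted.

```python
import re
from typing import List, NamedTuple, Optional, Set

# Constructed sample modelled on the sudoers posted in the thread.
SUDOERS_SAMPLE = """
# Defaults specification
Defaults        env_reset
# User privilege specification
root    ALL=(ALL) ALL
%admin  ALL=(ALL) ALL
# Same thing without a password
# %wheel        ALL=(ALL)       NOPASSWD: ALL
%sudoers        ALL=(ALL)       NOPASSWD: ALL
"""

class Rule(NamedTuple):
    who: str        # "user" or "%group"
    runas: str      # contents of the (...) runas list
    nopasswd: bool  # True when tagged NOPASSWD:
    command: str    # command spec, e.g. "ALL"

# Simplified user spec: WHO HOST=(RUNAS) [NOPASSWD:|PASSWD:] CMD
RULE_RE = re.compile(
    r"^(\S+)\s+(\S+)\s*=\s*\(([^)]*)\)\s*(?:(NOPASSWD|PASSWD):\s*)?(.+)$")

def parse_sudoers(text: str) -> List[Rule]:
    """Parse user-privilege lines; skip blanks, comments and Defaults."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if m is None:
            raise ValueError(f"unparsed sudoers line: {line!r}")
        who, _host, runas, tag, cmd = m.groups()
        rules.append(Rule(who, runas, tag == "NOPASSWD", cmd.strip()))
    return rules

def evaluate(rules: List[Rule], user: str, groups: Set[str]) -> Optional[Rule]:
    """Return the entry sudo would apply: the LAST matching one wins."""
    match = None
    for r in rules:
        if r.who == user or (r.who.startswith("%") and r.who[1:] in groups):
            match = r
    return match

def nopasswd_all_rules(rules: List[Rule]) -> List[Rule]:
    """Audit helper: entries that grant every command without a password."""
    return [r for r in rules if r.nopasswd and r.command == "ALL"]

def ordering_demo():
    """A user in both groups: prompted or not depends only on line order."""
    rules = parse_sudoers(SUDOERS_SAMPLE)
    as_posted = evaluate(rules, "carol", {"admin", "sudoers"})
    swapped = evaluate(rules[::-1], "carol", {"admin", "sudoers"})
    return as_posted.nopasswd, swapped.nopasswd
```

With the file as posted, a user in both admin and sudoers is not prompted; move the %sudoers line above %admin and the same user is prompted again, because %admin becomes the last match.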
