Insufficient privileges?
John B Brown
jbb at vcn.com
Thu Apr 28 12:42:32 PDT 2011
Dear Alex,
In the original source for sudo there is a configure condition that must be met
for group members;
"--with-exempt=group no passwd needed for users in this group"
Which condition do you think Apple set for this? Your group 'sudoers' or
'wheel' or some other condition? I suspect this condition is unset as delivered
by Apple.
Or, possibly, this original configuration is unnecessary? Just a waste of
programming space?
Some errors come from reworking an original program for proprietary motives,
and ignoring the original configuration conditions. The group I use for purposes
of system maintenance is 'wheel.' The original version includes in a sudoers script;
"
# Uncomment to allow people in group wheel to run all commands
# %wheel ALL=(ALL) ALL
# Same thing without a password
# %wheel ALL=(ALL) NOPASSWD: ALL
"
Uncommenting the wheel lines in sudoers using the Apple delivered sudo does not
provide NOPASSWD action for group 'wheel.' Compiling original source with
'--with-exempt=wheel' provides wheel with NOPASSWD action. Under that condition
/etc/sudoers seems to work correctly. Apple's compile seems not to provide that
correct action.
Myself, I don't use those 'wheel' lines in sudoers. I set my user for the
second condition above. That way, as member of group wheel, I get to use sudo
without a password because I compile sudo source using --with-exempt=wheel.
Otherwise, I will be asked for a password.
Or maybe it's an Apple OS group permissions thing and mine are not correctly set?
Shalom,
John B. Brown.
[jbb at vcn.com]
358 High Street,
Buffalo, Wyoming
82834
"Freedom is not worth having if it does not include
the freedom to make mistakes" Mahatma Gandhi
"There was never a good war, or a bad peace."
Benjamin Franklin
"I wonder whether the world is being run
by smart people who are putting us on
or by imbeciles who really mean it." Mark Twain
1-307-684-9068
Alexander Skwar wrote:
> John,
>
> I manually created the 666/sudoers group. And I added my user to this
> group as well.
>
> This allowed me to use the original Apple sudo using my user without
> being prompted for a password.
>
> And THIS shows, that your statement simply is wrong. sudoers does work
> as advertised.
>
> Best regards,
> Alexander
>
> On Tue, Apr 19, 2011 at 18:59, John B Brown <jbb at vcn.com> wrote:
>
>> Dear Alex,
>>
>> There is no sudoers group on my machine, there is no group with the
>> number 666 as group number, being a member of wheel group with 'NOPASSWD'
>> allowed still didn't work.
>>
>> I simply compiled back in the original options for sudo. Only then
>> did I get 'NOPASSWD' privilege as a wheel group member for real.
>>
>> Shalom,
>>
>> John B. Brown.
>>
>>
>> Alexander Skwar wrote:
>>
>>> John,
>>>
>>> That's not true. Sudoers does work as advertised. My non-admin user is
>>> in a custom "sudoers" group and I *am* able to use sudo. Without
>>> having to use su first. I am using the apple sudo.
>>>
>>> From my sudoers http://nopaste.dk/p3153 :
>>>
>>> # Defaults specification
>>> Defaults env_reset
>>> Defaults env_keep += "BLOCKSIZE"
>>> Defaults env_keep += "COLORFGBG COLORTERM"
>>> Defaults env_keep += "__CF_USER_TEXT_ENCODING"
>>> Defaults env_keep += "CHARSET LANG LANGUAGE LC_ALL LC_COLLATE LC_CTYPE"
>>> Defaults env_keep += "LC_MESSAGES LC_MONETARY LC_NUMERIC LC_TIME"
>>> Defaults env_keep += "LINES COLUMNS"
>>> Defaults env_keep += "LSCOLORS"
>>> Defaults env_keep += "SSH_AUTH_SOCK"
>>> Defaults env_keep += "TZ"
>>> Defaults env_keep += "DISPLAY XAUTHORIZATION XAUTHORITY"
>>> Defaults env_keep += "EDITOR VISUAL"
>>>
>>> # Runas alias specification
>>>
>>> # User privilege specification
>>> root ALL=(ALL) ALL
>>> %admin ALL=(ALL) ALL
>>>
>>> # Uncomment to allow people in group wheel to run all commands
>>> # %wheel ALL=(ALL) ALL
>>>
>>> # Same thing without a password
>>> # %wheel ALL=(ALL) NOPASSWD: ALL
>>> %sudoers ALL=(ALL) NOPASSWD: ALL
>>>
>>> id http://nopaste.me/paste/13423264574dac87ba2ab0e :
>>>
>>> MacBook-Pro:~ alex$ id
>>> uid=502(alex) gid=20(staff) groups=20(staff),103(com.apple.sharepoint.group.3),405(com.apple.sharepoint.group.7),404(com.apple.sharepoint.group.6),61(localaccounts),12(everyone),403(com.apple.sharepoint.group.5),101(com.apple.sharepoint.group.1),102(com.apple.sharepoint.group.2),667(wir),402(com.apple.sharepoint.group.4),666(sudoers)
>>>
>>>
>>> As you can see, I'm member of the "666 sudoers" group
>>> and can run sudo because of this.
>>>
>>> Regards,
>>> Alexander
>>>
>>> On Mon, Apr 18, 2011 at 20:15, John B Brown <jbb at vcn.com> wrote:
>>>
>>>> Daniel J. Luke wrote:
>>>>
>>>>> On Apr 18, 2011, at 1:30 PM, John B Brown wrote:
>>>>>
>>>>>> I've found the 'native' sudo to be insufficient. My solution is a
>>>>>> complete compile and install right over the Apple version.
>>>>>>
>>>>> I highly recommend that no one ever do this.
>>>>>
>>>>> If you replace Apple software with your own software, things may work.
>>>>> Things may also break unexpectedly.
>>>>>
>>>>> Things probably will break in the future (as any future Apple software
>>>>> update may replace or remove your software).
>>>>>
>>>>>> The important setting in the configure line is --with-exempt=[group] to
>>>>>> get a fully useful sudo without the necessity of using 'su.'
>>>>>>
>>>>> That configure flag lets a group use sudo without entering a password
>>>>> and has nothing to do with using 'su' or not.
>>>>>
>>>>> Both what you describe as wanting (be able to use sudo without 'su'-ing
>>>>> to someone else), and what you describe setting (being able to use sudo
>>>>> without entering a password) can be configured in sudo's configuration
>>>>> file /etc/sudoers
>>>>>
>>>> Unfortunately, No, sudoers does not work as advertised. Witness the
>>>> original complaint.
>>>>
>>>> However, claiming the sky will fall if you choose what you want in
>>>> your computer is ridiculous! Recompile fixes a myriad of "Apple knows
>>>> best" crap.
>>>>
>>>> Or did you invest in that expensive CS degree to stop thinking?
>>>>
>>>>> --
>>>>> Daniel J. Luke
>>>>> +========================================================+
>>>>> | *---------------- dluke at geeklair.net ----------------* |
>>>>> | *-------------- http://www.geeklair.net -------------* |
>>>>> +========================================================+
>>>>> | Opinions expressed are mine and do not necessarily |
>>>>> | reflect the opinions of my employer. |
>>>>> +========================================================+
>>>>>
>>>> Shalom,
>>>>
>>>> John B. Brown.
>>>> _______________________________________________
>>>> macports-users mailing list
>>>> macports-users at lists.macosforge.org
>>>> http://lists.macosforge.org/mailman/listinfo.cgi/macports-users
>>>>
>>>>
>>>
>>>
>
>
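
Added example, not part of the thread and not sudo's own code: a simplified Python model of the two mechanisms argued over above, NOPASSWD entries in /etc/sudoers and the exempt group that --with-exempt sets at build time. It handles only plain `who host=(runas) command` lines; the function names are illustrative assumptions, and the sample is constructed from the sudoers file quoted in the thread.

```python
import re

# Constructed sample: the privilege lines of the sudoers file quoted in this thread.
SAMPLE_SUDOERS = """\
Defaults env_reset
root ALL=(ALL) ALL
%admin ALL=(ALL) ALL
# %wheel ALL=(ALL) ALL
# %wheel ALL=(ALL) NOPASSWD: ALL
%sudoers ALL=(ALL) NOPASSWD: ALL
"""

# who host=(runas) [TAG: ...] command; aliases, includes and continuations are not handled
SPEC = re.compile(r"^(%?[\w.-]+)\s+\S+\s*=\s*(?:\([^)]*\)\s*)?((?:[A-Z_]+:\s*)*)(.+)$")
# exempt_group is the sudoers Defaults option whose build-time default --with-exempt sets
EXEMPT = re.compile(r'^Defaults\s+exempt_group\s*=\s*"?([\w.-]+)"?')

def parse(text):
    """Return (rules, exempt_group); rules are (who, nopasswd, command) in file order."""
    rules, exempt = [], None
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.startswith("Defaults"):
            m = EXEMPT.match(line)
            exempt = m.group(1) if m else exempt
            continue
        m = SPEC.match(line)
        if m:
            who, tags, cmd = m.groups()
            rules.append((who, "NOPASSWD:" in tags, cmd.strip()))
    return rules, exempt

def effective(text, user, groups):
    """Return (winning_rule, password_required); the last matching entry wins."""
    rules, exempt = parse(text)
    match = None
    for rule in rules:
        who = rule[0]
        if who == user or (who.startswith("%") and who[1:] in groups):
            match = rule
    if match is None:
        return None, None
    return match, not (match[1] or exempt in groups)

def passwordless_grants(text):
    """Audit helper: every principal granted NOPASSWD, with its command list."""
    return [(who, cmd) for who, nopass, cmd in parse(text)[0] if nopass]
```

Because the last matching entry wins, a user who is in two listed groups gets whichever rule appears later in the file, so `passwordless_grants` is the quicker check when reviewing a host for password-free root access.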