Insufficient privileges?

Bayard Bell buffer.g.overflow at googlemail.com
Thu Apr 28 14:23:12 PDT 2011


To quote the last line on --with-exempt from the INSTALL file for sudo:

"You should probably use NOPASSWD in sudoers instead."

Is your claim that NOPASSWD is in fact dependent on the compile-time value of --with-exempt and that the sudo documentation has this backwards? It seems far more likely that the problem is having rules that are ordered in the expectation that the first rather than the last match is used. The diff between Apple's sudo build and the stock 1.7.0 base from which it was built isn't that considerable, so any code underlying the difference in behaviour you're suggesting really should jump out.

In any case I find it difficult to see why the NOPASSWD behaviour is ever desirable because it makes an account essentially root-equivalent without requiring knowledge of the password. With such a config, you're relying on safety because not so many people are trying to target OS X (i.e. there's safety in relatively small numbers) rather than security in terms of the ability to resist determined attack.

On 28 Apr 2011, at 20:42, John B Brown wrote:

> Dear Alex,
> 
> 	In the original source for sudo there is a configure condition that must be met for group members;
> 
> "--with-exempt=group     no passwd needed for users in this group"
> 
> 	Which condition do you think Apple set for this? Your group 'sudoers' or 'wheel' or some other condition? I suspect this condition is unset as delivered by Apple.
> 
> 	Or, possibly, this original configuration is unnecessary? Just a waste of programming space?
> 
> 	Some errors come from reworking an original program for proprietary motives, and ignoring the original configuration conditions. The group I use for purposes of system maintenance is 'wheel.' The original version includes in a sudoers script;
> 
> "
> # Uncomment to allow people in group wheel to run all commands
> # %wheel        ALL=(ALL) ALL
> 
> # Same thing without a password
> # %wheel        ALL=(ALL) NOPASSWD: ALL
> "
> 
> 	Uncommenting the wheel lines in sudoers using the Apple delivered sudo does not provide NOPASSWD action for group 'wheel.' Compiling original source with '--with-exempt=wheel' provides wheel with NOPASSWD action. Under that condition /etc/sudoers seems to work correctly. Apple's compile seems not to provide that correct action.
> 
> 	Myself, I don't use those 'wheel' lines in sudoers. I set my user for the second condition above. That way, as a member of group wheel, I get to use sudo without a password because I compile sudo source using --with-exempt=wheel. Otherwise, I will be asked for a password.
> 
> 	Or maybe it's an Apple OS group permissions thing and mine are not correctly set?
> 
> 	Shalom,
> 
> 	John B. Brown.
> 	[jbb at vcn.com]
> 	358 High Street,
> 	Buffalo, Wyoming
> 	82834
> 
> "Freedom is not worth having if it does not include
> the freedom to make mistakes"  Mahatma Gandhi
> "There was never a good war, or a bad peace."
> Benjamin Franklin
> "I wonder whether the world is being run
> by smart people who are putting us on
> or by imbeciles who really mean it."  Mark Twain
> 
> 1-307-684-9068
> 
> 
> Alexander Skwar wrote:
>> John,
>> I manually created the 666/sudoers group. And I added my user to this
>> group as well.
>> This allowed me to use the original Apple sudo using my user without
>> being prompted for a password.
>> And THIS shows that your statement simply is wrong. sudoers does work
>> as advertised.
>> Best regards,
>> Alexander
>> On Tue, Apr 19, 2011 at 18:59, John B Brown <jbb at vcn.com> wrote:
>>> Dear Alex,
>>> 
>>>       There is no sudoers group on my machine, there is no group with the
>>> number 666 as group number, being a member of wheel group with 'NOPASSWD'
>>> allowed still didn't work.
>>> 
>>>       I simply compiled back in the original options for sudo. Only then
>>> did I get 'NOPASSWD' privilege as a wheel group member for real.
>>> 
>>>       Shalom,
>>> 
>>>       John B. Brown.
>>>       [jbb at vcn.com]
>>>       358 High Street,
>>>       Buffalo, Wyoming
>>>       82834
>>> 
>>> "Freedom is not worth having if it does not include
>>> the freedom to make mistakes"  Mahatma Gandhi
>>> "There was never a good war, or a bad peace."
>>> Benjamin Franklin
>>> "I wonder whether the world is being run
>>> by smart people who are putting us on
>>> or by imbeciles who really mean it."  Mark Twain
>>> 
>>> 1-307-684-9068
>>> 
>>> 
>>> Alexander Skwar wrote:
>>> 
>>>> John,
>>>> 
>>>> That's not true. Sudoers does work as advertised. My non-admin user is
>>>> in a custom "sudoers" group and I *am* able to use sudo. Without
>>>> having to use su first. I am using the apple sudo.
>>>> 
>>>> From my sudoers http://nopaste.dk/p3153 :
>>>> 
>>>> # Defaults specification
>>>> Defaults        env_reset
>>>> Defaults        env_keep += "BLOCKSIZE"
>>>> Defaults        env_keep += "COLORFGBG COLORTERM"
>>>> Defaults        env_keep += "__CF_USER_TEXT_ENCODING"
>>>> Defaults        env_keep += "CHARSET LANG LANGUAGE LC_ALL LC_COLLATE LC_CTYPE"
>>>> Defaults        env_keep += "LC_MESSAGES LC_MONETARY LC_NUMERIC LC_TIME"
>>>> Defaults        env_keep += "LINES COLUMNS"
>>>> Defaults        env_keep += "LSCOLORS"
>>>> Defaults        env_keep += "SSH_AUTH_SOCK"
>>>> Defaults        env_keep += "TZ"
>>>> Defaults        env_keep += "DISPLAY XAUTHORIZATION XAUTHORITY"
>>>> Defaults        env_keep += "EDITOR VISUAL"
>>>> 
>>>> # Runas alias specification
>>>> 
>>>> # User privilege specification
>>>> root    ALL=(ALL) ALL
>>>> %admin  ALL=(ALL) ALL
>>>> 
>>>> # Uncomment to allow people in group wheel to run all commands
>>>> # %wheel        ALL=(ALL)       ALL
>>>> 
>>>> # Same thing without a password
>>>> # %wheel        ALL=(ALL)       NOPASSWD: ALL
>>>> %sudoers        ALL=(ALL)       NOPASSWD: ALL
>>>> 
>>>> id http://nopaste.me/paste/13423264574dac87ba2ab0e :
>>>> 
>>>> MacBook-Pro:~ alex$ id
>>>> uid=502(alex) gid=20(staff)
>>>> 
>>>> groups=20(staff),103(com.apple.sharepoint.group.3),405(com.apple.sharepoint.group.7),404(com.apple.sharepoint.group.6),61(localaccounts),12(everyone),403(com.apple.sharepoint.group.5),101(com.apple.sharepoint.group.1),102(com.apple.sharepoint.group.2),667(wir),402(com.apple.sharepoint.group.4),666(sudoers)
>>>> 
>>>> 
>>>> As you can see, I'm a member of the "666 sudoers" group
>>>> and can run sudo because of this.
>>>> 
>>>> Regards,
>>>> Alexander
>>>> 
>>>> On Mon, Apr 18, 2011 at 20:15, John B Brown <jbb at vcn.com> wrote:
>>>> 
>>>>> Daniel J. Luke wrote:
>>>>> 
>>>>>> On Apr 18, 2011, at 1:30 PM, John B Brown wrote:
>>>>>> 
>>>>>>>      I've found the 'native' sudo to be insufficient. My solution is a
>>>>>>> complete compile and install right over the Apple version.
>>>>>>> 
>>>>>> I highly recommend that no one ever do this.
>>>>>> 
>>>>>> If you replace Apple software with your own software, things may work.
>>>>>> Things may also break unexpectedly.
>>>>>> 
>>>>>> Things probably will break in the future (as any future Apple software
>>>>>> update may replace or remove your software).
>>>>>> 
>>>>>>> The important setting in the configure line is --with-exempt=[group] to
>>>>>>> get a fully useful sudo without the necessity of using 'su.'
>>>>>>> 
>>>>>> That configure flag lets a group use sudo without entering a password
>>>>>> and has nothing to do with using 'su' or not.
>>>>>> 
>>>>>> Both what you describe as wanting (be able to use sudo without 'su'-ing
>>>>>> to someone else), and what you describe setting (being able to use sudo
>>>>>> without entering a password) can be configured in sudo's configuration
>>>>>> file /etc/sudoers.
>>>>>> 
>>>>>      Unfortunately, no, sudoers does not work as advertised. Witness
>>>>> the original complaint.
>>>>> 
>>>>>      However, claiming the sky will fall if you chose what you want in
>>>>> your computer is ridiculous! Recompile fixes a myriad of "Apple knows
>>>>> best" crap.
>>>>> 
>>>>>      Or did you invest in that expensive CS degree to stop thinking?
>>>>> 
>>>>> --
>>>>>> Daniel J. Luke
>>>>>> dluke at geeklair.net
>>>>>> http://www.geeklair.net
>>>>>> Opinions expressed are mine and do not necessarily
>>>>>> reflect the opinions of my employer.
>>>>>> 
>>>>>      Shalom,
>>>>> 
>>>>>      John B. Brown.
>>>>>      [jbb at vcn.com]
>>>>>      358 High Street,
>>>>>      Buffalo, Wyoming
>>>>>      82834
>>>>> 
>>>>> "Freedom is not worth having if it does not include
>>>>> the freedom to make mistakes"  Mahatma Gandhi
>>>>> "There was never a good war, or a bad peace."
>>>>> Benjamin Franklin
>>>>> "I wonder whether the world is being run
>>>>> by smart people who are putting us on
>>>>> or by imbeciles who really mean it."  Mark Twain
>>>>> 
>>>>> 1-307-684-9068
>>>>> _______________________________________________
>>>>> macports-users mailing list
>>>>> macports-users at lists.macosforge.org
>>>>> http://lists.macosforge.org/mailman/listinfo.cgi/macports-users
>>>>> 
>>>>> 
>>>> 
>>>> 
> 
> _______________________________________________
> macports-users mailing list
> macports-users at lists.macosforge.org
> http://lists.macosforge.org/mailman/listinfo.cgi/macports-users
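The ordering point raised at the top of this thread (sudo applies User_Spec lines in file order and the last matching line wins, so where a NOPASSWD line sits relative to other lines that also match the user decides whether a password is asked for) is easy to check with a small model. The following is an added example written for this page, not code from the thread or from sudo itself: it is a deliberately simplified reader for the kind of lines shown above (user or %group, a host list, a runas list, an optional NOPASSWD:/PASSWD: tag, a command list; host and command matching are not modelled and `#` always starts a comment). The sudoers texts and the group memberships below are constructed for the illustration.

```python
"""Toy model of sudo's User_Spec resolution: the LAST matching line wins.

Simplified model written for this example, not sudo's own parser.  Only
user/%group, a host list, a runas list, an optional NOPASSWD:/PASSWD: tag
and a command list are understood; hosts and commands are not matched.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass
class Rule:
    who: str        # "root" or "%group"
    hosts: str      # host list, e.g. "ALL" (not evaluated here)
    runas: str      # runas list, e.g. "ALL"
    nopasswd: bool  # True when the line carries the NOPASSWD: tag
    commands: str   # command list, e.g. "ALL" (not evaluated here)


# user|%group  host_list=(runas_list)  [NOPASSWD:|PASSWD:]  command_list
RULE_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<hosts>\S+)=\((?P<runas>[^)]*)\)\s+"
    r"(?:(?P<tag>NOPASSWD|PASSWD):\s*)?(?P<cmds>.+)$"
)


def parse_sudoers(text: str) -> List[Rule]:
    """Turn sudoers-style text into Rule objects, in file order."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        # '#' starts a comment in this model, so commented-out rules never match
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unsupported sudoers line: {raw!r}")
        rules.append(Rule(m["who"], m["hosts"], m["runas"],
                          m["tag"] == "NOPASSWD", m["cmds"]))
    return rules


def matches(rule: Rule, user: str, groups: Set[str]) -> bool:
    """A %group line matches any member of that group; a user line matches by name."""
    if rule.who.startswith("%"):
        return rule.who[1:] in groups
    return rule.who == user


def winning_rule(rules: List[Rule], user: str, groups: Set[str]) -> Optional[Rule]:
    """Walk the file in order and keep the last rule that matches (sudo's semantics)."""
    winner = None
    for rule in rules:
        if matches(rule, user, groups):
            winner = rule
    return winner


def resolve(rules: List[Rule], user: str, groups: Set[str]) -> Tuple[bool, bool]:
    """Return (allowed, password_required) for the user."""
    rule = winning_rule(rules, user, groups)
    if rule is None:
        return (False, True)
    return (True, not rule.nopasswd)


# Constructed sample 1: stock-style file with the wheel lines still commented out.
WHEEL_COMMENTED = """\
Defaults        env_reset
root    ALL=(ALL) ALL
%admin  ALL=(ALL) ALL
# %wheel        ALL=(ALL)       NOPASSWD: ALL
"""

# Constructed sample 2: wheel NOPASSWD line uncommented AFTER the %admin line.
WHEEL_AFTER_ADMIN = """\
root    ALL=(ALL) ALL
%admin  ALL=(ALL) ALL
%wheel  ALL=(ALL) NOPASSWD: ALL
"""

# Constructed sample 3: same lines, but the %admin line comes last.
WHEEL_BEFORE_ADMIN = """\
root    ALL=(ALL) ALL
%wheel  ALL=(ALL) NOPASSWD: ALL
%admin  ALL=(ALL) ALL
"""

if __name__ == "__main__":
    # Constructed memberships: alex is in both admin and wheel, bob only in wheel.
    for name, text in (("commented", WHEEL_COMMENTED),
                       ("wheel after admin", WHEEL_AFTER_ADMIN),
                       ("wheel before admin", WHEEL_BEFORE_ADMIN)):
        rules = parse_sudoers(text)
        for user, groups in (("alex", {"staff", "admin", "wheel"}), ("bob", {"wheel"})):
            allowed, needs_pw = resolve(rules, user, groups)
            print(f"{name:20} {user}: allowed={allowed} password_required={needs_pw}")
```

A user who is in both admin and wheel gets NOPASSWD only when the wheel line is the later of the two; with the %admin line last, sudo still grants the command but asks for a password, which is exactly the symptom that looks like "NOPASSWD does not work". On a real system `sudo -l` lists the rules that apply to the invoking user and is the quickest way to confirm which line is winning.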
