Insufficient privileges?

John B Brown jbb at vcn.com
Thu Apr 28 18:57:40 PDT 2011



Bayard Bell wrote:
> To quote the last line on --with-exempt from the INSTALL file for sudo:
> 
> "You should probably use NOPASSWD in sudoers instead."
> 
> Is your claim that NOPASSWD is in fact dependent on the compile-time value of --with-exempt and that the sudo documentation has this backwards? It seems far more likely that the problem is having rules that are ordered in the expectation that the first rather than the last match is used. The diff between Apple's sudo build and the stock 1.7.0 base from which it was built isn't that considerable, so any code underlying the difference in behaviour you're suggesting really should jump out.
> 

	Yes. see 'man sudoers' from the original source.
"
Users in the group specified by the exempt_group option are not affected by 
secure_path.  This option is not set by default.
"
"exempt_group Users in this group are exempt from password and PATH 
requirements.  This is not set by default.
"

	Sort of, DUH!

> In any case I find it difficult to see why the NOPASSWD behaviour is ever desirable because it makes an account essentially root-equivalent without requiring knowledge of the password. With such a config, you're relying on safety because not so many people are trying to target OS X (i.e. there's safety in relatively small numbers) rather than security in terms of the ability to resist determined attack.
> 

	Well, it is there for some purpose. If you don't like it, don't use it. I kind 
of like it on my little one user box hiding behind three firewalls.

> On 28 Apr 2011, at 20:42, John B Brown wrote:
> 
>> Dear Alex,
>>
>> 	In the original source for sudo there is a configure condition that must be met for group members;
>>
>> "--with-exempt=group     no passwd needed for users in this group"
>>
>> 	Which condition do you think Apple set for this? Your group 'sudoers' or 'wheel' or some other condition? I suspect this condition is unset as delivered by Apple.
>>
>> 	Or, possibly, this original configuration is unnecessary? Just a waste of programming space?
>>
>> 	Some errors come from reworking an original program for proprietary motives, and ignoring the original configuration conditions. The group I use for purposes of system maintenance is 'wheel.' The original version includes in a sudoers script;
>>
>> "
>> # Uncomment to allow people in group wheel to run all commands
>> # %wheel        ALL=(ALL) ALL
>>
>> # Same thing without a password
>> # %wheel        ALL=(ALL) NOPASSWD: ALL
>> "
>>
>> 	Uncommenting the wheel lines in sudoers using the Apple delivered sudo does not provide NOPASSWD action for group 'wheel.' Compiling original source with '--with-exempt=wheel' provides wheel with NOPASSWD action. Under that condition /etc/sudoers seems to work correctly. Apples compile seems not to provide that correct action.
>>
>> 	Myself, I don't use those 'wheel' lines in sudoers. I set my user for the second condition above. That way, as member of group wheel, I get to use sudo without a password because I compile sudo source using --with-exempt=wheel. Otherwise, I will be asked for a password.
>>
>> 	Or maybe its an Apple OS group permissions thing and mine are not correctly set?
>>
>> 	Shalom,
>>
>> 	John B. Brown.
>> 	[jbb at vcn.com]
>> 	358 High Street,
>> 	Buffalo, Wyoming
>> 	82834
>>
>> "Freedom is not worth having if it does not include
>> the freedom to make mistakes"  Mahatma Gandhi
>> "There was never a good war, or a bad peace."
>> Benjamin Franklin
>> "I wonder whether the world is being run
>> by smart people who are putting us on
>> or by imbeciles who really mean it."  Mark Twain
>>
>> 1-307-684-9068
>>
>>
>> Alexander Skwar wrote:
>>> John,
>>> I manually created the 666/sudoers group. And I added my user to this
>>> group as well.
>>> This allowed me to use the original Apple sudo using my user without
>>> being prompted for a password.
>>> And THIS shows, that your statement simply is wrong. sudoers does work
>>> as advertised.
>>> Best regards,
>>> Alexander
>>> On Tue, Apr 19, 2011 at 18:59, John B Brown <jbb at vcn.com> wrote:
>>>> Dear Alex,
>>>>
>>>>       There is no sudoers group on my machine, there is no group with the
>>>> number 666 as group number, being a member of wheel group with 'NOPASSWD'
>>>> allowed still didn't work.
>>>>
>>>>       I simply compiled back in the original options for sudo. Only then
>>>> did I get 'NOPASSWD' privilege as a wheel group member for real.
>>>>
>>>>       Shalom,
>>>>
>>>>       John B. Brown.
>>>>       [jbb at vcn.com]
>>>>       358 High Street,
>>>>       Buffalo, Wyoming
>>>>       82834
>>>>
>>>> "Freedom is not worth having if it does not include
>>>> the freedom to make mistakes"  Mahatma Gandhi
>>>> "There was never a good war, or a bad peace."
>>>> Benjamin Franklin
>>>> "I wonder whether the world is being run
>>>> by smart people who are putting us on
>>>> or by imbeciles who really mean it."  Mark Twain
>>>>
>>>> 1-307-684-9068
>>>>
>>>>
>>>> Alexander Skwar wrote:
>>>>
>>>>> John,
>>>>>
>>>>> That's not true. Sudoers does work as advertised. My non-admin user is
>>>>> in a custom "sudoers" group and I *am* able to use sudo. Without
>>>>> having to use su first. I am using the apple sudo.
>>>>>
>>>>> From my sudoers http://nopaste.dk/p3153 :
>>>>>
>>>>> # Defaults specification
>>>>> Defaults        env_reset
>>>>> Defaults        env_keep += "BLOCKSIZE"
>>>>> Defaults        env_keep += "COLORFGBG COLORTERM"
>>>>> Defaults        env_keep += "__CF_USER_TEXT_ENCODING"
>>>>> Defaults        env_keep += "CHARSET LANG LANGUAGE LC_ALL LC_COLLATE
>>>>> LC_CTYPE"
>>>>> Defaults        env_keep += "LC_MESSAGES LC_MONETARY LC_NUMERIC LC_TIME"
>>>>> Defaults        env_keep += "LINES COLUMNS"
>>>>> Defaults        env_keep += "LSCOLORS"
>>>>> Defaults        env_keep += "SSH_AUTH_SOCK"
>>>>> Defaults        env_keep += "TZ"
>>>>> Defaults        env_keep += "DISPLAY XAUTHORIZATION XAUTHORITY"
>>>>> Defaults        env_keep += "EDITOR VISUAL"
>>>>>
>>>>> # Runas alias specification
>>>>>
>>>>> # User privilege specification
>>>>> root    ALL=(ALL) ALL
>>>>> %admin  ALL=(ALL) ALL
>>>>>
>>>>> # Uncomment to allow people in group wheel to run all commands
>>>>> # %wheel        ALL=(ALL)       ALL
>>>>>
>>>>> # Same thing without a password
>>>>> # %wheel        ALL=(ALL)       NOPASSWD: ALL
>>>>> %sudoers        ALL=(ALL)       NOPASSWD: ALL
>>>>>
>>>>> id http://nopaste.me/paste/13423264574dac87ba2ab0e :
>>>>>
>>>>> MacBook-Pro:~ alex$ id
>>>>> uid=502(alex) gid=20(staff)
>>>>>
>>>>> groups=20(staff),103(com.apple.sharepoint.group.3),405(com.apple.sharepoint.group.7),404(com.apple.sharepoint.group.6),61(localaccounts),12(everyone),403(com.apple.sharepoint.group.5),101(com.apple.sharepoint.group.1),102(com.apple.sharepoint.group.2),667(wir),402(com.apple.sharepoint.group.4),666(sudoers)
>>>>>
>>>>>
>>>>> As you can see, I'm member of the "666 sudoers" group
>>>>> and can run sudo because of this.
>>>>>
>>>>> Regards,
>>>>> Alexander
>>>>>
>>>>> On Mon, Apr 18, 2011 at 20:15, John B Brown <jbb at vcn.com> wrote:
>>>>>
>>>>>> Daniel J. Luke wrote:
>>>>>>
>>>>>>> On Apr 18, 2011, at 1:30 PM, John B Brown wrote:
>>>>>>>
>>>>>>>>      I've found the 'native' sudo to be insufficient. My solution is a
>>>>>>>> complete compile and install right over the Apple version.
>>>>>>>>
>>>>>>> I highly recommend that no one ever do this.
>>>>>>>
>>>>>>> If you replace Apple software with your own software, things may work.
>>>>>>> Things may also break unexpectedly.
>>>>>>>
>>>>>>> Things probably will break in the future (as any future Apple software
>>>>>>> update may replace or remove your software).
>>>>>>>
>>>>>>> The important setting in the configure line is --with-exempt=[group] to
>>>>>>>> get a fully useful sudo without the necessity of using 'su.'
>>>>>>>>
>>>>>>> That configure flag lets a group use sudo without entering a password
>>>>>>> and
>>>>>>> has nothing to do with using 'su' or not.
>>>>>>>
>>>>>>> Both what you describe as wanting (be able to use sudo without 'su'-ing
>>>>>>> to
>>>>>>> someone else), and what you describe setting (being able to use sudo
>>>>>>> without
>>>>>>> entering a password) can be configured in sudo's configuration file
>>>>>>> /etc/sudoers
>>>>>>>
>>>>>>>       Unfortunately, No, sudoers does not work as advertised. Witness
>>>>>> the
>>>>>> original complaint.
>>>>>>
>>>>>>      However, claiming the sky will fall if you chose what you want in
>>>>>> your computer is ridiculous! Recompile fixes a myriad of "Apple knows
>>>>>> best"
>>>>>> crap.
>>>>>>
>>>>>>      Or did you invest in that expensive CS degree to stop thinking?
>>>>>>
>>>>>> --
>>>>>>> Daniel J. Luke
>>>>>>>     +========================================================+
>>>>>>>          | *---------------- dluke at geeklair.net ----------------* |
>>>>>>>                  | *-------------- http://www.geeklair.net-------------*
>>>>>>> |
>>>>>>> +========================================================+
>>>>>>>      |   Opinions expressed are mine and do not necessarily   |
>>>>>>>              |          reflect the opinions of my employer.          |
>>>>>>>
>>>>>>> +========================================================+
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>      Shalom,
>>>>>>
>>>>>>      John B. Brown.
>>>>>>      [jbb at vcn.com]
>>>>>>      358 High Street,
>>>>>>      Buffalo, Wyoming
>>>>>>      82834
>>>>>>
>>>>>> "Freedom is not worth having if it does not include
>>>>>> the freedom to make mistakes"  Mahatma Gandhi
>>>>>> "There was never a good war, or a bad peace."
>>>>>> Benjamin Franklin
>>>>>> "I wonder whether the world is being run
>>>>>> by smart people who are putting us on
>>>>>> or by imbeciles who really mean it."  Mark Twain
>>>>>>
>>>>>> 1-307-684-9068
>>>>>> _______________________________________________
>>>>>> macports-users mailing list
>>>>>> macports-users at lists.macosforge.org
>>>>>> http://lists.macosforge.org/mailman/listinfo.cgi/macports-users
>>>>>>
>>>>>>
>>>>>
>> _______________________________________________
>> macports-users mailing list
>> macports-users at lists.macosforge.org
>> http://lists.macosforge.org/mailman/listinfo.cgi/macports-users
> 



	Shalom,

	John B. Brown.
	[jbb at vcn.com]
	358 High Street,
	Buffalo, Wyoming
	82834

"Freedom is not worth having if it does not include
the freedom to make mistakes"  Mahatma Gandhi
"There was never a good war, or a bad peace."
Benjamin Franklin
"I wonder whether the world is being run
by smart people who are putting us on
or by imbeciles who really mean it."  Mark Twain

1-307-684-9068


More information about the macports-users mailing list