Mailing List Archive

Change in sudoers format?
I just ran an update and noticed that etc-update wants to change the
layout of /etc/sudoers, specifically...

######################################################################

##
## User privilege specification
##
-root ALL=(ALL) ALL
+root ALL=(ALL:ALL) ALL

## Uncomment to allow members of group wheel to execute any command
-# %wheel ALL=(ALL) ALL
+# %wheel ALL=(ALL:ALL) ALL

## Same thing without a password
-# %wheel ALL=(ALL) NOPASSWD: ALL
+# %wheel ALL=(ALL:ALL) NOPASSWD: ALL

## Uncomment to allow members of group sudo to execute any command
-# %sudo ALL=(ALL) ALL
+# %sudo ALL=(ALL:ALL) ALL

## Uncomment to allow any user to run sudo if they know the password
## of the user they are running the command as (root by default).
# Defaults targetpw # Ask for the password of the target user
-# ALL ALL=(ALL) ALL # WARNING: only use this together with 'Defaults targetpw'
+# ALL ALL=(ALL:ALL) ALL # WARNING: only use this together with 'Defaults targetpw'

######################################################################
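
Review bot: Nothing in the comments explains the new `(ALL:ALL)` form: the `## User privilege specification` header and the "Uncomment to allow ..." lines are unchanged while every rule gains `:ALL`. Suggest a one-line comment noting that the part after the colon is the group list accepted by `sudo -g`. Only the `root` rule is uncommented in this hunk, so the active change is limited to root also being allowed to choose a group; the `%wheel`, `%sudo` and `ALL ALL=` lines stay commented templates. If the live file carries local rules, merge rather than replace, and run `visudo -c` afterwards to confirm it still parses.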

...and similar changes for /etc/sudoers.dist. What is this about, and
should I go ahead?

--
Walter Dnes <waltdnes@waltdnes.org>
I don't run "desktop environments"; I run useful applications
Re: Change in sudoers format?
On Thursday, 26 May 2022 21:54:50 BST Walter Dnes wrote:
> I just ran an update and noticed that etc-update wants to change the
> layout of /etc/sudoers, specifically...
>
> ######################################################################
>
> ##
> ## User privilege specification
> ##
> -root ALL=(ALL) ALL
> +root ALL=(ALL:ALL) ALL
[snip ...]

> ...and similar changes for /etc/sudoers.dist. What is this about, and
> should I go ahead?

I can't recall how long ago the syntax changed to this format. I'm currently
running 'app-admin/sudo1.9.10-r1' and it works as it should using the new
syntax. Therefore I would think you can go ahead with accepting this change.
Re: Change in sudoers format?
On Thursday, 26 May 2022 21:54:50 BST Walter Dnes wrote:
> I just ran an update and noticed that etc-update wants to change the
> layout of /etc/sudoers, specifically...
>
> ######################################################################
>
> ##
> ## User privilege specification
> ##
> -root ALL=(ALL) ALL
> +root ALL=(ALL:ALL) ALL
>
> ## Uncomment to allow members of group wheel to execute any command
> -# %wheel ALL=(ALL) ALL
> +# %wheel ALL=(ALL:ALL) ALL
>
> ## Same thing without a password
> -# %wheel ALL=(ALL) NOPASSWD: ALL
> +# %wheel ALL=(ALL:ALL) NOPASSWD: ALL
>
> ## Uncomment to allow members of group sudo to execute any command
> -# %sudo ALL=(ALL) ALL
> +# %sudo ALL=(ALL:ALL) ALL
>
> ## Uncomment to allow any user to run sudo if they know the password
> ## of the user they are running the command as (root by default).
> # Defaults targetpw # Ask for the password of the target user
> -# ALL ALL=(ALL) ALL # WARNING: only use this together with 'Defaults
> targetpw' +# ALL ALL=(ALL:ALL) ALL # WARNING: only use this together with
> 'Defaults targetpw'
>
> ######################################################################
>
> ...and similar changes for /etc/sudoers.dist. What is this about, and
> should I go ahead?

I did it without thinking about it, and nothing untoward has befallen. Yet.

--
Regards,
Peter.
Re: Change in sudoers format?

On 2022-05-29, at 14:47:12
Peter Humphrey <peter@prh.myzen.co.uk> wrote:

> On Thursday, 26 May 2022 21:54:50 BST Walter Dnes wrote:
> > I just ran an update and noticed that etc-update wants to change
> > the layout of /etc/sudoers, specifically...
> >
> > ######################################################################
> >
> > ##
> > ## User privilege specification
> > ##
> > -root ALL=(ALL) ALL
> > +root ALL=(ALL:ALL) ALL
> >
> > ## Uncomment to allow members of group wheel to execute any command
> > -# %wheel ALL=(ALL) ALL
> > +# %wheel ALL=(ALL:ALL) ALL
> >
> > ## Same thing without a password
> > -# %wheel ALL=(ALL) NOPASSWD: ALL
> > +# %wheel ALL=(ALL:ALL) NOPASSWD: ALL
> >
> > ## Uncomment to allow members of group sudo to execute any command
> > -# %sudo ALL=(ALL) ALL
> > +# %sudo ALL=(ALL:ALL) ALL
> >
> > ## Uncomment to allow any user to run sudo if they know the
> > password ## of the user they are running the command as (root by
> > default). # Defaults targetpw # Ask for the password of the target
> > user -# ALL ALL=(ALL) ALL # WARNING: only use this together with
> > 'Defaults targetpw' +# ALL ALL=(ALL:ALL) ALL # WARNING: only use
> > this together with 'Defaults targetpw'
> >
> > ######################################################################
> >
> > ...and similar changes for /etc/sudoers.dist. What is this about,
> > and should I go ahead?
>
> I did it without thinking about it, and nothing untoward has
> befallen. Yet.
>

After reading 'man sudoers' (especially the 'examples' part) I see
there's a slight difference between (although in case of gaining root
privileges it is only a matter of aesthetics):
Line:
xyz A=(B:C) D
means:
User xyz can execute command D on host A as user B in group C
Therefore changing:
root ALL=(ALL) ALL
to
root ALL=(ALL:ALL) ALL
is just a matter of consistency ;)

----
xWK
Re: Change in sudoers format?
On 5/29/22 9:48 AM, wkuz@op.pl wrote:
> User xyz can execute command D on host A as user B in group C

...

> is just a matter of consistency ;)

The group that a command is run as starts to become much more germane
when you are using sudo to run commands as a different non-root user.
E.g. if you want to run commands as the Oracle user to manage things
about a database.

In some ways this is somewhat akin to setting the GID bit on a directory
so that newly created files inherit the group of the directory. At
least insofar as the type of situation that would necessitate the use of
this feature.



--
Grant. . . .
unix || die
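
The difference between `(ALL)` and `(ALL:ALL)` discussed in the two replies above, as an added example that is not part of any poster's message: a small Python parser for simple user specifications that reports which `sudo -u` and `sudo -g` targets a rule's Runas spec accepts. The names alice, dbhost, oracle and dba are constructed; the code assumes the default target user is root and does not handle aliases, negation, `%group`/`#uid` Runas entries or multi-command rules.

```python
import re

# Constructed sample: the two forms from the thread plus hypothetical
# non-root rules (alice, dbhost, oracle and dba are made-up names).
SAMPLE = """\
## User privilege specification
root ALL=(ALL) ALL
root ALL=(ALL:ALL) ALL
# %wheel ALL=(ALL:ALL) NOPASSWD: ALL
alice dbhost=(oracle) /usr/bin/sqlplus
alice dbhost=(oracle:dba) /usr/bin/sqlplus
alice dbhost=/usr/bin/id
"""

RULE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>[^=\s]+)\s*=\s*"      # user and host
    r"(?:\((?P<runas>[^)]*)\)\s*)?"                  # optional (users:groups)
    r"(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmd>\S.*)$"      # tags such as NOPASSWD:
)

def parse_sudoers(text):
    """Parse simple one-command user specifications into dictionaries."""
    rules = []
    for line in text.splitlines():
        m = RULE.match(line.strip())
        if m is None or m["who"].startswith(("#", "Defaults")):
            continue  # blank line, comment, Defaults entry or unsupported
        if m["runas"] is None:
            # No Runas spec: the target is root and no group may be given.
            users, groups = ["root"], []
        else:
            u, _, g = m["runas"].partition(":")
            users = [x.strip() for x in u.split(",") if x.strip()]
            groups = [x.strip() for x in g.split(",") if x.strip()]
        rules.append({"who": m["who"], "host": m["host"], "users": users,
                      "groups": groups, "cmd": m["cmd"],
                      "nopasswd": "NOPASSWD:" in m["tags"]})
    return rules

def allows_user(rule, user):
    """True if `sudo -u user` matches the rule's Runas user list."""
    return "ALL" in rule["users"] or user in rule["users"]

def allows_group(rule, group):
    """True if `sudo -g group` matches the Runas group list (empty: never)."""
    return "ALL" in rule["groups"] or group in rule["groups"]
```

For the root rules the two forms differ only in whether `-g` is accepted at all; for the constructed alice rules the group list decides whether the command can be run with group dba.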
Re: Change in sudoers format?
Thanks for the comments everybody. I'll let etc-update do its thing.

--
Walter Dnes <waltdnes@waltdnes.org>
I don't run "desktop environments"; I run useful applications