user created at install added in sudoers ?

Matthew Miller mattdm at mattdm.org
Thu Jun 21 02:03:25 UTC 2007


On Thu, Jun 21, 2007 at 07:35:24AM +0930, n0dalus wrote:
> >We could easily set up the sudoers file like this:
> >  a) for wheel-group members, auth-as-self.
> >  b) for non-wheel-group-members, sudo prompts for the *root* password.
> I'm not sure this is possible to do with sudoers. Please post the

Sure it is. Why would I have suggested it otherwise?

> lines you would expect to see in the file. I think that kind of
> behaviour would require patching sudo, and would be inconsistent with
> the sudo documentation found anywhere on the internet.

What, the man page isn't on the internet? :)


You just need to do this:

  Defaults:ALL,!%wheel rootpw

and optionally

  Defaults        passprompt="Root password:"
  Defaults:%wheel passprompt="Your password:"

and then

  ALL    ALL=(ALL)       ALL

That last line is a bit scary but is as safe as allowing anyone to run the
su command, assuming nothing screws with the Defaults line. There'd be other
ways to accomplish the same goal with a little more complexity in return for
a more fail-safe feeling, but you get the idea.


It *is* unfortunate that there isn't a ROOTPW or ROOTPASSWD "tag" (in sudo
terminology) to match the existing NOPASSWD. (And a TARGETPW, while we're at
it.) That'd be a slightly nicer way to do this. The upstream author might
accept a patch to add that, actually. That way, you could do:

  ALL        ALL=(ALL)       ROOTPW: ALL
  wheel      ALL=(ALL)       

instead of the split between the defaults line and "ALL ALL=(ALL) ALL".


-- 
Matthew Miller           mattdm at mattdm.org          <http://mattdm.org/>
Boston University Linux      ------>              <http://linux.bu.edu/>
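
Added example, not part of the original message and not code from sudo: a small lint for the caveat above that the blanket rule is only as safe as su "assuming nothing screws with the Defaults line". The function names and sample inputs are constructed for illustration, and the parsing is deliberately simplified (no aliases, include files or line continuations; the last matching Defaults entry in file order is assumed to win).

```python
import re

# Simplified lint: assumes no aliases, include files or line continuations,
# and that the last matching Defaults entry in file order wins.
ALL_RULE = re.compile(r"^ALL\s+ALL\s*=\s*\(ALL(?::ALL)?\)\s*ALL$")
DEFAULTS = re.compile(r"^Defaults(?::(?P<scope>\S+))?\s+(?P<opts>.+)$")
# Defaults scopes that cover users outside the wheel group (None = unscoped).
NONWHEEL_SCOPES = {None, "ALL", "ALL,!%wheel"}


def nonwheel_rootpw(lines):
    """Return True if rootpw ends up enabled for non-wheel users."""
    enabled = False
    for line in lines:
        m = DEFAULTS.match(line)
        if m and m.group("scope") in NONWHEEL_SCOPES:
            for opt in (o.strip() for o in m.group("opts").split(",")):
                if opt in ("rootpw", "!rootpw"):
                    enabled = opt == "rootpw"
    return enabled


def audit(text):
    """Return findings for a sudoers text; an empty list means it passes."""
    lines = [l.strip() for l in text.splitlines()]
    lines = [l for l in lines if l and not l.startswith("#")]
    if not any(ALL_RULE.match(l) for l in lines):
        return []  # no blanket rule, nothing for rootpw to guard
    if nonwheel_rootpw(lines):
        return []
    return ["blanket 'ALL ALL=(ALL) ALL' rule without rootpw for non-wheel users"]


# Constructed sample inputs.
GOOD = """\
Defaults:ALL,!%wheel rootpw
Defaults        passprompt="Root password:"
Defaults:%wheel passprompt="Your password:"
ALL    ALL=(ALL)       ALL
"""
COMMENTED_OUT = GOOD.replace("Defaults:ALL", "#Defaults:ALL", 1)
OVERRIDDEN = GOOD.replace("ALL    ALL=", "Defaults !rootpw\nALL    ALL=", 1)

if __name__ == "__main__":
    for name, text in [("good", GOOD), ("commented out", COMMENTED_OUT),
                       ("overridden", OVERRIDDEN)]:
        print(name, audit(text) or "ok")
```

A check like this complements, and does not replace, syntax validation with `visudo -c`.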



