As a beginner, I am using Fedora 18 64-bit. Firefox needs the Adobe Flash Player plugin, and I have downloaded the file install_flash_player_11_linux.x86_64.tar.gz. In the terminal, when I copied the file libflashplayer.so to /usr/lib64/mozilla/plugins, the result was that my user name is not in the sudoers file. Apart from the C language, I do not know anything more about computers. BY TERMINAL, I NEED THE DETAILED OPERATING PROCESS FOR EDITING THE SUDOERS FILE -- EVEN EVERY COMMAND
On Fri, 2013-06-14 at 12:37 +0800, LingxianGuo wrote:
As a beginner, I am using Fedora 18 64-bit. Firefox needs the Adobe Flash Player plugin, and I have downloaded the file install_flash_player_11_linux.x86_64.tar.gz. In the terminal, when I copied the file libflashplayer.so to /usr/lib64/mozilla/plugins, the result was that my user name is not in the sudoers file. Apart from the C language, I do not know anything more about computers. BY TERMINAL, I NEED THE DETAILED OPERATING PROCESS FOR EDITING THE SUDOERS FILE -- EVEN EVERY COMMAND
You could try copying it just for your user first, just run:
cp libflashplayer.so ${HOME}/.mozilla/plugins/
Thanks, Michael
On 06/13/2013 11:37 PM, LingxianGuo wrote:
As a beginner, I am using Fedora 18 64-bit. Firefox needs the Adobe Flash Player plugin, and I have downloaded the file install_flash_player_11_linux.x86_64.tar.gz. In the terminal, when I copied the file libflashplayer.so to /usr/lib64/mozilla/plugins, the result was that my user name is not in the sudoers file. Apart from the C language, I do not know anything more about computers. BY TERMINAL, I NEED THE DETAILED OPERATING PROCESS FOR EDITING THE SUDOERS FILE -- EVEN EVERY COMMAND
As root, type visudo
remove the comment before the 2nd line here so it looks like this:
## Allows people in group wheel to run all commands
%wheel ALL=(ALL) ALL
Save the file.
Still as root, edit the groups file:
vi /etc/group
Find the line with "wheel" and add your user id after the colon
wheel:x:10:sdstern
Save the file. Log out of your terminal session and open a new one and you'll be able to sudo.
If you're using Firefox, it's probably easier to load the Flash plugin from Adobe's repo than to download and copy it yourself -- and to keep it up to date.
See http://www.if-not-true-then-false.com/2010/install-adobe-flash-player-10-on-... for instructions.
On Fri, Jun 14, 2013 at 07:38:40AM -0500, Steven Stern wrote:
remove the comment before the 2nd line here so it looks like this:
## Allows people in group wheel to run all commands
%wheel ALL=(ALL) ALL
This line *IS* uncommented by default.
Still as root, edit the groups file:
vi /etc/group
Find the line with "wheel" and add your user id after the colon
wheel:x:10:sdstern
Or, better, because there's less chance of accidentally making a mistake which breaks your system (possible when editing /etc/group), use this command as root:
gpasswd wheel -a sdstern
Or, you can use the GUI user admin tool to do the same thing.
So, you *don't* need to edit the file directly, which is a good thing, because the sudoers file has a complicated and fussy syntax.
On 06/14/2013 08:11 AM, Matthew Miller wrote:
remove the comment before the 2nd line here so it looks like this:
## Allows people in group wheel to run all commands
%wheel ALL=(ALL) ALL
This line *IS* uncommented by default.
Hmmm... Maybe it's been so long since I've had to do it. In any case, it was commented on the two CentOS 6 systems I just set up.
On 06/14/2013 12:42 PM, Steven Stern wrote:
On 06/14/2013 08:11 AM, Matthew Miller wrote:
remove the comment before the 2nd line here so it looks like this:
## Allows people in group wheel to run all commands
%wheel ALL=(ALL) ALL
This line *IS* uncommented by default.
Hmmm... Maybe it's been so long since I've had to do it. In any case, it was commented on the two CentOS 6 systems I just set up.
In my sudoers, that line is commented out, and should be. You don't want everybody and his brother to have sudo privileges. What you need to do is insert the _following_ line, that looks like (in my case)
doug ALL=(ALL) ALL
put your user-name in where mine is.
--doug
On Fri, Jun 14, 2013 at 01:04:13PM -0400, Doug wrote:
## Allows people in group wheel to run all commands
%wheel ALL=(ALL) ALL
This line *IS* uncommented by default.
Hmmm... Maybe it's been so long since I've had to do it. In any case, it was commented on the two CentOS 6 systems I just set up.
In my sudoers, that line is commented out, and should be. You don't want everybody and his brother to have sudo privileges.
"Everybody and his brother" should not be in the wheel group. "Wheel" is the group for people with administrative privileges on the system.
On 06/14/2013 01:43 PM, Matthew Miller wrote:
On Fri, Jun 14, 2013 at 01:04:13PM -0400, Doug wrote:
## Allows people in group wheel to run all commands
%wheel ALL=(ALL) ALL
This line *IS* uncommented by default.
Hmmm... Maybe it's been so long since I've had to do it. In any case, it was commented on the two CentOS 6 systems I just set up.
In my sudoers, that line is commented out, and should be. You don't want everybody and his brother to have sudo privileges.
"Everybody and his brother" should not be in the wheel group. "Wheel" is the group for people with administrative privileges on the system.
OK, let's now have some fun....
sudo cp /bin/bash /bin/mylocalshell
sudo mylocalshell
I know this is preventable, but it's something to think about. No one should have sudo who you would not trust with root itself. sudo just adds a layer of accountability.
On 14.06.2013 20:51, Steven Stern wrote:
On 06/14/2013 01:43 PM, Matthew Miller wrote:
On Fri, Jun 14, 2013 at 01:04:13PM -0400, Doug wrote:
> ## Allows people in group wheel to run all commands
> %wheel ALL=(ALL) ALL
This line *IS* uncommented by default.
Hmmm... Maybe it's been so long since I've had to do it. In any case, it was commented on the two CentOS 6 systems I just set up.
In my sudoers, that line is commented out, and should be. You don't want everybody and his brother to have sudo privileges.
"Everybody and his brother" should not be in the wheel group. "Wheel" is the group for people with administrative privileges on the system.
OK, let's now have some fun....
sudo cp /bin/bash /bin/mylocalshell
sudo mylocalshell
I know this is preventable, but it's something to think about. No one should have sudo who you would not trust with root itself. sudo just adds a layer of accountability
and that is why you can restrict sudo to a limited set of commands, while putting somebody in the wheel group is the same as giving him the root password, except for logging, which with root permissions can also be tricked as long as syslog is not pushing to a network machine
On Fri, Jun 14, 2013 at 01:51:42PM -0500, Steven Stern wrote:
> %wheel ALL=(ALL) ALL
This line *IS* uncommented by default.
Hmmm... Maybe it's been so long since I've had to do it. In any case, it was commented on the two CentOS 6 systems I just set up.
In my sudoers, that line is commented out, and should be. You don't want everybody and his brother to have sudo privileges.
"Everybody and his brother" should not be in the wheel group. "Wheel" is the group for people with administrative privileges on the system.
OK, let's now have some fun....
sudo cp /bin/bash /bin/mylocalshell
sudo mylocalshell
I know this is preventable, but it's something to think about. No one should have sudo who you would not trust with root itself. sudo just adds a layer of accountability.
I'm a little perplexed by your "fun". Maybe it is not obvious, but the above line allows any member of the wheel group (but just members of that group) to use sudo for any command, which, yes, allows the same access level as root. I don't think anyone is suggesting otherwise. You can just skip right to "sudo bash", or, probably better, "sudo -i".
It's also the case that once you have root, or group membership, unless a full audit of all files on the system is performed, it's difficult to make sure that that access is _gone_ -- you can't just remove someone from the list. But that's another issue.
On 06/14/2013 11:51 AM, Steven Stern wrote:
OK, let's now have some fun....
sudo cp /bin/bash /bin/mylocalshell
sudo mylocalshell
I know this is preventable, but it's something to think about. No one should have sudo who you would not trust with root itself. sudo just adds a layer of accountability.
AIUI, use of sudo is logged. If you want to limit the number of suspicious entries, use this as the second command:
sudo chmod a+s /bin/mylocalshell
Unless my understanding of how that works is badly off (and if it is, please let me know) mylocalshell now runs with root privileges by default. No more need to use sudo and risk having somebody spot abuses in a log. In fact, you can have your sudo privs revoked and still have root access.
On Fri, Jun 14, 2013 at 12:21:44PM -0700, Joe Zeff wrote:
sudo cp /bin/bash /bin/mylocalshell
sudo mylocalshell
I know this is preventable, but it's something to think about. No one should have sudo who you would not trust with root itself. sudo just adds a layer of accountability.
AIUI, use of sudo is logged. If you want to limit the number of suspicious entries, use this as the second command:
sudo chmod a+s /bin/mylocalshell
Oh no. Start with 'sudo bash' or 'sudo su'. People do this all the time. Then `unset HISTFILE`. Then do the above not with sudo.
But this is very off-topic.
On 06/14/2013 01:04 PM, Matthew Miller wrote:
Oh no. Start with 'sudo bash' or 'sudo su'. People do this all the time. Then `unset HISTFILE`. Then do the above not with sudo.
But this is very off-topic.
It is and it isn't. If nothing else, it makes it clear just how easy it is to gain un-logged root access if you have unrestricted access to sudo, even for a short time. If you're going to add any of your users to sudoers, think carefully about just what access they need, and don't give anybody more than you have to. And, don't add them to wheel unless you'd be willing to give them the root password, because with wheel having unlimited sudo rights, there's no practical difference (except for logging) that I can see.
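The audit Matthew Miller mentions above (group membership can be revoked, a leftover setuid file cannot) can be scripted. This is an added example, not part of any post in the thread: it lists setuid/setgid files under a directory that are missing from an allowlist; the allowlist file and the paths in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): report setuid/setgid files that are
# not on an allowlist, e.g. a copied shell left behind with "chmod a+s".

# audit_setid DIR ALLOWLIST
#   DIR        directory tree to scan (stays on one filesystem)
#   ALLOWLIST  file with one expected setuid/setgid path per line
# Prints "<mode> <owner> <package> <path>" for every unexpected file.
audit_setid() {
    dir=$1
    allow=$2
    find "$dir" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null |
    sort |
    while IFS= read -r path; do
        # Paths listed verbatim in the allowlist are expected; skip them.
        if grep -Fxq -- "$path" "$allow"; then
            continue
        fi
        # On RPM systems, ask which package owns the file. A copy made by
        # hand belongs to no package.
        if ! command -v rpm >/dev/null 2>&1; then
            pkg=unknown
        elif pkg=$(rpm -qf --queryformat '%{NAME}\n' "$path" 2>/dev/null); then
            pkg=$(printf '%s\n' "$pkg" | head -n 1)
        else
            pkg=UNPACKAGED
        fi
        # ls -ld gives the mode string (an "s" marks setuid/setgid) and owner.
        ls -ld -- "$path" |
            awk -v pkg="$pkg" -v p="$path" '{ print $1, $3, pkg, p }'
    done
}

# Run as: sh audit_setid.sh /usr /root/setid-allowlist.txt (placeholder names)
if [ "$#" -ge 2 ]; then
    audit_setid "$1" "$2"
fi
```

Build the allowlist from a freshly installed system, so that anything reported later is a change made after installation.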
Doug:
In my sudoers, that line
... which is this line: %wheel ALL=(ALL) ALL
is commented out, and should be. You don't want everybody and his brother to have sudo privileges.
It doesn't need to be. Because no users are in the wheel group unless you customise things when setting up the user accounts. And anyone who was capable of putting themselves in the wheel group, would be just as able to edit the sudoers file.
This is an alternative way of doing the same thing:
What you need to do is insert the _following_ line, that looks like (in my case)
doug ALL=(ALL) ALL
put your user-name in where mine is.
... of giving specific users special privileges via a different route.
The method of adding specific users into the sudoers file is that you can add them without *ALL* privileges, so that they can have *some* special abilities more than an ordinary user, but will be restricted from doing other things. In essence, you're whitelisting the commands that they will be allowed to use.
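What such a whitelisting rule looks like, as an added example that is not part of the thread: the script builds a sudoers line limiting one user to named commands and runs visudo's syntax check on it before anything is installed. The user name `alice` and the `systemctl` commands in the usage comment are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): build a sudoers rule that whitelists
# specific commands, and syntax-check it before it is installed.

# restricted_rule USER CMD [CMD...]
# Prints "USER ALL=(root) CMD, CMD..." or fails on input that would need
# escaping or would widen the rule (relative paths, "ALL", wildcards).
restricted_rule() {
    user=$1
    shift
    case $user in
        ''|[!a-z_]*|*[!a-z0-9_-]*) echo "bad user name: $user" >&2; return 1 ;;
    esac
    [ "$#" -gt 0 ] || { echo "no commands given" >&2; return 1; }
    list=
    for cmd in "$@"; do
        case $cmd in
            *[,:=\\*?]*) echo "wildcard or separator in: $cmd" >&2; return 1 ;;
            /*) ;;   # sudoers matches commands by fully qualified path
            *) echo "not an absolute path: $cmd" >&2; return 1 ;;
        esac
        list=${list:+$list, }$cmd
    done
    printf '%s ALL=(root) %s\n' "$user" "$list"
}

# check_rule FILE
# Returns 0 if visudo accepts FILE, 1 if it reports an error, 2 if visudo
# is not installed. "visudo -c -f" only parses; it installs nothing.
check_rule() {
    command -v visudo >/dev/null 2>&1 || return 2
    visudo -c -f "$1" >/dev/null 2>&1
}

# Run as: sh rule.sh alice "/usr/bin/systemctl restart httpd"
if [ "$#" -ge 2 ]; then
    tmp=$(mktemp)
    if restricted_rule "$@" > "$tmp" && check_rule "$tmp"; then
        cat "$tmp"   # passed the check; root can install it under /etc/sudoers.d/
    fi
    rm -f "$tmp"
fi
```

A whitelist is only as narrow as its commands: as the thread shows with cp and chmod, a command that can write files or start a shell as root gives back full root access.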
On 06/14/2013 12:37 AM, LingxianGuo wrote:
As a beginner, I am using Fedora 18 64-bit. Firefox needs the Adobe Flash Player plugin, and I have downloaded the file install_flash_player_11_linux.x86_64.tar.gz. In the terminal, when I copied the file libflashplayer.so to /usr/lib64/mozilla/plugins, the result was that my user name is not in the sudoers file. Apart from the C language, I do not know anything more about computers. BY TERMINAL, I NEED THE DETAILED OPERATING PROCESS FOR EDITING THE SUDOERS FILE -- EVEN EVERY COMMAND
While you are "supposed" to use visudo to edit sudoers, that requires that you know how to use the vi editor. Visudo is designed to catch mistakes that you make. However, you can edit sudoers with any editor; it is only a text file and doesn't know any better. You must have root privileges to edit sudoers, however.
--doug
On Fri, Jun 14, 2013 at 11:25:39AM -0400, Doug wrote:
While you are "supposed" to use visudo to edit sudoers, that requires that you know how to use the vi editor. Visudo is designed to catch mistakes that you make. However, you can edit sudoers with any editor; it is only a text file and doesn't know any better. You must have root privileges to edit sudoers, however.
Technically, visudo doesn't require vi. From the man page:
There is a hard-coded list of one or more editors that visudo will use set at compile-time that may be overridden via the editor sudoers Default variable. This list defaults to /usr/local/bin/vi. Normally, visudo does not honor the VISUAL or EDITOR environment variables unless they contain an editor in the aforementioned editors list. However, if visudo is configured with the --with-env-editor option or the env_editor Default variable is set in sudoers, visudo will use any the editor defines by VISUAL or EDITOR. Note that this can be a security hole since it allows the user to execute any program they wish simply by setting VISUAL or EDITOR.
But of course that requires configuration. And I stick to my repeated position that avoiding editing sudoers is the best choice.
On Fri, Jun 14, 2013 at 11:25:39AM -0400, Doug wrote:
On 06/14/2013 12:37 AM, LingxianGuo wrote:
As a beginner, I am using Fedora 18 64-bit. Firefox needs the Adobe Flash Player plugin, and I have downloaded the file install_flash_player_11_linux.x86_64.tar.gz. In the terminal, when I copied the file libflashplayer.so to /usr/lib64/mozilla/plugins, the result was that my user name is not in the sudoers file. Apart from the C language, I do not know anything more about computers. BY TERMINAL, I NEED THE DETAILED OPERATING PROCESS FOR EDITING THE SUDOERS FILE -- EVEN EVERY COMMAND
While you are "supposed" to use visudo to edit sudoers, that requires that you know how to use the vi editor. Visudo is designed to catch mistakes that you make. However, you can edit sudoers with any editor; it is only a text file and doesn't know any better. You must have root privileges to edit sudoers, however.
--doug
EDITOR=nano visudo solves that problem; alternatively, you can set the EDITOR environment variable beforehand. Of course, it doesn't have to be nano.
Never edit the actual sudoers file by hand; visudo does some syntax checks to check for errors in the edit.
Allegedly, on or about 14 June 2013, staticsafe sent:
visudo does some syntax checks to check for errors in the edit.
As well as ensuring that your edits are accepted. It's possible to edit the file, and thanks to the timing of when you did the edit, and other things happening on the system, that your changes get ignored.
I seem to recall an email about that, on this list, a few months ago.