
#1 2008-10-20 20:27:13

Dieter@be
Forum Fellow
From: Belgium
Registered: 2006-11-05
Posts: 2,001

sudo doesn't always ask password even though it should

Hi, sometimes sudo asks for a password, sometimes it doesn't.  This seems to be pretty random.  I just rebooted and the first thing I did was sudo <command> and it didn't ask for a password.
Here's my config.  I think it's pretty much default.

root    ALL=(ALL) ALL
# Uncomment to allow people in group wheel to run all commands
%wheel ALL=(ALL) ALL
# Same thing without a password
# %wheel        ALL=(ALL) NOPASSWD: ALL

< Daenyth> and he works prolifically
4 8 15 16 23 42

Offline

#2 2008-10-20 20:51:28

phrakture
Arch Overlord
From: behind you
Registered: 2003-10-29
Posts: 7,879

Re: sudo doesn't always ask password even though it should

sudo has a bit of a "login time". If you enter your password once, you have a bit of a grace period before you need to enter it again. I do not know if you can shut this off, but check "man sudoers" for options.

Offline

#3 2008-10-21 12:43:32

broch
Banned
From: L.A. California
Registered: 2006-11-13
Posts: 975

Re: sudo doesn't always ask password even though it should

1) you can change sudo settings so it will never remember password:
timestamp_timeout
e.g.
Defaults:dieter    timestamp_timeout=0, passwd_tries=1

above means that sudo will never remember password for user dieter (timestamp_timeout=0). It also means that user dieter will have only 1 chance to correctly enter password (passwd_tries=1)

you may also force root password requirements on user (add runaspw)

Note: this in general defies security. You should make sure that there is less not more passwords flying around.
In other words sudo should not ask for password at all (and you should define user group that can use sudo)

Offline
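
Added example, not part of any post in this thread and not code from sudo itself: a small Python parser that reads sudoers text and reports the active NOPASSWD rules and the timestamp_timeout policy that applies to a user. The sample is constructed from the configuration in post #1 plus the Defaults line in post #3; the function names are hypothetical, and a single file without aliases, include directives or line continuations is assumed.

```python
import re

# Constructed sample: post #1's sudoers lines plus post #3's per-user Defaults.
SAMPLE = """\
root    ALL=(ALL) ALL
%wheel ALL=(ALL) ALL
# Same thing without a password
# %wheel        ALL=(ALL) NOPASSWD: ALL
Defaults:dieter    timestamp_timeout=0, passwd_tries=1
"""

DEFAULTS_RE = re.compile(r"^Defaults(?::(\S+))?\s+(.*)$")  # global or per-user
SPEC_RE = re.compile(r"^(\S+)\s+\S+\s*=\s*(.*)$")          # who host=(runas) cmds

def audit(text):
    """Return (defaults, rules): defaults maps scope -> {option: value};
    rules lists (who, nopasswd) for every active user specification."""
    defaults, rules = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # commented-out rules are inactive
            continue
        m = DEFAULTS_RE.match(line)
        if m:
            scope = m.group(1) or "*"         # "*" stands for global Defaults
            for item in m.group(2).split(","):
                name, _, value = item.strip().partition("=")
                defaults.setdefault(scope, {})[name] = value or True
        elif not line.startswith("Defaults"):  # skip host/runas/command scopes
            s = SPEC_RE.match(line)
            if s:
                rules.append((s.group(1), "NOPASSWD:" in s.group(2)))
    return defaults, rules

def prompt_policy(defaults, user):
    """Describe when sudo re-prompts `user`, based on timestamp_timeout only."""
    opts = {**defaults.get("*", {}), **defaults.get(user, {})}
    timeout = opts.get("timestamp_timeout")
    if timeout is None:
        return "compiled-in grace period applies"
    minutes = float(timeout)
    if minutes == 0:
        return "password asked on every sudo invocation"
    if minutes < 0:
        return "no timeout on cached credentials"
    return f"password cached for {minutes:g} minutes"
```

On a live system, `visudo -c` checks the syntax of the real sudoers file and `sudo -k` invalidates the cached credentials immediately.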

#4 2008-10-21 17:41:51

Dieter@be
Forum Fellow
From: Belgium
Registered: 2006-11-05
Posts: 2,001

Re: sudo doesn't always ask password even though it should

Thanks guys, figured it out in man sudoers (Didn't know it could do so much)

broch wrote:

Note: this in general defies security. You should make sure that there is less not more passwords flying around.
In other words sudo should not ask for password at all (and you should define user group that can use sudo)

I don't get this? Why would you give a user root access without password confirmation?  This means users can kill your entire system?

Maybe your rule applies if you have users who write down passwords or leave them unprotected.  But assuming users take care of their passwords, I prefer password confirmation.


< Daenyth> and he works prolifically
4 8 15 16 23 42

Offline

#5 2008-10-21 18:30:36

broch
Banned
From: L.A. California
Registered: 2006-11-13
Posts: 975

Re: sudo doesn't always ask password even though it should

Dieter@be wrote:

I don't get this? Why would you give a user root access without password confirmation?  This means users can kill your entire system?

are you saying that giving up root password is safer? In what sense?

In your scenario, you need to give sudo privileges to specified users. Is that correct?
now if one of these users will leave, you will need to change root password (assuming that you are really giving up root password)

In my scenario,
I create a group of users who can use sudo e.g. sudogroup.  If user does not belong to sudogroup, he can't use sudo
they don't need to know root password, they need to perform specific tasks. If someone is leaving, remove him from sudogroup. That is all.

In general giving up root password (to anyone) is not best security measure.
Additionally, there are simple ways to recover password (echo) on some systems (e.g. suse had this problem quite recently).

Also sudo privileges should not be equal to root privileges.

Offline

#6 2008-10-21 18:38:48

creslin
Member
Registered: 2008-10-04
Posts: 241

Re: sudo doesn't always ask password even though it should

@broch, if I'm understanding you correctly, I think you're confusing which password is prompted by sudo.  If a user in the wheel group invokes sudo, sudo asks the user for the user's password, not the root password.


ARCH|awesome3.0 powered by Pentium M 750 | 512MB DDR2-533 | Radeon X300 M
The journey is the reward.

Offline

#7 2008-10-21 18:41:31

Dieter@be
Forum Fellow
From: Belgium
Registered: 2006-11-05
Posts: 2,001

Re: sudo doesn't always ask password even though it should

broch wrote:

are you saying that giving up root password is safer? In what sense?

No, when sudo'ing with passwords, the password you must give is your own (eg confirm your own identity).  It could be that you can also configure it to ask the root pass (you would get a su-alike then) but that's definitely not the default, if it even is possible.

broch wrote:

Also sudo privileges should not be equal to root privileges.

Definitely agreed.  Even though you can restrict root privileges (via sudo) to certain users, certain programs etc, I still think it's better to ask for the user's password as confirmation.


< Daenyth> and he works prolifically
4 8 15 16 23 42

Offline

#8 2008-10-21 19:22:14

Xyne
Administrator/PM
Registered: 2008-08-03
Posts: 6,963

Re: sudo doesn't always ask password even though it should

Aside from the sudo password being the user's password and not root's as pointed out already, NOT requesting a password means that scripts run by the user can invoke sudo undetected. If a user runs a nasty script by accident, that could be a real problem. Imo, it's better to have one more step between you and the execution of a sudo command.


My Arch Linux Stuff | Forum Etiquette | Community Ethos - Arch is not for everyone

Offline

#9 2008-10-21 20:03:02

broch
Banned
From: L.A. California
Registered: 2006-11-13
Posts: 975

Re: sudo doesn't always ask password even though it should

if a user runs a nasty script by accident, then you are screwed anyway.

What you are saying is that you will give sudo privileges to anyone (more or less).

Dieter@be wrote:

Even though you can restrict root privileges (via sudo) to certain users, certain programs etc, I still think it's better to ask for the user's password as confirmation.

this is one more wrong security concept, you should make sure that programs are not running with root privileges.
There are more and more programs that can do just this. Otherwise run them jailed (not chrooted which is not real security measure).

creslin wrote:

@broch, if I'm understanding you correctly, I think you're confusing which password is prompted by sudo.  If a user in the wheel group invokes sudo, sudo asks the user for the user's password, not the root password.

nope, use runaspw which will force user to provide root password before using sudo. It depends on sudo configuration. This is really, really bad argument.

Dieter@be wrote:

Hi, sometimes sudo asks for a password, sometimes it doesn't.  This seems to be pretty random.  I just rebooted and the first thing I did was sudo <command> and it didn't ask for a password

this would mean that you may have bigger problems than providing password or not.

there is difference between su and sudo not only regarding password but also privileges.
Your sudo user should not have the same privileges as root. Otherwise why bother with sudo at all if sudoed user can do as much damage as root. For example you can change root password. Simply give up root password. Otherwise what is the point?

sudo raison d'être is to elevate a normal user to a set of tasks that doesn't require to be done by root access
If you are using sudo as root then this is simply bad.
sudo tasks can be performed only by specific group e.g. wheel or any group you want and configure
wheel != sudo

sudo does not stand for "superuser" it stands for "substitute user" meaning that some system tasks (check out GNU original man page)

Anyway,
I showed above how to skip 15 min of delay so use it.

Offline

#10 2008-10-21 20:24:23

creslin
Member
Registered: 2008-10-04
Posts: 241

Re: sudo doesn't always ask password even though it should

broch wrote:

This is really, really bad argument.

Quite frankly, what I said wasn't even supposed to be an argument for/about anything.  While it's true that "wheel group != sudo" and "sudo can ask for the root password," those are not the default and you have to go out of your way to configure that behavior.  Most of us are simply using sudo on our home rigs, and what you're describing seems to be more on the sysadmin level and a bit overboard for personal use.

Last edited by creslin (2008-10-21 21:26:51)


ARCH|awesome3.0 powered by Pentium M 750 | 512MB DDR2-533 | Radeon X300 M
The journey is the reward.

Offline
