http://qs321.pair.com?node_id=11113775


in reply to Re^5: Greetings and salutations | sudo
in thread Greetings and salutations | sudo

I'll never accept sudo. :-) Slackware installs sudo, but it does nothing. There should always be one root, with control over the system. Sudo is just an attempt to weaken unix security. I use Slackware and su is perfectly suitable to switch users as long as you have the password. On these sudo based systems, all any user needs to do to gain root access is do "sudo passwd root" and you have full root privileges. If a user wants to install software and root refuses to put it into the system, the package managers should just install it into the user's home directory, and use LD_PRELOAD to load non-system libraries, or adjust the user's LD Library env variable. There is absolutely no reason to allow non-root users access to the system libraries. Do you know what a shim attack is? Sudo makes shim attacks easy, but apparently that is what the computer overlords want. It is no wonder that so many database and personal information leaks are happening.... I point the finger at sudo.

P.S. Don't get me started on systemd, another piece of useless software. :-)


I'm not really a human, but I play one on earth. ..... an animated JAPH

Replies are listed 'Best First'.
Re^7: Greetings and salutations | sudo
by choroba (Archbishop) on Mar 04, 2020 at 22:48 UTC
    $ sudo passwd root
    [sudo] password for root:

    I don't get it. If I know root's password, I already have the full access. If I don't, the command doesn't help in any way. Or maybe openSUSE uses a different sudo?

    map{substr$_->[0],$_->[1]||0,1}[\*||{},3],[[]],[ref qr-1,-,-1],[{}],[sub{}^*ARGV,3]
      $ sudo passwd root
      [sudo] password for root:

      I don't get it. If I know root's password, I already have the full access. If I don't, the command doesn't help in any way.

      (You are aware that this is the passwd program prompting for the new password for root, not sudo asking for the current password for root, aren't you?)

      This looks like a single user sudo setup. In a multi-admin-setup, sudo would either prevent access to the passwd executable, or it would require that you pass a non-root username argument to passwd. sudoers has an example for that:

      pete HPPA = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd *root*

      The user pete is allowed to change anyone's password except for root on the HPPA machines. Because command line arguments are matched as a single, concatenated string, the * wildcard will match multiple words. This example assumes that passwd(1) does not take multiple user names on the command line. Note that on GNU systems, options to passwd(1) may be specified after the user argument. As a result, this rule will also allow:

      passwd username --expire

      which may not be desirable.

      In a multi-admin setup, you would probably have only a few admins that can change passwords. Or maybe you have a central password database (NIS, LDAP) that comes with an independent tool to manage users.

      Or maybe openSUSE uses a different sudo?

      Most likely not. As far as I know, there is only one sudo. But sudo can be compiled with tons of options, and most likely, at least PAM support is enabled on openSUSE. Slackware explicitly disables PAM.

      Update:

      The same command looks quite different on Slackware. I think the reason for that is that Slackware does not use PAM at all.

      /home/alex>sudo passwd root
      Password:
      Changing password for root
      Enter the new password (minimum of 5 characters)
      Please use a combination of upper and lower case letters and numbers.
      New password:

      (And yes, I use sudo in a single-user setup. My unprivileged user account is in the wheel group, and sudo is configured to prompt for a password.)

      Alexander

      --
      Today I will gladly share my knowledge and experience, for there are no sweeter words than "I told you so". ;-)
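
The sudoers rule quoted in the post above, modelled as an added example (not part of the original post and not sudo's own code), to show which `passwd` invocations it permits. Python's `fnmatch` stands in for sudo's glob matching as an approximation; `PETE_RULE`, `permitted` and the sample command lines are constructed for illustration.

```python
import fnmatch
import shlex

# The rule from the sudoers example, as (allow?, command path, argument pattern).
# As in sudoers, entries are checked in order and the last match wins.
PETE_RULE = [
    (True,  "/usr/bin/passwd", "[A-Za-z]*"),   # /usr/bin/passwd [A-Za-z]*
    (False, "/usr/bin/passwd", "*root*"),      # !/usr/bin/passwd *root*
]


def permitted(command_line, rule=PETE_RULE):
    """Return True if the rule would let the command run.

    Arguments are joined into a single string before matching, so '*'
    also matches the spaces between words (the behaviour the quoted
    sudoers text describes).
    """
    argv = shlex.split(command_line)
    command, args = argv[0], " ".join(argv[1:])
    decision = False  # no matching entry means not permitted
    for allow, path, pattern in rule:
        if command == path and fnmatch.fnmatchcase(args, pattern):
            decision = allow
    return decision


# Constructed sample invocations for an audit of the rule.
SAMPLES = [
    "/usr/bin/passwd alice",           # intended use
    "/usr/bin/passwd root",            # blocked by the negated entry
    "/usr/bin/passwd alice --expire",  # the side effect the man page warns about
    "/usr/bin/passwd alice root",      # '*root*' spans several words
    "/usr/bin/passwd groot",           # over-blocking: any name containing 'root'
    "/usr/bin/passwd -l root",         # first argument must start with a letter
    "/usr/bin/passwd",                 # no argument matches neither entry
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(f"{'ALLOW' if permitted(line) else 'DENY ':5}  {line}")
```

Running it over the samples makes the caveat concrete: the rule allows trailing options such as `--expire`, and the `*root*` negation also rejects unrelated user names that merely contain "root".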
        > You are aware that this is the passwd program prompting for the new password for root, not sudo asking for the current password for root, aren't you?

        I wasn't aware of that possibility and it definitely wasn't the case here. The system has a single root user and several non-root users, I don't use the root account for anything but system maintenance.

        map{substr$_->[0],$_->[1]||0,1}[\*||{},3],[[]],[ref qr-1,-,-1],[{}],[sub{}^*ARGV,3]