<SOLVED> a little 'minor' but annoying bug

Message

#1 Post by **jeanpaulberes** » Tue Jan 01, 2019 9:20 am

Everyone can type 'sudo reboot' AND without having to enter the password for sudo the system simply reboots.
This should not be the case ...

#2 Post by **anticapitalista** » Tue Jan 01, 2019 9:23 am

You can change this behaviour by editing the /etc/sudoers.d/mxers file

#3 Post by **fehlix** » Tue Jan 01, 2019 9:39 am

anticapitalista wrote: ↑Tue Jan 01, 2019 9:23 am You can change this behaviour by editing the /etc/sudoers.d/mxers file

Or perhabs edit a new extra sudoers-file, to avoid changing system provided files,
which might get overwritten by system updates.
eg by creating a new sudoers-file /etc/sudoers.d/timeout and editing this way:

Code: Select all

sudo visudo -f /etc/sudoers.d/timeout

and put this line into the new sudoers-file /etc/sudoers.d/timeout :

Code: Select all

Defaults  timestamp_timeout=0

By this, the user is always asked to enter a password.

man sudoers wrote: timestamp_timeout
Number of minutes that can elapse before sudo will ask for a
passwd again. The timeout may include a fractional component
if minute granularity is insufficient, for example 2.5. The
default is 15. Set this to 0 to always prompt for a password.
If set to a value less than 0 the user's time stamp will not
expire until the system is rebooted. This can be used to allow
users to create or delete their own time stamps via “sudo -v”
and “sudo -k” respectively.

hny

#4 Post by **jeanpaulberes** » Sun Jan 06, 2019 4:38 am

Even with the timeout set to zero, the way mentioned here above, it still works without entering a password :(

#5 Post by **fehlix** » Sun Jan 06, 2019 7:44 am

jeanpaulberes wrote: ↑Sun Jan 06, 2019 4:38 am Even with the timeout set to zero ... it still works without entering a password

Some commands are intentionally setup for all "sudoers" to run without entering a password.
So in this case if you want to always enter a password for the reboot-command, you can either delete or comment out change this line:

Code: Select all

%users ALL=(root) NOPASSWD: /sbin/reboot

to

Code: Select all

%users ALL=(root) /sbin/reboot

within these sudoers-files:

Code: Select all

/etc/sudoers.d/antixers 
/etc/sudoers.d/mxers

by editing these sudoers-file's with the sudo-file editor visudo:

Code: Select all

sudo visudo -f /etc/sudoers.d/antixers

and

Code: Select all

sudo visudo -f /etc/sudoers.d/mxers

EDIT: Ooops: not delete but change the lines!

#6 Post by **jeanpaulberes** » Sun Jan 06, 2019 1:26 pm

fehlix wrote: ↑Sun Jan 06, 2019 7:44 am
jeanpaulberes wrote: ↑Sun Jan 06, 2019 4:38 am Even with the timeout set to zero ... it still works without entering a password
Some commands are intentionally setup for all "sudoers" to run without entering a password.
So in this case if you want to always enter a password for the reboot-command, you can either delete or comment out change this line:
Code: Select all
%users ALL=(root) NOPASSWD: /sbin/reboot  
to
Code: Select all
%users ALL=(root) /sbin/reboot  
within these sudoers-files:
Code: Select all
/etc/sudoers.d/antixers 
/etc/sudoers.d/mxers 
by editing these sudoers-file's with the sudo-file editor visudo:
Code: Select all
sudo visudo -f /etc/sudoers.d/antixers
and
Code: Select all
sudo visudo -f /etc/sudoers.d/mxers 
EDIT: Ooops: not delete but change the lines!

Thanks a lot !!!

MX Linux Forum

<SOLVED> a little 'minor' but annoying bug

<SOLVED> a little 'minor' but annoying bug

Re: a little 'minor' but annoying bug

Re: a little 'minor' but annoying bug

Re: a little 'minor' but annoying bug

Re: a little 'minor' but annoying bug

Re: a little 'minor' but annoying bug