[sudo-users] Sorry, user me is not allowed to execute 'cmd' as me:Media on machinename

L A Walsh sudo at tlinx.org
Fri Mar 30 15:55:06 MDT 2018


Todd C. Miller wrote:
> The short answer is you probably just want:
>
> me ALL=(ALL:ALL) NOPASSWD: SETENV: ALL
>
> ... I agree it would make sense for sudo to
> allow this, but currently it does not.
>   
----
    Ah well....the workaround is simple enough.  I try, more than most,
to use groups as a means of access control, starting by usually allocating
1 group/user.  I find the trend in many utils of disallowing
group access (usually write, though sometimes read as well) to be a very
counterproductive security measure.  It basically makes access by group
useless, as in 'ssh' rules disallowing group access anywhere in the path.

    My .ssh dir could be shared between 2 UIDs on 2 different systems,
but instead I have a less secure 2x+ duplication, where my local UID is
different from my domain UID, but both exist in the same local group, as does
my UID on the domain server (linux based).

    More than once I've had to patch the source of some program to fix
some bogus security addition -- sometimes having to work around
deliberate obfuscation of the code enforcing policy to make it hard to
change.

    Went through similar pain with samba when Chicken Littles created
embarrassment for samba having an option to allow cross-share symlinks
(a non-default setting) on shares that supported unix extensions.  The
extensions allowed creation of symlinks pointing anywhere, even though
they didn't allow access unless the user already had access.  It took
almost 2 years to get some way to re-enable the feature, initially as
"client managed symlinks" to make it obvious, but obfuscated by
the samba team naming it "allow insecure wide links", which, besides
being false, really told no one anything useful.  Oh well.

    Thanks for having an easy workaround!

-linda
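The 'ssh' rule the post objects to is sshd's StrictModes check: before trusting ~/.ssh/authorized_keys, sshd requires that the file and every directory from it up to the user's home directory be owned by root or by the user and carry no group- or other-write bit (the secure_filename() logic in OpenSSH's auth.c). The point is that a group-writable component lets any group member swap in their own key, which is why a shared-group .ssh layout is refused even when the key file itself is tight. The following is an added example, not code from the post or from OpenSSH, that reimplements that rule in Python and exercises it on a throwaway directory tree; the paths, modes and placeholder key line are constructed for the example, and the home directory is passed in as a parameter rather than looked up from the passwd entry as sshd does.

```python
import os
import stat
import tempfile
from pathlib import Path

# Mode bits sshd refuses anywhere on the path: group write or other write (022).
GROUP_OR_OTHER_WRITE = stat.S_IWGRP | stat.S_IWOTH


def _check_one(p, uid, what):
    """Return a problem string if `p` violates the rule, else None."""
    st = os.stat(p)  # follows symlinks, as sshd's stat() does
    if st.st_uid not in (0, uid) or st.st_mode & GROUP_OR_OTHER_WRITE:
        return ("bad ownership or modes for %s %s (uid %d, mode %04o)"
                % (what, p, st.st_uid, stat.S_IMODE(st.st_mode)))
    return None


def check_secure_path(path, home, uid):
    """Apply the StrictModes rule to `path` for user `uid`.

    Returns a list of problem strings; an empty list means sshd would accept
    the file.  Parent directories are checked from the immediate parent
    upward, stopping after the home directory (or the filesystem root)."""
    problems = []
    p = Path(path).resolve()
    home = Path(home).resolve()
    msg = _check_one(p, uid, "file")
    if msg is not None:
        problems.append(msg)
    for d in p.parents:
        msg = _check_one(d, uid, "directory")
        if msg is not None:
            problems.append(msg)
        if d == home or d == d.parent:  # reached $HOME or /
            break
    return problems


def demo():
    """Build a constructed home directory and exercise the rule three ways.

    Returns a dict mapping case name -> list of problems found."""
    uid = os.getuid()
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        home = Path(tmp, "home", "me")      # constructed stand-in for $HOME
        ssh = home / ".ssh"
        keys = ssh / "authorized_keys"
        ssh.mkdir(parents=True)
        keys.write_text("# constructed placeholder, not a real key\n")

        # Textbook layout: 755 home, 700 .ssh, 600 authorized_keys -> accepted.
        home.chmod(0o755)
        ssh.chmod(0o700)
        keys.chmod(0o600)
        results["strict"] = check_secure_path(keys, home, uid)

        # Group-readable key file: the rule only looks at write bits -> accepted.
        keys.chmod(0o644)
        results["group_readable_file"] = check_secure_path(keys, home, uid)

        # Group-writable .ssh, i.e. the shared-group layout from the post:
        # rejected, because any group member could replace authorized_keys.
        keys.chmod(0o600)
        ssh.chmod(0o770)
        results["group_writable_dir"] = check_secure_path(keys, home, uid)
    return results


if __name__ == "__main__":
    for name, problems in demo().items():
        print(name, "->", "ok" if not problems else problems)
```

Run it as a script to see the three verdicts; the only case that fails is the group-writable .ssh directory, which is precisely the layout that would let two UIDs in one group share a .ssh directory. Note that the rule stops at the home directory, so a group-writable /home or / does not trigger it, and that read bits are never examined: a 644 authorized_keys passes StrictModes, even though sshd's own default for the file is tighter.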
