[sudo-workers] Sudo and gnome-menus

Manu Cornet manu.cornet at gmail.com
Wed Aug 10 18:32:20 EDT 2005


Hello!

>     xerxes [~] % sudo -l shutdown
>     /sbin/shutdown
>
> However, this does still require a password for sudo -l unless
> the sudoers file contains a line like:
> 
>     Defaults listpw=never
> 
> I'm hesitant to relax the password rules since it could cause
> problems when you don't have good physical security (open labs,
> etc).

All right, then I would like to ask your opinion on this problem; I
see three solutions:

1) Make a copy of the sudo code, modify it slightly so that "listpw"
will be "never" by default, and then make a helper that can be called
by gnome-menus (among others).

2) Change the default sudoers file so that it will contain "Default
listpw=never".

3) Make listpw=never default in the sudo sources, unless the sudoers
file says otherwise.

The problem with 1) is that this new "helper" program won't get the
bug-fixes/enhancements from the main sudo program. The problem in 2)
is that it can only be local to a few distributions (e.g. Ubuntu), if
they choose this option. I personally would think that 3) is the best
solution, but Todd says it might be a security hole when the physical
security is not so good. But if someone has physical access to a
system, isn't its security blown up anyway (without even needing to
use sudo)? Is it a problem if anybody can see what commands a given
user is allowed to use, since they won't be able to run these commands
in his place without his password anyway?

Well, I don't pretend to know more than 1% of what you guys know about
security :o) I just thought I'd ask whether this third solution
would really be a problem, because it really seems to be the simplest
option (to me!).

Besides these, do you see a better solution?

Thank you for your advice!
Manu
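
The following sudoers fragment is an added illustration, not part of the original message or of the sudo distribution. It sets the global form of option 2 beside a narrower form that relaxes listing for a single group only. The group name "desktop" is hypothetical.

```sudoers
# Option 2 from the message: every user on every host can run "sudo -l"
# without authenticating. Shown commented out for comparison only.
#Defaults listpw=never

# Built-in default, stated explicitly: "sudo -l" skips the password only
# when at least one of the user's entries on this host carries NOPASSWD.
Defaults listpw=any

# Narrower alternative: relax listing only for members of one group, so
# accounts outside it (shared lab logins, for example) still authenticate
# before their allowed commands are shown.
# "desktop" is a hypothetical group name.
Defaults:%desktop listpw=never
```

Run `visudo -c` after editing to confirm that the file still parses.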



