Tiny Core Linux
Off-Topic => Off-Topic - Tiny Tux's Corner => Topic started by: remus on May 20, 2013, 09:04:01 PM
-
Hi all,
I'm looking into making my mc server a bit more secure, and am wondering if I can make the sudo command trigger a root password request?
Thanks.
-
Set up a password for the tc user (type passwd)
Type sudo visudo
Look for the following line:
tc ALL=NOPASSWD: ALL
Change it to:
tc ALL=(ALL) ALL
Make sure you add /etc/shadow and /etc/sudoers to your backup. /etc/group might be needed in your backup too, but I don't think it's necessary.
Whatever you do, don't manually edit /etc/sudoers. Visudo protects you somewhat against typos and errors in your sudoers file.
-
Thanks althalus
Your instructions are spot on :)
-
Notwithstanding any syntax checks that it performs, does visudo actually -do- anything other than what sudo some-other-editor would do?
I find that I'm more likely to foul something up due to using anything "vi"-related than due to any obscure file syntax. And the sudoers syntax doesn't look all that complex anyhow.
-
Then set your VISUAL or EDITOR variable to whatever editor you prefer.
-
Thanks gerald_clark - but with either or both of EDITOR and VISUAL set to another value, visudo still invokes vi or something that looks very like it. So the question remains: does visudo do anything, besides syntax checking the output, that simply invoking a normal editor would not do?
-
Hi Lee
Maybe you need to set those environmental variables for root?
-
Looks like it was compiled without $EDITOR support.
-
Hi Lee
Adding the following line to your sudoers file:
Defaults env_editor
and setting the EDITOR variable for root will allow you to use a different editor.
-
No Luck - it looks like w/o the $EDITOR support compiled in it doesn't honor that.
On the other hand, apparently there is no magic in visudo besides the syntax checking.
-
Hi Lee
If I do:
sudo su
export EDITOR=editor
visudo
it opens sudoers using editor.
-
Hi Lee
"No Luck - it looks like w/o the $EDITOR support compiled in it doesn't honor that."
From:
http://www.sudo.ws/visudo.man.html
There is a hard-coded list of one or more editors that visudo will use set at compile-time that may be overridden via the editor sudoers Default variable. This list defaults to vi. Normally, visudo does not honor the VISUAL or EDITOR environment variables unless they contain an editor in the aforementioned editors list. However, if visudo is configured with the --with-env-editor option or the env_editor Default variable is set in sudoers, visudo will use any editor defined by VISUAL or EDITOR. Note that this can be a security hole since it allows the user to execute any program they wish simply by setting VISUAL or EDITOR.
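-
Added example, not part of the original thread or of sudo itself: a shell function that scans a sudoers file for the two settings this thread shows to weaken sudo, the NOPASSWD tag on a rule and the env_editor Default. The names audit_sudoers and sample_sudoers and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: flag sudoers settings that weaken sudo.

# audit_sudoers [FILE]  (hypothetical helper; reads stdin when FILE is omitted)
# Prints "LINE:KIND:TEXT" per finding and returns 1 if anything was found.
audit_sudoers() {
    awk '
    # Join backslash-continued lines so a rule split over lines is seen whole.
    /\\$/ { if (!start) start = NR; sub(/\\$/, ""); buf = buf $0; next }
    {
        line = buf $0; n = (start ? start : NR); buf = ""; start = 0
        sub(/^[ \t]+/, "", line)
        # Skip blanks and comments; "#123" is a uid in sudoers, not a comment.
        if (line == "") next
        if (line ~ /^#/ && line !~ /^#[0-9]/) next
        if (line ~ /^Defaults/) {
            # env_editor lets VISUAL/EDITOR choose any program for visudo.
            # The negated form "!env_editor" is not matched (no "!" in the set).
            if ((line " ") ~ /[ \t,]env_editor[ \t,]/) {
                print n ":ENV_EDITOR:" line; bad = 1
            }
            next
        }
        # NOPASSWD tag: matching commands run without a password prompt.
        if (line ~ /NOPASSWD[ \t]*:/) { print n ":NOPASSWD:" line; bad = 1 }
    }
    END { exit bad + 0 }
    ' "${1:--}"
}

# Constructed sample: the stock tc rule quoted in the thread plus env_editor.
sample_sudoers() {
    cat <<'EOF'
# Custom Defaults
Defaults timestamp_timeout=2
Defaults env_editor
root ALL=(ALL) ALL
tc ALL=NOPASSWD: ALL
EOF
}

# Demo run on the constructed sample; findings make the function return 1.
sample_sudoers | audit_sudoers || echo "review the lines listed above"
```

It complements, and does not replace, the syntax check that visudo performs when the file is saved.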
-
Not sure if this is worth the calories burnt in brain effort, but the insults command appended to the Defaults line does not appear to be working, should I assume that it's been left out of the frugal nature of microcore?
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the man page for details on how to write a sudoers file.
#
# Custom Defaults
Defaults timestamp_timeout=2
Defaults passwd_timeout=1, insults
# Host alias specification
# User alias specification
# Cmnd alias specification
# User privilege specification
root ALL=(ALL) ALL
tc ALL=(ALL) ALL
-
"Not sure if this is worth the calories burnt in brain effort, but the insults command"
Personally I have never heard of any such command on any system, but just guessing now, does it perhaps feature quotes of Linus related to udev, systemd et al?
-
Here's a straightforward way to get visudo to use a different editor. Add a Defaults statement to sudoers like this:
Defaults editor=/usr/bin/editor
To use another editor, replace /usr/bin/editor with the name and path to your editor.
-
Yes, the sudo build is close to default, which doesn't include insults (you have to specifically enable them). Would take space too, yes.