Help with sudoers and wheel - "Old Guy" or anyone? - Linux



Thread: Help with sudoers and wheel - "Old Guy" or anyone?

  1. Help with sudoers and wheel - "Old Guy" or anyone?

    I have an FC3 distro, set up for apache and vsftpd servers, also used as
    gateway for home LAN and ADSL Internet. Previously, I had redhat 9
    installed for many years and had myself in the su group but forgot how I
    did that. Here is what I want to do and can you help me? That sudoers
    file is not an easy one to precisely understand for me, I find it very
    difficult to just add myself and what I want done with it. I also don't
    understand the "wheel" group, how to add one, what it is for, etc. Please
    explain the wheel group.

    I am the FC3 root and log in with my user account. Without having su sudo
    setup properly, now I have to log in with su to get anything done and of
    course that is not a good thing to do for minor stuff in the event of a
    typo, etc.

    What I want for my user to do:

    Use halt, reboot, shutdown, mount, and tcpdump commands.
    Read all log files.

    With sudo password:
    All root privileges.

    This wheel group. How do I join this wheel group and what does the wheel
    give me? Would one have to change group permissions of file to wheel to
    gain this super access or does wheel just have access anyway? Can a file
    or directory belong to more than one group? If so, how would one check or
    assign more groups to a file than one?

    I have webmin 1.2 installed and use that to do admin work, I can run it
    from my XP PC on the LAN and have made it accessible as such, but would
    like to know about the specific commands like for adding groups.

    This sudoers file is rough and I cannot figure out how to make it do what
    I want. Can someone whip up a sudoers file that will allow me to do what
    I want as user "ohmster"? Right now if I try to use sudo, I put in the
    password and then I get "ratted out" to the root (myself) in an email
    that user ohmster tried to use sudo and of course, I am not allowed to do
    anything with sudo anyway. I have put back the default sudoers file for
    now.
    --
    ~Ohmster
    "Read Ohmster" in subject, bypass spam filter.
    ohmster /a/t/ newsguy dot com

  2. Re: Help with sudoers and wheel - "Old Guy" or anyone?

    * Ohmster wrote in comp.os.linux:
    > I have an FC3 distro, set up for apache and vsftpd servers, also used as
    > gateway for home LAN and ADSL Internet. Previously, I had redhat 9
    > installed for many years and had myself in the su group but forgot how I
    > did that. Here is what I want to do and can you help me? That sudoers
    > file is not an easy one to precisely understand for me, I find it very
    > difficult to just add myself and what I want done with it. I also don't
    > understand the "wheel" group, how to add one, what it is for, etc. Please
    > explain the wheel group.


    > I am the FC3 root and log in with my user account. Without having su sudo
    > setup properly, now I have to log in with su to get anything done and of
    > course that is not a good thing to do for minor stuff in the event of a
    > typo, etc.


    > What I want for my user to do:


    > Use halt, reboot, shutdown, mount, and tcpdump commands.
    > Read all log files.


    > With sudo password:
    > All root privileges.


    [...]

    I added this:

    sinner ALL=(ALL) NOPASSWD: ALL

    I have a strong password for my user account. This allows me to type:

    sudo

    And not type a passwd.

    I am SURE someone will tell me how crazy I am but I'd like to see them
    crack my password.

    --
    David
    If the food is fine,
    - it is cancerogenic
    - makes you fat
    - or both.
    -- The doctor's axioms

  3. Re: Help with sudoers and wheel - "Old Guy" or anyone?

    SINNER <99nesorjd@gates_of_hell.invalid> wrote in news:kki4n2xrst.ln2
    @news.gates_of_hell.com:

    > [...]
    >
    > I added this:
    >
    > sinner ALL=(ALL) NOPASSWD: ALL
    >
    > I have a strong password for my user account. This allows me to type:
    >
    > sudo
    >
    > And not type a passwd.
    >
    > I am SURE someone will tell me how crazy I am but I'd like to see them
    > crack my password.
    >
    > --
    > David


    Ooooohhh, that is a bit over the top for me David, I am interested to see
    what "Old Guy" comes up with. Would rather need the sudo password for most
    stuff but the ones listed. I think your idea is not bad though, it works
    for you.

    --
    ~Ohmster
    "Read Ohmster" in subject, bypass spam filter.
    ohmster /a/t/ newsguy dot com

  4. Re: Help with sudoers and wheel - "Old Guy" or anyone?

    Ohmster wrote:
    > I have an FC3 distro, set up for apache and vsftpd servers, also used as
    > gateway for home LAN and ADSL Internet. Previously, I had redhat 9
    > installed for many years and had myself in the su group but forgot how I
    > did that. Here is what I want to do and can you help me? That sudoers
    > file is not an easy one to precisely understand for me, I find it very
    > difficult to just add myself and what I want done with it. I also don't
    > understand the "wheel" group, how to add one, what it is for, etc. Please
    > explain the wheel group.
    >
    > I am the FC3 root and log in with my user account. Without having su sudo
    > setup properly, now I have to log in with su to get anything done and of
    > course that is not a good thing to do for minor stuff in the event of a
    > typo, etc.
    >
    > What I want for my user to do:
    >
    > Use halt, reboot, shutdown, mount, and tcpdump commands.
    > Read all log files.
    >
    > With sudo password:
    > All root privileges.
    >
    > This wheel group. How do I join this wheel group and what does the wheel
    > give me? Would one have to change group permissions of file to wheel to
    > gain this super access or does wheel just have access anyway? Can a file
    > or directory belong to more than one group? If so, how would one check or
    > assign more groups to a file than one?
    >
    > I have webmin 1.2 installed and use that to do admin work, I can run it
    > from my XP PC on the LAN and have made it accessible as such, but would
    > like to know about the specific commands like for adding groups.
    >
    > This sudoers file is rough and I cannot figure out how to make it do what
    > I want. Can someone whip up a sudoers file that will allow me to do what
    > I want as user "ohmster"? Right now if I try to use sudo, I put in the
    > password and then I get "ratted out" to the root (myself) in an email
    > that user ohmster tried to use sudo and of course, I am not allowed to do
    > anything with sudo anyway. I have put back the default sudoers file for
    > now.


    To use halt, reboot, and other commands without rootly powers is easy
    to set up if you are logged in from the console. Halt and reboot
    are probably already set up for you; for other commands you just need to
    create an empty file in the right directory with the name of the
    command. To allow console users to use mount, shutdown, and tcpdump:

    # cd /etc/security/console.apps/
    # touch mount shutdown tcpdump

    (Note that local users probably can already mount removable media,
    which is controlled by the file /etc/security/console.perms.)

    To allow remote users to shutdown add the user-id to /etc/shutdown.allow.
    Personally I don't use this feature but rather the more general sudo
    facility.

    To allow remote users to execute arbitrary commands the best solutions
    would be SELinux/RBAC, but a much easier solution is to configure sudo.
    There are sudo tutorials all over the Internet, see also man sudoers.
    Basically you can ignore the power of sudo and simply add lines like
    this:

    user-id localhost = command-line

    Where "user-id" is replaced by the user's id you wish to empower,
    and the command line is the absolute pathname to the command. To
    allow user "kim" to run tcpdump as root, use "visudo" and add this
    line:

    kim localhost = /usr/sbin/tcpdump

    You can replace localhost with the IP address of your LAN. Assuming
    your home LAN uses the network 172.16.0.0/16, this will allow
    use by user kim logged in from anywhere on your home LAN:

    kim 172.16.0.0/16, localhost = /usr/sbin/tcpdump

    If you use sudo you need not worry about the wheel group. If you
    wish to restrict who can use the "su" command, then you use the
    wheel group (it has another use but it is unsafe so don't worry
    about it). This is not as good a solution as using sudo, because
    once you give a user the ability to use "su" to become root, that
    user can do much more than run certain commands. Even if you
    trust the user, typos and mistakes do happen, so it is best not
    to give more permission than is really needed. Using sudo is
    a great way to do that.

    Not convinced to give up on using "wheel" and su? Then read on.

    To restrict the su command to just those users listed in the wheel
    group takes two steps. First (!) you need to add your user-id(s) to
    group wheel. Then you enable PAM wheel group processing by editing
    the PAM configuration file.

    Adding the user id "kim" to the wheel group is done with:

    # gpasswd -a kim wheel

    Second (!) vi the file /etc/pam.d/su and
    change:

    # Uncomment the following line to require a user to be in the "wheel" group.
    #auth required /lib/security/$ISA/pam_wheel.so use_uid

    to:

    # Uncomment the following line to require a user to be in the "wheel" group.
    auth required /lib/security/$ISA/pam_wheel.so use_uid

    After this only members of group wheel can use "su" command, which is why
    you need to add yourself first.

    Hope this helps!

    -Wayne
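    An added example, not code posted by Wayne, SINNER or anyone else in this thread: a small Python auditor for the one-line sudoers user specs shown above (`user host_list = (runas) [NOPASSWD:] command_list`). It parses each entry and reports the properties that matter when reviewing what a user has been granted: ALL commands, ALL hosts, NOPASSWD, non-absolute command paths and wildcards. The SAMPLE text is constructed from the entries quoted in the thread plus a root line; it is not a real sudoers file, and the parser only handles this simple form (no aliases, no `#include`).

```python
"""Audit sudoers user specifications for over-broad grants.

Added example for this thread, not code posted by anyone in it. It parses
the one-line user-spec form that SINNER and Wayne show:

    user  host_list = (runas_list) [NOPASSWD:] command_list

The SAMPLE text is constructed from the entries quoted in the thread plus
a root line; it is not a real file.
"""
import re
from dataclasses import dataclass, field

# user, host list, optional "(runas)", optional tags, command list
SPEC_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<hosts>[^=]+?)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:(?:NOPASSWD|PASSWD|NOEXEC|SETENV):\s*)*)"
    r"(?P<cmds>.+)$"
)
# directives this demo does not interpret
SKIP_PREFIXES = ("Defaults", "User_Alias", "Host_Alias", "Cmnd_Alias", "Runas_Alias")


@dataclass
class UserSpec:
    user: str
    hosts: list
    runas: str
    nopasswd: bool
    commands: list
    findings: list = field(default_factory=list)


def parse_spec(line):
    """Parse one user specification; return None for lines in another form."""
    m = SPEC_RE.match(line.strip())
    if not m:
        return None
    return UserSpec(
        user=m.group("user"),
        hosts=[h.strip() for h in m.group("hosts").split(",")],
        runas=(m.group("runas") or "root").strip(),   # sudo defaults to root
        nopasswd="NOPASSWD:" in m.group("tags"),
        commands=[c.strip() for c in m.group("cmds").split(",")],
    )


def audit_spec(spec):
    """Attach findings describing how broad the grant is."""
    if "ALL" in spec.commands:
        spec.findings.append("grants every command")
    if "ALL" in spec.hosts:
        spec.findings.append("valid from every host")
    if spec.nopasswd:
        spec.findings.append("no password prompt")
    for cmd in spec.commands:
        if cmd != "ALL" and not cmd.startswith("/"):
            spec.findings.append("command is not an absolute path: " + cmd)
        if "*" in cmd:
            spec.findings.append("wildcard in command: " + cmd)
    return spec


def audit_sudoers(text):
    """Return an audited UserSpec for every user-spec line in the text."""
    results = []
    for raw in text.splitlines():
        # '#' starts a comment here; this demo ignores #include and #uid forms
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(SKIP_PREFIXES):
            continue
        spec = parse_spec(line)
        if spec is not None:
            results.append(audit_spec(spec))
    return results


SAMPLE = """\
# constructed sample, not a real sudoers file
root    ALL=(ALL) ALL
kim     localhost = /usr/sbin/tcpdump
kim     172.16.0.0/16, localhost = /usr/sbin/tcpdump
sinner  ALL=(ALL) NOPASSWD: ALL
"""

if __name__ == "__main__":
    for spec in audit_sudoers(SAMPLE):
        verdict = "; ".join(spec.findings) or "narrow grant"
        print(f"{spec.user:8} hosts={spec.hosts} runas={spec.runas} "
              f"cmds={spec.commands} -> {verdict}")
```

    Run it as-is to see the two `kim` lines come back as narrow grants while the `sinner` line collects all three broad-grant findings; pointing it at a copy of a real file (read with root via sudo, not by loosening the file's mode) gives a quick inventory before an edit with visudo.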

  5. Re: Help with sudoers and wheel - "Old Guy" or anyone?

    In article , Ohmster wrote:

    >Previously, I had redhat 9 installed for many years and had myself in
    >the su group but forgot how I did that.


    "su group" or listed in /etc/sudoers? su and sudo are quite different
    programs.

    >That sudoers file is not an easy one to precisely understand for me, I
    >find it very difficult to just add myself and what I want done with it.


    I can't help with that - I don't use sudo, although it is a good program.
    (I am root on my home systems, and have "root" user accounts at work,
    which is not something recommended - we use that method because all of
    the people who have root have a minimum three years experience in *nix).

    >I also don't understand the "wheel" group, how to add one, what it is
    >for, etc. Please explain the wheel group.


    This is an old Berkeley concept. A number of binaries had their ownership
    and permissions thusly:

    -rwxr-x--- 1 root wheel 37672 Oct 6 2004 foo
    -rwsr-x--- 2 root wheel 12932 Aug 23 2004 shutdown

    Notice - no permissions for normal users to run. Thus, only root, and
    members of the 'wheel' group could run those commands. The 'foo'
    binary might not have needed root to actually run, but 'shutdown'
    does, and was thus made SUID (note the s permission - run as owner).
    The 'wheel' group is still used by the *BSD crowd, but its use is
    rare in Linux. Look at the contents of the file /etc/group - there will
    almost certainly be a 'wheel' group (probably group 10), but likely there
    will be no members listed. One example of an application that _used to be_
    like this is 'su' itself. From the 'info' page for su:

    However, GNU `su' does not check if the user is a member of
    the `wheel' group; see below.

    This was an added layer of security that Richard M Stallman of the
    Free Software Foundation (Gnu founder) didn't like. If I recall correctly,
    '/bin/su' was hard coded internally to check for U/GID, just as fdisk
    and a number of other "sensitive" applications now do, and refuse to
    run if you are not the appropriate user/group.

    >What I want for my user to do:
    >
    >Use halt, reboot, shutdown, mount, and tcpdump commands.


    OK, but 'mount' can be handled by changing the entry in /etc/fstab and
    including the 'user' option.

    /dev/fd0 /mnt/floppy auto noauto,user 0 0

    >Read all log files.


    Oh my... the way I handle that is to use the create command in the
    logrotation file to set the mode to 0644. You could also use the
    chmod command in the postrotate section. However you may have other
    "security" helper programs that reset permissions to what it feels are
    "safe". I don't have such a program, but know that Red Hat was
    installing them - it may be the 'system-config-securitylevel' tool now.
    Understand that most Linux distributions assume that the user doesn't have
    years of experience before getting root, and try to take precautions that
    things won't explode about your ears. Another example - many distributions
    alias 'rm' to 'rm -i', which frustrates an experienced user. Take the
    safeties off, shoot yourself in the foot - that way, you'll learn not
    to do dumb things (I don't care how pushed I am, as root, I ALWAYS
    re-read what I've typed _before_ hitting the enter key).

    >This wheel group. How do I join this wheel group and what does the wheel
    >give me?


    You would edit /etc/group, and add your user to that group. As for what
    it gives you in Linux - probably nothing now. As root, try

    find / -group 10 -exec ls -lad {} \;

    which will list all files/directories owned by group wheel. On this system,
    that returns nothing - no wheel group ownership of anything.

    >Would one have to change group permissions of file to wheel to
    >gain this super access or does wheel just have access anyway?


    Possibly, but you'd have to change the group ownership. That's done with
    the 'chown' command ('chown :10 /name/of/file' - see the man page). Root
    is the only one with complete access to everything, as long as you haven't
    installed the SELinux security enhancements.

    >Can a file or directory belong to more than one group? If so, how would
    >one check or assign more groups to a file than one?


    No, the file/directory can only be owned by one group. However, in most
    cases, groups can be members of groups. However, this is getting into
    scary territory where you want a _much_ better handle on what you are
    allowing and not allowing.

    >I have webmin 1.2 installed and use that to do admin work, I can run it
    >from my XP PC on the LAN and have made it accessible as such, but would
    >like to know about the specific commands like for adding groups.


    Can't help there - we've never permitted a web based admin tool. All of
    our admin tasks are either done at the console, or via SSH. We don't use
    GUI admin tools because they tend to hide what they are doing (and none
    of our servers are running X anyway).

    >This sudoers file is rough and I cannot figure out how to make it do what
    >I want. Can someone whip up a sudoers file that will allow me to do what
    >I want as user "ohmster"?


    Notwithstanding the response from 'SINNER <99nesorjd@gates_of_hell.invalid>'
    I'd suggest trying in the 'comp.os.linux.security' newsgroup.

    Oh, and SINNER, just to make you happy "You are crazy". ;-) You may
    have the world's greatest password, but "watch your back" and make sure
    someone isn't shoulder surfing when you log in.

    >Right now if I try to use sudo, I put in the password and then I get
    >"ratted out" to the root (myself) in an email that user ohmster tried to
    >use sudo and of course, I am not allowed to do anything with sudo anyway.
    >I have put back the default sudoers file for now.


    That's fine - DO NOT DISABLE that mail function. It's there for the same
    reason that your login program should tell you that you last logged in
    from $TERMINAL on $DATE - it's a tiny tripwire to alert you in the case
    that someone else gets into your system.

    Old guy
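    An added example, not code from Wayne, Old Guy or anyone in the thread: a Python check for the ordering trap in Wayne's two-step wheel setup (add users to wheel with gpasswd first, then uncomment the pam_wheel line in /etc/pam.d/su), combined with Old Guy's point that the wheel group in /etc/group normally exists with no members. It reads both files' contents and reports when pam_wheel is enabled while the administrators you name are not in wheel, which is the state that leaves no ordinary user able to su. The /etc/group and /etc/pam.d/su texts are constructed for the demo; the module path and `use_uid` option are the ones from the pam.d/su lines quoted above.

```python
"""Check that restricting su to the wheel group will not lock admins out.

Added example for this thread, not code from any poster. The group file
and pam.d/su texts below are constructed, not taken from a real system.
"""
import re

# "auth <control> [path/]pam_wheel.so [options]", after any leading '#' is removed
PAM_WHEEL_RE = re.compile(r"^auth\s+\S+\s+\S*pam_wheel\.so\b(?P<opts>.*)$")


def wheel_members(group_text):
    """Members of 'wheel' from /etc/group text; None if there is no wheel group.

    Only the supplementary-member field is read; a user whose primary group
    in /etc/passwd is wheel would not show up here.
    """
    for line in group_text.splitlines():
        fields = line.strip().split(":")
        if len(fields) >= 4 and fields[0] == "wheel":
            return [m for m in fields[3].split(",") if m]
    return None


def pam_wheel_state(pam_su_text):
    """Return ('enabled' | 'commented' | 'absent', options) for pam_wheel."""
    state = "absent"
    for line in pam_su_text.splitlines():
        stripped = line.strip()
        commented = stripped.startswith("#")
        m = PAM_WHEEL_RE.match(stripped.lstrip("#").strip())
        if not m:
            continue
        if not commented:
            return "enabled", m.group("opts").strip()
        state = "commented"
    return state, ""


def check_su_wheel(group_text, pam_su_text, admins):
    """Findings for the combination of wheel membership and pam_wheel state."""
    members = wheel_members(group_text)
    state, opts = pam_wheel_state(pam_su_text)
    findings = []
    if state != "enabled":
        findings.append("pam_wheel is %s: su is not restricted to wheel" % state)
        return findings
    if not members:
        findings.append("pam_wheel enabled but wheel has no members: no ordinary user can su")
    for user in admins:
        if user not in (members or []):
            findings.append(user + " is not in wheel and will be refused by su")
    if "use_uid" not in opts.split():
        # without use_uid, pam_wheel looks up the login session's user
        # rather than the real uid of the process calling su
        findings.append("pam_wheel lacks use_uid: check uses the login session's user, not the real uid")
    return findings


# constructed /etc/group contents: before and after "gpasswd -a kim wheel"
GROUP_BEFORE = "root:x:0:\nwheel:x:10:\nusers:x:100:\n"
GROUP_AFTER = "root:x:0:\nwheel:x:10:kim\nusers:x:100:\n"

# constructed /etc/pam.d/su with the pam_wheel line still commented out
PAM_SU_OFF = """\
auth       sufficient   /lib/security/$ISA/pam_rootok.so
# Uncomment the following line to require a user to be in the "wheel" group.
#auth      required     /lib/security/$ISA/pam_wheel.so use_uid
"""
# the same file after step two of Wayne's procedure
PAM_SU_ON = PAM_SU_OFF.replace("#auth", "auth ")

if __name__ == "__main__":
    for label, grp in (("before gpasswd", GROUP_BEFORE), ("after gpasswd", GROUP_AFTER)):
        print(label, "->", check_su_wheel(grp, PAM_SU_ON, ["kim"]) or ["ok"])
```

    Run with the embedded samples it shows the two findings you get when the PAM line is enabled first, and an empty list once kim is in wheel; the same two functions can be pointed at the real files on a box before the edit to /etc/pam.d/su is saved.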

  6. Re: Help with sudoers and wheel - "Old Guy" or anyone?

    ibuprofin@painkiller.example.tld (Moe Trin) wrote in
    news:slrnda1bgq.gn3.ibuprofin@compton.phx.az.us:

    > I can't help with that - I don't use sudo, although it is a good program.


    You have helped a great deal, Old Guy. I really appreciate your taking the
    time to answer all of this stuff, bit by bit. I read all of it, and saved
    this particular post as it answers a great deal. I will forget about "the
    wheel" and work on a decent sudoers setup. Thanks a bunch, you sure did not
    let me down.

    --
    ~Ohmster
    "Read Ohmster" in subject, bypass spam filter.
    ohmster /a/t/ newsguy dot com

  7. Re: Help with sudoers and wheel - "Old Guy" or anyone?

    Wayne wrote in news:6a0oe.93221$w15.3674
    @tornado.tampabay.rr.com:

    > Hope this helps!


    Oh yes, it helps quite a bit, very informative. Thanks for your time,
    Wayne.

    --
    ~Ohmster
    "Read Ohmster" in subject, bypass spam filter.
    ohmster /a/t/ newsguy dot com
