[THE 1st TIME] Elevated permissions

Unread post by machinebacon » Sun Feb 23, 2014 8:53 am

Some commands in Linux can only be run as root. Usually, the user would have to change to root with the 'su' command, then enter the root password, and execute the command we actually wanted to execute. Safe? Yes. Bothersome? Yeah, man.

So we could circumvent this by installing sudo and adding our own user to the sudoers group. Let's see which groups we already belong to:

Code:

bbq@grill:~$ groups
bbq lp dialout cdrom floppy sudo audio dip video plugdev users fuse netdev storage power

Nice, a bunch of groups are listed there. Apart from our own 'bbq' group, we are also part of dialout and sudo and audio and stuff like this. Audio? Yes, if we are not in the audio group, we need to be root or superuser to access ALSA which is needed to play audio files or streams. Same goes for video (users of fbterm or xlinks2 will remember).

To add our user to a certain group, we need to go into the root account first:

Code:

bbq@grill:~$ su -

Let's check which groups the user 'bbq' belongs to:

Code:

root@grill:~# groups bbq

and then, from outside, add the user bbq to the group, we just take the group 'monsterpenis' as an example:

Code:

root@grill:~# addgroup monsterpenis
Adding group `monsterpenis' (GID 1003) ...
Done.
addgroup monsterpenis

Nice. Now let's add 'bbq' to this group, because a real BBQ user has a comparably large genital:

Code:

root@grill:~# adduser bbq monsterpenis
Adding user `bbq' to group `monsterpenis' ...
Adding user bbq to group monsterpenis
Done.

Now of course replace 'monsterpenis' with 'sudo' if you want to put the user 'bbq' to the 'sudoers'.

Let's say, the group 'sudo' should be able to run every command without ever needing to enter the password. Dangerous? Yeah. Convenient? Fuck yeah :D Start the visudo, which is (originally) a VI frontend for editing the sudoers file:

Code:

root@grill:~# visudo

You see this?

Code:

# Allow members of group sudo to execute any command

Let's add the following line there, under the other entries of the section:

Code:

%sudo   ALL=(ALL)NOPASSWD: ALL

Save and exit (have fun finding this out if visudo uses VI instead of nano :)) and log back in to your user account:

Code:

root@grill:~# exit

You see how the prompt changes. And now check if we are really in the sudo group:

Code:

bbq@grill:~$ groups
bbq lp dialout cdrom floppy sudo audio dip video plugdev users fuse netdev storage power

Seems so! Can we now execute *any* sudo command without being bothered to enter the password?

Code:

bbq@grill:~$ fdisk
bash: fdisk: command not found
bbq@grill:~$ sudo fdisk
Usage: fdisk [OPTION]... [DEVICE]
bbq@grill:~$ 

Yes, we can!

Of course (!) this is absolutely not recommended, don't ever even mention you saw this anywhere. We're just lazy bastards. Or at least I am.
..gnutella..

Unread post by wuxmedia » Sun Feb 23, 2014 10:48 am

I might take you up on this, I always get confused, being always root on the machine that I'm working on - then switching and so forth. Also the great aliases that the BBQ have set up are such a time saver. 'ins', 'upg' and so on.
But does the sudo warning message come up each time,
"Seek, and Ye shall find"
"Github | Chooons | Site"

Unread post by machinebacon » Sun Feb 23, 2014 10:52 am

Sure, because the user is in sudo group but %sudo (the group) still has to enter the password. If the user is not in %sudo group, he can not run any sudo command. Or: he can try to, but will be lectured.
..gnutella..

Unread post by wuxmedia » Sun Feb 23, 2014 10:56 am

sorry, forgot the #! thread reference 8)
http://crunchbang.org/forums/viewtopic.php?id=32077
"Seek, and Ye shall find"
"Github | Chooons | Site"

Unread post by machinebacon » Sun Feb 23, 2014 11:00 am

Oh you mean the first time lecture? IIRC it only happens if you run sudo the first time, except lecture is enabled in sudoers. But it does even lecture you if you have no sudo right.
..gnutella..

Unread post by rhowaldt » Sun Feb 23, 2014 2:55 pm

there is a certain period of time in which the regular sudo allows you to keep sudo'ing passwordless.. i wonder if that would be changeable to make it longer, so a midway between this and regular sudo.

anyway,
we just take the group 'monsterpenis' as an example:
L.O.L.
All statements are true in some sense, false in some sense, meaningless in some sense, true and false in some sense, true and meaningless in some sense, false and meaningless in some sense, and true and false and meaningless in some sense.

Unread post by machinebacon » Sun Feb 23, 2014 2:58 pm

Yes, as long as you do not close the terminal (session) to which the sudo belongs, though the 'tty_tickets' option can override this.

For passwordless sudoing the option is called 'timeout' and per default it is 15 minutes.

Edit: https://wiki.archlinux.org/index.php/su ... he_timeout
Tip: To ensure sudo always asks for a password, set the timeout to 0. To ensure the password never times out, set to less than 0.
..gnutella..
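
An added example, not written by anyone in this thread: a small audit that flags the two settings discussed above, the NOPASSWD rule from the first post and a password-cache timeout that is negative or longer than the 15 minutes mentioned here. sudoers spells that option `timestamp_timeout`; the function names `audit_sudoers` and `make_sample` are chosen for this example, and the sample file is constructed.

```shell
#!/bin/sh
# Added example: flag sudoers lines that relax password prompting.
# MAX_MIN is the 15-minute default stated in the thread (an assumption here).
MAX_MIN=15

# audit_sudoers FILE...  -> one finding per risky line, as file:line: message
audit_sudoers() {
    awk -v max="$MAX_MIN" '
        /^[ \t]*#/ { next }     # comment, including a commented-out rule
        /^[ \t]*$/ { next }     # blank line
        /NOPASSWD[ \t]*:/ {
            scope = "listed commands"
            if ($0 ~ /NOPASSWD[ \t]*:[ \t]*ALL[ \t]*$/) scope = "ALL commands"
            printf "%s:%d: NOPASSWD for %s: %s\n", FILENAME, FNR, scope, $0
        }
        /^[ \t]*Defaults/ && /timestamp_timeout[ \t]*=/ {
            v = $0
            sub(/.*timestamp_timeout[ \t]*=[ \t]*/, "", v)   # text after "="
            sub(/[^-0-9.].*/, "", v)                         # numeric part only
            if (v + 0 < 0)
                printf "%s:%d: cached credentials never expire (%s)\n", FILENAME, FNR, v
            else if (v + 0 > max)
                printf "%s:%d: cache longer than %d min (%s)\n", FILENAME, FNR, max, v
        }
    ' "$@"
}

# Constructed sample; user, group and fdisk are borrowed from the thread.
make_sample() {
    cat > "$1" <<'EOF'
# constructed sample, not a real host
Defaults        env_reset
Defaults        timestamp_timeout=-1
root    ALL=(ALL:ALL) ALL
# %sudo ALL=(ALL) NOPASSWD: ALL
%sudo   ALL=(ALL)NOPASSWD: ALL
bbq     ALL=(root) NOPASSWD: /sbin/fdisk -l
EOF
}

sample=$(mktemp)
make_sample "$sample"
audit_sudoers "$sample"
rm -f "$sample"
```

On a real machine, call `audit_sudoers` as root on /etc/sudoers and the files under /etc/sudoers.d. Aliases and backslash line continuations are not expanded.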

Unread post by rhowaldt » Sun Feb 23, 2014 4:12 pm

^ cool, it is like a security valve :)
All statements are true in some sense, false in some sense, meaningless in some sense, true and false in some sense, true and meaningless in some sense, false and meaningless in some sense, and true and false and meaningless in some sense.

Unread post by elixir » Tue Feb 25, 2014 6:43 pm

Great tutorial, it worked. Many laughs reading.
Out of the corner of your eye you spot him... Shia LaBeouf.

https://www.youtube.com/watch?v=o0u4M6vppCI
