[Bug 804945] New: 'sudo -l' should show available permissions without asking for root's password
https://bugzilla.novell.com/show_bug.cgi?id=804945

https://bugzilla.novell.com/show_bug.cgi?id=804945#c0

Summary: 'sudo -l' should show available permissions without asking for root's password
Classification: openSUSE
Product: openSUSE 12.2
Version: Final
Platform: All
OS/Version: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Basesystem
AssignedTo: bnc-team-screening@forge.provo.novell.com
ReportedBy: valenak@gmail.com
QAContact: qa-bugs@suse.de
Found By: ---
Blocker: ---

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:10.0.11) Gecko/20100101 Firefox/10.0.11 Iceweasel/10.0.11

`sudo -l` should not ask for root's password. It is a common way for non-root user to get information about given (by admin) permissions on a particular host.

Reproducible: Always

Steps to Reproduce:
1.
2.
3.

Actual Results:
# got on a fresh instance of opensuse 12.2
fisher@testing:~> sudo -l
root's password:
stty: unknown mode: doofus
root's password:
I can't hear you -- I'm using the scrambler.
root's password:
I can't hear you -- I'm using the scrambler.
sudo: 3 incorrect password attempts

Expected Results:
# got this on a debian box
saws% sudo -l
Matching Defaults entries for fisher on this host:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User fisher may run the following commands on this host:
    (ALL : ALL) NOPASSWD: ALL

--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=804945#c

FeiXiang Zhang <fxzhang@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         AssignedTo|bnc-team-screening@forge.pr |werner@suse.com
                   |ovo.novell.com              |

https://bugzilla.novell.com/show_bug.cgi?id=804945#c1

Dr. Werner Fink <werner@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
                 CC|                            |vcizek@suse.com
         Resolution|                            |INVALID

--- Comment #1 from Dr. Werner Fink <werner@suse.com> 2013-04-08 09:25:10 UTC ---

Please read the manual pages of sudoers in section 5, run

  man 5 sudoers

beside this I'm not sudo maintainer.

https://bugzilla.novell.com/show_bug.cgi?id=804945#c

Dr. Werner Fink <werner@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |werner@suse.com
         AssignedTo|werner@suse.com             |vcizek@suse.com

https://bugzilla.novell.com/show_bug.cgi?id=804945#c2

--- Comment #2 from Vitezslav Cizek <vcizek@suse.com> 2013-04-08 12:16:05 CEST ---

(In reply to comment #0)
> User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:10.0.11) Gecko/20100101 Firefox/10.0.11 Iceweasel/10.0.11
>
> `sudo -l` should not ask for root's password. It is a common way for non-root user to get information about given (by admin) permissions on a particular host.
>
> Reproducible: Always
>
> Steps to Reproduce:
> 1.
> 2.
> 3.
>
> Actual Results:
> # got on a fresh instance of opensuse 12.2
> fisher@testing:~> sudo -l
> root's password:
> stty: unknown mode: doofus
> root's password:
> I can't hear you -- I'm using the scrambler.
> root's password:
> I can't hear you -- I'm using the scrambler.
> sudo: 3 incorrect password attempts

That's because sudo on openSUSE is by default configured to ask for the password of the target user (setting "Defaults targetpw" in sudoers), which defaults to root.

> Expected Results:
> # got this on a debian box
> saws% sudo -l
> Matching Defaults entries for fisher on this host:
>     env_reset, mail_badpass,
>     secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
>
> User fisher may run the following commands on this host:
>     (ALL : ALL) NOPASSWD: ALL

On the contrary, Debian uses the default sudo behaviour, which means asking for the password of the invoking user. (In this particular example, you are not asked for the password, because of the NOPASSWD flag usage)

As Werner already pointed out, this isn't a bug, but merely a configuration issue.

https://bugzilla.novell.com/show_bug.cgi?id=804945#c3

--- Comment #3 from Serge Ribalchenko <valenak@gmail.com> 2013-04-08 13:04:08 UTC ---

(In reply to comment #1)
> Please read the manual pages of sudoers in section 5, run
>
>   man 5 sudoers

what exact part of man page do you mean? What is the meaning of your comment?

> beside this I'm not sudo maintainer.

oh, then maybe it's better to shut up?

https://bugzilla.novell.com/show_bug.cgi?id=804945#c4

--- Comment #4 from Serge Ribalchenko <valenak@gmail.com> 2013-04-08 13:09:13 UTC ---

(In reply to comment #2)
> On the contrary, Debian uses the default sudo behaviour, which means asking for the password of the invoking user. (In this particular example, you are not asked for the password, because of the NOPASSWD flag usage)
>
> As Werner already pointed out, this isn't a bug, but merely a configuration issue.

thank you for your clarification, but why doesn't OpenSUSE use the default sudo behaviour? Let's take another example, a user who isn't listed in sudoers:

----
openbox% sudo -l

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

Password:
Sorry, user user may not run sudo on openbox.
openbox% uname -a
OpenBSD openbox.lake 5.2 GENERIC.MP#368 amd64
openbox%
----

this is the default behaviour I expect from a mature Linux distro, and alas! OpenSUSE asks me for root's password when I am just a user among the others.

Why does OpenSUSE choose to be so extravagant?

https://bugzilla.novell.com/show_bug.cgi?id=804945#c5

--- Comment #5 from Serge Ribalchenko <valenak@gmail.com> 2013-04-08 13:11:06 UTC ---

(excuse me, forgot to mention that password I was asked in case of OpenBSD was actually the user's password, not root's)

https://bugzilla.novell.com/show_bug.cgi?id=804945#c6

Dr. Werner Fink <werner@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |security-team@suse.de

--- Comment #6 from Dr. Werner Fink <werner@suse.com> 2013-04-08 13:44:01 UTC ---

(In reply to comment #3)
> > beside this I'm not sudo maintainer.
>
> oh, then maybe it's better to shut up?

Would you *please* restrain your wordings!

https://bugzilla.novell.com/show_bug.cgi?id=804945#c7

--- Comment #7 from Vitezslav Cizek <vcizek@suse.com> 2013-04-08 15:46:18 CEST ---

(In reply to comment #4)
> this is the default behaviour I expect from a mature Linux distro, and alas! OpenSUSE asks me for root's password when I am just a user among the others.
>
> Why does OpenSUSE choose to be so extravagant?

These settings have been used in openSUSE for years. I assume the security-team once made this decision. Anyway, it is just the defaults. It can always be easily overridden by the user.

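An added example, not part of the thread and not sudo or openSUSE code: a small Python audit of sudoers text for the `Defaults targetpw` setting named in comment #2 and the override mentioned in comment #7. It assumes the stock openSUSE file pairs `targetpw` with an `ALL ALL=(ALL) ALL` rule (check this on the host); the sample files are constructed and `audit` is a hypothetical helper that reads global `Defaults` lines only.

```python
import re

# Constructed sample files, not copied from any real host.
OPENSUSE_STYLE = """\
Defaults env_reset
Defaults targetpw   # ask for the password of the target user
ALL ALL=(ALL) ALL   # assumed stock rule: anyone may run anything
"""
# An override that only negates the flag and keeps the open rule.
HALF_OVERRIDDEN = OPENSUSE_STYLE + "Defaults !targetpw\n"
DEBIAN_STYLE = """\
Defaults env_reset, mail_badpass
%sudo ALL=(ALL:ALL) ALL
"""

# "ALL ALL=(...) [TAG:] ALL": every user, every host, every command.
OPEN_RULE = re.compile(r"ALL\s+ALL\s*=\s*(\([^)]*\))?\s*(?:[A-Z_]+:\s*)*ALL")


def audit(text):
    """Return (whose_password, findings) for one sudoers text.

    Reads global "Defaults" lines only; per-user or per-host Defaults
    and include directives are not followed.
    """
    targetpw = False   # sudo's built-in default: invoking user's password
    open_rule = False
    for raw in text.replace("\\\n", " ").splitlines():   # join continuations
        line = raw.split("#", 1)[0].strip()              # drop comments
        m = re.match(r"Defaults\s+(.*)", line)
        if m:
            for flag in (f.strip() for f in m.group(1).split(",")):
                if flag in ("targetpw", "!targetpw"):
                    targetpw = not flag.startswith("!")  # last entry wins
        elif OPEN_RULE.fullmatch(line):
            open_rule = True
    findings = []
    if open_rule and not targetpw:
        findings.append("ALL ALL=(ALL) ALL without targetpw: any user's own "
                        "password is enough to run any command as any user")
    return ("target" if targetpw else "invoking"), findings


if __name__ == "__main__":
    for name in ("OPENSUSE_STYLE", "HALF_OVERRIDDEN", "DEBIAN_STYLE"):
        print(name, audit(globals()[name]))
```

The `HALF_OVERRIDDEN` case is the one to watch for when changing the default: dropping `targetpw` while the open rule stays in place turns the root-password gate into a grant for every local account.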