[opensuse] 13.1 visudo -> %wheel ALL=(ALL) NOPASSWD: ALL, user (member of wheel) still prompted for pw
All,
I have unexpected behavior in 13.1 regarding sudo. As a general configuration item, I modify sudoers via visudo and uncomment the following to provide passwordless access to sudo for members of the wheel group:
    # Same thing without a password
    %wheel ALL=(ALL) NOPASSWD: ALL
It has always worked, except for 13.1. Any ideas?
Additionally, pam.d/su no longer provides the following options:
    # Uncomment the following line to implicitly trust users in the "wheel" group.
    auth sufficient pam_wheel.so trust use_uid
    # Uncomment the following line to require a user to be in the "wheel" group.
    auth required pam_wheel.so use_uid
They still work as they did before. Any reason they are not in su anymore?
-- David C. Rankin, J.D.,P.E.
On Sun, 13 Jul 2014 11:07:24 David C. Rankin wrote:
All,
I have unexpected behavior in 13.1 regarding sudo. As a general configuration item, I modify sudoers via visudo and uncomment the following to provide passwordless access to sudo for members of the wheel group:
    # Same thing without a password
    %wheel ALL=(ALL) NOPASSWD: ALL
It has always worked, except for 13.1. Any ideas?
Additionally, pam.d/su no longer provides the following options:
    # Uncomment the following line to implicitly trust users in the "wheel" group.
    auth sufficient pam_wheel.so trust use_uid
    # Uncomment the following line to require a user to be in the "wheel" group.
    auth required pam_wheel.so use_uid
They still work as they did before. Any reason they are not in su anymore?
-- David C. Rankin, J.D.,P.E.
Did you try after logging the affected user out and in again? Not sure if that will make any difference but if they've been added to the wheel group while logged in that won't take effect until the next login. (But you already knew that).
Just a thought.
-- Rodney Baker VK5ZTV rodney.baker@iinet.net.au
On 07/13/2014 11:43 AM, Rodney Baker wrote:
Did you try after logging the affected user out and in again? Not sure if that will make any difference but if they've been added to the wheel group while logged in that won't take effect until the next login. (But you already knew that).
Just a thought.
(smacks self) You are probably right! I've been so busy copying files from old drive to new that I haven't logged out yet. Next WM restart will be telling. Changed sysconfig WM & DM to kde3 values, fingers crossed (but I cheated and launched kwrite, so I know the core works :)
-- David C. Rankin, J.D.,P.E.
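The situation Rodney Baker describes above (a user added to wheel while still logged in) can be checked without logging out by comparing the groups the running session holds with a fresh lookup in the group database. This is an added example, not part of the original thread; the function names are hypothetical and it assumes group names contain no spaces.

```shell
#!/bin/sh
# has_group GROUP "LIST": true if GROUP is one word of the space-separated LIST.
has_group() {
    case " $2 " in
        *" $1 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# group_state GROUP "SESSION_GROUPS" "DATABASE_GROUPS" prints one of:
#   active          in both: the running session already holds the group
#   relogin-needed  in the database only: added after this session logged in
#   stale-session   in the session only: removed from the database since login
#   not-member      in neither
group_state() {
    if has_group "$1" "$2"; then
        if has_group "$1" "$3"; then echo active; else echo stale-session; fi
    elif has_group "$1" "$3"; then
        echo relogin-needed
    else
        echo not-member
    fi
}

# Live check for the current user.
check_group_now() {
    # "id -Gn" with no argument reports the groups of this process.
    session=$(id -Gn 2>/dev/null) || true
    # "id -Gn NAME" performs a fresh lookup of NAME in the group database.
    database=$(id -Gn "$(id -un 2>/dev/null)" 2>/dev/null) || database=""
    group_state "$1" "$session" "$database"
}

echo "wheel: $(check_group_now wheel)"
```
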
On 07/13/2014 06:07 PM, David C. Rankin wrote:
Additionally, pam.d/su no longer provides the following options:
    # Uncomment the following line to implicitly trust users in the "wheel" group.
    auth sufficient pam_wheel.so trust use_uid
    # Uncomment the following line to require a user to be in the "wheel" group.
    auth required pam_wheel.so use_uid
They still work as they did before. Any reason they are not in su anymore?
su(1) has been moved from coreutils to util-linux between 12.3 -> 13.1.
Have a nice day, Berny
On 07/13/2014 12:05 PM, Bernhard Voelker wrote:
On 07/13/2014 06:07 PM, David C. Rankin wrote:
Additionally, pam.d/su no longer provides the following options:
    # Uncomment the following line to implicitly trust users in the "wheel" group.
    auth sufficient pam_wheel.so trust use_uid
    # Uncomment the following line to require a user to be in the "wheel" group.
    auth required pam_wheel.so use_uid
They still work as they did before. Any reason they are not in su anymore?
su(1) has been moved from coreutils to util-linux between 12.3 -> 13.1.
Have a nice day, Berny
Berny, I guess there is the correct explanation in there, but I don't see it. Why would the move mean the comments get dropped from pam.d/su? Are you just saying that the auth entries were dropped during the transition, or is that something other than that, that I should be able to recognize if I weren't so stupid?
-- David C. Rankin, J.D.,P.E.
On 07/13/2014 08:01 PM, David C. Rankin wrote:
On 07/13/2014 12:05 PM, Bernhard Voelker wrote:
su(1) has been moved from coreutils to util-linux between 12.3 -> 13.1.
I guess there is the correct explanation in there, but I don't see it. Why would the move mean the comments get dropped from pam.d/su? Are you just saying that the auth entries were dropped during the transition, or is that something other than that, that I should be able to recognize if I weren't so stupid?
Well, I was helping in that move, but I don't remember such lines in the PAM configuration files, neither in the old nor in the new ones:
https://build.opensuse.org/package/view_file/openSUSE:12.3/coreutils/su.pamd...
https://build.opensuse.org/package/view_file/openSUSE:13.1/util-linux/su.pam...
Have a nice day, Berny
On 07/13/2014 01:18 PM, Bernhard Voelker wrote:
Well, I was helping in that move, but I don't remember such lines in the PAM configuration files, neither in the old nor in the new ones:
https://build.opensuse.org/package/view_file/openSUSE:12.3/coreutils/su.pamd...
https://build.opensuse.org/package/view_file/openSUSE:13.1/util-linux/su.pam...
Have a nice day, Berny
You guys deal with recent history. I don't know when they were dropped, but they were there in every version of SuSE/openSuSE as long as I can remember up to at least 11.4. E.g.:
    [02:56 lakehouse/home/david] # cat /etc/SuSE-release
    openSUSE 10.3 (i586)
    VERSION = 10.3
    [02:56 lakehouse/home/david] # cat /etc/pam.d/su
    #%PAM-1.0
    auth sufficient pam_rootok.so
    # Uncomment the following line to implicitly trust users in the "wheel" group.
    auth sufficient pam_wheel.so trust use_uid
    # Uncomment the following line to require a user to be in the "wheel" group.
    auth required pam_wheel.so use_uid
    auth include common-auth
    account include common-account
    password include common-password
    session include common-session
    session optional pam_xauth.so
Why would you want to drop them when they still serve a valid purpose? Security related to prevent compromise of a user account allowing further privilege escalation? I'm not sure that makes much sense since it would require cracking a user who is also a member of the wheel group, but the second also tightens security by requiring the user be member of wheel to su. If you can recall the reason, I'm interested in knowing. You've got me curious now.
-- David C. Rankin, J.D.,P.E.
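An audit of which of the two pam_wheel lines quoted above is actually active in a PAM service file, as an added example that is not part of the original thread. The function names are hypothetical, the sample file is constructed from the 10.3 listing with the trust line commented out, and bracketed PAM control values are not handled.

```shell
#!/bin/sh
# pam_wheel_modes: read a PAM service file on stdin and report which of the
# two pam_wheel lines from the thread are active (not commented out).
# Prints "trust", "required", "trust required" or "absent".
pam_wheel_modes() {
    awk '
        /^[ \t]*#/ { next }                       # commented out: inactive
        $1 == "auth" && $3 ~ /pam_wheel[.]so$/ {
            has_trust = 0
            for (i = 4; i <= NF; i++) if ($i == "trust") has_trust = 1
            # sufficient + trust: wheel members su without a password
            if ($2 == "sufficient" && has_trust) trust = 1
            # required: only wheel members may su at all
            if ($2 == "required") required = 1
        }
        END {
            out = ""
            if (trust) out = "trust"
            if (required) out = (out == "" ? "required" : out " required")
            print (out == "" ? "absent" : out)
        }
    '
}

# Constructed sample: the 10.3 listing with the trust line commented out.
sample_su() {
cat <<'EOF'
#%PAM-1.0
auth     sufficient     pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth     sufficient     pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
auth     required       pam_wheel.so use_uid
auth     include        common-auth
EOF
}

echo "sample: $(sample_su | pam_wheel_modes)"
if [ -r /etc/pam.d/su ]; then
    echo "/etc/pam.d/su: $(pam_wheel_modes < /etc/pam.d/su)"
fi
```
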
On 07/15/2014 10:04 AM, David C. Rankin wrote:
If you can recall the reason, I'm interested in knowing. You've got me curious now.
Sorry, that was long before I started contributing to coreutils, and the log on OBS doesn't help either:
https://build.opensuse.org/package/revisions/Base:System/coreutils
BTW: I have an old 11.3 system which lacks these lines, too.
Have a nice day, Berny