Sunday, August 07, 2005

More sudo

I've set up the sudoers file a little more sensibly now.

%wheel ALL=(ALL) ALL
%wheel ALL = NOPASSWD: /sbin/poweroff, /sbin/reboot, /bin/mount /mnt/cdrom, /bin/umount
%wheel ALL=(ALL) !/bin/su

The first line says that anyone in the wheel group (i.e. me) can run any command as root, but needs to enter his password first.

The second line says that I can do some mundane tasks like mount the cdrom drive, or poweroff without needing a password at all. This line has to come after the previous one: sudo applies the last matching entry, so if it came first, the more general line would override it and you would still need a password.

The third line says that you can't sudo to su. I originally put this in as a security thing, then realised that if someone unauthorised got access to a wheel group user, they could just sudo everything and wouldn't need the su to root at all. So in reality, its function is more to make sure I don't forget the root password, and slow me up from running lots of commands as root, where I might make silly mistakes (such as "rm -Rf /").

In fact, the whole file doesn't really increase security at all (although it'd be just as hard to get access to my account as root's). It just serves to save me typing passwords on mundane things, and make me type passwords on anything that could actually damage the computer. It's just a way of stopping and saying "wait a minute, are you sure you want to do this?" before I blow up the computer.
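To check the ordering and the effect of the !/bin/su line, here is a simplified model of sudoers "last match wins" evaluation. It is an example added to this post, not sudo's own parser; the function names and the sample commands /bin/mount /dev/sda1 /mnt and /bin/ls /root are constructed for illustration.

```python
# Simplified model of sudoers "last match wins" evaluation (not sudo's parser).
# Handles only what the post's three lines use: ALL, NOPASSWD:, '!' negation,
# and commands with or without fixed arguments. User/host/runas are ignored.

RULES = [  # the command lists of the three %wheel lines, in file order
    "ALL",
    "NOPASSWD: /sbin/poweroff, /sbin/reboot, /bin/mount /mnt/cdrom, /bin/umount",
    "!/bin/su",
]

def parse(spec_list):
    """Turn one command list into (negated, nopasswd, argv_pattern) tuples."""
    specs, nopasswd = [], False
    for item in spec_list.split(","):
        item = item.strip()
        if item.startswith("NOPASSWD:"):
            nopasswd = True          # a tag applies to the rest of the list
            item = item[len("NOPASSWD:"):].strip()
        negated = item.startswith("!")
        specs.append((negated, nopasswd, item.lstrip("!").split()))
    return specs

def matches(pattern, argv):
    if pattern == ["ALL"]:
        return True
    if len(pattern) == 1:            # no args listed: any arguments allowed
        return argv[0] == pattern[0]
    return argv == pattern           # args listed: must match exactly

def decide(rules, command):
    """Return 'deny', 'password' or 'nopasswd' for a command line."""
    argv, result = command.split(), "deny"   # nothing matched means denied
    for line in rules:
        for negated, nopasswd, pattern in parse(line):
            if matches(pattern, argv):       # later matches overwrite earlier
                if negated:
                    result = "deny"
                else:
                    result = "nopasswd" if nopasswd else "password"
    return result

if __name__ == "__main__":
    swapped = [RULES[1], RULES[0], RULES[2]]  # NOPASSWD line moved to the top
    for cmd in ["/sbin/reboot", "/bin/mount /mnt/cdrom",
                "/bin/mount /dev/sda1 /mnt", "/bin/su", "/bin/ls /root"]:
        print(f"{cmd:28} as posted: {decide(RULES, cmd):9} "
              f"swapped: {decide(swapped, cmd)}")
```

Only /bin/su comes back as denied; every other command still runs as root after a password, which is why the third line does not work as a security boundary.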