Recipe 5.4 Bypassing Password Authentication in sudo
Always edit /etc/sudoers with the visudo program, not by invoking a text editor directly. visudo uses a lock to ensure that only one person edits /etc/sudoers at a time, and verifies that there are no syntax errors before the file is saved.

Never permit the following programs to be invoked with root privileges by sudo: su, sudo, visudo, any shell, and any program having a shell escape.

Be meticulous about specifying argument lists for each command in /etc/sudoers. If you aren't careful, even common commands like cat and chmod can be springboards to gain root privileges:

$ sudo cat /etc/shadow > my.evil.file
$ sudo cat ~root/.ssh/id_dsa > my.copy.of.roots.ssh.key
$ sudo chmod 777 /etc/passwd; emacs /etc/passwd
$ sudo chmod 4755 /usr/bin/less    (root-owned with a shell escape)

Obviously, never let users invoke a program or script via sudo if the users have write permissions to the script. For example:

/etc/sudoers:
smith ALL = (root) /home/smith/myprogram

would be a very bad idea, since smith can modify myprogram arbitrarily.
5.4.1 Problem
You want one user to run a command as another user without supplying a password.
5.4.2 Solution
Use sudo's NOPASSWD tag, which indicates to sudo that no password is needed for authentication:

/etc/sudoers:
smith ALL = (jones) NOPASSWD: /usr/local/bin/mycommand args
smith ALL = (root) NOPASSWD: /usr/local/bin/my_batch_script ""
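The warnings above (no shells, su, sudo or visudo via sudo; no rule whose command the user can modify) and the NOPASSWD rules just shown can be checked mechanically. The following audit script is an added example, not code from the cookbook or from the sudo project; the function names (rules, check_forbidden_commands, check_command_perms, make_fixture) are hypothetical, and it assumes the spaced one-rule-per-line sudoers form used in this recipe with paths that contain no spaces. Whether a specific user can write a file depends on that user's group memberships, which the script does not know, so it reports the conservative signals instead: a command file not owned by root, or one with the group or other write bit set. The sample sudoers it builds is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the Linux Security Cookbook.  Audits a
# sudoers file for the pitfalls this recipe names: forbidden commands
# (su, sudo, visudo, shells, ALL) and command files the rule's user may
# be able to modify.  Assumes the spaced one-rule-per-line form
# "user HOST = (runas) [NOPASSWD:] command args" and paths without
# spaces; Defaults lines, aliases and line continuations are not parsed.

# Programs the recipe says must never be granted through sudo.
FORBIDDEN_CMDS='su sudo visudo sh bash dash ksh csh tcsh zsh'

# Print "user command" for every rule in $1, skipping comments and blank
# lines and stripping the (runas) spec and any NOPASSWD:/PASSWD: tag.
rules() {
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' |
    while read -r user host eq rest; do
        cmdspec=$(printf '%s\n' "$rest" |
                  sed 's/^([^)]*)[[:space:]]*//; s/^[A-Z]*:[[:space:]]*//')
        printf '%s %s\n' "$user" "${cmdspec%% *}"
    done
}

# Flag rules whose command is ALL or a program on the forbidden list.
check_forbidden_commands() {
    rules "$1" | while read -r user cmd; do
        if [ "$cmd" = ALL ]; then
            printf 'FORBIDDEN %s: grants ALL commands\n' "$user"
            continue
        fi
        for bad in $FORBIDDEN_CMDS; do
            if [ "${cmd##*/}" = "$bad" ]; then
                printf 'FORBIDDEN %s: %s\n' "$user" "$cmd"
            fi
        done
    done
}

# Flag rules whose command file is missing, not owned by root, or
# writable by group or others (the /home/smith/myprogram case above).
check_command_perms() {
    rules "$1" | while read -r user cmd; do
        case $cmd in /*) ;; *) continue ;; esac    # only paths can be inspected
        if [ ! -e "$cmd" ]; then
            printf 'MISSING %s: %s\n' "$user" "$cmd"
            continue
        fi
        # "ls -ldL" prints e.g. "-rwxrwxr-x 1 smith smith ...": character 6
        # is the group write bit, 9 the other write bit, field 3 the owner.
        set -- $(ls -ldL "$cmd")
        mode=$1 owner=$3
        if [ "$owner" != root ]; then
            printf 'NONROOT %s: %s owned by %s\n' "$user" "$cmd" "$owner"
        fi
        gw=$(printf '%s\n' "$mode" | cut -c6)
        ow=$(printf '%s\n' "$mode" | cut -c9)
        if [ "$gw" = w ] || [ "$ow" = w ]; then
            printf 'WRITABLE %s: %s mode %s\n' "$user" "$cmd" "$mode"
        fi
    done
}

# Build a constructed fixture: a scratch directory holding a sample sudoers
# file and the two command files it references.  Prints the directory path.
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/home/smith" "$d/usr/local/bin"
    printf '#!/bin/sh\necho ok\n' > "$d/usr/local/bin/mycommand"
    chmod 0755 "$d/usr/local/bin/mycommand"
    printf '#!/bin/sh\necho ok\n' > "$d/home/smith/myprogram"
    chmod 0775 "$d/home/smith/myprogram"        # group-writable: smith can edit it
    cat > "$d/sudoers" <<EOF
# constructed sample; the first two paths point into the fixture directory
smith ALL = (jones) NOPASSWD: $d/usr/local/bin/mycommand args
smith ALL = (root) $d/home/smith/myprogram
jones ALL = (root) /bin/sh
jones ALL = (root) NOPASSWD: /usr/bin/su
admin ALL = (root) ALL
EOF
    printf '%s\n' "$d"
}

# "sh audit_sudoers.sh demo" runs both checks against the fixture.
if [ "${1:-}" = demo ]; then
    dir=$(make_fixture)
    check_forbidden_commands "$dir/sudoers"
    check_command_perms "$dir/sudoers"
    rm -rf "$dir"
fi
```

Against the fixture, check_forbidden_commands reports the /bin/sh rule, the /usr/bin/su rule and the ALL rule, and check_command_perms reports smith's group-writable myprogram; the NOPASSWD mycommand rule passes both checks because its path is not user-writable. Run the same two functions against a copy of the real /etc/sudoers (it is mode 0440, so copy it as root) after every visudo session.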
5.4.3 Discussion
By not requiring a password, you are trading security for convenience. If a sudo-enabled user leaves herself logged in at an unattended terminal, someone else can sit down and run privileged commands.

That being said, passwordless authorization is particularly useful for batch jobs, where no human operator is available to type a password.
5.4.4 See Also
sudo(8), sudoers(5).