Talk:Sudo

From ArchWiki

Unclear intention of the section discussing hostnames

Hi, in the section "Example entries" I stumbled over this sentence: "To allow a user to run all commands as any user but only the machine with hostname HOST_NAME:" Is this intended to be saying "...on the machine...", like physically, not by ssh for example? Would be great to clarify this! Kay94 (talk) 15:03, 28 July 2017 (UTC)kay94

On not requiring password at console

I don't want to type my password at the console. Nobody else has access to my console unless they break into my house, and if they do that they can just take my computer. I do want to type my password if I'm ssh'd in, because if somebody breaks into my account somehow I'd just as soon they not also have root access. So what exactly is wrong with putting this in pam:

auth	sufficient	pam_succeed_if.so	tty = /dev/tty1

Not that it really matters, for the reasons stated above, but don't forget this won't give sudo access to anyone logged into the console; you still have to be in sudoers.

I put something to this effect in the article, and was reverted. Please let me know what I'm missing. --Chowbok (talk) 22:04, 19 February 2018 (UTC)

Of course use it if you want. But I don't see why it should be listed on the wiki without any security implications - for example a warning quite similar to the one in sudo#Disable_per-terminal_sudo would be appropriate. Also it does not seem very useful to me, since any graphical terminal uses pty rather than tty and you can just as well log in as root to the console to do the administrative things (there is also sudo -s). -- Lahwaacz (talk) 23:28, 19 February 2018 (UTC)

Undo revision 543841

What do you mean by "it's not necessary"? I followed the examples on a fresh Arch system and was told by another Arch user I had to log out for the changes to take effect. And that was correct.

Johnjay79 (talk) 10:07, 27 September 2018 (UTC)

You may have needed that because of some things other than sudo. I have no idea what you did on your fresh system. -- Lahwaacz (talk) 10:21, 27 September 2018 (UTC)
Okay, can you give me a list of steps I should do to reproduce the problem to your satisfaction with a fresh system? Note I still have to run dhcpcd in order to get an internet connection to download sudo as it does not come installed. Johnjay79 (talk) 10:41, 27 September 2018 (UTC)
What problem? I have no idea what your system looks like or what you're trying to do. Also, I have no idea how you could have played with sudo before adding the warning, but still not having it installed. -- Lahwaacz (talk) 10:51, 27 September 2018 (UTC)

Disable root login, missing infos ?

I recently installed sudo and disabled root login. When launching graphical apps that require root access (gparted, partitionmanager, etc.) I was still prompted for the root password.

Of course I found this page and the part about disabling root login and configuring kdesu. As I am using KDE, I thought I was good, but I was still prompted for the root password.

Looking deeper into it, I found that running kdesu <command> did prompt me for my own password, and that I was still prompted for the root password because it was polkit (and not kdesu) prompting me for the root password.

In the end, I solved my problem by adding the sudo group to the list of polkit admins:

polkit.addAdminRule(function(action, subject) {
    return ["unix-group:sudo"];
});

So I feel this wiki is incomplete and we need to add a section (4.7.2 ?) that explains that one might want to add a polkit rule when disabling root login.

However, I am not sure this is a best practice and do not know enough about polkit to write this part myself; I do not know the difference between using polkit ".rules" files like it is documented in Arch Wiki and using polkit localauthority ".conf" files like it is done in Ubuntu.

BTerrier (talk) 21:01, 5 April 2020 (UTC)
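
Added example (not part of the post above and not polkit's own code): a small JavaScript model of how polkit chooses admin identities, showing that a rule like the one above only takes effect if its file is read before another admin rule that returns a value. The file names, the action id, the wheel default in 50-default.rules and the root fallback are assumptions of this sketch.

```javascript
// Constructed model of polkit's admin-rule lookup (not polkit itself).
// Assumption: rule files are read in lexical order of file name and the
// first addAdminRule() callback that returns a value wins.
function resolveAdminIdentities(ruleFiles, action, subject) {
  const adminRules = [];
  const polkit = { addAdminRule: (fn) => { adminRules.push(fn); } };
  for (const name of Object.keys(ruleFiles).sort()) {
    ruleFiles[name](polkit); // "load" the file: it registers its callbacks
  }
  for (const rule of adminRules) {
    const identities = rule(action, subject);
    if (identities) return identities;
  }
  // Assumption: with no matching rule, polkit falls back to root.
  return ["unix-user:0"];
}

// The rule from the post above, unchanged.
const sudoGroupRule = (polkit) => {
  polkit.addAdminRule(function (action, subject) {
    return ["unix-group:sudo"];
  });
};

// Assumed distribution default (50-default.rules naming wheel).
const defaultRule = (polkit) => {
  polkit.addAdminRule(function (action, subject) {
    return ["unix-group:wheel"];
  });
};

// Hypothetical file names; only the numeric prefix matters here.
const loadedEarly = { "40-sudo-admins.rules": sudoGroupRule, "50-default.rules": defaultRule };
const loadedLate = { "60-sudo-admins.rules": sudoGroupRule, "50-default.rules": defaultRule };

// Constructed action id and subject.
const action = { id: "org.example.manage-disks" };
const subject = { user: "alice", local: true, active: true };

console.log(resolveAdminIdentities(loadedEarly, action, subject));
console.log(resolveAdminIdentities(loadedLate, action, subject));
console.log(resolveAdminIdentities({}, action, subject));
```

Every member of the group a winning rule returns can authorize polkit admin actions with their own password, so that group's membership is worth reviewing alongside sudoers.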