VectorLinux

Please login or register.

Login with username, password and session length
Advanced search  

News:

Visit our home page for VL info. For support and documentation, visit the Vector Linux Knowledge Center or search the Knowledge Center and this Forum using the search box above.

Author Topic: Normal user can access VASM as root  (Read 2669 times)

wcs

  • Packager
  • Vectorian
  • ****
  • Posts: 1144
Normal user can access VASM as root
« on: August 12, 2008, 08:10:53 pm »
I think I mentioned this a long time ago, but cannot find my old post now (as the forum search keeps on giving me weird results).
Apologies if it has been solved in the meantime.

As user, try:
Code: [Select]
/bin/vasmand
Code: [Select]
/sbin/vasmAs expected, both start VASM in user mode.

Then, try:
Code: [Select]
sudo /bin/vasmAs expected, I get the "Sorry, user is not allowed to execute '/bin/vasm' as root" message.

But what about
Code: [Select]
sudo /sbin/vasm
EDIT: The first time you do this you get asked a password, but your user password is enough to access full VASM.

Full access, no questions asked. Is this just my machine?
Isn't this a huge security risk?

And I don't even understand why this happens.
« Last Edit: August 13, 2008, 12:49:39 pm by wcs »
Logged

rbistolfi

  • Packager
  • Vectorian
  • ****
  • Posts: 2366
Re: Normal user can access VASM as root
« Reply #1 on: August 12, 2008, 08:26:48 pm »
It asks for a password here.
Logged
"There is a concept which corrupts and upsets all others. I refer not to Evil, whose limited realm is that of ethics; I refer to the infinite."
Jorge Luis Borges, Avatars of the Tortoise.
--
Jumalauta!!

wcs

  • Packager
  • Vectorian
  • ****
  • Posts: 1144
Re: Normal user can access VASM as root
« Reply #2 on: August 12, 2008, 08:32:51 pm »
Ok, the "no questions asked" part wasn't true.
But this is the user password.

I just tried creating a new phantom user, rebooted, logged in as new user, typed "sudo /sbin/vasm", inserted the user password and was inside with full rights.

Can anybody confirm?
And is it supposed to be like this or am I just missing something?
Logged

telepibe

  • Member
  • *
  • Posts: 19
Re: Normal user can access VASM as root
« Reply #3 on: August 12, 2008, 10:37:28 pm »
I quote from the sudo manual:

Quote
sudo allows a permitted user to execute a command as the superuser or another user, as specified in the sudoers file. The real and effective uid and gid are set to match those of the target user as specified in the passwd file and the group vector is initialized based on the group file (unless the -P option was specified). If the invoking user is root or if the target user is the same as the invoking user, no password is required. Otherwise, sudo requires that users authenticate themselves with a password by default (NOTE: in the default configuration this is the user's password, not the root password).

Hope this helps.
Logged
Runnning VL 5.9 Light on Desktop P133 Mhz, 64 Mb Ram, 4 Gb harddisk.

wcs

  • Packager
  • Vectorian
  • ****
  • Posts: 1144
Re: Normal user can access VASM as root
« Reply #4 on: August 13, 2008, 01:48:15 am »
Thanks for the answer. That makes sense.

But I'm not saying that sudo should ask for the root's password by default.

My question is why is VASM even in the /etc/sudoers file?
It doesn't make much sense (to me) to give access by default (with only the user's password) to an application that can format partitions, change root's password, and delete other users.

Especially when so many other system things do not have that access (try, for example, "sudo cat /etc/sudoers" and you cannot see it with your user's password).

I'd say if someone would like to grant that privilege to users, they should add VASM to /etc/sudoers, and not have it there by default.

Also, when looking at the relevant lines in /etc/sudoers, you get:
Quote
# anyone in the group 'users' can run some programs with a password
%users          ALL=VASM,HW2

with VASM and HW2 defined as
Quote
Cmnd_Alias      HW2=/usr/X11R6/bin/qtparted
Cmnd_Alias      VASM=/sbin/vasm,/sbin/vlapt

So why is this line there in a fresh install (of 5.9 Standard)?
Why is access with a user's password only granted to /sbin/vasm, but not to /bin/vasm?
(Especially when "man hier" tells you that /sbin, like /bin, "holds commands needed to boot the system, but which are usually not executed by normal users".)
Why is access granted to vlapt and qtparted, when there is no qtparted in a fresh install, and gslapt (not vlapt) is the standard frontend for package management? (plus, besides VASM, if any user does /sbin/vlapt with only his user's password he/she is able to install/remove packages from the system).

Surely, when so many other things are restricted to normal users you would expect VASM and package management to also be restricted by default and only work with root's password.

Maybe that line is in /etc/sudoers for a reason that I'm not getting....  ???
But is sure looks like a mistake and something lingering from previous VL versions...
Logged

exeterdad

  • Packager
  • Vectorian
  • ****
  • Posts: 2046
Re: Normal user can access VASM as root
« Reply #5 on: August 13, 2008, 07:11:09 am »
What the??!  I went to test and found I dont have a /etc/sudoers

Very odd, I'm sure I had one before. Meh...  Oh well.  I don't use sudo anyway. I've only used it on my wifes laptop to run acpi scripts I made.
Logged

telepibe

  • Member
  • *
  • Posts: 19
Re: Normal user can access VASM as root
« Reply #6 on: August 13, 2008, 12:04:25 pm »
Sorry, I didn't realize you were asking that  :P ...

Anyway, it's the same for me. Only user password to run vasm.
Logged
Runnning VL 5.9 Light on Desktop P133 Mhz, 64 Mb Ram, 4 Gb harddisk.