Normal user can access VASM as root

[wcs]

I think I mentioned this a long time ago, but cannot find my old post now (as the forum search keeps on giving me weird results).
Apologies if it has been solved in the meantime.

As user, try:

Code:

/bin/vasm

and

Code:

/sbin/vasm

As expected, both start VASM in user mode.

Then, try:

Code:

sudo /bin/vasm

As expected, I get the "Sorry, user is not allowed to execute '/bin/vasm' as root" message.

But what about

Code:

sudo /sbin/vasm

EDIT: The first time you do this you get asked a password, but your user password is enough to access full VASM.

Full access, no questions asked. Is this just my machine?
Isn't this a huge security risk?

And I don't even understand why this happens.

[rbistolfi]

It asks for a password here.

[wcs]

Ok, the "no questions asked" part wasn't true.
But this is the user password.

I just tried creating a new phantom user, rebooted, logged in as new user, typed "sudo /sbin/vasm", inserted the user password and was inside with full rights.

Can anybody confirm?
And is it supposed to be like this or am I just missing something?

[telepibe]

I quote from the sudo manual:

sudo allows a permitted user to execute a command as the superuser or another user, as specified in the sudoers file. The real and effective uid and gid are set to match those of the target user as specified in the passwd file and the group vector is initialized based on the group file (unless the -P option was specified). If the invoking user is root or if the target user is the same as the invoking user, no password is required. Otherwise, sudo requires that users authenticate themselves with a password by default (NOTE: in the default configuration this is the user's password, not the root password).

Hope this helps.

[wcs]

Thanks for the answer. That makes sense.

But I'm not saying that sudo should ask for the root's password by default.

My question is why is VASM even in the /etc/sudoers file?
It doesn't make much sense (to me) to give access by default (with only the user's password) to an application that can format partitions, change root's password, and delete other users.

Especially when so many other system things do not have that access (try, for example, "sudo cat /etc/sudoers" and you cannot see it with your user's password).

I'd say if someone would like to grant that privilege to users, they should add VASM to /etc/sudoers, and not have it there by default.

Also, when looking at the relevant lines in /etc/sudoers, you get:

# anyone in the group 'users' can run some programs with a password
%users          ALL=VASM,HW2

with VASM and HW2 defined as

Cmnd_Alias      HW2=/usr/X11R6/bin/qtparted
Cmnd_Alias      VASM=/sbin/vasm,/sbin/vlapt

So why is this line there in a fresh install (of 5.9 Standard)?
Why is access with a user's password only granted to /sbin/vasm, but not to /bin/vasm?
(Especially when "man hier" tells you that /sbin, like /bin, "holds commands needed to boot the system, but which are usually not executed by normal users".)
Why is access granted to vlapt and qtparted, when there is no qtparted in a fresh install, and gslapt (not vlapt) is the standard frontend for package management? (plus, besides VASM, if any user does /sbin/vlapt with only his user's password he/she is able to install/remove packages from the system).

Surely, when so many other things are restricted to normal users you would expect VASM and package management to also be restricted by default and only work with root's password.

Maybe that line is in /etc/sudoers for a reason that I'm not getting.... 
But is sure looks like a mistake and something lingering from previous VL versions...

[exeterdad]

What the??!  I went to test and found I dont have a /etc/sudoers

Very odd, I'm sure I had one before. Meh...  Oh well.  I don't use sudo anyway. I've only used it on my wifes laptop to run acpi scripts I made.

[telepibe]

Sorry, I didn't realize you were asking that  ...

Anyway, it's the same for me. Only user password to run vasm.