VectorLinux
Author Topic: Normal user can access VASM as root  (Read 1669 times)
wcs
Packager
Vectorian
****
Posts: 1144


« on: August 12, 2008, 07:10:53 pm »

I think I mentioned this a long time ago, but cannot find my old post now (as the forum search keeps on giving me weird results).
Apologies if it has been solved in the meantime.

As user, try:
Code:
/bin/vasm
and
Code:
/sbin/vasm
As expected, both start VASM in user mode.

Then, try:
Code:
sudo /bin/vasm
As expected, I get the "Sorry, user is not allowed to execute '/bin/vasm' as root" message.

But what about
Code:
sudo /sbin/vasm

EDIT: The first time you do this you get asked a password, but your user password is enough to access full VASM.

Full access, no questions asked. Is this just my machine?
Isn't this a huge security risk?

And I don't even understand why this happens.
« Last Edit: August 13, 2008, 11:49:39 am by wcs » Logged
rbistolfi
Packager
Vectorian
****
Posts: 2276


« Reply #1 on: August 12, 2008, 07:26:48 pm »

It asks for a password here.
Logged

"There is a concept which corrupts and upsets all others. I refer not to Evil, whose limited realm is that of ethics; I refer to the infinite."
Jorge Luis Borges, Avatars of the Tortoise.

--
Jumalauta!!
wcs
Packager
Vectorian
****
Posts: 1144


« Reply #2 on: August 12, 2008, 07:32:51 pm »

Ok, the "no questions asked" part wasn't true.
But this is the user password.

I just tried creating a new phantom user, rebooted, logged in as new user, typed "sudo /sbin/vasm", inserted the user password and was inside with full rights.

Can anybody confirm?
And is it supposed to be like this or am I just missing something?
Logged
telepibe
Member
*
Posts: 19



« Reply #3 on: August 12, 2008, 09:37:28 pm »

I quote from the sudo manual:

Quote
sudo allows a permitted user to execute a command as the superuser or another user, as specified in the sudoers file. The real and effective uid and gid are set to match those of the target user as specified in the passwd file and the group vector is initialized based on the group file (unless the -P option was specified). If the invoking user is root or if the target user is the same as the invoking user, no password is required. Otherwise, sudo requires that users authenticate themselves with a password by default (NOTE: in the default configuration this is the user's password, not the root password).

Hope this helps.
Logged

Running VL 5.9 Light on Desktop P133 Mhz, 64 Mb Ram, 4 Gb harddisk.
wcs
Packager
Vectorian
****
Posts: 1144


« Reply #4 on: August 13, 2008, 12:48:15 am »

Thanks for the answer. That makes sense.

But I'm not saying that sudo should ask for the root's password by default.

My question is why is VASM even in the /etc/sudoers file?
It doesn't make much sense (to me) to give access by default (with only the user's password) to an application that can format partitions, change root's password, and delete other users.

Especially when so many other system things do not have that access (try, for example, "sudo cat /etc/sudoers" and you cannot see it with your user's password).

I'd say if someone would like to grant that privilege to users, they should add VASM to /etc/sudoers, and not have it there by default.

Also, when looking at the relevant lines in /etc/sudoers, you get:
Quote
# anyone in the group 'users' can run some programs with a password
%users          ALL=VASM,HW2

with VASM and HW2 defined as
Quote
Cmnd_Alias      HW2=/usr/X11R6/bin/qtparted
Cmnd_Alias      VASM=/sbin/vasm,/sbin/vlapt

So why is this line there in a fresh install (of 5.9 Standard)?
Why is access with a user's password only granted to /sbin/vasm, but not to /bin/vasm?
(Especially when "man hier" tells you that /sbin, like /bin, "holds commands needed to boot the system, but which are usually not executed by normal users".)
Why is access granted to vlapt and qtparted, when there is no qtparted in a fresh install, and gslapt (not vlapt) is the standard frontend for package management? (plus, besides VASM, if any user does /sbin/vlapt with only his user's password he/she is able to install/remove packages from the system).

Surely, when so many other things are restricted to normal users you would expect VASM and package management to also be restricted by default and only work with root's password.

Maybe that line is in /etc/sudoers for a reason that I'm not getting....
But it sure looks like a mistake and something lingering from previous VL versions...
Logged
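The questions above come down to one audit: which concrete commands does a group grant in /etc/sudoers expand to, and does the file ask for the invoking user's password or root's. The following is an added example, not code from this thread or from VectorLinux: a small Python sudoers reader that resolves Cmnd_Alias names for every %group line and flags grants of administrative tools. The sample file is constructed from the lines quoted in the post; the admin-tool list and the function names are this example's own. `Defaults rootpw` is the real sudoers option that makes sudo prompt for root's password instead of the user's.

```python
"""Audit a sudoers file for group-wide grants of privileged admin tools."""
import re

# Constructed sample modelled on the lines quoted in this thread (VL 5.9 Standard).
SAMPLE_SUDOERS = """\
# Cmnd alias specification
Cmnd_Alias      HW2=/usr/X11R6/bin/qtparted
Cmnd_Alias      VASM=/sbin/vasm,/sbin/vlapt

# User privilege specification
root    ALL=(ALL) ALL

# anyone in the group 'users' can run some programs with a password
%users          ALL=VASM,HW2
"""


def parse_sudoers(text):
    """Return (aliases, grants): aliases maps Cmnd_Alias name -> [commands];
    grants is a list of (who, hosts, command_spec) for each user/group line."""
    aliases = {}
    grants = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = re.match(r"Cmnd_Alias\s+(\w+)\s*=\s*(.+)", line)
        if m:
            aliases[m.group(1)] = [c.strip() for c in m.group(2).split(",")]
            continue
        if line.startswith(("Defaults", "User_Alias", "Host_Alias", "Runas_Alias")):
            continue  # not a privilege grant
        m = re.match(r"(\S+)\s+(\S+)\s*=\s*(.+)", line)
        if m:
            grants.append((m.group(1), m.group(2), m.group(3)))
    return aliases, grants


def expand(cmd_spec, aliases):
    """Expand one command list, resolving Cmnd_Alias names and stripping
    a (runas) prefix and tags such as NOPASSWD: from each entry."""
    out = []
    for item in cmd_spec.split(","):
        item = item.strip()
        item = re.sub(r"^\([^)]*\)\s*", "", item)   # e.g. "(ALL) ALL" -> "ALL"
        item = re.sub(r"^(?:\w+:\s*)+", "", item)   # e.g. "NOPASSWD: /sbin/vasm"
        out.extend(aliases.get(item, [item]))
    return out


def group_grants(text):
    """Map each %group entry to the concrete commands it may run via sudo."""
    aliases, grants = parse_sudoers(text)
    return {who: expand(spec, aliases) for who, _, spec in grants if who.startswith("%")}


def flag_admin_tools(text, admin_tools):
    """List (group, command) pairs where a whole group is granted an admin
    tool (or ALL). admin_tools is the reviewer's own list of sensitive paths."""
    findings = []
    for group, cmds in group_grants(text).items():
        for c in cmds:
            if c == "ALL" or c in admin_tools:
                findings.append((group, c))
    return findings


def requires_root_password(text):
    """True if the file sets 'Defaults rootpw' (globally or per user/group),
    i.e. sudo will ask for root's password rather than the caller's."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if re.match(r"Defaults(?:[:@>!]\S+)?\s+.*\brootpw\b", line):
            return True
    return False


if __name__ == "__main__":
    sensitive = {"/sbin/vasm", "/sbin/vlapt"}
    for group, cmd in flag_admin_tools(SAMPLE_SUDOERS, sensitive):
        print(f"{group} may run {cmd} with its own password")
    print("root password required:", requires_root_password(SAMPLE_SUDOERS))
```

On a live system the same question is answered for the invoking account by `sudo -l`, which prints the commands the current user may run; the parser here is for reviewing a sudoers file offline. With the sample above it reports that every member of `users` can run /sbin/vasm and /sbin/vlapt after typing only their own password, which is exactly what the poster observed.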
exeterdad
Packager
Vectorian
****
Posts: 2046



« Reply #5 on: August 13, 2008, 06:11:09 am »

What the??!  I went to test and found I don't have a /etc/sudoers

Very odd, I'm sure I had one before. Meh...  Oh well.  I don't use sudo anyway. I've only used it on my wife's laptop to run acpi scripts I made.
Logged
telepibe
Member
*
Posts: 19



« Reply #6 on: August 13, 2008, 11:04:25 am »

Sorry, I didn't realize you were asking that ...

Anyway, it's the same for me. Only user password to run vasm.
Logged