10

There is no chance of an internal attack, so I would like to give sudo privileges to users at the local computer using sudoers. I tried these lines separately:

%admin localhost=(ALL) NOPASSWD: ALL
%admin 127.0.0.1=(ALL) NOPASSWD: ALL

But sudoers does not seem to recognize either localhost or 127.0.0.1.

Is there an alternative, and if so, how secure would it be? Could a remote attacker gain local user privileges using cron or some other method?

Zaz
  • 2,405
  • 2
  • 26
  • 38

3 Answers

15

%admin ALL=(ALL) NOPASSWD: ALL

The host list restricts the sudo rule to hosts on which one network interface has a name or address in the list. Since every host has a loopback interface, every host should match your rule; in fact, sudo skips the loopback interface when checking host lists, so no host does match your rule; either way specifying the host as localhost is not useful.

Sudo doesn't do any network authentication: the host list is there so that you can deploy a single sudoers file on multiple machines and give users different permissions on different machines.

Cron also doesn't do any network authentication. A remote user would gain user privileges through a misconfigured or vulnerable network server or client (http, ftp, samba, nfs, snmp, ssh, …).

Gilles 'SO- stop being evil'
  • 69,786
  • 21
  • 137
  • 178
  • "Since every host has a loopback interface, every host matches your rule." Are you sure that's correct? Neither `localhost` nor `127.0.0.1` seems to match the local computer. – Zaz Jul 29 '10 at 20:56
  • 1
    @Josh: that's the documented behavior. In fact sudo skips the loopback interface when checking whether the host is in the list. I've updated my answer to reflect this. Either way, specifying `localhost` in the host list is not useful. – Gilles 'SO- stop being evil' Jul 29 '10 at 21:25
  • Every host *would* match your rule, if the sudo system allowed it. – bukzor Apr 02 '13 at 17:12
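To make the host-list semantics in the accepted answer concrete, here is an added example (not code from the original answer, and not sudo's own matching code) that applies a simplified model of the rule: a host field matches when it is ALL, names the machine's hostname, equals one of its non-loopback interface addresses, or is a Host_Alias of such entries. The sudoers text, the hostnames, the addresses and the Host_Alias names (WEB, DB) are constructed for the example; the point it shows is that one sudoers file yields different effective rules on different machines, while rules keyed on localhost or 127.0.0.1 match nowhere because loopback is skipped.

```python
import ipaddress
import re

# Constructed sudoers fragment (not from the page): one file meant to be deployed
# on several machines, with the host field deciding which rules apply where.
SUDOERS = """\
Host_Alias WEB = web01, web02
Host_Alias DB  = db01

%admin  ALL=(ALL) NOPASSWD: ALL
%webops WEB=(ALL) /usr/sbin/service
%dba    DB=(ALL) NOPASSWD: /usr/bin/pg_ctl
%admin  localhost=(ALL) NOPASSWD: ALL
%admin  127.0.0.1=(ALL) NOPASSWD: ALL
"""

ALIAS_RE = re.compile(r"^Host_Alias\s+(\w+)\s*=\s*(.+)$")
RULE_RE = re.compile(r"^(\S+)\s+([^=\s]+)\s*=\s*(.+)$")


def parse_sudoers(text):
    """Return (host_aliases, rules) from a sudoers-style text.

    rules is a list of (user_spec, host_spec, command_spec). Only the
    Host_Alias keyword and plain user specifications are recognised;
    this is a deliberately small parser, not sudo's grammar.
    """
    aliases, rules = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        m = ALIAS_RE.match(line)
        if m:
            aliases[m.group(1)] = [h.strip() for h in m.group(2).split(",")]
            continue
        m = RULE_RE.match(line)
        if m:
            rules.append(m.groups())
    return aliases, rules


def non_loopback(addresses):
    """Drop loopback addresses, mirroring the point that sudo ignores the loopback interface."""
    ips = [ipaddress.ip_address(a) for a in addresses]
    return [str(ip) for ip in ips if not ip.is_loopback]


def host_matches(host_spec, hostname, addresses, aliases):
    """Simplified model of host matching (an assumption for this example, not sudo's code)."""
    addrs = set(non_loopback(addresses))
    for entry in (e.strip() for e in host_spec.split(",")):
        if entry == "ALL":
            return True
        if entry in aliases:
            if host_matches(",".join(aliases[entry]), hostname, addresses, aliases):
                return True
            continue
        if entry == hostname or entry == hostname.split(".")[0]:
            return True
        try:
            # A literal address only matches a non-loopback interface address,
            # so 127.0.0.1 can never match.
            if str(ipaddress.ip_address(entry)) in addrs:
                return True
        except ValueError:
            pass  # not an address (e.g. "localhost"), and it was not the hostname
    return False


def effective_rules(text, hostname, addresses):
    """Return the (user_spec, command_spec) pairs that apply on the given machine."""
    aliases, rules = parse_sudoers(text)
    return [(u, c) for u, h, c in rules if host_matches(h, hostname, addresses, aliases)]


if __name__ == "__main__":
    # Constructed machines: each has loopback plus one real interface address.
    for host, addrs in [("web01", ["127.0.0.1", "10.0.0.11"]),
                        ("db01", ["127.0.0.1", "10.0.0.21"]),
                        ("laptop", ["127.0.0.1", "192.168.1.5"])]:
        print(host, effective_rules(SUDOERS, host, addrs))
```

Running it shows web01 getting the %admin and %webops rules, db01 the %admin and %dba rules, and the laptop only the %admin ALL rule; the two localhost/127.0.0.1 lines contribute nothing anywhere. The model also matches a literal `localhost` entry if the machine's hostname really is `localhost`, which is the situation the other answers describe.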
0

It seems that your hostname is not "localhost". See the output of the hostname command or check the content of your /etc/hostname.

Snaut
  • 1
0

sudo does not know anything about the loopback interface (localhost/127.0.0.1), but it knows about all of the other interfaces. If your machine has at least one such interface, then it is considered to be on a network. Thus during the interface configuration (generally done during the OS installation) you were required to set a "host name", or maybe one was assigned automatically.

This "host name" can be accessed via the "hostname" command or the /etc/hostname file.

As a consequence,
(i) your machine has a loopback interface but also certainly a "host name"
(ii) sudo can only use this "network name"
(iii) if you replace "localhost=" by "<your hostname>" in your sudoers file, the rule will match and everything will work as you expect.

robinCTS
  • 4,327
  • 4
  • 20
  • 29