localhost in sudoers

8

2

There is no chance of an internal attack, so I would like to give sudo privileges to users at the local computer using sudoers. I tried these lines separately:

%admin localhost=(ALL) NOPASSWD: ALL
%admin 127.0.0.1=(ALL) NOPASSWD: ALL

But sudoers does not seem to recognize either localhost or 127.0.0.1.

Is there an alternative, and if so, how secure would it be? Could a remote attacker gain local user privileges using cron or some other method?

Zaz

Posted 2010-07-29T10:27:55.300


Answers

13

%admin ALL=(ALL) NOPASSWD: ALL

The host list restricts the sudo rule to hosts on which one network interface has a name or address in the list. Since every host has a loopback interface, every host should match your rule; in fact, sudo skips the loopback interface when checking host lists, so no host does match your rule; either way specifying the host as localhost is not useful.

Sudo doesn't do any network authentication: the host list is there so that you can deploy a single sudoers file on multiple machines and give users different permissions on different machines.

Cron also doesn't do any network authentication. A remote user would gain user privileges through a misconfigured or vulnerable network server or client (http, ftp, samba, nfs, snmp, ssh, …).

Gilles 'SO- stop being evil'


"Since every host has a loopback interface, every host matches your rule." Are you sure that's correct? Neither localhost nor 127.0.0.1 seem to match the local computer. – Zaz – 2010-07-29T20:56:07.847

@Josh: that's the documented behavior. In fact sudo skips the loopback interface when checking whether the host is in the list. I've updated my answer to reflect this. Either way, specifying localhost in the host list is not useful. – Gilles 'SO- stop being evil' – 2010-07-29T21:25:35.853

Every host would match your rule, if the sudo system allowed it. – bukzor – 2013-04-02T17:12:01.857

0

It seems that your hostname is not "localhost". See the output of the hostname command or check the content of your /etc/hostname.

Snaut


How is hostname going to help? Can you elaborate? – pun – 2016-01-22T12:13:41.840

0

sudo does not know anything about the loopback interface (localhost/127.0.0.1), but it knows about all of the other interfaces. If your machine has at least one such interface, then it is considered to be on a network. Thus during the interface configuration (generally done during the OS installation) you were required to set a "host name", or maybe one was assigned automatically.

This "host name" can be accessed via the "hostname" command or the /etc/hostname file.

As a consequence,
(i) your machine has a loopback interface but also certainly a "host name"
(ii) sudo can only use this "network name"
(iii) if you replace "localhost=" by "<your hostname>" in your sudoers file, the rule will match and everything will work as you expect.

liar666

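The host-matching behaviour that Gilles' and liar666's answers describe, as an added example that is not from this thread and not sudo's own code. It is a small shell model of how sudo decides whether a rule's Host_List entry applies to the machine it runs on: the loopback addresses are dropped before comparison, a plain name is compared against the short host name (sudo uses the fully qualified name only when the `fqdn` option is set), and `ALL` matches everywhere. The host name `workstation` and the address `192.168.1.20` are constructed for the demo. The `check_sudoers_rule` helper runs `visudo -c -f` on a temporary copy when visudo is installed; it only catches syntax errors, which is the point: a rule with `localhost` or `127.0.0.1` parses fine and simply never matches.

```sh
#!/bin/sh
# Added example (not from the thread, not sudo's source): a model of how sudo
# matches a sudoers Host_List entry against the local machine.
#
# Assumptions: HOSTNAME is the short name printed by `hostname`, and the
# ADDR arguments are the addresses sudo sees on the machine's interfaces.
# Loopback addresses (127.0.0.0/8, ::1) are skipped, which is why
# "localhost" and "127.0.0.1" never match anything.

# sudo_host_matches ENTRY HOSTNAME [ADDR...]
# Prints "match" or "no-match" and returns 0 or 1 accordingly.
sudo_host_matches() {
    entry=$1
    host=$2
    shift 2

    # The built-in alias ALL matches every host.
    [ "$entry" = ALL ] && { echo match; return 0; }

    # A plain name is compared against the machine's own host name.
    [ "$entry" = "$host" ] && { echo match; return 0; }

    # An address is compared against each interface address, skipping loopback.
    for addr in "$@"; do
        case $addr in
            127.*|::1) continue ;;
        esac
        [ "$entry" = "$addr" ] && { echo match; return 0; }
    done

    echo no-match
    return 1
}

# check_sudoers_rule RULE
# Writes RULE to a temporary file and checks its syntax with `visudo -c -f`
# when visudo is installed; prints "ok", "invalid", or "unchecked" (no visudo).
# A syntactically valid rule can still never match, so this is only half the check.
check_sudoers_rule() {
    rule=$1
    if ! command -v visudo >/dev/null 2>&1; then
        echo unchecked
        return 0
    fi
    tmp=$(mktemp) || return 1
    printf '%s\n' "$rule" >"$tmp"
    if visudo -c -q -f "$tmp" >/dev/null 2>&1; then
        echo ok
    else
        echo invalid
    fi
    rm -f "$tmp"
}

# Constructed sample host: short name "workstation", one loopback address and
# one LAN address (both made up for this example).
demo_host=workstation
demo_addrs="127.0.0.1 192.168.1.20"

for entry in localhost 127.0.0.1 192.168.1.20 workstation ALL; do
    # Word-splitting of demo_addrs into separate arguments is intended.
    result=$(sudo_host_matches "$entry" "$demo_host" $demo_addrs) || :
    printf '%-14s -> %s\n' "$entry" "$result"
done
printf 'rule syntax: %s\n' "$(check_sudoers_rule '%admin workstation=(ALL) NOPASSWD: ALL')"
```

Running the script prints `no-match` for `localhost` and `127.0.0.1`, and `match` for the LAN address, the host name and `ALL`, which is the behaviour the answers describe: on a single machine the only entries worth writing are the machine's own host name (if you want the file to be deployable elsewhere) or `ALL`.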