Why are sudoers not defined by UID?

4

Login information is tied to UIDs in Linux. However, when I open the sudoers file the sudoers are defined by username instead of UID.

Why are usernames used instead of UIDs?
Does the sudoers file automatically change when usermod -l is run?

Snippet:

    # User privilege specification
    root    ALL=(ALL:ALL) ALL

Flightkick

Posted 2015-10-14T19:02:22.467

Reputation: 55

You can insert comments by prefixing them with a #, but this is also used to specify a uid in certain parts of the file when it is followed by a number; see here for an example – Hastur – 2015-10-14T20:07:00.167

@Hastur Okay, so it's possible to refer to UIDs by prefixing them with a #. Why isn't this done by default? i.e.:

    #0 ALL=(ALL:ALL) ALL

instead of

    root ALL=(ALL:ALL) ALL

It's kinda strange to tie these security rules to a specific username or group name since they can be changed. User IDs and Group IDs cannot be changed. – Flightkick – 2015-10-15T08:32:35.743

You can change UID and GUID, starting from /etc/passwd (etc. etc.) and doing chown -R newUID:newGUID with some additional care... BTW the idea is to create aliases for sudo groups, for groups of groups, and so on... so the UIDs would quickly become a mess to administrate... but the definitive answer I suppose you can have only from the one who did it and still is improving it and working on it... (Todd) – Hastur – 2015-10-15T10:24:41.647

Answers

1

Following some manuals [1,2] I can give you these answers:

  1. It's possible to indicate the users with the UID.

     From the sudoers wiki of Ubuntu we can read:

     You can insert comments by prefixing them with a # but this is also used to specify a uid in certain parts of the file when it is followed by a number.

     Later, in the Runas aliases section, an example is reported:

         # UID 0 is normally used for root
         # Note the hash (#) on the following line indicates a uid, not a comment.
         Runas_Alias ROOT = #0
    
  2. When you simply do usermod -l, the change is not propagated to the sudoers file.
     Indeed, from the man page for usermod, more informative than the BSD one, we can read:

         -l, --login NEW_LOGIN
         The name of the user will be changed from LOGIN to NEW_LOGIN. Nothing else is changed.
         In particular, the user's home directory name should probably be changed manually to reflect the new login name.

     It still seems to imply manual care of the modification in the sudoers file if you specify only the -l parameter. Probably you have to erase the old username and add the user to the sudo group with

         sudo usermod -a -G sudo hduser

     Indeed, this is what happened to this user in 2008 with a Debian Sid system:

     I used to use XXX as my username to login to my sid laptop and XXX is in the sudoers file. Today I changed it to YYY using

         sudo usermod -l YYY XXX

     I did nothing else.

     Now I can login using YYY but I was not able to su to root using the root password. Also 'YYY' is not in the sudoers file so now I cannot edit /etc/sudoers to include YYY.

Finally, as to why: you can probably obtain a definitive answer only from Todd Miller, who did the last (winning) fork of sudo in 1991, or maybe from Bob Coggeshall or Cliff Spencer if it dates from 1980 [7].

References

Hastur

Posted 2015-10-14T19:02:22.467

Reputation: 15 043

Thanks for elaborating. So for example, if I create a user A and give him full privileges then delete user A after a while and forget to remove his specific username from the sudoers file, then after another while I create an account for user B which happens to have the same username as A had then B will happen to have full privileges on the system as well? Along with the story from 'The guy who did usermod -l' you referenced I am wondering why this design is still being used nowadays, doesn't really make sense... Thanks for your time and effort though. – Flightkick – 2015-10-15T21:52:12.583
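The concern raised in this last comment, a stale username entry in sudoers being silently inherited by a later account that reuses the same login name, is something an administrator can audit for mechanically. The script below is an added example and is not from the original question, the answer, or the sudo project. It embeds constructed sample copies of sudoers and passwd content (the account `olduser` and UID 4242 are hypothetical), resolves `#UID` principals in the way the answer describes, and reports every user-privilege line whose principal no longer exists in passwd. Group (`%name`) and netgroup (`+name`) entries are deliberately left out of scope.

```shell
#!/bin/sh
# Added example (not from the original post or from the sudo project).
# Reports sudoers user-privilege entries whose principal is not in passwd:
# a stale login name would be inherited by any future account reusing it,
# and a stale #UID would be inherited by any future account reusing the uid.

# Constructed sample sudoers content; olduser and uid 4242 are hypothetical.
SUDOERS_SAMPLE='# User privilege specification
root    ALL=(ALL:ALL) ALL
olduser ALL=(ALL:ALL) ALL
#0      ALL=(ALL:ALL) ALL
#4242   ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
Runas_Alias ROOT = #0
Defaults env_reset'

# Constructed sample passwd content (only root and hduser exist).
PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
hduser:x:1000:1000::/home/hduser:/bin/bash'

# stale_sudoers_entries SUDOERS_TEXT PASSWD_TEXT
# Prints "<principal> <reason>" for every entry that should be cleaned up.
stale_sudoers_entries() {
    {
        printf '%s\n' "$2"
        printf '%s\n' '===SUDOERS==='
        printf '%s\n' "$1"
    } | awk '
    # Everything before the marker is passwd: index login names and uids.
    /^===SUDOERS===$/ { in_sudoers = 1; next }
    !in_sudoers {
        if ($0 != "") { split($0, f, ":"); names[f[1]] = 1; uids[f[3]] = 1 }
        next
    }
    # Skip blank lines, real comments (# not followed by a digit), Defaults
    # and alias definitions; only user-privilege lines are checked.
    /^[ \t]*$/ { next }
    /^[ \t]*#$/ { next }
    /^[ \t]*#[^0-9]/ { next }
    /^[ \t]*(Defaults|(User|Runas|Host|Cmnd)_Alias)/ { next }
    {
        p = $1
        if (p ~ /^[%+]/) next
        if (p ~ /^#[0-9]+$/) {
            uid = substr(p, 2)
            if (!(uid in uids)) print p " uid-not-in-passwd"
        } else if (!(p in names)) {
            print p " name-not-in-passwd"
        }
    }'
}

# Run against the embedded samples; on a real host you would feed the
# contents of /etc/sudoers (readable only by root) and /etc/passwd instead.
stale_sudoers_entries "$SUDOERS_SAMPLE" "$PASSWD_SAMPLE"
```

Against the samples this reports `olduser` (a login name with no passwd entry) and `#4242` (a numeric principal with no matching uid), while `root` and `#0` pass. Note that a `#UID` entry only moves the reuse problem from names to numbers: the check for the uid form is exactly as necessary, which is why the script resolves both.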