Kees van Vloten
2021-Oct-02 20:47 UTC
[Samba] Fwd: Fwd: Winbind and GPO access restrictions?
On 02-10-2021 22:16, Rowland Penny via samba wrote:
> On Sat, 2021-10-02 at 22:05 +0200, Kees van Vloten via samba wrote:
>> On 02-10-2021 21:58, Rowland Penny via samba wrote:
>>> On Sat, 2021-10-02 at 21:51 +0200, Kees van Vloten via samba wrote:
>>>> I don't know what you have in /etc/sudoers or /etc/sudoers.d.
>>> I have already shown that my name is not in /etc/sudoers and
>>> /etc/sudoers.d/ is virtually empty:
>>>
>>> rowland@devstation:~$ ls /etc/sudoers.d
>>> README
>>>
>>> But I can use sudo.
>>>
>>> Rowland
>>>
>> Indeed you did, but you did not show the /etc/sudoers file. I would
>> expect it to contain a line that allows a group you are a member of to
>> provide you root access.
> Believe me it doesn't
>
>> If you want to see sudo-rules that are matching for your user you can
>> do
>> sudo -l from your user.
> Here you are:
>
> rowland@devstation:~$ sudo -l
> [sudo] password for rowland:
> Matching Defaults entries for rowland on devstation:
> !env_reset, mail_badpass,
> secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin
> \:/bin, env_reset, mail_badpass,
> secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/
> sbin\:/bin
>
> User rowland may run the following commands on devstation:
> (ALL : ALL) ALL
>
> Would it help if I told you that I do this on all my Unix domain
> members and DC's without modifying any sudo files?
>
> Rowland
>

The one thing I see here is that there is indeed a sudo-rule that allows you full root access given you enter your password. The output does not show on what basis you get this rule "(ALL : ALL) ALL" assigned.

I am certain that I do not see that on my machines when I am not in the group "sudo". The sudo -l output for my user (which is a member of group sudo) is:

kvv@bach:~$ sudo -l
[sudo] wachtwoord voor kvv:
Overeenkomende standaarditems voor kvv op bach:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

Gebruiker kvv mag de volgende opdrachten uitvoeren op bach:
    (ALL : ALL) ALL

When comparing the output, I noticed in yours "matching default items" are listed twice. Again no clue how it got there. On the other hand I have a fresh and unchanged Debian Bullseye setup, so I suspect there are changes in yours, at least reason to do a thorough investigation, I would say.

- Kees
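
Added example, not part of the original message and not code from Samba or sudo: a small Python check for the point raised above about Defaults entries appearing twice in `sudo -l` output. It parses the Defaults block and reports options listed more than once or both set and negated; the function names and the sample text are constructed here, and it assumes C-locale output with no commas inside option values.

```python
import re
from collections import Counter

# Constructed sample modelled on the first `sudo -l` output in this thread
# (C locale assumed; the e-mail's mid-path line wrapping has been removed).
SAMPLE = """\
Matching Defaults entries for rowland on devstation:
    !env_reset, mail_badpass,
    secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin,
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin

User rowland may run the following commands on devstation:
    (ALL : ALL) ALL
"""


def defaults_entries(sudo_l_output):
    """Return the Defaults entries listed by `sudo -l`, in order."""
    collected, in_block = [], False
    for line in sudo_l_output.splitlines():
        if line.startswith("Matching Defaults entries"):
            in_block = True
        elif in_block:
            if not line.strip():
                break  # a blank line ends the Defaults block
            collected.append(line.strip())
    # Assumption: no option value contains a comma (true for the options here).
    return [e.strip() for e in "".join(collected).split(",") if e.strip()]


def audit_defaults(entries):
    """Report options listed more than once and options both set and negated."""
    def name(entry):
        # Drop a leading "!" and anything from "=", "+=" or "-=" onwards.
        return re.split(r"[+-]?=", entry.lstrip("!"), maxsplit=1)[0]

    counts = Counter(name(e) for e in entries)
    negated = {name(e) for e in entries if e.startswith("!")}
    plain = {name(e) for e in entries if not e.startswith("!")}
    return {
        "repeated": sorted(n for n, c in counts.items() if c > 1),
        "conflicting": sorted(negated & plain),
    }


if __name__ == "__main__":
    print(audit_defaults(defaults_entries(SAMPLE)))
```

To use it on a real host, capture the output with `LC_ALL=C sudo -l` and pass the text to `defaults_entries`.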