Ubuntu 22.04: sudo does not ask for a password, sudoers.d is empty, and /etc/sudoers has no "NOPASSWD" entry

Strangely, I have noticed recently that every time I run a command with sudo it does not ask for a password.

Things I have already checked:

  • /etc/sudoers.d = empty
myuser@MYPC:/etc/sudoers.d# ls
README
myuser@MYPC:/etc/sudoers.d# cat README 
#
# As of Debian version 1.7.2p1-1, the default /etc/sudoers file created on
# installation of the package now includes the directive:
# 
#   #includedir /etc/sudoers.d
# 
# This will cause sudo to read and parse any files in the /etc/sudoers.d 
# directory that do not end in '~' or contain a '.' character.
# 
# Note that there must be at least one file in the sudoers.d directory (this
# one will do), and all files in this directory should be mode 0440.
# 
# Note also, that because sudoers contents can vary widely, no attempt is 
# made to add this directive to existing sudoers files on upgrade.  Feel free
# to add the above directive to the end of your /etc/sudoers file to enable 
# this functionality for existing installations if you wish!
#
# Finally, please note that using the visudo command is the recommended way
# to update sudoers content, since it protects against many failure modes.
# See the man page for visudo for more information.
#
  • /etc/sudoers = not even a single NOPASSWD entry
#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults        env_reset
Defaults        mail_badpass
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"
Defaults        use_pty

# This preserves proxy settings from user environments of root
# equivalent users (group sudo)
#Defaults:%sudo env_keep += "http_proxy https_proxy ftp_proxy all_proxy no_proxy"

# This allows running arbitrary commands, but so does ALL, and it means
# different sudoers have their choice of editor respected.
#Defaults:%sudo env_keep += "EDITOR"

# Completely harmless preservation of a user preference.
#Defaults:%sudo env_keep += "GREP_COLOR"

# While you shouldn't normally run git as root, you need to with etckeeper
#Defaults:%sudo env_keep += "GIT_AUTHOR_* GIT_COMMITTER_*"

# Per-user preferences; root won't have sensible values for them.
#Defaults:%sudo env_keep += "EMAIL DEBEMAIL DEBFULLNAME"

# "sudo scp" or "sudo rsync" should be able to use your SSH agent.
#Defaults:%sudo env_keep += "SSH_AGENT_PID SSH_AUTH_SOCK"

# Ditto for GPG agent
#Defaults:%sudo env_keep += "GPG_AGENT_INFO"

# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification
root    ALL=(ALL:ALL) ALL

# Members of the admin group may gain root privileges
#%admin ALL=(ALL) ALL

# Allow members of group sudo to execute any command
%sudo   ALL=(ALL:ALL) ALL

# See sudoers(5) for more information on "@include" directives:

@includedir /etc/sudoers.d
  • Groups: I don't know what else to try. I tried leaving my user only in the sudo group, but that did not change anything. In any case, these are the actual groups:
uid=1000(myuser) gid=1000(myuser) groups=1000(myuser),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),104(input),118(lpadmin),128(sambashare),133(libvirt),138(ubridge),143(render),997(docker)

As muru asked, the "sudo -l" output:

myuser@MYPC:~$ sudo -l
Matching Defaults entries for myuser on MYPC:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty

User myuser may run the following commands on MYPC:
    (ALL : ALL) ALL

Answer 1

By the way, I managed to solve this simply by copying the files in /etc/pam.d from a new VM with a fresh install of Ubuntu 22.04 (I had never manually edited them in the previous Ubuntu 20.04, 18.04, etc.).

So it looks like it was inherited from a previous Ubuntu release, where the "pam.d" configuration behaved differently anyway (always asking for the sudo password).

I tried to diff the files contained in the "pam.d" directory, but there are as many as 44 of them, so it is very time-consuming.

If anyone is interested I may post the "diff" output, and we can try to investigate which line causes this strange behaviour.

By the way, before doing the "raw" copy of the pam.d files, I tried using Google and the Linux documentation to investigate every authentication-related file (e.g. common-auth etc.), but found nothing meaningful.

Answer 2

Looking further into the difference between the "correct" settings and the ones that were somehow "inherited".

# cd /etc/pam.d ; diff -r . ~/pam-save-20230731/ -y --suppress-common-lines
diff -r -y --suppress-common-lines ./common-account /root/pam-save-20230731/common-account
account [success=1 new_authtok_reqd=done default=ignore]      | account [default=1]                     pam_permit.so
account sufficient                      pam_localuser.so      <
account [default=bad success=ok user_unknown=ignore]    pam_s <
diff -r -y --suppress-common-lines ./common-auth /root/pam-save-20230731/common-auth
auth    [success=2 default=ignore]      pam_unix.so nullok    | auth    [default=1]                     pam_permit.so
auth    [success=1 default=ignore]      pam_sss.so use_first_ <
diff -r -y --suppress-common-lines ./common-password /root/pam-save-20230731/common-password
password        requisite                       pam_pwquality | password        [default=1]                     pam_permit.so
password        [success=2 default=ignore]      pam_unix.so o <
password        sufficient                      pam_sss.so us <
diff -r -y --suppress-common-lines ./common-session /root/pam-save-20230731/common-session
session required        pam_unix.so                           <
session optional                        pam_sss.so            <
session optional        pam_systemd.so                        <
diff -r -y --suppress-common-lines ./common-session-noninteractive /root/pam-save-20230731/common-session-noninteractive
session required        pam_unix.so                           <

On a different system there is:

# diff -r -y --suppress-common-lines . ~/pam-20230731/
diff -r -y --suppress-common-lines ./common-account /root/pam-20230731/common-account
account [success=1 new_authtok_reqd=done default=ignore]      | account [default=1]                     pam_permit.so
account sufficient                      pam_localuser.so      <
account [default=bad success=ok user_unknown=ignore]    pam_s <
diff -r -y --suppress-common-lines ./common-auth /root/pam-20230731/common-auth
auth    [success=2 default=ignore]      pam_unix.so nullok    | auth    [default=1]                     pam_permit.so
auth    [success=1 default=ignore]      pam_sss.so use_first_ <
diff -r -y --suppress-common-lines ./common-password /root/pam-20230731/common-password
password        requisite                       pam_pwquality | password        [default=1]                     pam_permit.so
password        [success=2 default=ignore]      pam_unix.so o <
password        sufficient                      pam_sss.so us <
diff -r -y --suppress-common-lines ./common-session /root/pam-20230731/common-session
session required        pam_unix.so                           <
session optional                        pam_sss.so            <
session optional        pam_systemd.so                        <
diff -r -y --suppress-common-lines ./common-session-noninteractive /root/pam-20230731/common-session-noninteractive
session required        pam_unix.so                           <

pam-auth-update shows:

 │    [ ] Pwquality password strength checking                               │
 │    [ ] Unix authentication                                                │
 │    [ ] SSS authentication                                                 │
 │    [ ] Register user sessions in the systemd control group ...            │
 │    [*] Create home directory on login                                     │
 │    [*] Inheritable Capabilities Management                                │

Apparently it should be:

 │    [*] Pwquality password strength checking                               │
 │    [*] Unix authentication                                                │
 │    [*] SSS authentication                                                 │
 │    [*] Register user sessions in the systemd control group ...            │
 │    [*] Create home directory on login                                     │
 │    [*] Inheritable Capabilities Management                                │

After applying the latter settings, everything went back to normal. Also observed... when logging in, via ssh etc., any password works. It still asks for a password, but never verifies it. This became obvious after seeing that Unix authentication was not required either.

So this problem is much more serious than it looks.
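Added example, not part of the question or either answer: a small POSIX shell audit for the state answer 2 found, an auth stack reduced to pam_permit.so and pam_deny.so so that sudo, login and ssh accept any password. The two sample common-auth files are constructed inside the script (the broken one from the primary line shown in the diff above plus the standard Debian template lines the diff suppressed as unchanged; the good one from the Ubuntu 22.04 default with the SSS profile enabled, as in the answer). The path /etc/pam.d/common-auth is the default Ubuntu location and is only an assumption about the host being audited.

```shell
#!/bin/sh
# Added audit script, not from the original post. Checks a Debian/Ubuntu
# /etc/pam.d/common-* file for the failure mode in answer 2: an auth stack
# with no credential-checking module, only pam_permit.so / pam_deny.so.

# pam_modules FILE TYPE
# Print the module of every non-comment line of PAM type TYPE (auth, account,
# password, session) in FILE, in stack order. The control field may be a
# bracketed "[success=1 default=ignore]" token spanning several words, so the
# module is taken as the first word ending in ".so".
pam_modules() {
    awk -v t="$2" '
        /^[[:space:]]*#/ || NF == 0 { next }
        $1 == t {
            for (i = 2; i <= NF; i++) if ($i ~ /\.so$/) { print $i; break }
        }' "$1"
}

# pam_auth_is_permissive FILE
# Exit 0 when the auth stack contains nothing but pam_permit.so/pam_deny.so.
# pam-auth-update writes "auth [default=1] pam_permit.so" as the primary
# block when no authentication profile is enabled; that jumps over pam_deny
# and lands on the final "required pam_permit.so", so every password passes.
pam_auth_is_permissive() {
    n=$(pam_modules "$1" auth |
        awk '$0 !~ /(^|\/)pam_(permit|deny)\.so$/ { c++ } END { print c + 0 }')
    [ "$n" -eq 0 ]
}

# audit_pam_auth [FILE]   (default: /etc/pam.d/common-auth, an assumed path)
audit_pam_auth() {
    f=${1:-/etc/pam.d/common-auth}
    if pam_auth_is_permissive "$f"; then
        echo "WARNING: $f auth stack verifies no credential (any password accepted):"
        pam_modules "$f" auth | sed 's/^/    /'
        return 1
    fi
    echo "OK: $f auth stack: $(pam_modules "$f" auth | tr '\n' ' ')"
}

# Constructed sample files (not copied from a real host). The broken one is
# the primary line from the diff in answer 2 plus the standard template lines
# that the diff suppressed as unchanged; the good one is the Ubuntu 22.04
# default with the SSS profile enabled, as in the answer.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
BAD_AUTH=$SAMPLE_DIR/common-auth.broken
GOOD_AUTH=$SAMPLE_DIR/common-auth.ok

cat > "$BAD_AUTH" <<'EOF'
# here are the per-package modules (the "Primary" block)
auth    [default=1]                     pam_permit.so
# here's the fallback if no module succeeds
auth    requisite                       pam_deny.so
# prime the stack with a positive return value if there isn't one already
auth    required                        pam_permit.so
EOF

cat > "$GOOD_AUTH" <<'EOF'
auth    [success=2 default=ignore]      pam_unix.so nullok
auth    [success=1 default=ignore]      pam_sss.so use_first_pass
auth    requisite                       pam_deny.so
auth    required                        pam_permit.so
auth    optional                        pam_cap.so
EOF

# With a path as $1 the script audits that file (e.g. a live
# /etc/pam.d/common-auth); with no argument it runs over the samples.
if [ -n "${1:-}" ]; then
    audit_pam_auth "$1"
else
    audit_pam_auth "$BAD_AUTH" || :
    audit_pam_auth "$GOOD_AUTH"
fi
```

On a host where the audit prints the WARNING, the fix is the one in the answer: run pam-auth-update as root and re-enable the "Unix authentication" profile (and whichever other profiles the host needs), then confirm that sudo prompts again and that a wrong password is rejected at the console and over ssh.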
