By default, every user on my Linux powered Acer Aspire One can sudo any command without having to enter a password. I think this is a bad thing, because this way anyone (or everything) that can access your computer as a local user, can do anything on the system.
The problem is caused by the configuration of sudo, which contains these lines:
## Allows people in group wheel to run all commands %wheel ALL=(ALL) ALL ## Same thing without a password %wheel ALL=(ALL) NOPASSWD: ALL
(to see/edit the sudo config file, issue sudo visudo in a terminal window.) Commenting out the line below 'Same thing without a password' is not an option, because the network (and other things) will not start after starting xfce.
It seems that when xfce is started, a list of commands is executed, some of which are called with 'sudo'. I don't know which script is containing these commands, so I turned on sudo logging. This can be done adding the following lines to the sudo config:
Defaults loglinelen=0 # disable line wrapping in log. Defaults logfile=/var/log/sudo.log # or some other filename.
When logging on again, you can see in /var/log/sudo.log the commands that were executed with sudo:
/usr/bin/gnome-keyring-daemon /bin/mv /usr/bin/xfce-mcs-manager.new /usr/bin/xfce-mcs-manager /bin/mv /usr/bin/xfce-mcs-manager /usr/bin/xfce-mcs-manager.new /sbin//modprobe ath_pci /sbin//modprobe wlan_scan_sta /sbin//modprobe wlan_acl /sbin//modprobe wlan_wep /sbin//modprobe wlan_xauth /sbin//modprobe wlan_ccmp /sbin//modprobe wlan_tkip /usr/local/bin/wlanconfig ath0 create wlandev wifi0 wlanmode sta /sbin//ifconfig ath0 up /etc/init.d/network start /etc/init.d/netfs start /etc/init.d/udev-post start /etc/init.d/ConsoleKit start /etc/init.d/cups start /etc/init.d/wpa_supplicant start /etc/init.d/NetworkManager start /etc/init.d/NetworkManagerDispatcher start /etc/init.d/crond start /usr/bin/nm-applet /sbin/iwpriv ath0 powersave 1 /sbin//fdisk -l /sbin//swapon -a /sbin//iwpriv ath0 powersave 1
These commands are probably somewhere in a script, but I did not find out yet which one.
Anyway, I added the following lines to the sudo configuration script
Cmnd_Alias JOHAN = /usr/bin/gnome-keyring-daemon,/sbin/modprobe,/usr/local/bin/wlanconfig \ ,/sbin/ifconfig,/etc/init.d/network,/etc/init.d/netfs,/etc/init.d/udev-post \ ,/etc/init.d/ConsoleKit,/etc/init.d/cups,/etc/init.d/wpa_supplicant,/etc/init.d/NetworkManager \ ,/etc/init.d/NetworkManagerDispatcher,/etc/init.d/crond,/usr/bin/nm-applet,/sbin/iwpriv \ ,/sbin/swapon %test ALL=(ALL) ALL %test ALL=NOPASSWD: JOHAN
Now every user added to the 'test' group, has to enter a password when sudo'ing, except for the commands issued when logging on.
I'm aware of the fact that this is still not the most secure solution. Things like 'swapon' should already be run before the user is logged on. It would also be better to group the commands executed when logging on in a special script. The test users would then only need passwordless sudo rights on this script.