ALL ALL=(ALL) NOPASSWD:ALL line was auto added twice at the end of my /etc/sudoers file.

  • My Linux suddenly stopped asking for a password every time I ran a sudo command. This made me investigate the issue.
  • Even after running sudo -k to reset the grace time it would not ask for my password.
  • I figured out the meaning of that line and commented out the 2 lines to fix the issue and things were back to normal.

But as per my searches the sudoers file is only edited manually and no way I could have given ALL users NOPASSWD permissions to ALL commands. Could this mean that a script I executed changed the sudoers file? Is this a cause of concern?

OS : Linux Mint 18.3 Cinnamon

Neon44
  • Whoever, or whatever, added that line to sudoers needed to have root privileges to do so. – Chris Davies Aug 16 '18 at 11:32
  • That's certainly a cause of concern. Can you tie in the last modification time of /etc/sudoers to some event (in logs or modification times of some other files)? – Stéphane Chazelas Aug 16 '18 at 11:33
  • Long shot, but does sudo grep -rl 'NOPASSWD:ALL' /etc /lib /usr /var /home /root return anything other than /etc/sudoers? – Chris Davies Aug 16 '18 at 12:16
  • @roaima will surely try that. – Neon44 Aug 16 '18 at 14:55
  • @roaima sudo grep -rl 'NOPASSWD:ALL' /etc /lib /usr /var /home /root has returned the following as of now: /etc/sudoers /usr/lib/snapd/snapd /var/log/auth.log – Neon44 Aug 16 '18 at 15:10
  • @roaima Oh wait! grep has also returned /home/neon/HUAWEI-4g_Dongle/Linux/install. I think I've found the issue. I had run the install script for the HUAWEI 4g dongle https://pastebin.com/e37GGKsu. It's most likely happened through this. – Neon44 Aug 16 '18 at 15:25

1 Answer

After running this command

sudo grep -rl 'NOPASSWD:ALL' /etc /lib /usr /var /home /root

you advised that several files matched:

/etc/sudoers
/usr/lib/snapd/snapd
/var/log/auth.log
/home/neon/HUAWEI-4g_Dongle/Linux/install

The first three of these files could be reasonably expected to contain a match, and can be safely ignored. The fourth, on the other hand, appears to be a possible culprit and bears further investigation.

Indeed, your pastebin shows these snippets:

SOFTWARENAME="Mobile Partner"
SOFTWARENAME=$(echo $SOFTWARENAME | sed s\#\ \#_\#g)
TEMPFILE="${SOFTWARENAME}_install_$PPID"
... 

grep -v "MobilePartner.sh" /etc/sudoers >/tmp/${TEMPFILE} 2>&1
echo -e "ALL ALL=(ALL) NOPASSWD:ALL" >> /tmp/${TEMPFILE}
...

cp -f /tmp/${TEMPFILE} /etc/sudoers

Yes, I would say that's a (terrible) security hole from fairly lousy quality code.

Having removed (or commented out) the lines from your /etc/sudoers file, I would also recommend you check the permissions on that file. They should be ug=r,o= (0440 = r--r-----), probably owned by root:root.

Chris Davies
  • Verified the file permissions to be 0440. Seems like it was a really bad install script that came bundled with the dongle. Thanks a lot! – Neon44 Aug 16 '18 at 18:43
  • Wow, good idea for grep 'NOPASSWD:ALL' /etc /lib /usr /var /home /root! – Weekend Apr 08 '19 at 08:19
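An added audit script, not code from the question, the answer or the dongle's installer: it checks a sudoers-style file for the blanket `ALL ALL=(ALL) NOPASSWD:ALL` grant the installer appended and for the 0440 root:root ownership the answer recommends. It assumes a POSIX shell and GNU coreutils `stat` (as shipped with Linux Mint); the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the question, answer or dongle installer.
# Audits a sudoers-style file for the blanket grant the installer appended
# and for the ownership/mode the answer recommends. Assumes GNU coreutils
# stat (Linux Mint has it); BSD/macOS would need stat -f instead.

# Active (uncommented) lines of "$1" that mention NOPASSWD. Lines starting
# with '#' are skipped, so a grant that was commented out no longer counts.
active_nopasswd_lines() {
    grep -vE '^[[:space:]]*#' "$1" | grep 'NOPASSWD'
}

# Prints 1 if "$1" has an active rule whose user field is ALL and whose
# command list is NOPASSWD:ALL (passwordless sudo for every account), else 0.
has_blanket_grant() {
    if active_nopasswd_lines "$1" | grep -Eq \
        '^[[:space:]]*ALL[[:space:]]+[^=]*=\(.*\)[[:space:]]*NOPASSWD:[[:space:]]*ALL[[:space:]]*$'
    then
        echo 1
    else
        echo 0
    fi
}

# Octal mode (e.g. 440) and owner (e.g. root:root) of "$1".
file_mode()  { stat -c '%a' "$1"; }
file_owner() { stat -c '%U:%G' "$1"; }

# Report on one file. Returns 0 when clean, 1 when something needs attention,
# 2 when the file cannot be read (sudoers is 0440, so run this as root).
audit_sudoers() {
    f="$1"; rc=0
    [ -r "$f" ] || { echo "$f: cannot read"; return 2; }
    if [ "$(has_blanket_grant "$f")" = 1 ]; then
        echo "$f: blanket 'ALL ... NOPASSWD:ALL' grant, every user gets root without a password"
        rc=1
    fi
    n=$(active_nopasswd_lines "$f" | wc -l)
    [ "$n" -gt 0 ] && echo "$f: $n active NOPASSWD line(s), review each one"
    [ "$(file_mode "$f")" = 440 ] || { echo "$f: mode $(file_mode "$f"), expected 440"; rc=1; }
    [ "$(file_owner "$f")" = root:root ] || { echo "$f: owner $(file_owner "$f"), expected root:root"; rc=1; }
    return "$rc"
}

# Typical use (drop-ins under /etc/sudoers.d are pulled in by #includedir):
#   for f in /etc/sudoers /etc/sudoers.d/*; do audit_sudoers "$f"; done
```

Running it as root over /etc/sudoers and /etc/sudoers.d/* reports the grant and any permission drift; a line that has been commented out, as the asker did, no longer counts as a finding.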