“ALL ALL=(ALL) NOPASSWD:ALL” was auto added in my /etc/sudoers file. Is this a Security Breach?












5

















ALL ALL=(ALL) NOPASSWD:ALL line was auto added twice at the end of my /etc/sudoers file.

  • My linux suddenly stopped asking for a password every time I ran a sudo command. This made me investigate the issue.
  • Even after running sudo -k to reset the grace time it would not ask for my password.
  • I figured out the meaning of that line and commented out the 2 lines to fix the issue and things were back to normal.

But as per my searches the sudoers file is only edited manually and no way I could have given ALL users NOPASSWD permissions to ALL commands.
Could this mean that a script I executed changed the sudoers file? Is this a cause of concern?

OS : Linux Mint 18.3 Cinnamon







security sudo







asked Aug 16 '18 at 11:27
Neon44


  • 3
    Whoever, or whatever, added that line to sudoers needed to have root privileges to do so.
    – roaima
    Aug 16 '18 at 11:32

  • 4
    That's certainly a cause of concern. Can you tie in the last modification time of /etc/sudoers to some event (in logs or modification times of some other files)
    – Stéphane Chazelas
    Aug 16 '18 at 11:33

  • 3
    Long shot, but does sudo grep -rl 'NOPASSWD:ALL' /etc /lib /usr /var /home /root return anything other than /etc/sudoers?
    – roaima
    Aug 16 '18 at 12:16

  • @roaima will surely try that.
    – Neon44
    Aug 16 '18 at 14:55

  • @roaima sudo grep -rl 'NOPASSWD:ALL' /etc /lib /usr /var /home /root has returned the following as of now: /etc/sudoers /usr/lib/snapd/snapd /var/log/auth.log
    – Neon44
    Aug 16 '18 at 15:10















2 Answers

    5







After running this command

    sudo grep -rl 'NOPASSWD:ALL' /etc /lib /usr /var /home /root

you advised that several files matched:

    /etc/sudoers
    /usr/lib/snapd/snapd
    /var/log/auth.log
    /home/neon/HUAWEI-4g_Dongle/Linux/install

The first three of these files could be reasonably expected to contain a match, and can be safely ignored. The fourth, on the other hand, appears to be a possible culprit and bears further investigation.

Indeed, your pastebin shows these snippets:

    SOFTWARENAME="Mobile Partner"
    SOFTWARENAME=$(echo $SOFTWARENAME | sed s# #_#g)
    TEMPFILE="${SOFTWARENAME}_install_$PPID"
    ...

    grep -v "MobilePartner.sh" /etc/sudoers >/tmp/${TEMPFILE} 2>&1
    echo -e "ALL ALL=(ALL) NOPASSWD:ALL" >> /tmp/${TEMPFILE}
    ...

    cp -f /tmp/${TEMPFILE} /etc/sudoers

Yes, I would say that's a (terrible) security hole from fairly lousy quality code.

Having removed (or commented out) the lines from your /etc/sudoers file, I would also recommend you check the permissions on that file. They should be ug=r,o= (0440 = r--r-----), probably owned by root:root.







edited Aug 16 '18 at 19:10
answered Aug 16 '18 at 16:42
roaima


    • Verified the file permissions to be 0440. Seems like it was a really bad install script that came bundled with the dongle. Thanks a lot !

      – Neon44
      Aug 16 '18 at 18:43
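
Added example, not part of the answer above or of the vendor's install script: a small shell audit for the two checks the answer ends with, namely active blanket NOPASSWD rules (commented-out ones are ignored) and the 0440 mode, covering the main file and a drop-in directory. The sample tree, the `deploy` user and the function names are constructed for illustration, and the matching is a heuristic rather than a full sudoers parser.

```shell
#!/bin/sh
# Added example: audit active sudoers rules and file modes.
# Heuristic only: no line continuations, aliases or include-following.

# Print "SCOPE file:line: rule" for every active rule ending in NOPASSWD: ALL.
# SCOPE is ALL-USERS when the user field is the literal ALL (the rule from
# this page), otherwise PRINCIPAL (a single user or %group).
find_nopasswd_all() {
    awk '
        /^[ \t]*#/ { next }                     # commented-out rule, as in the fix described
        !/NOPASSWD:[ \t]*ALL[ \t]*$/ { next }   # not a passwordless run-anything rule
        {
            scope = ($1 == "ALL") ? "ALL-USERS" : "PRINCIPAL"
            print scope " " FILENAME ":" FNR ": " $0
        }
    ' "$@"
}

# Succeed only if FILE has the r--r----- (0440) mode named in the answer.
mode_is_0440() {
    [ "$(ls -ld "$1" | cut -c1-10)" = "-r--r-----" ]
}

# Audit MAIN plus the files in DROPIN_DIR; print findings, return 1 if any.
audit_sudoers() {
    main=$1; dropin_dir=$2; rc=0
    set -- "$main"
    for f in "$dropin_dir"/*; do
        # sudo skips drop-in names that contain "." or end in "~"
        case ${f##*/} in *.*|*~) continue ;; esac
        if [ -f "$f" ]; then set -- "$@" "$f"; fi
    done
    for f in "$@"; do
        if ! mode_is_0440 "$f"; then
            echo "MODE $f: $(ls -ld "$f" | cut -c1-10), expected -r--r-----"
            rc=1
        fi
    done
    hits=$(find_nopasswd_all "$@")
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        rc=1
    fi
    return "$rc"
}

# Build a constructed sample tree under DIR (not the asker's real files).
make_sample() {
    mkdir -p "$1/sudoers.d"
    cat > "$1/sudoers" <<'EOF'
Defaults env_reset
root ALL=(ALL:ALL) ALL
%sudo ALL=(ALL:ALL) ALL
#ALL ALL=(ALL) NOPASSWD:ALL
ALL ALL=(ALL) NOPASSWD:ALL
EOF
    printf '%s\n' 'deploy ALL=(ALL) NOPASSWD: ALL' > "$1/sudoers.d/90-constructed"
    chmod 0440 "$1/sudoers"
    chmod 0644 "$1/sudoers.d/90-constructed"
}

# Demo run against the constructed tree.
tmp=$(mktemp -d)
make_sample "$tmp"
audit_sudoers "$tmp/sudoers" "$tmp/sudoers.d" || echo "findings above need review"
rm -rf "$tmp"
```

On a real system the arguments would be /etc/sudoers and /etc/sudoers.d, run as root, with ownership (root:root per the answer) checked separately.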




















        0







Interesting that it's a Huawei dongle!







answered 14 mins ago
oratek
