Re: Sudoers question

AFAIK, members of the "admin" group have sudo, aka "root" privileges, and everyone else does not. So you're either in the group, or not. I have not heard of "semi-admin" privileges.

But, if you put her in the admin group and show her how to use Adept Manager, that seems fairly harmless. If she doesn't know the CLI commands that would cause harm, and you don't teach them to her, and she only uses her privileges to run Adept Manager, I don't see how she'll destroy the system (but, I admit I don't know her!).

Re: Sudoers question

You can put something like
wife's_username ALL = /usr/sbin/synaptic, /usr/bin/adept_manager
in /etc/sudoers to allow your wife to run synaptic and adept with sudo (replace 'wife's_username' with her actual username)

Re: Sudoers question

Thanks, guys. I try to add a line using visudo and the editor is not behaving. I'll search around for this issue.

Re: Sudoers question

Do you have a problem with the editor or with sudoers syntax?

Re: Sudoers question

When I go to the end of a line to press Enter for a Newline, the cursor positions itself over the last charachter of the line. If I go to a blank line and paste in the line above, it pastes it at the start of the prev line.....

Maybe it is a case of not knowing how to use this editor?

Re: Sudoers question

Is vi/vim editor a new thing for you?

Here's a small crash course:
vi/vim is a 'modal' editor, so make sure you are insert mode to add text (press 'i' to get to insert mode... 'Esc' will get you back in command mode afterwards).

Other commands you may need (in command mode):
:w (save file)
:q (quit)

Re: Sudoers question

AH! That explains it. It uses vi. Thank you!

Edit: That did it. Adding the line to sudoers and I don't see any possibilities for shell escapes either.

Re: Sudoers question

Theoretically, if you allow (only) password protected remote access for that user and the password is cracked...the cracker can set his/her own repositories with synaptic or adept and install pretty much anything on your machine (including modifed versions of software to get full root access).

The chances of this happening are rather small, and there are several rather easy ways to make it 'impossible', like (in no particular order):
1. strong password
2. host key remote authentication instead of password authentication.
3. no remote login allowed for that user
4. separate root password and user password, with sudo set to ask for the root password

No need to worry about local vulnerabilities, since anyone with physical access to the machine can get root access with a bit of knowledge.

If you're only worried about your wife messing up the system (no remote logins), you're rather safe (if she knows enough to exploit any loopholes...she's not very likely to mess anything up :P ).