On Tue, Aug 04, 2020 at 04:09:30PM +0200, Marco Möller wrote:
The idea of Tomas to look in /etc/sudoers.conf for something like 'requiretty' sounds promising. I will need a couple of days to read and learn about this and then test it.

That won't work. Anything that's based on identifying a "safe" tty won't work on a modern system. (In the old days you could identify a trusted tty by tracing its physical attachment. So /etc/securetty made sense because it was those terminals whose serial cables terminated in secure areas or which were directly attached, like the Linux text console. But once X came along people wanted to use virtual terminals--at which point the idea of a secure physically-connected terminal went right out the Xwindow.)

To get similar functionality now, you'd need something that has a concept of what is a local login vs what is a remote login. You could experiment with using systemd/polkit to do this, for example. *BUT* this approach is more inherently fragile, and it would be really good to make sure you have an actual root password to facilitate recovery, as someone suggested earlier.

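An added example, not part of the original message: it contrasts a securetty-style check on the tty name with the local/remote distinction that systemd-logind reports through `loginctl show-session`. The session data is constructed and the helper names are hypothetical.

```python
import re

def parse_show_session(text):
    """Parse KEY=VALUE lines as printed by `loginctl show-session <id>`."""
    props = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def tty_name_trusted(tty):
    """securetty-style rule: trust only kernel text consoles (tty1, tty2, ...)."""
    return re.fullmatch(r"tty\d+", tty) is not None

def session_is_local(props):
    """logind's view: not flagged remote, no remote host, attached to a seat."""
    return (props.get("Remote") == "no"
            and not props.get("RemoteHost")
            and bool(props.get("Seat")))

# Constructed samples: (tty of the requesting process, show-session output).
# The address is from the documentation range 192.0.2.0/24.
SAMPLES = {
    "text console": (
        "tty2", "Id=1\nTTY=tty2\nSeat=seat0\nType=tty\nRemote=no\n"),
    "terminal emulator under X": (
        "pts/1", "Id=2\nTTY=\nSeat=seat0\nType=x11\nRemote=no\n"),
    "ssh login": (
        "pts/0",
        "Id=3\nTTY=pts/0\nSeat=\nType=tty\nRemote=yes\nRemoteHost=192.0.2.10\n"),
}

def classify(samples):
    """Return {name: (tty_name_trusted, session_is_local)} for each sample."""
    return {name: (tty_name_trusted(tty),
                   session_is_local(parse_show_session(out)))
            for name, (tty, out) in samples.items()}

if __name__ == "__main__":
    for name, (by_tty, by_logind) in classify(SAMPLES).items():
        print(f"{name:28} tty-name rule: {by_tty!s:5}  logind local: {by_logind}")
```

The terminal emulator and the ssh login both sit on a `pts/N` device, so the tty name cannot separate them; only the session properties do.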