Adding command privilege to /etc/sudoers doesn't work for some programs
I'm using Ubuntu 7.10. I edited my sudoers file to include the following lines at the end:
Code:
Cmnd_Alias CMDS_AS_ROOT = /usr/local/kde/bin/swscanner
Code:
Xlib: connection to ":0.0" refused by server
So am I missing some subtlety of how programs are run with the above changes to my sudoers file? Any help or insight would be greatly appreciated! Thanks in advance.
Hey there,
Sounds like swscanner needs to read in a profile (or script) to set the DISPLAY variable.
One way around it would be to use the shell and change
Cmnd_Alias CMDS_AS_ROOT = /usr/local/kde/bin/swscanner
to
Cmnd_Alias CMDS_AS_ROOT = /bin/bash -l /usr/local/kde/bin/swscanner
or, if that doesn't do the trick, write a simple wrapper (probably a better idea, maybe, if you "only" want to set DISPLAY and not leave anything to chance)
Cmnd_Alias CMDS_AS_ROOT = /usr/local/bin/mywrapper
and have that be:
#!/bin/bash
. /your/.profile
DISPLAY=127.0.0.1:0.0 # substitute appropriate IP here
export DISPLAY
/usr/local/kde/bin/swscanner
Hope that helps :) Basically you just need to make sure you've got a login shell started before that command executes and that the x DISPLAY variable is all set.
, Mike
Quote:
Code:
$ bash -l ls
Code:
User john may run the following commands on this host:
Quote:
I also noticed that without adding swscanner to sudoers (this is the original case where it works, but requires a password), then:
Code:
$ sudo echo $DISPLAY
Thanks for the help, Mike, but I still can't get it to work and I still obviously don't understand what's really going on. If you have any more ideas please let me know. :)
Hmm...
I was wrong in my assumption that :0.0 would be equivalent to 127.0.0.1:0.0
I think the next step would be to test a few options as a user who can run it, without sudo. Try all other IP addresses for the host with :0.0 at the end.
Also, try doing
unset DISPLAY
and then
DISPLAY=:0.0
export DISPLAY
and see if that works. Maybe it'll be easier than I thought :)
Best wishes, Mike
Hey There,
Yes, I think, in the end, it'll be a problem with the environment. Try this. Take sudo out of the equation and run
su root -c /usr/local/kde/bin/swscanner
and
su - root -c /usr/local/kde/bin/swscanner
and let me know if either of those work. The first su shouldn't read root's /.profile or /.bashrc, and the second (with the - symbol) should.
There is an env_keep option that you can set in /etc/sudoers that might help, also:
From: http://www.gratisoft.us/sudo/man/sud...udoers_options
env_keep
Environment variables to be preserved in the user's environment when the env_reset option is in effect. This allows fine-grained control over the environment sudo-spawned processes will receive. The argument may be a double-quoted, space-separated list or a single value without double-quotes. The list can be replaced, added to, deleted from, or disabled by using the =, +=, -=, and ! operators respectively. The default list of variables to keep is displayed when sudo is run by root with the -V option.
Best wishes, Mike
Quote:
I would like to try adding the env_keep tag, but I really don't know the syntax to use, and was unable to figure it out from the man page you link to. More precisely, where and how do I put "env_keep" in the line:
john ALL=(ALL) NOPASSWD: CMDS_AS_ROOT
Sorry to trouble you with this detail, but I'm not really a programmer, and that man page has absolutely no examples of using the "Sudoers Options" like env_keep.
You can try running
Code:
xhost +
Quote:
Code:
Could not read network connection list.
Code:
local/Home-PC:/tmp/.ICE-unix/dcop5539-1210681879
Also, to further troubleshoot I tried adding the following to sudoers:
Code:
john ALL=NOPASSWD: ALL
Any further insight/help would be greatly appreciated! Thanks.
Hey There,
Probably what you've just uncovered (by making it work by allowing ALL to run without password) is a dependent program that swscanner needs to have running in tandem in order for it to function correctly. So, knowing that it works if you let everything have free rein, gets you one step closer to the best solution.
Best wishes, Mike
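The env_keep syntax asked about earlier in this thread, as an added example that is not part of the original posts: env_keep goes on its own Defaults line, not on the user line. Keeping XAUTHORITY alongside DISPLAY is an assumption about what the X client needs and was not suggested by anyone in the thread.

```sudoers
# /etc/sudoers fragment (edit with visudo). Constructed example, not from the thread.

# Alias from the original post: the one program allowed to run as root.
Cmnd_Alias CMDS_AS_ROOT = /usr/local/kde/bin/swscanner

# Defaults lines are separate entries, not tags on the user line.
# With env_reset in effect, "+=" adds to the keep list instead of replacing it.
# DISPLAY names the X server; XAUTHORITY (an assumption here, not mentioned in
# the thread) points at the invoking user's X authority cookie file, if set.
# The ":john" form limits the setting to commands run by john.
Defaults:john env_keep += "DISPLAY XAUTHORITY"

# Scoped rule: john runs only the aliased command without a password.
john ALL=(ALL) NOPASSWD: CMDS_AS_ROOT

# Broad rule tried in the thread for troubleshooting. It gives john
# passwordless root for every command, so it stays commented out.
# john ALL=NOPASSWD: ALL
```

Check the file with visudo -c before saving, and run sudo -l as john to confirm that only the aliased command is listed.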