LinuxQuestions.org


CJS 05-07-2008 09:29 PM

Adding command privilege to /etc/sudoers doesn't work for some programs
 
I'm using Ubuntu 7.10. I edited my sudoers file to include the following lines at the end:
Code:

Cmnd_Alias CMDS_AS_ROOT = /usr/local/kde/bin/swscanner
john ALL=(ALL) NOPASSWD: CMDS_AS_ROOT

Most programs/bash scripts seem to work fine with this so that I can run them as root w/o entering a password. But for some reason "swscanner" will not work when I try to run it without a password using the above changes to my sudoers file. For those who aren't familiar, swscanner is "Simple Wireless Scanner" to scan for wireless networks (www.swscanner.org). It returns an error:
Code:

Xlib: connection to ":0.0" refused by server
Xlib: No protocol specified

swscanner: cannot connect to X server :0.0

In other words, without the above changes to my sudoers file, swscanner runs fine with a simple "gksudo /usr/local/kde/bin/swscanner" command (but I have to enter the password). But as soon as I change my sudoers to make it run without a password, and I use the same command "sudo /usr/local/kde/bin/swscanner", it returns the error above.

So am I missing some subtlety of how programs are run with the above changes to my sudoers file? Any help or insight would be greatly appreciated! Thanks in advance.

eggixyz 05-07-2008 09:47 PM

Hey there,

Sounds like swscanner needs to read in a profile (or script) to set the DISPLAY variable

One way around it would be to use the shell and change

Cmnd_Alias CMDS_AS_ROOT = /usr/local/kde/bin/swscanner

to

Cmnd_Alias CMDS_AS_ROOT = /bin/bash -l /usr/local/kde/bin/swscanner

or, if that doesn't do the trick, write a simple wrapper (probably a better idea, maybe, if you "only" want to set DISPLAY and not leave anything to chance)

Cmnd_Alias CMDS_AS_ROOT = /usr/local/bin/mywrapper

and have that be:

#!/bin/bash

. /your/.profile
DISPLAY=127.0.0.1:0.0 # substitute appropriate IP here
export DISPLAY
/usr/local/kde/bin/swscanner

Hope that helps :) Basically you just need to make sure you've got a login shell started before that command executes and that the X DISPLAY variable is all set.

, Mike

CJS 05-08-2008 08:41 AM

Quote:

Originally Posted by eggixyz (Post 3146321)
Sounds like swscanner needs to read in a profile (or script) to set the DISPLAY variable

One way around it would be to use the shell and change

Cmnd_Alias CMDS_AS_ROOT = /usr/local/kde/bin/swscanner

to

Cmnd_Alias CMDS_AS_ROOT = /bin/bash -l /usr/local/kde/bin/swscanner

Thanks for the idea, but it unfortunately didn't work. I noticed that "bash -l" doesn't seem to allow any arguments; for instance using ls as an argument, I get an error:
Code:

$ bash -l ls
/bin/ls: /bin/ls: cannot execute binary file

Also, doing a "sudo -l" returns:
Code:

User john may run the following commands on this host:
    (ALL) ALL
    (ALL) NOPASSWD: /bin/bash -l /usr/local/kde/bin/swscanner

So doing "gksudo /usr/local/kde/bin/swscanner" still asks for a password.
Quote:

or, if that doesn't do the trick, write a simple wrapper (probably a better idea, maybe, if you "only" want to set DISPLAY and not leave anything to chance)

Cmnd_Alias CMDS_AS_ROOT = /usr/local/bin/mywrapper

and have that be:

#!/bin/bash

. /your/.profile
DISPLAY=127.0.0.1:0.0 # substitute appropriate IP here
export DISPLAY
/usr/local/kde/bin/swscanner

I tried your script exactly and it didn't work, and I assume that 127.0.0.1 (localhost) is truly what I want--I'm trying to run it on my machine, in my current session. Running that script doesn't return any errors to the terminal either.

I also noticed that without adding swscanner to sudoers (this is the original case where it works, but requires a password), then:
Code:

$ sudo echo $DISPLAY
:0.0

So in the case where it works, DISPLAY is :0.0, not 127.0.0.1:0.0. Once I add swscanner to the sudoers file, sudo echo $DISPLAY is still :0.0, so I don't understand at all why swscanner then wouldn't run like it did before.

Thanks for the help, Mike, but I still can't get it to work and I still obviously don't understand what's really going on. If you have any more ideas please let me know. :)
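
Added example (not part of the original posts): `sudo echo $DISPLAY` cannot show what the program started by sudo sees, because the calling shell expands `$DISPLAY` before sudo runs. The sketch below uses `env -i` as a stand-in for sudo's environment reset so it runs without sudo rights; the function names and sample values are hypothetical.

```shell
#!/bin/sh
# Constructed sample values standing in for john's desktop session.
DISPLAY=:0.0
XAUTHORITY=/home/john/.Xauthority
export DISPLAY XAUTHORITY

# Same shape as `sudo echo $DISPLAY`: the calling shell substitutes the
# value before the child starts, so the child only echoes a literal
# argument and its own environment is never consulted.
expanded_by_caller() {
    env -i /bin/echo "$DISPLAY"
}

# Expansion inside the child, which is what the program really sees.
# $1 is the variable to look up; any further NAME=value arguments are
# passed through, playing the role of a sudoers env_keep list.
seen_by_child() {
    name=$1
    shift
    env -i "$@" /bin/sh -c 'eval "v=\${$0-}"; echo "${v:-<unset>}"' "$name"
}

echo "caller-expanded:     $(expanded_by_caller)"
echo "child, nothing kept: $(seen_by_child DISPLAY)"
echo "child, DISPLAY kept: $(seen_by_child DISPLAY "DISPLAY=$DISPLAY")"
echo "child, XAUTHORITY:   $(seen_by_child XAUTHORITY "DISPLAY=$DISPLAY")"
```

Against real sudo, `sudo env` or `sudo sh -c 'echo "$DISPLAY $XAUTHORITY"'` reports the environment after sudo has filtered it.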

eggixyz 05-08-2008 09:07 AM

Hmm...

I was wrong in my assumption that :0.0 would be equivalent to 127.0.0.1:0.0

I think the next step would be to test a few options as a user who can run it, without sudo.

Try all other IP addresses for the host with :0.0 at the end.

Also, try doing

unset DISPLAY

and then

DISPLAY=:0.0
export DISPLAY

and see if that works. Maybe it'll be easier than I thought :)

Best wishes,

Mike

CJS 05-10-2008 08:09 AM

Quote:

Originally Posted by eggixyz (Post 3146920)
Hmm...

I was wrong in my assumption that :0.0 would be equivalent to 127.0.0.1:0.0

I think the next step would be to test a few options as a user who can run it, without sudo.

Try all other IP addresses for the host with :0.0 at the end.

Also, try doing

unset DISPLAY

and then

DISPLAY=:0.0
export DISPLAY

and see if that works. Maybe it'll be easier than I thought :)

Best wishes,

Mike

Thanks, Mike, but trying other IP addresses for the host didn't work, and doing the unset...export routine didn't work either. Personally I think this could be a bug with sudoers--what do you think? All I tried to do was disable the password, and then sudo/gksudo can't run the program anymore. Unless by disabling the password the command is now run with different environmental variables, I just don't see why it would break.

eggixyz 05-10-2008 12:55 PM

Hey There,

Yes, I think, in the end, it'll be a problem with the environment.

Try this. Take sudo out of the equation and run

su root -c /usr/local/kde/bin/swscanner

and

su - root -c /usr/local/kde/bin/swscanner

and let me know if either of those work. The first su shouldn't read root's /.profile or /.bashrc, and the second (with the - symbol) should.

There is an env_keep option that you can set in /etc/sudoers that might help, also:


From: http://www.gratisoft.us/sudo/man/sud...udoers_options
env_keep
Environment variables to be preserved in the user's environment when the env_reset option is in effect. This allows fine-grained control over the environment sudo-spawned processes will receive. The argument may be a double-quoted, space-separated list or a single value without double-quotes. The list can be replaced, added to, deleted from, or disabled by using the =, +=, -=, and ! operators respectively. The default list of variables to keep is displayed when sudo is run by root with the -V option.

Best wishes,

Mike

CJS 05-10-2008 08:30 PM

Quote:

Originally Posted by eggixyz (Post 3149278)
Hey There,

Yes, I think, in the end, it'll be a problem with the environment.

Try this. Take sudo out of the equation and run

su root -c /usr/local/kde/bin/swscanner

and

su - root -c /usr/local/kde/bin/swscanner

and let me know if either of those work. The first su shouldn't read root's /.profile or /.bashrc, and the second (with the - symbol) should.

There is an env_keep option that you can set in /etc/sudoers that might help, also:


From: http://www.gratisoft.us/sudo/man/sud...udoers_options
env_keep
Environment variables to be preserved in the user's environment when the env_reset option is in effect. This allows fine-grained control over the environment sudo-spawned processes will receive. The argument may be a double-quoted, space-separated list or a single value without double-quotes. The list can be replaced, added to, deleted from, or disabled by using the =, +=, -=, and ! operators respectively. The default list of variables to keep is displayed when sudo is run by root with the -V option.

Best wishes,

Mike

Unfortunately, I can't run "su root -c cmd" or "su - root -c cmd" because I don't have the root account enabled, i.e. no password. That's really why I'm trying to use sudo to begin with. :)

I would like to try adding the env_keep tag, but I really don't know the syntax to use, and was unable to figure it out from the man page you link to. More precisely, where and how do I put "env_keep" in the line:

john ALL=(ALL) NOPASSWD: CMDS_AS_ROOT

Sorry to trouble you with this detail, but I'm not really a programmer, and that man page has absolutely no examples of using the "Sudoers Options" like env_keep.
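
Added example (not from the original thread): `env_keep` is not a tag on the user line the way `NOPASSWD:` is; it goes on a separate `Defaults` line. The script below writes a candidate fragment to a temporary file and syntax-checks it with `visudo -c -f` when visudo is installed; the function names are hypothetical, and `DISPLAY XAUTHORITY` is an assumed choice of variables for an X11 program.

```shell
#!/bin/sh
# Write a candidate sudoers fragment to the file named in $1.
write_fragment() {
    cat > "$1" <<'EOF'
# Per-user Defaults line: let john's X11 variables through sudo's
# environment reset. The variable list is an assumption for an X11 client.
Defaults:john env_keep += "DISPLAY XAUTHORITY"

# Unchanged from the thread: one command, no password.
Cmnd_Alias CMDS_AS_ROOT = /usr/local/kde/bin/swscanner
john ALL=(ALL) NOPASSWD: CMDS_AS_ROOT
EOF
}

# Syntax-check the file named in $1 without touching /etc/sudoers.
# Returns visudo's exit status, or 0 with a notice if visudo is missing.
check_fragment() {
    if command -v visudo >/dev/null 2>&1; then
        visudo -c -f "$1"
    else
        echo "visudo not found; skipping syntax check" >&2
    fi
}

frag=$(mktemp)
write_fragment "$frag"
check_fragment "$frag"
echo "candidate fragment written to $frag"
```

Once the check passes, the lines are merged into /etc/sudoers through `visudo` rather than a plain editor, so a syntax error cannot lock sudo out.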

imadoofus 05-12-2008 09:21 PM

You can try running
Code:

xhost +
to disable access controls for your session before running your sudo command.

CJS 05-13-2008 07:54 AM

Quote:

Originally Posted by imadoofus (Post 3151373)
You can try running
Code:

xhost +
to disable access controls for your session before running your sudo command.

Thanks, that actually worked but with errors: this time when running swscanner it returned an error "kdeinit: Aborting. $HOME not set!" in the terminal, and then a warning dialog pops up with:
Code:

Could not read network connection list.
//.DCOPServer_Home-PC__0

Please check that the "dcopserver" is running!

And yes, dcopserver was running, and the contents of ~/.DCOPServer_Home-PC__0 are simply:
Code:

local/Home-PC:/tmp/.ICE-unix/dcop5539-1210681879
5539

And then if I click OK on the warning, swscanner loads up just fine! So despite the errors it worked.

Also, to further troubleshoot I tried adding the following to sudoers:
Code:

john ALL=NOPASSWD: ALL
And even without using "xhost +" I was able to get swscanner to load just fine w/o a password. But as I've shown in my previous posts, if I try to allow ONLY swscanner to not require a password, it fails. Doesn't that seem like a bug with sudoers?

Any further insight/help would be greatly appreciated! Thanks.

eggixyz 05-13-2008 11:08 AM

Hey There,

Probably what you've just uncovered (by making it work by allowing ALL to run without password) is a dependent program that swscanner needs to have running in tandem in order for it to function correctly. So, knowing that it works if you let everything have free rein, gets you one step closer to the best solution.

Best wishes,

Mike


All times are GMT -5.