LinuxQuestions.org
Old 05-07-2008, 10:29 PM   #1
CJS
Member
 
Registered: May 2008
Location: California, USA
Distribution: Ubuntu 8.10
Posts: 247

Rep: Reputation: 49
Adding command privilege to /etc/sudoers doesn't work for some programs


I'm using Ubuntu 7.10. I edited my sudoers file to include the following lines at the end:
Code:
Cmnd_Alias CMDS_AS_ROOT = /usr/local/kde/bin/swscanner
john ALL=(ALL) NOPASSWD: CMDS_AS_ROOT
Most programs/bash scripts seem to work fine with this so that I can run them as root w/o entering a password. But for some reason "swscanner" will not work when I try to run it without a password using the above changes to my sudoers file. For those who aren't familiar, swscanner is "Simple Wireless Scanner" to scan for wireless networks (www.swscanner.org). It returns an error:
Code:
Xlib: connection to ":0.0" refused by server
Xlib: No protocol specified

swscanner: cannot connect to X server :0.0
In other words, without the above changes to my sudoers file, swscanner runs fine with a simple "gksudo /usr/local/kde/bin/swscanner" command (but I have to enter the password). But as soon as I change my sudoers to make it run without a password, and I use the same command "sudo /usr/local/kde/bin/swscanner", it returns the error above.

So am I missing some subtlety of how programs are run with the above changes to my sudoers file? Any help or insight would be greatly appreciated! Thanks in advance.
 
Old 05-07-2008, 10:47 PM   #2
eggixyz
Member
 
Registered: Apr 2008
Posts: 310

Rep: Reputation: 30
Hey there,

Sounds like swscanner needs to read in a profile (or script) to set the DISPLAY variable

One way around it would be to use the shell and change

Cmnd_Alias CMDS_AS_ROOT = /usr/local/kde/bin/swscanner

to

Cmnd_Alias CMDS_AS_ROOT = /bin/bash -l /usr/local/kde/bin/swscanner

or, if that doesn't do the trick, write a simple wrapper (probably a better idea, maybe, if you "only" want to set DISPLAY and not leave anything to chance)

Cmnd_Alias CMDS_AS_ROOT = /usr/local/bin/mywrapper

and have that be:

#!/bin/bash

. /your/.profile
DISPLAY=127.0.0.1:0.0 # substitute appropriate IP here
export DISPLAY
/usr/local/kde/bin/swscanner

Hope that helps. Basically you just need to make sure you've got a login shell started before that command executes and that the X DISPLAY variable is all set.

Mike
 
Old 05-08-2008, 09:41 AM   #3
CJS
Member
 
Registered: May 2008
Location: California, USA
Distribution: Ubuntu 8.10
Posts: 247

Original Poster
Rep: Reputation: 49
Quote:
Originally Posted by eggixyz
Sounds like swscanner needs to read in a profile (or script) to set the DISPLAY variable

One way around it would be to use the shell and change

Cmnd_Alias CMDS_AS_ROOT = /usr/local/kde/bin/swscanner

to

Cmnd_Alias CMDS_AS_ROOT = /bin/bash -l /usr/local/kde/bin/swscanner
Thanks for the idea, but it unfortunately didn't work. I noticed that "bash -l" doesn't seem to allow any arguments; for instance using ls as an argument, I get an error:
Code:
$ bash -l ls
/bin/ls: /bin/ls: cannot execute binary file
Also, doing a "sudo -l" returns:
Code:
User john may run the following commands on this host:
    (ALL) ALL
    (ALL) NOPASSWD: /bin/bash -l /usr/local/kde/bin/swscanner
So doing "gksudo /usr/local/kde/bin/swscanner" still asks for a password.
Quote:
or, if that doesn't do the trick, write a simple wrapper (probably a better idea, maybe, if you "only" want to set DISPLAY and not leave anything to chance)

Cmnd_Alias CMDS_AS_ROOT = /usr/local/bin/mywrapper

and have that be:

#!/bin/bash

. /your/.profile
DISPLAY=127.0.0.1:0.0 # substitute appropriate IP here
export DISPLAY
/usr/local/kde/bin/swscanner
I tried your script exactly and it didn't work, and I assume that 127.0.0.1 (localhost) is truly what I want--I'm trying to run it on my machine, in my current session. Running that script doesn't return any errors to the terminal either.

I also noticed that without adding swscanner to sudoers (this is the original case where it works, but requires a password), then:
Code:
$ sudo echo $DISPLAY
:0.0
So in the case where it works, DISPLAY is :0.0, not 127.0.0.1:0.0. Once I add swscanner to the sudoers file, sudo echo $DISPLAY is still :0.0, so I don't understand at all why swscanner then wouldn't run like it did before.

Thanks for the help, Mike, but I still can't get it to work and I still obviously don't understand what's really going on. If you have any more ideas please let me know.
 
Old 05-08-2008, 10:07 AM   #4
eggixyz
Member
 
Registered: Apr 2008
Posts: 310

Rep: Reputation: 30
Hmm...

I was wrong in my assumption that :0.0 would be equivalent to 127.0.0.1:0.0

I think the next step would be to test a few options as a user who can run it, without sudo.

Try all other IP addresses for the host with :0.0 at the end.

Also, try doing

unset DISPLAY

and then

DISPLAY=:0.0
export DISPLAY

and see if that works. Maybe it'll be easier than I thought

Best wishes,

Mike
 
Old 05-10-2008, 09:09 AM   #5
CJS
Member
 
Registered: May 2008
Location: California, USA
Distribution: Ubuntu 8.10
Posts: 247

Original Poster
Rep: Reputation: 49
Quote:
Originally Posted by eggixyz
Hmm...

I was wrong in my assumption that :0.0 would be equivalent to 127.0.0.1:0.0

I think the next step would be to test a few options as a user who can run it, without sudo.

Try all other IP addresses for the host with :0.0 at the end.

Also, try doing

unset DISPLAY

and then

DISPLAY=:0.0
export DISPLAY

and see if that works. Maybe it'll be easier than I thought

Best wishes,

Mike
Thanks, Mike, but trying other IP addresses for the host didn't work, and doing the unset...export routine didn't work either. Personally I think this could be a bug with sudoers--what do you think? All I tried to do was disable the password, and then sudo/gksudo can't run the program anymore. Unless by disabling the password the command is now run with different environmental variables, I just don't see why it would break.
 
Old 05-10-2008, 01:55 PM   #6
eggixyz
Member
 
Registered: Apr 2008
Posts: 310

Rep: Reputation: 30
Hey There,

Yes, I think, in the end, it'll be a problem with the environment.

Try this. Take sudo out of the equation and run

su root -c /usr/local/kde/bin/swscanner

and

su - root -c /usr/local/kde/bin/swscanner

and let me know if either of those work. The first su shouldn't read root's /.profile or /.bashrc, and the second (with the - symbol) should.

There is an env_keep option that you can set in /etc/sudoers that might help, also:


From: http://www.gratisoft.us/sudo/man/sud...udoers_options
env_keep
Environment variables to be preserved in the user's environment when the env_reset option is in effect. This allows fine-grained control over the environment sudo-spawned processes will receive. The argument may be a double-quoted, space-separated list or a single value without double-quotes. The list can be replaced, added to, deleted from, or disabled by using the =, +=, -=, and ! operators respectively. The default list of variables to keep is displayed when sudo is run by root with the -V option.

Best wishes,

Mike
 
Old 05-10-2008, 09:30 PM   #7
CJS
Member
 
Registered: May 2008
Location: California, USA
Distribution: Ubuntu 8.10
Posts: 247

Original Poster
Rep: Reputation: 49
Quote:
Originally Posted by eggixyz
Hey There,

Yes, I think, in the end, it'll be a problem with the environment.

Try this. Take sudo out of the equation and run

su root -c /usr/local/kde/bin/swscanner

and

su - root -c /usr/local/kde/bin/swscanner

and let me know if either of those work. The first su shouldn't read root's /.profile or /.bashrc, and the second (with the - symbol) should.

There is an env_keep option that you can set in /etc/sudoers that might help, also:


From: http://www.gratisoft.us/sudo/man/sud...udoers_options
env_keep
Environment variables to be preserved in the user's environment when the env_reset option is in effect. This allows fine-grained control over the environment sudo-spawned processes will receive. The argument may be a double-quoted, space-separated list or a single value without double-quotes. The list can be replaced, added to, deleted from, or disabled by using the =, +=, -=, and ! operators respectively. The default list of variables to keep is displayed when sudo is run by root with the -V option.

Best wishes,

Mike
Unfortunately, I can't run "su root -c cmd" or "su - root -c cmd" because I don't have the root account enabled, i.e. no password. That's really why I'm trying to use sudo to begin with.

I would like to try adding the env_keep tag, but I really don't know the syntax to use, and was unable to figure it out from the man page you link to. More precisely, where and how do I put "env_keep" in the line:

john ALL=(ALL) NOPASSWD: CMDS_AS_ROOT

Sorry to trouble you with this detail, but I'm not really a programmer, and that man page has absolutely no examples of using the "Sudoers Options" like env_keep.
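
Added example (not part of any post in this thread): a sudoers layout showing where env_keep goes relative to the NOPASSWD rule asked about above. The user name and command path are taken from the thread; keeping DISPLAY and XAUTHORITY is an assumption, and nothing in the thread confirms that it resolves the swscanner error.

```sudoers
# /etc/sudoers fragment. Edit only with visudo; "visudo -c" checks the syntax.
# Added example: the variable list below is an assumption, not from the thread.

# env_keep is a Defaults option, not a tag like NOPASSWD, so it goes on its
# own line instead of inside the "john ALL=..." rule.
# "Defaults:john" limits the setting to john; other users still get the
# environment that env_reset leaves them.
# "+=" appends to the existing keep list; "=" would replace it.
# Keep the list short: every preserved variable is input that the root
# process will trust.
Defaults:john env_keep += "DISPLAY XAUTHORITY"

# The one command that may run without a password. sudo matches the full
# path, so run it as: sudo /usr/local/kde/bin/swscanner
Cmnd_Alias CMDS_AS_ROOT = /usr/local/kde/bin/swscanner

# When several rules match a command, the last matching rule is used.
# The NOPASSWD rule therefore has to come after any broader rule for john.
john ALL=(ALL) ALL
john ALL=(ALL) NOPASSWD: CMDS_AS_ROOT

# Variants tried in the thread, shown commented out for contrast:
#
#   Cmnd_Alias CMDS_AS_ROOT = /bin/bash -l /usr/local/kde/bin/swscanner
#     A command listed with arguments matches only that exact command line,
#     so "sudo /usr/local/kde/bin/swscanner" still falls under the
#     password-required rule.
#
#   john ALL=NOPASSWD: ALL
#     Removes the password prompt for every command john runs through sudo,
#     not just swscanner.
```

After saving, "sudo -l" run as john lists the rules in effect, which shows whether the NOPASSWD entry is the one that applies to the command.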
 
Old 05-12-2008, 10:21 PM   #8
imadoofus
LQ Newbie
 
Registered: May 2008
Posts: 6

Rep: Reputation: 0
You can try running
Code:
xhost +
to disable access controls for your session before running your sudo command.
 
Old 05-13-2008, 08:54 AM   #9
CJS
Member
 
Registered: May 2008
Location: California, USA
Distribution: Ubuntu 8.10
Posts: 247

Original Poster
Rep: Reputation: 49
Quote:
Originally Posted by imadoofus
You can try running
Code:
xhost +
to disable access controls for your session before running your sudo command.
Thanks, that actually worked but with errors: this time when running swscanner it returned an error "kdeinit: Aborting. $HOME not set!" in the terminal, and then a warning dialog pops up with:
Code:
Could not read network connection list.
//.DCOPServer_Home-PC__0

Please check that the "dcopserver" is running!
And yes, dcopserver was running, and the contents of ~/.DCOPServer_Home-PC__0 is simply:
Code:
local/Home-PC:/tmp/.ICE-unix/dcop5539-1210681879
5539
And then if I click OK on the warning, swscanner loads up just fine! So despite the errors it worked.

Also, to further troubleshoot I tried adding the following to sudoers:
Code:
john ALL=NOPASSWD: ALL
And even without using "xhost +" I was able to get swscanner to load just fine w/o a password. But as I've shown in my previous posts, if I try to allow ONLY swscanner to not require a password, it fails. Doesn't that seem like a bug with sudoers?

Any further insight/help would be greatly appreciated! Thanks.
 
Old 05-13-2008, 12:08 PM   #10
eggixyz
Member
 
Registered: Apr 2008
Posts: 310

Rep: Reputation: 30
Hey There,

Probably what you've just uncovered (by making it work by allowing ALL to run without password) is a dependent program that swscanner needs to have running in tandem in order for it to function correctly. So, knowing that it works if you let everything have free rein, gets you one step closer to the best solution.

Best wishes,

Mike
 
  

