Adding command privilege to /etc/sudoers doesn't work for some programs
I'm using Ubuntu 7.10. I edited my sudoers file to include the following lines at the end:
Code:
Cmnd_Alias CMDS_AS_ROOT = /usr/local/kde/bin/swscanner
john ALL=(ALL) NOPASSWD: CMDS_AS_ROOT
Most programs/bash scripts seem to work fine with this so that I can run them as root w/o entering a password. But for some reason "swscanner" will not work when I try to run it without a password using the above changes to my sudoers file. For those who aren't familiar, swscanner is "Simple Wireless Scanner" to scan for wireless networks (www.swscanner.org). It returns an error:
Code:
Xlib: connection to ":0.0" refused by server
Xlib: No protocol specified
swscanner: cannot connect to X server :0.0
In other words, without the above changes to my sudoers file, swscanner runs fine with a simple "gksudo /usr/local/kde/bin/swscanner" command (but I have to enter the password). But as soon as I change my sudoers to make it run without a password, and I use the same command "sudo /usr/local/kde/bin/swscanner", it returns the error above.
So am I missing some subtlety of how programs are run with the above changes to my sudoers file? Any help or insight would be greatly appreciated! Thanks in advance.
or, if that doesn't do the trick, write a simple wrapper (probably a better idea, maybe, if you "only" want to set DISPLAY and not leave anything to chance)
. /your/.profile
DISPLAY=127.0.0.1:0.0 # substitute appropriate IP here
export DISPLAY
/usr/local/kde/bin/swscanner
Hope that helps. Basically you just need to make sure you've got a login shell started before that command executes and that the X DISPLAY variable is all set.
Thanks for the idea, but it unfortunately didn't work. I noticed that "bash -l" doesn't seem to allow any arguments; for instance using ls as an argument, I get an error:
Code:
$ bash -l ls
/bin/ls: /bin/ls: cannot execute binary file
Also, doing a "sudo -l" returns:
Code:
User john may run the following commands on this host:
(ALL) ALL
(ALL) NOPASSWD: /bin/bash -l /usr/local/kde/bin/swscanner
So doing "gksudo /usr/local/kde/bin/swscanner" still asks for a password.
Quote:
or, if that doesn't do the trick, write a simple wrapper (probably a better idea, maybe, if you "only" want to set DISPLAY and not leave anything to chance)
. /your/.profile
DISPLAY=127.0.0.1:0.0 # substitute appropriate IP here
export DISPLAY
/usr/local/kde/bin/swscanner
I tried your script exactly and it didn't work, and I assume that 127.0.0.1 (localhost) is truly what I want--I'm trying to run it on my machine, in my current session. Running that script doesn't return any errors to the terminal either.
I also noticed that without adding swscanner to sudoers (this is the original case where it works, but requires a password), then:
Code:
$ sudo echo $DISPLAY
:0.0
So in the case where it works, DISPLAY is :0.0, not 127.0.0.1:0.0. Once I add swscanner to the sudoers file, sudo echo $DISPLAY is still :0.0, so I don't understand at all why swscanner then wouldn't run like it did before.
Thanks for the help, Mike, but I still can't get it to work and I still obviously don't understand what's really going on. If you have any more ideas please let me know.
I was wrong in my assumption that :0.0 would be equivalent to 127.0.0.1:0.0
I think the next step would be to test a few options as a user who can run it, without sudo.
Try all other IP addresses for the host with :0.0 at the end.
Also, try doing
unset DISPLAY
and then
DISPLAY=:0.0
export DISPLAY
and see if that works. Maybe it'll be easier than I thought.
Best wishes,
Mike
Thanks, Mike, but trying other IP addresses for the host didn't work, and doing the unset...export routine didn't work either. Personally I think this could be a bug with sudoers--what do you think? All I tried to do was disable the password, and then sudo/gksudo can't run the program anymore. Unless by disabling the password the command is now run with different environmental variables, I just don't see why it would break.
Yes, I think, in the end, it'll be a problem with the environment.
Try this. Take sudo out of the equation and run
su root -c /usr/local/kde/bin/swscanner
and
su - root -c /usr/local/kde/bin/swscanner
and let me know if either of those work. The first su shouldn't read root's /.profile or /.bashrc, and the second (with the - symbol) should.
There is an env_keep option that you can set in /etc/sudoers that might help, also:
From: http://www.gratisoft.us/sudo/man/sud...udoers_options
env_keep
Environment variables to be preserved in the user's environment when the env_reset option is in effect. This allows fine-grained control over the environment sudo-spawned processes will receive. The argument may be a double-quoted, space-separated list or a single value without double-quotes. The list can be replaced, added to, deleted from, or disabled by using the =, +=, -=, and ! operators respectively. The default list of variables to keep is displayed when sudo is run by root with the -V option.
Best wishes,
Mike
Unfortunately, I can't run "su root -c cmd" or "su - root -c cmd" because I don't have the root account enabled, i.e. no password. That's really why I'm trying to use sudo to begin with.
I would like to try adding the env_keep tag, but I really don't know the syntax to use, and was unable to figure it out from the man page you link to. More precisely, where and how do I put "env_keep" in the line:
john ALL=(ALL) NOPASSWD: CMDS_AS_ROOT
Sorry to trouble you with this detail, but I'm not really a programmer, and that man page has absolutely no examples of using the "Sudoers Options" like env_keep.
to disable access controls for your session before running your sudo command.
Thanks, that actually worked but with errors: this time when running swscanner it returned an error "kdeinit: Aborting. $HOME not set!" in the terminal, and then a warning dialog pops up with:
Code:
Could not read network connection list.
//.DCOPServer_Home-PC__0
Please check that the "dcopserver" is running!
And yes, dcopserver was running, and the contents of ~/.DCOPServer_Home-PC__0 is simply:
And then if I click OK on the warning, swscanner loads up just fine! So despite the errors it worked.
Also, to further troubleshoot I tried adding the following to sudoers:
Code:
john ALL=NOPASSWD: ALL
And even without using "xhost +" I was able to get swscanner to load just fine w/o a password. But as I've shown in my previous posts, if I try to allow ONLY swscanner to not require a password, it fails. Doesn't that seem like a bug with sudoers?
Any further insight/help would be greatly appreciated! Thanks.
Probably what you've just uncovered (by making it work by allowing ALL to run without password) is a dependent program that swscanner needs to have running in tandem in order for it to function correctly. So, knowing that it works if you let everything have free rein, gets you one step closer to the best solution.
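The env_keep syntax asked about in the thread, combined with a command-scoped NOPASSWD rule instead of the `john ALL=NOPASSWD: ALL` rule tried above, as an added example that is not part of any poster's reply. It assumes env_reset is in effect and that the X connection fails because DISPLAY and XAUTHORITY are not preserved; that choice of variables is an assumption the thread does not confirm.

```sudoers
# Added example. Edit with visudo so a syntax error cannot lock sudo out.

# Command alias from the original post.
Cmnd_Alias CMDS_AS_ROOT = /usr/local/kde/bin/swscanner

# env_keep is a Defaults option, not a tag like NOPASSWD, so it goes on its
# own Defaults line rather than inside the user rule.
#   "+="           appends to the built-in keep list instead of replacing it
#   Defaults:john  limits the change to john's sudo invocations
# Assumption: DISPLAY and XAUTHORITY are the variables the X client needs.
# Keep this list as short as possible; every preserved variable is input
# that an unprivileged user controls and a root process then consumes.
Defaults:john env_keep += "DISPLAY XAUTHORITY"

# Password-free for the single aliased command only.
# When several rules match, the last one wins, so this line belongs after
# any broader rule that also covers john (for example a group-wide ALL rule).
john ALL=(ALL) NOPASSWD: CMDS_AS_ROOT

# Contrast: the broad rule tried in the thread. It removes the password
# prompt for every command john runs as root, not just swscanner.
#   john ALL=NOPASSWD: ALL
```

After editing, `visudo -c` checks the file's syntax and `sudo -l` run as john shows which rules actually apply.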