LinuxQuestions.org
Old 02-14-2011, 02:59 PM   #1
zimbot
Member
 
Registered: Nov 2005
Location: cincinnati , ohio . USA
Distribution: ubuntu , Opensuse , CentOS
Posts: 179

Rep: Reputation: 17
sudo list


friends
I have a bash script that I am using for doing tape backups

The meat of the bash script is
sudo tar --totals -H pax -cvf /dev/st0 *

this all works just fine.
BUT of course tape functions have to be run as root--
therefore sudo , requiring the standard user to enter the root password.
I would like to be in a situation where the standard user does not need ( does not know ) the root password.

I think my solution is add that standard user
user named dog to the sudo list.

I have reviewed the sudo man page and looked at
http://www.susegeek.com/security/how...y-in-opensuse/

i am still fuzzy.
my Q.

1 -- will adding user 'dog' to this sudo list do what i expect meaning i can run:
sudo tar --totals -H pax -cvf /dev/st0 *
and the user is not queried for the root password

2 -- how do i do that ? and do i make a cmd alias for only : "tar --totals -H pax -cvf /dev/st0 *"

my distro is OpenSuse

thanks
 
Old 02-14-2011, 03:36 PM   #2
Reuti
Senior Member
 
Registered: Dec 2004
Location: Marburg, Germany
Distribution: openSUSE 15.2
Posts: 1,339

Rep: Reputation: 260
Yes, it's feasible to make a command alias. You can also just edit /etc/sudoers:

Code:
Cmnd_Alias BACKUP = /bin/tar --totals -H pax -cvf /dev/st0 *
Defaults!BACKUP runas_default=root, always_set_home, mail_always, mailto=root
dog   ALL = (root) NOPASSWD: BACKUP
NB: The call must start with tar --totals -H pax -cvf /dev/st0, i.e.:

Code:
$ sudo tar --totals -H pax -cvf /dev/st0 *
The * in /etc/sudoers is not the * on the command line. Inside /etc/sudoers it means anything, on the command line it will be replaced by the shell with the filenames in the current working directory.

Last edited by Reuti; 02-14-2011 at 03:41 PM. Reason: Added NB.
 
Old 02-15-2011, 03:23 AM   #3
Valery Reznic
ELF Statifier author
 
Registered: Oct 2007
Posts: 676

Rep: Reputation: 137
Quote:
Originally Posted by Reuti View Post
Yes, it's feasible to make a command alias. You can also just edit /etc/sudoers:

Code:
Cmnd_Alias BACKUP = /bin/tar --totals -H pax -cvf /dev/st0 *

The BACKUP alias is supposed to accept additional arguments, so one can specify --use-compress-program (a nice switch of tar) with any program of his liking to be run as root.

I think the following should fix the problem:
Code:
Cmnd_Alias BACKUP = /bin/tar --totals -H pax -cvf /dev/st0 -- *
'--' will stop option processing by tar, so any additional arguments will be considered as files for backup, not as additional switches
 
1 members found this post helpful.
Old 02-15-2011, 03:30 AM   #4
hurryi
Member
 
Registered: Apr 2010
Distribution: RHEL
Posts: 77

Rep: Reputation: 8
Quote:
Originally Posted by zimbot View Post
BUT of course tape functions have to be run as root--
therefore sudo , requiring the standard user to enter the root password.
btw that's not true, if NOPASSWD is not specified it will ask for pw but not for root pw but user password
 
Old 02-15-2011, 03:38 AM   #5
Reuti
Senior Member
 
Registered: Dec 2004
Location: Marburg, Germany
Distribution: openSUSE 15.2
Posts: 1,339

Rep: Reputation: 260
Quote:
Originally Posted by hurryi View Post
btw that's not true, if NOPASSWD is not specified it will ask for pw but not for root pw but user password
In fact: it can be adjusted by specifying "targetpw" or "!targetpw" as default for certain rules.
 
Old 02-15-2011, 03:48 AM   #6
Reuti
Senior Member
 
Registered: Dec 2004
Location: Marburg, Germany
Distribution: openSUSE 15.2
Posts: 1,339

Rep: Reputation: 260
Quote:
Originally Posted by Valery Reznic View Post
The BACKUP alias is supposed to accept additional arguments, so one can specify --use-compress-program (a nice switch of tar) with any program of his liking to be run as root.

I think the following should fix the problem:
Code:
Cmnd_Alias BACKUP = /bin/tar --totals -H pax -cvf /dev/st0 -- *
'--' will stop option processing by tar, so any additional arguments will be considered as files for backup, not as additional switches
Good catch. As the arguments have to match, it will imply that you always have to specify --. But as the other arguments also have to match, it's acceptable. The syntax to sudoers could be more flexible, like specifying a set of forbidden and allowed options for each command.
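
Added example, not part of any post in this thread: a shell model of how the two sudoers rules from posts #2 and #3 treat a typed command line, and which of the trailing arguments tar would still parse as options. It assumes, as the sudoers manual describes, that the arguments are joined with spaces and matched with fnmatch(3)-style wildcards; the function names, file1, file2 and /path/to/prog are constructed placeholders.

```shell
#!/bin/sh
# Model of sudoers argument matching. Assumption (from the sudoers manual):
# the typed arguments are joined with single spaces and compared against the
# rule's argument pattern with fnmatch(3)-style wildcards, so '*' also
# matches spaces and therefore any number of further arguments.

OLD_RULE='--totals -H pax -cvf /dev/st0 *'     # arguments of the rule in post #2
NEW_RULE='--totals -H pax -cvf /dev/st0 -- *'  # arguments of the rule in post #3

# sudoers_allows PATTERN ARG...  -> status 0 if the rule admits these arguments
sudoers_allows() {
    pattern=$1
    shift
    case "$*" in
        $pattern) return 0 ;;   # unquoted on purpose: '*' acts as a wildcard
        *)        return 1 ;;
    esac
}

# extra_tar_options ARG...  -> prints every argument after /dev/st0 that tar
# would still parse as an option: those starting with '-' before a bare '--'.
extra_tar_options() {
    seen_device=no
    for arg in "$@"; do
        if [ "$seen_device" = no ]; then
            if [ "$arg" = /dev/st0 ]; then seen_device=yes; fi
            continue
        fi
        if [ "$arg" = -- ]; then break; fi
        case "$arg" in
            -*) printf '%s\n' "$arg" ;;
        esac
    done
    return 0
}

# report ARG...  -> verdict of both rules plus what tar would treat as options
report() {
    printf 'tar %s\n' "$*"
    for rule in "$OLD_RULE" "$NEW_RULE"; do
        if sudoers_allows "$rule" "$@"; then verdict=allowed; else verdict=denied; fi
        printf '  %-36s -> %s\n' "$rule" "$verdict"
    done
    printf '  extra options seen by tar: %s\n' "$(extra_tar_options "$@" | tr '\n' ' ')"
}

# Constructed calls; file1, file2 and /path/to/prog are placeholders.
report --totals -H pax -cvf /dev/st0 file1 file2
report --totals -H pax -cvf /dev/st0 --use-compress-program=/path/to/prog file1
report --totals -H pax -cvf /dev/st0 -- --use-compress-program=/path/to/prog file1
```
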
 
Old 02-15-2011, 04:18 AM   #7
Valery Reznic
ELF Statifier author
 
Registered: Oct 2007
Posts: 676

Rep: Reputation: 137
Quote:
Originally Posted by Reuti View Post
Good catch. As the arguments have to match, it will imply that you always have to specify --. But as the other arguments also have to match, it's acceptable. The syntax to sudoers could be more flexible, like specifying a set of forbidden and allowed options for each command.
I don't think forbidden options is a good idea: let's say we forbid --use-compress-program for tar. For now we are safe.
But the next update to tar may bring new functionality, new options and among them a dangerous one from sudo's point of view.

Allowed option looks better, but IMO sudo configuration is already too flexible (== complex and error prone)
 
Old 02-15-2011, 04:40 AM   #8
Reuti
Senior Member
 
Registered: Dec 2004
Location: Marburg, Germany
Distribution: openSUSE 15.2
Posts: 1,339

Rep: Reputation: 260
Quote:
Originally Posted by Valery Reznic View Post
Allowed option looks better, but IMO sudo configuration is already too flexible (== complex and error prone)
Agreed. For now the command aliases behave like the shell expansion regarding character ranges and asterisk resolution and it's sometimes hard to create an alias with exactly the intended purpose and allowed options. One might end up with having several combinations of the allowed options in one and the same alias definition to limit it to these.

It might be better to have a well defined syntax there for specifying these restrictions in BNF style.
 
Old 02-28-2011, 12:57 PM   #9
zimbot
Member
 
Registered: Nov 2005
Location: cincinnati , ohio . USA
Distribution: ubuntu , Opensuse , CentOS
Posts: 179

Original Poster
Rep: Reputation: 17
sudo - standard user can do just a few things as root

Friends,

I have spent some time looking at these responses

i did a visudo and looked at my sudo user file / i made no changes.

I would like just a bit more advice

if I wanted to grant the user "dog"
the rights to run only the following


needed sudo commands , 6 in number

sudo tar --totals -H pax -cvf /dev/st0 *
( and this would have to be : sudo tar --totals -H pax -cvf /dev/st0 --*
( i think understand that is because of the * and a need to escape it...yes?
sudo tar -tvf /dev/st0
sudo mt -f /dev/st0 eject
sudo tar -xvf /dev/st0
sudo mt -f /dev/st0 rewind
sudo mt -f /dev/st0 status

each of these will be 1 line in a greater shell script
meaning - I do NOT have to enter the name of the shell script ( bu01.sh )
but the actual sudo line WITHIN the shell script
such as sudo mt -f /dev/st0 eject


I have read the man and done other googling - but i am still uncertain.

I could have 1 user ( dog )
who would have 6 commands he could call and not have to have the root password.
I think i understand that it is possible that the dog user will HAVE to respond with HIS
password. that seems like a good idea to me.

again , my real goal is to have some scripts where a standard user can do some mt backup duties and i do not have to give out the root password

Thanks!



here i have a list of what I might *think* i need to enter and a possible alias name


sudo tar --totals -H pax -cvf /dev/st0 *
bakup0 : alias

tell
sudo tar -tvf /dev/st0
telltp0 : alias

eject
sudo mt -f /dev/st0 eject
sudo mt -f /dev/st0 eject
ejectp0 : alias

restore
sudo tar -xvf /dev/st0n
retoretp0 : alias

rewind
sudo mt -f /dev/st0 rewind
rewindtp0 : alias
 
Old 02-28-2011, 01:21 PM   #10
Reuti
Senior Member
 
Registered: Dec 2004
Location: Marburg, Germany
Distribution: openSUSE 15.2
Posts: 1,339

Rep: Reputation: 260
Quote:
Originally Posted by zimbot View Post
here i have a list of what I might *think* i need to enter and a possible alias name


sudo tar --totals -H pax -cvf /dev/st0 *
bakup0 : alias

tell
sudo tar -tvf /dev/st0
telltp0 : alias

eject
sudo mt -f /dev/st0 eject
sudo mt -f /dev/st0 eject
ejectp0 : alias

restore
sudo tar -xvf /dev/st0n
retoretp0 : alias

rewind
sudo mt -f /dev/st0 rewind
rewindtp0 : alias
Where do you want to enter this - what syntax is it?
 
Old 02-28-2011, 01:57 PM   #11
zimbot
Member
 
Registered: Nov 2005
Location: cincinnati , ohio . USA
Distribution: ubuntu , Opensuse , CentOS
Posts: 179

Original Poster
Rep: Reputation: 17
well
( speaking simply , cause simple seems to be as much as i can do
I wish to have this called as part of a greater shell script

example the most complex script is the backUP itself
where as you can see it is called
down in the script
sudo tar --totals -H pax -cvf /dev/st0 *
( marked in red )
and of course , you are asked for the root password.
the user experience that i am looking for is when the script is run
the user is only asked for HIS password ( eg the dog user , the limited user - or no password query-- but NOT for the root password. the idea is this person would not know the root password.

[ also this script below is the most complex thing i have ever made ; could not have done it without google & the good & wise folk found at LINUXQUESTIONS.org

thanks much!

------------start of script named ppsbu.sh
#!/bin/bash
##~~~~~~~~~~~~~~~~~~~~~~~~~~~~# vers 11 ; 2.25.2011 js
##~~~~~~~~~~~~~~~~~~~~~~~~~~~~# backUP
##-----------< assumes a chgrp users of /media
##-----------< assumes a 755 dir of /home/pps/pps_list
#######################################################

###----------------># start is there a tape test
sudo mt -f /dev/st0 status | grep error
if [[ $? -ne error ]]
then
echo "ALERT ========= you need a tape "
exit
else
echo " all is well-- you got a tape"
fi
###----------------># end is there a tape test
#
####----# get JobNum # enter w spaces
echo "Please provide the jobNum -----! 5 digits NO SPACES !"
read jobNum
echo "Thanks…Processing Your ${jobNum} Now"
###---i need a date
start=$(date)
Ntime=$(date)
CalcStart=$(date +%s)
echo $Ntime > /home/pps/pps_list/${jobNum}.txt

#---
#cd /media/*
cd /media/
#echo "dir is: `pwd`"

##-----how big is it # find in Num of bytes the size of dir
dirSize=$(du -bs /media/$jobNum* | awk '{print $1}')
echo $dirSize

##--end how big

####---# make a txt file - later it might get upld--dunno
####-for the tape the 00index.txt
echo $jobNum > /media/00index.txt
echo $Ntime >> /media/00index.txt
ls -Rlh >> /media/00index.txt

###-for big saver
ls -Rlh >> /home/pps/pps_list/${jobNum}.txt
echo $dirSize " bytes" >> /home/pps/pps_list/${jobNum}.txt

ls -R > /home/pps/pps_list/${jobNum}_short.txt
echo $dirSize " Bytes" >> /home/pps/pps_list/${jobNum}_short.txt
####----------------------------------------------------# the do
####----# make tape , assume 0
sudo tar --totals -H pax -cvf /dev/st0 *

###-----# start happytest
if [[ $? -ne 0 ]]
then
echo " backUP halt or error "
exit 1
else

############
end=$(date)
CalcEnd=$(date +%s)
echo $end >> /home/pps/pps_list/${jobNum}.txt

diff=$(( $CalcEnd - $CalcStart ))
## my dif effort needs work - need to do min only
#echo "Task Duration "$diff >> /home/pps/pps_list/${jobNum}.txt

####-remove the 00index.txt
rm /media/00index.txt
####----------------------------------------------------# end do
####---------------------------------------------# Start mail
# email subject
SUBJECT="The Back Up Job Number: "$jobNum

# Email To ?
########### group
EMAIL="bu@mydom.com"
########### devel
#EMAIL="me@mydom.com"

# Email text/message
EMAILMESSAGE="/tmp/emailmessage.txt"
echo "saver drive backed up to tape"> $EMAILMESSAGE
echo ".................................................. " >>$EMAILMESSAGE
echo "the job: " $jobNum >>$EMAILMESSAGE
echo $dirSize " Bytes" >>$EMAILMESSAGE
echo " " >>$EMAILMESSAGE
echo "Start Time: "$start >>$EMAILMESSAGE
echo " " >>$EMAILMESSAGE
echo " End Time: "$(date) >>$EMAILMESSAGE
echo "-------------------------------------------------- " >>$EMAILMESSAGE
echo "machine = armstrong" >>$EMAILMESSAGE
echo ".................................................. " >>$EMAILMESSAGE
echo " " >>$EMAILMESSAGE
echo "total seconds "$diff >>$EMAILMESSAGE
####hour=`echo $diff/3600 | bc`
echo " " >>$EMAILMESSAGE
hour=$(echo $diff/3600 | bc -l)
echo "that is r N $hour hour" >> $EMAILMESSAGE

# send an email using /bin/mail
/bin/mail -s "$SUBJECT" "$EMAIL" < $EMAILMESSAGE
#echo "subject is " $SUBJECT
#####----------------------------------------------# end mail

echo "*********************************************************"
echo " . "
echo "backup " ${jobNum} " DONE "
echo " . "
echo "It took "$diff

echo "--------------------------------------------------::good"
fi
###-----# end happytest
####- eject tape ** the whole eject merged w a tell maybe
#sudo mt -f /dev/st0 eject
#mt -f /dev/st0 eject
echo "eject with a 88888 then Label and be sure to Slide the RED for copy PROTECT NOW"
 
Old 02-28-2011, 02:08 PM   #12
zimbot
Member
 
Registered: Nov 2005
Location: cincinnati , ohio . USA
Distribution: ubuntu , Opensuse , CentOS
Posts: 179

Original Poster
Rep: Reputation: 17
so i think an item that i am confused on is
in my shell script where i may have
sudo mt -f /dev/st0 status
or
sudo tar --totals -H pax -cvf /dev/st0 *

these need to be command alias -- and then do i call that alias in the script
such as
sudo tar --totals -H pax -cvf /dev/st0 --*
is the command alias "bakup0" ?

so in my script do i have this "magic word " this alias that explodes to
sudo tar --totals -H pax -cvf /dev/st0 --*

so my script would look more like..
<snip>

####----# make tape , assume 0
bakup0
###-----# start happytest
</snip>
 
Old 02-28-2011, 04:04 PM   #13
Reuti
Senior Member
 
Registered: Dec 2004
Location: Marburg, Germany
Distribution: openSUSE 15.2
Posts: 1,339

Rep: Reputation: 260
There is no alias needed. You just have to code the exact syntax of the command in /etc/sudoers. I suggest to start with the very first lines of your script and enhance it when you see it's working so far. For now I think you will never get an error about a missing tape.

NB: You have the option in sudo to ask for a) no password, b) the user's password, c) the target user's password.

Last edited by Reuti; 02-28-2011 at 04:04 PM. Reason: Typo
 
Old 03-01-2011, 05:30 PM   #14
zimbot
Member
 
Registered: Nov 2005
Location: cincinnati , ohio . USA
Distribution: ubuntu , Opensuse , CentOS
Posts: 179

Original Poster
Rep: Reputation: 17
what do you mean by "start with the very first lines of your script and enhance it when you see it's working so far"

so , do you think if i do the following

1 su ( and give the root password ) i am now super , and in OpenSUSE the text turns red

2 i enter : visudo -f /etc/sudoers
I now see the /etc/sudoers file
a snip is below and if I add the following to the bottom
<snip>
# Uncomment to allow people in group wheel to run all commands
# %wheel ALL=(ALL) ALL

# Same thing without a password
# %wheel ALL=(ALL) NOPASSWD: ALL

# Samples
# %users ALL=/sbin/mount /cdrom,/sbin/umount /cdrom
# %users localhost=/sbin/shutdown -h now

# and i just add the script?
/bin/tar --totals -H pax -cvf /dev/st0 --*
mt -f /dev/st0 status
</snip>

or do i add the entire script - just pasted to the bottom of etc/sudoers?
and that would work?

and by work , i mean the user dog could run the script backup0.sh and only be asked for the dog password and NOT root
 
Old 03-01-2011, 05:52 PM   #15
Reuti
Senior Member
 
Registered: Dec 2004
Location: Marburg, Germany
Distribution: openSUSE 15.2
Posts: 1,339

Rep: Reputation: 260
No. In #2 I gave you the necessary idea for the /etc/sudoers file. Then get your script working under a normal user account up to "end is there a tape test" and test the error case. Now add the following lines in bunches and check whether they are working as intended each time.
 
  

