LinuxQuestions.org
Help answer threads with 0 replies.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - General
User Name
Password
Linux - General This Linux forum is for general Linux questions and discussion.
If it is Linux Related and doesn't seem to fit in any other forum then this is the place.

Notices

Reply
 
Search this Thread
Old 02-14-2011, 02:59 PM   #1
zimbot
Member
 
Registered: Nov 2005
Location: cincinnati , ohio . USA
Distribution: ubuntu , Opensuse , CentOS
Posts: 122

Rep: Reputation: 17
sudo list


friends
i have a bash script that I am using for doung tape backups

The meat of the bash script is
sudo tar --totals -H pax -cvf /dev/st0 *

this all works just fine.
BUT of course tape functions have to be ran as root--
therefore sudo , requiring the standard user to enter the root password.
I would like to be in a situation where the standard user does not need ( does not know ) the root password.

I think my solution is add that standard user
user named dog to the sudo list.

I have reviewed the sudo man page and looked at
http://www.susegeek.com/security/how...y-in-opensuse/

i am still fuzzy.
my Q.

1 -- will adding user 'dog' to this sudo list do what i expect meaning i can run:
sudo tar --totals -H pax -cvf /dev/st0 *
and the user is not queried for the root password

2 -- how do i do that ? and do i make a cmd alais for only : "tar --totals -H pax -cvf /dev/st0 *"

my distro is OpenSuse

thanks
 
Old 02-14-2011, 03:36 PM   #2
Reuti
Senior Member
 
Registered: Dec 2004
Location: Marburg, Germany
Distribution: openSUSE 11.4
Posts: 1,319

Rep: Reputation: 252Reputation: 252Reputation: 252
Yes, it's feasible to make a command alias. You can also just edit /etc/sudoers:

Code:
Cmnd_Alias BACKUP = /bin/tar --totals -H pax -cvf /dev/st0 *
Defaults!BACKUP runas_default=root, always_set_home, mail_always, mailto=root
dog   ALL = (root) NOPASSWD: BACKUP
NB: The call must start with tar --totals -H pax -cvf /dev/st0, i.e.:

Code:
$ sudo tar --totals -H pax -cvf /dev/st0 *
The * in /etc/sudoers is not the * on the command line. Inside /etc/sudoers it means anything, on the command line it will be replaced by the shell with the filenames in the current working directory.

Last edited by Reuti; 02-14-2011 at 03:41 PM. Reason: Added NB.
 
Old 02-15-2011, 03:23 AM   #3
Valery Reznic
ELF Statifier author
 
Registered: Oct 2007
Posts: 666

Rep: Reputation: 133Reputation: 133
Quote:
Originally Posted by Reuti View Post
Yes, it's feasible to make a command alias. You can also just edit /etc/sudoers:

Code:
Cmnd_Alias BACKUP = /bin/tar --totals -H pax -cvf /dev/st0 *

BACKUP alias supposed to accept additional arguments, so one can specify --use-compress-program (nice switch of tar) with any program of his liking to be run as root.

I think following should fix problem:
Code:
Cmnd_Alias BACKUP = /bin/tar --totals -H pax -cvf /dev/st0 -- *
'--' will stop option processing by tar, so any additional arguments will be considered as files for backup, not as additional switches
 
1 members found this post helpful.
Old 02-15-2011, 03:30 AM   #4
hurryi
Member
 
Registered: Apr 2010
Distribution: RHEL
Posts: 77

Rep: Reputation: 7
Quote:
Originally Posted by zimbot View Post
BUT of course tape functions have to be ran as root--
therefore sudo , requiring the standard user to enter the root password.
btw thats not true, if NOPASSWD is not specified it will ask for pw but not for root pw but user password
 
Old 02-15-2011, 03:38 AM   #5
Reuti
Senior Member
 
Registered: Dec 2004
Location: Marburg, Germany
Distribution: openSUSE 11.4
Posts: 1,319

Rep: Reputation: 252Reputation: 252Reputation: 252
Quote:
Originally Posted by hurryi View Post
btw thats not true, if NOPASSWD is not specified it will ask for pw but not for root pw but user password
In fact: it can be adjusted by specifying "targetpw" or "!targetpw" as default for certain rules.
 
Old 02-15-2011, 03:48 AM   #6
Reuti
Senior Member
 
Registered: Dec 2004
Location: Marburg, Germany
Distribution: openSUSE 11.4
Posts: 1,319

Rep: Reputation: 252Reputation: 252Reputation: 252
Quote:
Originally Posted by Valery Reznic View Post
BACKUP alias supposed to accept additional arguments, so one can specify --use-compress-program (nice switch of tar) with any program of his liking to be run as root.

I think following should fix problem:
Code:
Cmnd_Alias BACKUP = /bin/tar --totals -H pax -cvf /dev/st0 -- *
'--' will stop option processing by tar, so any additional arguments will be considered as files for backup, not as additional switches
Good catch. As the arguments has to match, it will imply that you always have to specify --. But as the other arguments also have to match, it's acceptable. The syntax to sudoers could be more flexible, like specifying a set of forbidden and allowed options for each command.
 
Old 02-15-2011, 04:18 AM   #7
Valery Reznic
ELF Statifier author
 
Registered: Oct 2007
Posts: 666

Rep: Reputation: 133Reputation: 133
Quote:
Originally Posted by Reuti View Post
Good catch. As the arguments has to match, it will imply that you always have to specify --. But as the other arguments also have to match, it's acceptable. The syntax to sudoers could be more flexible, like specifying a set of forbidden and allowed options for each command.
I don't think forbidden options is good idea: let's say we forbid --use-compress-program for tar. For now we are safe.
But next update to the tar may bring new functionality, new options and among them - dangerous one from sudo point of view.

Allowed option looks better, but IMO sudo configuration is already too flexible (== complex and error prone)
 
Old 02-15-2011, 04:40 AM   #8
Reuti
Senior Member
 
Registered: Dec 2004
Location: Marburg, Germany
Distribution: openSUSE 11.4
Posts: 1,319

Rep: Reputation: 252Reputation: 252Reputation: 252
Quote:
Originally Posted by Valery Reznic View Post
Allowed option looks better, but IMO sudo configuration is already too flexible (== complex and error prone)
Agreed. For now the command aliases behave like the shell expansion regarding character ranges and asterisk resolution and it's sometimes hard to create an alias with exactly the intended purpose and allowed options. One might end up with having several combinations of the allowed options in one and the same alias definition to limit it to these.

It might be better to have a well defined syntax there for specifying these restrictions in BNF style.
 
Old 02-28-2011, 12:57 PM   #9
zimbot
Member
 
Registered: Nov 2005
Location: cincinnati , ohio . USA
Distribution: ubuntu , Opensuse , CentOS
Posts: 122

Original Poster
Rep: Reputation: 17
sudo - standard user can do just a few things as root

Friends,

I have spent some time looking at these reponses

i did a visudo and looked at my sudo user file / i made no changes.

I would like just a bit more advice

if I wanted to grant the user "dog"
the rights to run only the following


needed sudo commands , 6 in number

sudo tar --totals -H pax -cvf /dev/st0 *
( and this would have to be : sudo tar --totals -H pax -cvf /dev/st0 --*
( i think understand that is because of the * and a need to escape it...yes?
sudo tar -tvf /dev/st0
sudo mt -f /dev/st0 eject
sudo tar -xvf /dev/st0
sudo mt -f /dev/st0 rewind
sudo mt -f /dev/st0 status

each of these will be 1 line in a greater shell script
meaning - I do NOT have to enter the name of the shell script { bu01.sh )
but the actuall sudo line WITHIN the shell script
such as sudo mt -f /dev/st0 eject


I have read the man and done other googling - but i am still uncertain.

I could have 1 user ( dog )
who would have 6 'command he could call and not have to have the root password.
I think i understand that it is possible that the dog user will HAVE to respond with HIS
password. that seems like a good idea to me.

again , my real goal is to have some scripts where a standard user can do some mt backup duties and i do not have to give out the root password

Thanks!



here i have a list of what I might *think* i need to enter and a possible alias name


sudo tar --totals -H pax -cvf /dev/st0 *
bakup0 : alias

tell
sudo tar -tvf /dev/st0
telltp0 : alias

eject
sudo mt -f /dev/st0 eject
sudo mt -f /dev/st0 eject
ejectp0 : alias

restore
sudo tar -xvf /dev/st0n
retoretp0 : alias

rewind
sudo mt -f /dev/st0 rewind
rewindtp0 : alias
 
Old 02-28-2011, 01:21 PM   #10
Reuti
Senior Member
 
Registered: Dec 2004
Location: Marburg, Germany
Distribution: openSUSE 11.4
Posts: 1,319

Rep: Reputation: 252Reputation: 252Reputation: 252
Quote:
Originally Posted by zimbot View Post
here i have a list of what I might *think* i need to enter and a possible alias name


sudo tar --totals -H pax -cvf /dev/st0 *
bakup0 : alias

tell
sudo tar -tvf /dev/st0
telltp0 : alias

eject
sudo mt -f /dev/st0 eject
sudo mt -f /dev/st0 eject
ejectp0 : alias

restore
sudo tar -xvf /dev/st0n
retoretp0 : alias

rewind
sudo mt -f /dev/st0 rewind
rewindtp0 : alias
Where do you want to enter this - what syntax is it?
 
Old 02-28-2011, 01:57 PM   #11
zimbot
Member
 
Registered: Nov 2005
Location: cincinnati , ohio . USA
Distribution: ubuntu , Opensuse , CentOS
Posts: 122

Original Poster
Rep: Reputation: 17
well
( speaking simply , cause simple seems to be as much as i can do
I wish to have a this called as part of a greater shell script

example the most complex script is the backUP itself
where as you can see it is called
down in the script
sudo tar --totals -H pax -cvf /dev/st0 *
( marked in red )
and of course , you are asked for the root password.
the user experience that i am looking for is when the script is ran
the user is only asked for HIS password ( eg the dog user , the limited user - or no password query-- but NOT for the root password. the idea is this person would not know the root password.

[ also this script below is the most complex thing i have ever made ; could not have done it without google & the good & wise folk found at LINUXQUESTIONS.org

thanks much!

------------start of script named ppsbu.sh
#!/bin/sh
##~~~~~~~~~~~~~~~~~~~~~~~~~~~~# vers 11 ; 2.25.2011 js
##~~~~~~~~~~~~~~~~~~~~~~~~~~~~# backUP
##-----------< assumes a chgrp users of /media
##-----------< assumes a 755 dir of /home/pps/pps_list
#######################################################

###----------------># start is there a tape test
sudo mt -f /dev/st0 status | grep error
if [[ $? -ne error ]]
then
echo "ALERT ========= you need a tape "
exit
else
echo " all is well-- you got a tape"
fi
###----------------># end is there a tape test
#
####----# get JobNum # enter w spaces
echo “Please provide the jobNum -----! 5 digits NO SPACES !”
read jobNum
echo “Thanks…Processing Your ${jobNum} Now”
###---i need a date
start=$(date)
Ntime=$(date)
CalcStart=$(date +%s)
echo $Ntime > /home/pps/pps_list/${jobNum}.txt

#---
#cd /media/*
cd /media/
#echo "dir is: `pwd`"

##-----how big is it # find in Num of bytes the size of dir
dirSize=$(du -bs /media/$jobNum* | awk '{print $1}')
echo $dirSize

##--end how big

####---# make a txt file - later it might get upld--dunno
####-for the tape the 00index.txt
echo $jobNum > /media/00index.txt
echo $Ntime >> /media/00index.txt
ls -Rlh >> /media/00index.txt

###-for big saver
ls -Rlh >> /home/pps/pps_list/${jobNum}.txt
echo $dirSize " bytes" >> /home/pps/pps_list/${jobNum}.txt

ls -R > /home/pps/pps_list/${jobNum}_short.txt
echo $dirSize " Bytes" >> /home/pps/pps_list/${jobNum}_short.txt
####----------------------------------------------------# the do
####----# make tape , assume 0
sudo tar --totals -H pax -cvf /dev/st0 *

###-----# start happytest
if [[ $? -ne 0 ]]
then
echo " backUP halt or error "
exit1
else

############
end=$(date)
CalcEnd=$(date +%s)
echo $end >> /home/pps/pps_list/${jobNum}.txt

diff=$(( $CalcEnd - $CalcStart ))
## my dif effort needs work - need to do min only
#echo "Task Duration "$diff >> /home/pps/pps_list/${jobNum}.txt

####-remove the 00index.txt
rm /media/00index.txt
####----------------------------------------------------# end do
####---------------------------------------------# Start mail
# email subject
SUBJECT="The Back Up Job Number: "$jobNum

# Email To ?
########### group
EMAIL="bu@mydom.com"
########### devel
#EMAIL="me@mydom.com"

# Email text/message
EMAILMESSAGE="/tmp/emailmessage.txt"
echo "saver drive backed up to tape"> $EMAILMESSAGE
echo ".................................................. " >>$EMAILMESSAGE
echo "the job: " $jobNum >>$EMAILMESSAGE
echo $dirSize " Bytes" >>$EMAILMESSAGE
echo " " >>$EMAILMESSAGE
echo "Start Time: "$start >>$EMAILMESSAGE
echo " " >>$EMAILMESSAGE
echo " End Time: "$(date) >>$EMAILMESSAGE
echo "-------------------------------------------------- " >>$EMAILMESSAGE
echo "machine = armstrong" >>$EMAILMESSAGE
echo ".................................................. " >>$EMAILMESSAGE
echo " " >>$EMAILMESSAGE
echo "total seconds "$diff >>$EMAILMESSAGE
####hour=`echo $diff/3600 | bc`
echo " " >>$EMAILMESSAGE
hour=$(echo $diff/3600 | bc -l)
echo "that is r N $hour hour" >> $EMAILMESSAGE

# send an email using /bin/mail
/bin/mail -s "$SUBJECT" "$EMAIL" < $EMAILMESSAGE
#echo "subject is " $SUBJECT
#####----------------------------------------------# end mail

echo "*********************************************************"
echo " . "
echo "backup " ${jobNum} " DONE "
echo " . "
echo "It took "$diff

echo "--------------------------------------------------::good"
fi
###-----# end happytest
####- eject tape ** the whole eject merged w a tell maybe
#sudo mt -f /dev/st0 eject
#mt -f /dev/st0 eject
echo "eject with a 88888 then Label and be sure to Slide the RED for copy PROTECT NOW"
 
Old 02-28-2011, 02:08 PM   #12
zimbot
Member
 
Registered: Nov 2005
Location: cincinnati , ohio . USA
Distribution: ubuntu , Opensuse , CentOS
Posts: 122

Original Poster
Rep: Reputation: 17
so i think an iten that i am confused on is
in my shell script where i may have
sudo mt -f /dev/st0 status
or
sudo tar --totals -H pax -cvf /dev/st0 *

these need to be command alias -- and then do i call that alias in the scripu
such as
sudo tar --totals -H pax -cvf /dev/st0 --*
is the command alias "bakup0" ?

so in my script do i have this "magic word " this alias that explodes to
sudo tar --totals -H pax -cvf /dev/st0 --*

so my script would look more like..
<snip>

####----# make tape , assume 0
bakup0
###-----# start happytest
</snip>
 
Old 02-28-2011, 04:04 PM   #13
Reuti
Senior Member
 
Registered: Dec 2004
Location: Marburg, Germany
Distribution: openSUSE 11.4
Posts: 1,319

Rep: Reputation: 252Reputation: 252Reputation: 252
There is no alias needed. You just have to code the exact syntax of the command in /etc/sudoers. I suggest to start with the very first lines of your script and enhance it when you see it's working so far. For now I think you will never get an error about a missing tape.

NB: You have the option in sudo to ask for a) no password, b) the user's password, c) the target user's password.

Last edited by Reuti; 02-28-2011 at 04:04 PM. Reason: Typo
 
Old 03-01-2011, 05:30 PM   #14
zimbot
Member
 
Registered: Nov 2005
Location: cincinnati , ohio . USA
Distribution: ubuntu , Opensuse , CentOS
Posts: 122

Original Poster
Rep: Reputation: 17
what do you mean by "start with the very first lines of your script and enhance it when you see it's working so far"

so , do you think if i do the following

1 su ( and give the root password ) i am now super , and in OpenSUSE the text turns red

2 i enter : visudo -f /etc/sudoers
I now see the /etc/sudoers file
a snip is below and if I add the following to the bottom
<snip>
# Uncomment to allow people in group wheel to run all commands
# %wheel ALL=(ALL) ALL

# Same thing without a password
# %wheel ALL=(ALL) NOPASSWD: ALL

# Samples
# %users ALL=/sbin/mount /cdrom,/sbin/umount /cdrom
# %users localhost=/sbin/shutdown -h now

# and i just add the script?
/bin/tar --totals -H pax -cvf /dev/st0 --*
mt -f /dev/st0 status
</snip>

or do i add the entire script - just pasted to the bottom of etc/sudoers?
and that would work?

and by work , i mean the user dog could run the script backup0.sh and only be asked for the dog password and NOT root
 
Old 03-01-2011, 05:52 PM   #15
Reuti
Senior Member
 
Registered: Dec 2004
Location: Marburg, Germany
Distribution: openSUSE 11.4
Posts: 1,319

Rep: Reputation: 252Reputation: 252Reputation: 252
No. In #2 I gave you the necessary idea for the /etc/sudoers file. Then get your script working under a normal user account up to end is there a tape test and test the error case. Now add the following lines in bunches and check whether they are working as intendent each time.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
LXer: The Ultimate Sudo FAQ — To Sudo Or Not To Sudo? LXer Syndicated Linux News 13 04-13-2013 01:36 AM
Please list some GUI frontend you know for "sudo" command. cshong Linux - Newbie 3 01-15-2011 04:06 PM
'sudo' cant list "/root/install*" ?? Komal_rg Linux - Newbie 6 10-29-2009 03:47 AM
Is there a list of SUDO commands anywhere? NFI Linux - Newbie 7 06-28-2009 07:19 PM
sudo command, sources.list mbuchoff Linux - Newbie 9 02-16-2007 07:32 AM


All times are GMT -5. The time now is 07:20 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration