LinuxQuestions.org
Old 12-10-2006, 05:36 AM   #1
osle
LQ Newbie
 
Registered: Oct 2006
Posts: 8

Rep: Reputation: 0
How do I modify /etc/sudoers from an install ?


Hi all,

I wrote an application that for some of its commands requires root privileges.

I understand the best way to do this is by using sudo, and for that I needed to edit /etc/sudoers with visudo.

It all works fine, but here is my question:

What is the best way for an install package to edit /etc/sudoers?

And while we're at it, I have another question.
When I run sudo -l, it required a password. Why?
This is a user that I added myself, and it is in its own group. Does it have anything to do with groups?

Thanks in advance...

Last edited by osle; 12-10-2006 at 05:59 AM.
 
Old 12-10-2006, 09:04 AM   #2
trickykid
Guru
 
Registered: Jan 2001
Posts: 24,133

Rep: Reputation: 197
Whenever you run sudo, it should ask for a password, that's the whole point unless you configure it to be passwordless for that user.

And everyone tells you to edit with visudo but you can easily edit by just using vi /etc/sudoers or even piping whatever data you want into the file, I've never had problems editing by my own conventional means.
 
Old 12-10-2006, 09:51 AM   #3
tredegar
Guru
 
Registered: May 2003
Location: London, UK
Distribution: Ubuntu 10.04, mostly
Posts: 6,007

Rep: Reputation: 367
I have been looking at /etc/sudoers, trying to answer this thread:
http://www.linuxquestions.org/questi...d.php?t=508870

To edit this file:
Open a terminal
Become root:
Code:
sudo -i
Edit the file:
Code:
visudo
Make changes
Save the changes (these will be saved to /etc/sudoers.tmp)
Exit your editor
Something will parse your /etc/sudoers.tmp file and report any errors. I find this is useful because it gives me a chance to correct bad syntax. (trickykid probably doesn't suffer from bad syntax!)
If there are no errors the .tmp file will be moved to /etc/sudoers
 
Old 12-10-2006, 09:56 AM   #4
trickykid
Guru
 
Registered: Jan 2001
Posts: 24,133

Rep: Reputation: 197
Quote:
Originally Posted by tredegar
Something will parse your /etc/sudoers.tmp file and report any errors. I find this is useful because it gives me a chance to correct bad syntax. (trickykid probably doesn't suffer from bad syntax!)
If there are no errors the .tmp file will be moved to /etc/sudoers

Nope, apparently not. Edited sudoers thousands of times, never got any type of issues with it.

Though, if you do want to include a sudoers as a template of some kind. Edit it using visudo, save the file and use that file as the template, copying out to destination hosts you want such sudoers configured with, that way you get around the bad syntax if you just don't trust yourself.
 
Old 12-10-2006, 10:04 AM   #5
tredegar
Guru
 
Registered: May 2003
Location: London, UK
Distribution: Ubuntu 10.04, mostly
Posts: 6,007

Rep: Reputation: 367
Thanks trickykid.
But I'm still stuck trying to answer that post I referred to above.
Don't wish to hijack this thread but, I have added
%tredegar myhostname = NOPASSWD: /usr/bin/adept
to my sudoers file to try and make it so that when I run adept, it doesn't ask for a password, but it still does!
What am I doing wrong? (Maybe you could help me answer that thread, or even answer it yourself?!)

Edit: syntax!
 
Old 12-10-2006, 10:11 AM   #6
XavierP
Moderator
 
Registered: Nov 2002
Location: Kent, England
Distribution: Lubuntu
Posts: 19,176
Blog Entries: 4

Rep: Reputation: 429
The thing is that I read the post as him asking how he can get a program to edit sudoers or gain root access. Wouldn't that be a terribly bad idea?
 
Old 12-10-2006, 10:23 AM   #7
tredegar
Guru
 
Registered: May 2003
Location: London, UK
Distribution: Ubuntu 10.04, mostly
Posts: 6,007

Rep: Reputation: 367
Good point.
Perhaps we are barking up the wrong tree.
Maybe we should be telling him to make his application executable / writable only by root.
Then he just needs to invoke it with sudo application_name?
 
Old 12-10-2006, 10:40 AM   #8
XavierP
Moderator
 
Registered: Nov 2002
Location: Kent, England
Distribution: Lubuntu
Posts: 19,176
Blog Entries: 4

Rep: Reputation: 429
Quote:
Originally Posted by tredegar
Good point.
Perhaps we are barking up the wrong tree.
Maybe we should be telling him to make his application executable / writable only by root.
Then he just needs to invoke it with sudo application_name?

You mean like every other application?
 
Old 12-10-2006, 11:08 AM   #9
sn68
Member
 
Registered: Oct 2005
Distribution: FC5
Posts: 338

Rep: Reputation: 30
If an application can modify root permissions without user intervention then it can probably do anything malicious as well, me smelling virus here or am I terribly wrong?
 
Old 12-10-2006, 11:29 AM   #10
XavierP
Moderator
 
Registered: Nov 2002
Location: Kent, England
Distribution: Lubuntu
Posts: 19,176
Blog Entries: 4

Rep: Reputation: 429
My first thought was that he was asking for a way to install something as in Windows. But then I realised, if you run with a restricted account, it can't work in Windows either.

Basically, if it's not a virus, it's bad security - no install file should ever affect your sudo file or be able to gain root access unless you, the admin, explicitly and manually allow it.
 
Old 12-10-2006, 01:00 PM   #11
osle
LQ Newbie
 
Registered: Oct 2006
Posts: 8

Original Poster
Rep: Reputation: 0
Thank you all for your replies. Some more clarifications...

First of all, yes, having an application that gains root privilege is a bad idea.
I didn't plan to write an application to modify /etc/sudoers, I mean for the install to do that, and you have to be root to install anyway...
Once the install adds this line to /etc/sudoers:
theuser ALL= NOPASSWD: /sbin/myapplication
theuser, and only theuser will be able to run my application.
From what I've read, this is the safest way to do this.

Second, I have used visudo to edit the file successfully, but how would the install do that? Surely we are not going to ask every user to manually edit the file. I'm sure there is a way but I don't know what it is, what is the common solution for this scenario.

Lastly, the man pages for sudo say the following about "sudo -l"
The -l (list) option will list out the allowed (and forbidden) commands for the user on the current host.

I don't believe running sudo with this switch requires root password, otherwise what is the point? And in fact, when I ran this command on a Linux server it didn't require a password, but when I ran it on the machine I am maintaining it did. What is it then?
 
Old 12-10-2006, 03:07 PM   #12
trickykid
Guru
 
Registered: Jan 2001
Posts: 24,133

Rep: Reputation: 197
echo "theuser ALL= NOPASSWD: /sbin/myapplication" >> /etc/sudoers

Or like I said before, create your base template sudoers file and have the installer copy that from a remote source, or include with your media if you want.

And when specifying a single user, you don't need the % in front.
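
Added example (not part of any post in this thread): an installer-side version of the append shown above that keeps the check tredegar describes for visudo, where the edited copy is parsed first and only moved into place if it is clean. The function name add_sudoers_rule and the SUDOERS_CHECK override are assumptions of this sketch; visudo -c -q -f is the real check-only invocation.

```shell
#!/bin/sh
# Added example: append one rule to a sudoers file only if the result parses.
# SUDOERS_CHECK (hypothetical override) is the command that validates a
# candidate file; by default it is visudo in quiet, check-only mode.
SUDOERS_CHECK=${SUDOERS_CHECK:-visudo -c -q -f}

# add_sudoers_rule RULE [FILE]
# Returns 0 if the rule was added or is already present, 1 otherwise.
add_sudoers_rule() {
    rule=$1
    target=${2:-/etc/sudoers}

    # Idempotent: a repeated install must not add the same line twice.
    if grep -qxF -- "$rule" "$target"; then
        return 0
    fi

    # Build the candidate beside the target so the final mv is a rename
    # on the same filesystem and readers never see a half-written file.
    tmp=$(mktemp "${target}.XXXXXX") || return 1
    cp -p -- "$target" "$tmp" || { rm -f -- "$tmp"; return 1; }

    # If the existing file lacks a final newline, add one so the new rule
    # does not get glued onto the last existing line.
    if [ -n "$(tail -c 1 "$tmp")" ]; then
        printf '\n' >> "$tmp"
    fi
    printf '%s\n' "$rule" >> "$tmp"

    # Parse the candidate; replace the live file only when it is clean.
    if $SUDOERS_CHECK "$tmp"; then
        mv -f -- "$tmp" "$target"
    else
        rm -f -- "$tmp"
        echo "sudoers rule rejected; $target left unchanged" >&2
        return 1
    fi
}

# Usage from an install script running as root:
#   add_sudoers_rule 'theuser ALL= NOPASSWD: /sbin/myapplication'
```

Unlike visudo, this does not take the sudoers lock, so it does not protect against an administrator editing the file at the same moment.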
 
Old 12-11-2006, 12:56 AM   #13
osle
LQ Newbie
 
Registered: Oct 2006
Posts: 8

Original Poster
Rep: Reputation: 0
Thanks trickykid!

Of course, a simple solution. Thanks!
 
  

