LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Slackware (http://www.linuxquestions.org/questions/slackware-14/)
-   -   Messed with sudoers.d, now I am prompted for password at every terminal (http://www.linuxquestions.org/questions/slackware-14/messed-with-sudoers-d-now-i-am-prompted-for-password-at-every-terminal-4175490039/)

Miranden 01-03-2014 04:06 PM

Messed with sudoers.d, now I am prompted for password at every terminal
 
Ach, I think I broke something. Whenever my laptop boots up, the screen brightness is always set to the very highest level. So for the past year or so, in order to set my screen brightness to a decent level as soon as I log in (I'm sure there is a way to do it sooner, but I don't know it), I have had the line "echo 1000 > /sys/class/backlight/intel_backlight/brightness" in root's .bashrc. I wanted to have it in my user's .bashrc so I wouldn't have to log in as root every time I boot up, but since that brightness file is owned by root, I wasn't able to do that easily. Therefore, I have just been logging in as root every time I restarted the computer, then exiting and logging in as a normal user when the backlight (and a couple of other things) have been set. But of course this is not an ideal situation.

So I finally resolved to figure out how to work sudo so that I could give my normal user the right to execute the command echo 1000 > /sys/class/backlight/intel_backlight/brightness without a password. I made a file called "set_brightness" in my /etc/sudoers.d/ directory using visudo. In this file, I put the line

Code:

miranden darkstar=NOPASSWD:/bin/sh -c 'echo 1000 > /sys/class/backlight/intel_backlight/brightness'
I then put
Code:

/bin/sh -c 'echo 1000 > /sys/class/backlight/intel_backlight/brightness'
in my ~/.bashrc. I did it this way because when I tried just putting it in as "miranden darkstar=NOPASSWD: echo 1000 > /sys/class/backlight/intel_backlight/brightness" in /etc/sudoers.d/set_brightness, I got a syntax error. I thought this was because the shell was what was actually performing the redirection, so that wouldn't work. However, the other way didn't work either. Every time I opened a terminal, it would prompt me for a password and then say I did not have permission to execute that command.

I finally got tired of fiddling with this, and I removed the file in /etc/sudoers.d. I must have overstepped my competence here however, because now sudo will not leave me alone. I still get prompted for a password every time I open a terminal, and when I enter it, it says that my user is not in the sudoers file, and the incident will be reported. Then it makes me enter my password again before it lets me have the shell.

What did I do and how big of a mess did I make? How do I get my system back to the way it was before I added that file to the sudoers.d directory?

Any help appreciated!

astrogeek 01-03-2014 04:22 PM

Quote:

Originally Posted by Miranden (Post 5091412)
So I finally resolved to figure out how to work sudo so that I could give my normal user the right to execute the command echo 1000 > /sys/class/backlight/intel_backlight/brightness without a password. I made a file called "set_brightness" in my /etc/sudoers.d/ directory using visudo. In this file, I put the line

Code:

miranden darkstar=NOPASSWD:/bin/sh -c 'echo 1000 > /sys/class/backlight/intel_backlight/brightness'
I then put
Code:

/bin/sh -c 'echo 1000 > /sys/class/backlight/intel_backlight/brightness'
in my ~/.bashrc. I did it this way because when I tried just putting it in as "echo 1000 > /sys/class/backlight/intel_backlight/brightness" in /etc/sudoers.d/set_brightness, I got a syntax error. I thought this was because the shell was what was actually performing the redirection, so that wouldn't work. However, the other way didn't work either. Every time I opened a terminal, it would prompt me for a password and then say I did not have permission to execute that command.

I finally got tired of fiddling with this, and I removed the file in /etc/sudoers.d. I must have overstepped my competence here however, because now sudo will not leave me alone. I still get prompted for a password every time I open a terminal, and when I enter it, it says that my user is not in the sudoers file, and the incident will be reported. Then it makes me enter my password again before it lets me have the shell.

What did I do and how big of a mess did I make? How do I get my system back to the way it was before I added that file to the sudoers.d directory?

Any help appreciated!

Just a guess as to why it is still prompting you - I think you left the line in your ~/.bashrc and you are no longer in the sudoers so it prompts then fails...

I think your approach is good as far as using sudo and doing it per user as it will then allow the user to adjust the level if necessary. But I would do this:

Code:

(as root of course)

visudo

Then add your line...

miranden darkstar=NOPASSWD:/bin/sh -c 'echo 1000 > /sys/class/backlight/intel_backlight/brightness'

Then in your ~/.bashrc...

Code:

sudo /bin/sh -c 'echo 1000 > /sys/class/backlight/intel_backlight/brightness'
That should work I think. If not, please post back what the results are.

On the other hand, to make it happen at boot time, add it to /etc/rc.d/rc.local...

Code:

/bin/sh -c 'echo 1000 > /sys/class/backlight/intel_backlight/brightness'

And be sure it is executable...

chmod +x /etc/rc.d/rc.local


Miranden 01-03-2014 06:51 PM

Aha, you are right in that I forgot to take the line out of my ~/.bashrc. However, I just realized I made a mistake in the code I quoted above. I did in fact have the line

Code:

sudo /bin/sh -c 'echo 1000 > /sys/class/backlight/intel_backlight/brightness'
in my ~/.bashrc. (When I wrote it above I left out the "sudo," which you corrected for me.) But it doesn't work. Just to be sure, I redid the file in sudoers.d with

Code:

visudo -f /etc/sudoers.d/set_brightness
and put the

Code:

miranden darkstar=NOPASSWD:/bin/sh -c 'echo 1000 > /sys/class/backlight/intel_backlight/brightness'
line back in so everything was exactly how it was before. Now, whenever I open a terminal, it says:

Code:

Password: {I enter password}
Sorry, user miranden is not allowed to execute '/bin/sh -c echo 1000 > /sys/class/backlight/intel_backlight/brightness' as root on darkstar.
bash-4.2$

So this is where I was before when I gave up. Your solution of putting it in /etc/rc.d/rc.local is much better, but since I've come this far with sudo it would be nice to understand where I'm going wrong.

Thanks for the help!

astrogeek 01-03-2014 10:04 PM

Quote:

Originally Posted by Miranden (Post 5091499)
Aha, you are right in that I forgot to take the line out of my ~/.bashrc. However, I just realized I made a mistake in the code I quoted above. I did in fact have the line

Code:

sudo /bin/sh -c 'echo 1000 > /sys/class/backlight/intel_backlight/brightness'
in my ~/.bashrc. (When I wrote it above I left out the "sudo," which you corrected for me.) But it doesn't work. Just to be sure, I redid the file in sudoers.d with

Aha! I thought so, having gotten frustrated and done similar things myself in times past!

Quote:

Originally Posted by Miranden (Post 5091499)
So this is where I was before when I gave up. Your solution of putting it in /etc/rc.d/rc.local is much better, but since I've come this far with sudo it would be nice to understand where I'm going wrong.

Thanks for the help!

Ok, this has been buzzing around in my sole remaining brain cell all evening. So back to the start...

Quote:

in my ~/.bashrc. I did it this way because when I tried just putting it in as "miranden darkstar=NOPASSWD: echo 1000 > /sys/class/backlight/intel_backlight/brightness" in /etc/sudoers.d/set_brightness, I got a syntax error. I thought this was because the shell was what was actually performing the redirection, so that wouldn't work. However, the other way didn't work either. Every time I opened a terminal, it would prompt me for a password and then say I did not have permission to execute that command.
So after a refresher reading of man sudo and trying a few variants, it occurred to me why visudo treats your original shell command as a syntax error... it is because it wants the full path to the given command to prevent evil aliases! So this should actually work (red for the new part) and allow you to pass any value:

Code:

visudo

miranden darkstar=NOPASSWD: /bin/echo * > /sys/class/backlight/intel_backlight/brightness

Then in your ~/.bashrc

sudo /bin/echo 1000 > /sys/class/backlight/intel_backlight/brightness

That combination should make it work via sudo. I have tried a similar command locally and it works fine - let me know!

Miranden 01-03-2014 11:47 PM

Drat, no luck. :| It looks like you were exactly right about the /bin/echo to prevent the aliases (who knew it was as simple as that!), because visudo did allow that syntax, and when I open a terminal it is attempting to write to the file. However, instead of writing to it, it says

Code:

bash: /sys/class/backlight/intel_backlight/brightness: Permission denied
bash-4.2$

I just don't get it. Permission denied? Truly that doesn't seem very sudo-ey at all. Does this maybe have something to do with the redirect in the command? I think I may have to have another look at man sudo myself (though you seem better able to make sense of it than I), and see if anything jumps out. :study:

astrogeek 01-04-2014 12:22 AM

Quote:

Originally Posted by Miranden (Post 5091653)
Drat, no luck. :| It looks like you were exactly right about the /bin/echo to prevent the aliases (who knew it was as simple as that!), because visudo did allow that syntax, and when I open a terminal it is attempting to write to the file. However, instead of writing to it, it says

Code:

bash: /sys/class/backlight/intel_backlight/brightness: Permission denied
bash-4.2$

I just don't get it. Permission denied? Truly that doesn't seem very sudo-ey at all. Does this maybe have something to do with the redirect in the command? I think I may have to have another look at man sudo myself (though you seem better able to make sense of it than I), and see if anything jumps out. :study:

That is surprising.

I do not have the same /sys/... obviously, so I added NOPASSWD:/bin/ls /root to my sudoer, then added sudo /bin/ls /root to my ~/.bashrc and it worked.

So just to double check, in the ~/.bashrc you did include "sudo" before the comand?

Also what does ls -l /sys/class/backlight/... say? And if that is a symlink, what are the permissions of the target?

Miranden 01-04-2014 12:57 AM

Quote:

Originally Posted by astrogeek (Post 5091665)
That is surprising.

I do not have the same /sys/... obviously, so I added NOPASSWD:/bin/ls /root to my sudoer, then added sudo /bin/ls /root to my ~/.bashrc and it worked.

So just to double check, in the ~/.bashrc you did include "sudo" before the comand?

Also what does ls -l /sys/class/backlight/... say? And if that is a symlink, what are the permissions of the target?

Yes, I did put the sudo in. Here is the line copied directly from my .bashrc

Code:

sudo /bin/echo 1000 > /sys/class/backlight/intel_backlight/brightness
And here are the permissions:

Code:

bash-4.2$ ls -l /sys/class/backlight/intel_backlight/brightness
-rw-r--r-- 1 root root 4.0K Jan  4 00:19 /sys/class/backlight/intel_backlight/brightness

My backlight keys do not work, so I routinely change the backlight in a terminal by switching to root and entering "echo {value} > /sys/class/backlight/intel_backlight/brightness." It works as expected, so I don't understand why this is different. I thought I must have made a typo somewhere or forgotten something, but I have checked several times and it is exactly as posted.

Here is my file in /etc/sudoers.d/:
Code:

bash-4.2# cat /etc/sudoers.d/set_brightness
miranden darkstar=NOPASSWD: /bin/echo * > /sys/class/backlight/intel_backlight/brightness
bash-4.2#

I have been awake too long, which is why I have copied and pasted everything directly. If I have missed something silly and obvious, please let me know. :)

I think I'll turn in and look tomorrow after some sleep.

Thanks again!

astrogeek 01-04-2014 01:16 AM

Quote:

Originally Posted by Miranden (Post 5091685)
I have been awake too long, which is why I have copied and pasted everything directly. If I have missed something silly and obvious, please let me know. :)

I think I'll turn in and look tomorrow after some sleep.

Thanks again!

I can certainly sympathize with that, unfortunately I have a few more hours to go...

I suspect we are both missing something very simple, here are a few thoughts that come immediately to mind...

Just to be very clear, assuming everything is as it appears but it fails from the ~/.bashrc, does it also fail if you type it in after login (i.e., from the terminal)?

Next, are we sure there is nothing else at play here, such as LDAP or SELinux?

And finally, I have not used the /etc/sudoers.d/... setup before, although it looks to be the same and simple. But just to be on familiar territory, can you remove the /etc/sudoers.d/ file that you made and do it the old fashioned way with visudo (and /etc/sudoers)?

The permissions make it writeable by root, so that should not be a problem - I think we are still missing something with sudo.

I'll check in later tomorrow myself. Thanks!

saivinoba 01-04-2014 02:42 AM

Can you check the following:
1. You have /bin/echo * in the sudoers file. Is it handling wildcard properly? May be we need to quote the command or put the exact value?
2. Is your hostname 'darkstar'?
3. astrogeek has valid point in that have you tried to manually enter the command (with sudo, ofcourse) when it failed to execute automatically with .bashrc?
4. Instead of being very specific about what you are allowed to echo, can you try to get permission to just use echo? Like,
Code:

miranden ALL = NOPASSWD: /bin/echo
(try generic host instead of specific hostname such as 'darkstar' first) and then put actual command in .bashrc like
Code:

sudo /bin/echo 1000 > /sys/class/backlight/intel_backlight/brightness

saivinoba 01-04-2014 05:39 AM

Hi,

Googled online for sudo and echo combination and found that it is not possible to use sudo echo. It seems '>' and '>>' are handled by the shell and not by sudoers. For that probably we should also have sudo permission to sh (or bash).

With 'tee' however we can achieve the same result. Change your /etc/sudoers.d/set_brightness as follows:
Code:

miranden ALL = NOPASSWD: /usr/bin/tee
Then in .bashrc put the following:
Code:

echo '1000' | sudo tee /sys/class/backlight/intel_backlight/brightness > /dev/null
I checked on my computer and it worked fine. Note: In the above line, sudo is for 'tee' only not for 'echo'. If you do not put '> /dev/null' at the end, each time you open terminal it will show '1000' before the prompt.

Once it works, you may change the hostname to 'darkstar' (if it is indeed your hostname) and confirm if it works.

P.S.: Is the brightness value really 1000 and not 100? On my computer it is 100.

Miranden 01-04-2014 12:45 PM

Quote:

Originally Posted by astrogeek (Post 5091690)
I can certainly sympathize with that, unfortunately I have a few more hours to go...

I suspect we are both missing something very simple, here are a few thoughts that come immediately to mind...

Just to be very clear, assuming everything is as it appears but it fails from the ~/.bashrc, does it also fail if you type it in after login (i.e., from the terminal)?

Should have tried that myself earlier. Yes it does.

Code:

sudo /bin/echo 500 > /sys/class/backlight/intel_backlight/brightness
bash: /sys/class/backlight/intel_backlight/brightness: Permission denied

Quote:

Next, are we sure there is nothing else at play here, such as LDAP or SELinux?
Nope, nothing like that.

Quote:

And finally, I have not used the /etc/sudoers.d/... setup before, although it looks to be the same and simple. But just to be on familiar territory, can you remove the /etc/sudoers.d/ file that you made and do it the old fashioned way with visudo (and /etc/sudoers)?
I would, but I'm not where to put the line in /etc/sudoers . . . will the very bottom work?

Miranden 01-04-2014 01:20 PM

Quote:

Originally Posted by saivinoba (Post 5091749)
Hi,

Googled online for sudo and echo combination and found that it is not possible to use sudo echo.

You can use sudo echo. I put "miranden darkstar = NOPASSWD: /usr/bin/echo" in /etc/sudoers
and it works. It looks like it is the redirect (">") that is the problem.

Quote:

It seems '>' and '>>' are handled by the shell and not by sudoers. For that probably we should also have sudo permission to sh (or bash).
Funny, that's what I thought from the very beginning. As I mentioned in my initial post, the first thing I tried to get around that was to use

Code:

miranden darkstar=NOPASSWD:/bin/sh -c 'echo 1000 > /sys/class/backlight/intel_backlight/brightness'
I got errors with that. (I wonder why?) But ever since then, I've been wondering if it had something to do with the shell handling redirect (> or >>). I guess I should have learned how to use tee! Somehow I've never gotten around to that command . . .

Quote:

Change your /etc/sudoers.d/set_brightness as follows:
Code:

miranden ALL = NOPASSWD: /usr/bin/tee
Then in .bashrc put the following:
Code:

echo '1000' | sudo tee /sys/class/backlight/intel_backlight/brightness > /dev/null
I checked on my computer and it worked fine. Note: In the above line, sudo is for 'tee' only not for 'echo'. If you do not put '> /dev/null' at the end, each time you open terminal it will show '1000' before the prompt.
It works! Thanks a lot! Of course astrogeek's solution of putting the line in /etc/rc.d/rc.local is the best way to go, but I am very glad to know how to work sudo as well. :D

Quote:

Once it works, you may change the hostname to 'darkstar' (if it is indeed your hostname) and confirm if it works.

P.S.: Is the brightness value really 1000 and not 100? On my computer it is 100.
My hostname is darkstar. I used the command "hostname" before I started this to be sure. And as far as the brightness, every card is different. On my computer it goes up to over 4000. Thank you for your help! This was literally keeping me up at night . . . :)

astrogeek 01-04-2014 01:51 PM

Well that was educational for all of us!

I'll add an appropriate note to my knowledge base!

Thanks to saivinoba for joining in with the key info!

Miranden 01-04-2014 01:58 PM

Yes it was! I will definitely be adding appropriate notes as well.

Thanks for all the help. Whew!


All times are GMT -5. The time now is 04:36 PM.