LinuxQuestions.org


Miranden 01-03-2014 04:06 PM

Messed with sudoers.d, now I am prompted for password at every terminal
 
Ach, I think I broke something. Whenever my laptop boots up, the screen brightness is always set to the very highest level. So for the past year or so, in order to set my screen brightness to a decent level as soon as I log in (I'm sure there is a way to do it sooner, but I don't know it), I have had the line "echo 1000 > /sys/class/backlight/intel_backlight/brightness" in root's .bashrc. I wanted to have it in my user's .bashrc so I wouldn't have to log in as root every time I boot up, but since that brightness file is owned by root, I wasn't able to do that easily. Therefore, I have just been logging in as root every time I restarted the computer, then exiting and logging in as a normal user when the backlight (and a couple of other things) have been set. But of course this is not an ideal situation.

So I finally resolved to figure out how to work sudo so that I could give my normal user the right to execute the command echo 1000 > /sys/class/backlight/intel_backlight/brightness without a password. I made a file called "set_brightness" in my /etc/sudoers.d/ directory using visudo. In this file, I put the line

Code:

miranden darkstar=NOPASSWD:/bin/sh -c 'echo 1000 > /sys/class/backlight/intel_backlight/brightness'
I then put
Code:

/bin/sh -c 'echo 1000 > /sys/class/backlight/intel_backlight/brightness'
in my ~/.bashrc. I did it this way because when I tried just putting it in as "miranden darkstar=NOPASSWD: echo 1000 > /sys/class/backlight/intel_backlight/brightness" in /etc/sudoers.d/set_brightness, I got a syntax error. I thought this was because the shell was what was actually performing the redirection, so that wouldn't work. However, the other way didn't work either. Every time I opened a terminal, it would prompt me for a password and then say I did not have permission to execute that command.

I finally got tired of fiddling with this, and I removed the file in /etc/sudoers.d. I must have overstepped my competence here however, because now sudo will not leave me alone. I still get prompted for a password every time I open a terminal, and when I enter it, it says that my user is not in the sudoers file, and the incident will be reported. Then it makes me enter my password again before it lets me have the shell.

What did I do and how big of a mess did I make? How do I get my system back to the way it was before I added that file to the sudoers.d directory?

Any help appreciated!

astrogeek 01-03-2014 04:22 PM

Quote:

Originally Posted by Miranden (Post 5091412)
So I finally resolved to figure out how to work sudo so that I could give my normal user the right to execute the command echo 1000 > /sys/class/backlight/intel_backlight/brightness without a password. I made a file called "set_brightness" in my /etc/sudoers.d/ directory using visudo. In this file, I put the line

Code:

miranden darkstar=NOPASSWD:/bin/sh -c 'echo 1000 > /sys/class/backlight/intel_backlight/brightness'
I then put
Code:

/bin/sh -c 'echo 1000 > /sys/class/backlight/intel_backlight/brightness'
in my ~/.bashrc. I did it this way because when I tried just putting it in as "echo 1000 > /sys/class/backlight/intel_backlight/brightness" in /etc/sudoers.d/set_brightness, I got a syntax error. I thought this was because the shell was what was actually performing the redirection, so that wouldn't work. However, the other way didn't work either. Every time I opened a terminal, it would prompt me for a password and then say I did not have permission to execute that command.

I finally got tired of fiddling with this, and I removed the file in /etc/sudoers.d. I must have overstepped my competence here however, because now sudo will not leave me alone. I still get prompted for a password every time I open a terminal, and when I enter it, it says that my user is not in the sudoers file, and the incident will be reported. Then it makes me enter my password again before it lets me have the shell.

What did I do and how big of a mess did I make? How do I get my system back to the way it was before I added that file to the sudoers.d directory?

Any help appreciated!

Just a guess as to why it is still prompting you - I think you left the line in your ~/.bashrc and you are no longer in the sudoers so it prompts then fails...

I think your approach is good as far as using sudo and doing it per user as it will then allow the user to adjust the level if necessary. But I would do this:

Code:

(as root of course)

visudo

Then add your line...

miranden darkstar=NOPASSWD:/bin/sh -c 'echo 1000 > /sys/class/backlight/intel_backlight/brightness'

Then in your ~/.bashrc...

Code:

sudo /bin/sh -c 'echo 1000 > /sys/class/backlight/intel_backlight/brightness'
That should work I think. If not, please post back what the results are.

On the other hand, to make it happen at boot time, add it to /etc/rc.d/rc.local...

Code:

/bin/sh -c 'echo 1000 > /sys/class/backlight/intel_backlight/brightness'

And be sure it is executable...

chmod +x /etc/rc.d/rc.local


Miranden 01-03-2014 06:51 PM

Aha, you are right in that I forgot to take the line out of my ~/.bashrc. However, I just realized I made a mistake in the code I quoted above. I did in fact have the line

Code:

sudo /bin/sh -c 'echo 1000 > /sys/class/backlight/intel_backlight/brightness'
in my ~/.bashrc. (When I wrote it above I left out the "sudo," which you corrected for me.) But it doesn't work. Just to be sure, I redid the file in sudoers.d with

Code:

visudo -f /etc/sudoers.d/set_brightness
and put the

Code:

miranden darkstar=NOPASSWD:/bin/sh -c 'echo 1000 > /sys/class/backlight/intel_backlight/brightness'
line back in so everything was exactly how it was before. Now, whenever I open a terminal, it says:

Code:

Password: {I enter password}
Sorry, user miranden is not allowed to execute '/bin/sh -c echo 1000 > /sys/class/backlight/intel_backlight/brightness' as root on darkstar.
bash-4.2$

So this is where I was before when I gave up. Your solution of putting it in /etc/rc.d/rc.local is much better, but since I've come this far with sudo it would be nice to understand where I'm going wrong.

Thanks for the help!

astrogeek 01-03-2014 10:04 PM

Quote:

Originally Posted by Miranden (Post 5091499)
Aha, you are right in that I forgot to take the line out of my ~/.bashrc. However, I just realized I made a mistake in the code I quoted above. I did in fact have the line

Code:

sudo /bin/sh -c 'echo 1000 > /sys/class/backlight/intel_backlight/brightness'
in my ~/.bashrc. (When I wrote it above I left out the "sudo," which you corrected for me.) But it doesn't work. Just to be sure, I redid the file in sudoers.d with

Aha! I thought so, having gotten frustrated and done similar things myself in times past!

Quote:

Originally Posted by Miranden (Post 5091499)
So this is where I was before when I gave up. Your solution of putting it in /etc/rc.d/rc.local is much better, but since I've come this far with sudo it would be nice to understand where I'm going wrong.

Thanks for the help!

Ok, this has been buzzing around in my sole remaining brain cell all evening. So back to the start...

Quote:

in my ~/.bashrc. I did it this way because when I tried just putting it in as "miranden darkstar=NOPASSWD: echo 1000 > /sys/class/backlight/intel_backlight/brightness" in /etc/sudoers.d/set_brightness, I got a syntax error. I thought this was because the shell was what was actually performing the redirection, so that wouldn't work. However, the other way didn't work either. Every time I opened a terminal, it would prompt me for a password and then say I did not have permission to execute that command.
So after a refresher reading of man sudo and trying a few variants, it occurred to me why visudo treats your original shell command as a syntax error... it is because it wants the full path to the given command to prevent evil aliases! So this should actually work (red for the new part) and allow you to pass any value:

Code:

visudo

miranden darkstar=NOPASSWD: /bin/echo * > /sys/class/backlight/intel_backlight/brightness

Then in your ~/.bashrc

sudo /bin/echo 1000 > /sys/class/backlight/intel_backlight/brightness

That combination should make it work via sudo. I have tried a similar command locally and it works fine - let me know!

Miranden 01-03-2014 11:47 PM

Drat, no luck. :| It looks like you were exactly right about the /bin/echo to prevent the aliases (who knew it was as simple as that!), because visudo did allow that syntax, and when I open a terminal it is attempting to write to the file. However, instead of writing to it, it says

Code:

bash: /sys/class/backlight/intel_backlight/brightness: Permission denied
bash-4.2$

I just don't get it. Permission denied? Truly that doesn't seem very sudo-ey at all. Does this maybe have something to do with the redirect in the command? I think I may have to have another look at man sudo myself (though you seem better able to make sense of it than I), and see if anything jumps out.

astrogeek 01-04-2014 12:22 AM

Quote:

Originally Posted by Miranden (Post 5091653)
Drat, no luck. :| It looks like you were exactly right about the /bin/echo to prevent the aliases (who knew it was as simple as that!), because visudo did allow that syntax, and when I open a terminal it is attempting to write to the file. However, instead of writing to it, it says

Code:

bash: /sys/class/backlight/intel_backlight/brightness: Permission denied
bash-4.2$

I just don't get it. Permission denied? Truly that doesn't seem very sudo-ey at all. Does this maybe have something to do with the redirect in the command? I think I may have to have another look at man sudo myself (though you seem better able to make sense of it than I), and see if anything jumps out.

That is surprising.

I do not have the same /sys/... obviously, so I added NOPASSWD:/bin/ls /root to my sudoer, then added sudo /bin/ls /root to my ~/.bashrc and it worked.

So just to double check, in the ~/.bashrc you did include "sudo" before the command?

Also what does ls -l /sys/class/backlight/... say? And if that is a symlink, what are the permissions of the target?

Miranden 01-04-2014 12:57 AM

Quote:

Originally Posted by astrogeek (Post 5091665)
That is surprising.

I do not have the same /sys/... obviously, so I added NOPASSWD:/bin/ls /root to my sudoer, then added sudo /bin/ls /root to my ~/.bashrc and it worked.

So just to double check, in the ~/.bashrc you did include "sudo" before the command?

Also what does ls -l /sys/class/backlight/... say? And if that is a symlink, what are the permissions of the target?

Yes, I did put the sudo in. Here is the line copied directly from my .bashrc

Code:

sudo /bin/echo 1000 > /sys/class/backlight/intel_backlight/brightness
And here are the permissions:

Code:

bash-4.2$ ls -l /sys/class/backlight/intel_backlight/brightness
-rw-r--r-- 1 root root 4.0K Jan  4 00:19 /sys/class/backlight/intel_backlight/brightness

My backlight keys do not work, so I routinely change the backlight in a terminal by switching to root and entering "echo {value} > /sys/class/backlight/intel_backlight/brightness." It works as expected, so I don't understand why this is different. I thought I must have made a typo somewhere or forgotten something, but I have checked several times and it is exactly as posted.

Here is my file in /etc/sudoers.d/:
Code:

bash-4.2# cat /etc/sudoers.d/set_brightness
miranden darkstar=NOPASSWD: /bin/echo * > /sys/class/backlight/intel_backlight/brightness
bash-4.2#

I have been awake too long, which is why I have copied and pasted everything directly. If I have missed something silly and obvious, please let me know. :)

I think I'll turn in and look tomorrow after some sleep.

Thanks again!

astrogeek 01-04-2014 01:16 AM

Quote:

Originally Posted by Miranden (Post 5091685)
I have been awake too long, which is why I have copied and pasted everything directly. If I have missed something silly and obvious, please let me know. :)

I think I'll turn in and look tomorrow after some sleep.

Thanks again!

I can certainly sympathize with that, unfortunately I have a few more hours to go...

I suspect we are both missing something very simple, here are a few thoughts that come immediately to mind...

Just to be very clear, assuming everything is as it appears but it fails from the ~/.bashrc, does it also fail if you type it in after login (i.e., from the terminal)?

Next, are we sure there is nothing else at play here, such as LDAP or SELinux?

And finally, I have not used the /etc/sudoers.d/... setup before, although it looks to be the same and simple. But just to be on familiar territory, can you remove the /etc/sudoers.d/ file that you made and do it the old fashioned way with visudo (and /etc/sudoers)?

The permissions make it writeable by root, so that should not be a problem - I think we are still missing something with sudo.

I'll check in later tomorrow myself. Thanks!

saivinoba 01-04-2014 02:42 AM

Can you check the following:
1. You have /bin/echo * in the sudoers file. Is it handling the wildcard properly? Maybe we need to quote the command or put the exact value?
2. Is your hostname 'darkstar'?
3. astrogeek has a valid point: have you tried to manually enter the command (with sudo, of course) when it failed to execute automatically with .bashrc?
4. Instead of being very specific about what you are allowed to echo, can you try to get permission to just use echo? Like,
Code:

miranden ALL = NOPASSWD: /bin/echo
(try generic host instead of specific hostname such as 'darkstar' first) and then put actual command in .bashrc like
Code:

sudo /bin/echo 1000 > /sys/class/backlight/intel_backlight/brightness

saivinoba 01-04-2014 05:39 AM

Hi,

Googled online for sudo and echo combination and found that it is not possible to use sudo echo. It seems '>' and '>>' are handled by the shell and not by sudoers. For that probably we should also have sudo permission to sh (or bash).

With 'tee' however we can achieve the same result. Change your /etc/sudoers.d/set_brightness as follows:
Code:

miranden ALL = NOPASSWD: /usr/bin/tee
Then in .bashrc put the following:
Code:

echo '1000' | sudo tee /sys/class/backlight/intel_backlight/brightness > /dev/null
I checked on my computer and it worked fine. Note: In the above line, sudo is for 'tee' only not for 'echo'. If you do not put '> /dev/null' at the end, each time you open terminal it will show '1000' before the prompt.

Once it works, you may change the hostname to 'darkstar' (if it is indeed your hostname) and confirm if it works.

P.S.: Is the brightness value really 1000 and not 100? On my computer it is 100.
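
Added example, not part of the thread: the `NOPASSWD: /usr/bin/tee` rule above puts no limit on which file tee may write as root. A narrower alternative is a root-owned helper that writes only the brightness file and validates the value first; the helper path `/usr/local/sbin/set-brightness` and the function name `set_brightness` are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example (not from the thread). Hypothetical install path:
#   /usr/local/sbin/set-brightness   (owner root, mode 0755)
# Matching sudoers entry, edited with: visudo -f /etc/sudoers.d/set_brightness
#   miranden darkstar = NOPASSWD: /usr/local/sbin/set-brightness
# Call from ~/.bashrc:  sudo /usr/local/sbin/set-brightness 1000
#
# sudo starts this script as root, so the redirection near the end is opened
# by a root process. In `sudo /bin/echo 1000 > file` the redirection is opened
# by the caller's unprivileged shell before sudo runs, hence "Permission denied".

SYSFS_DIR=/sys/class/backlight/intel_backlight   # directory named in the thread

# set_brightness DIR VALUE
# Returns 0 on success, 2 for a rejected value, 1 for an I/O problem.
set_brightness() {
    dir=$1
    value=$2
    case $value in
        ''|*[!0-9]*|0?*)
            # Digits only, no leading zero: one unambiguous decimal number.
            echo "set-brightness: value must be a plain decimal integer" >&2
            return 2 ;;
    esac
    # Bound the length so the numeric comparison below cannot overflow.
    if [ "${#value}" -gt 6 ]; then
        echo "set-brightness: value too large" >&2
        return 2
    fi
    # max_brightness is the driver's upper limit, exposed next to brightness.
    max=$(cat "$dir/max_brightness") || return 1
    case $max in ''|*[!0-9]*) return 1 ;; esac
    if [ "$value" -gt "$max" ]; then
        echo "set-brightness: $value exceeds max_brightness ($max)" >&2
        return 2
    fi
    printf '%s\n' "$value" > "$dir/brightness" || return 1
}

# Entry point: the target directory is fixed; only the value comes from the caller.
if [ "$#" -eq 1 ]; then
    set_brightness "$SYSFS_DIR" "$1"
fi
```

Because the sudoers entry names only the helper, the user gains no general ability to run tee, echo or a shell as root.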

Miranden 01-04-2014 12:45 PM

Quote:

Originally Posted by astrogeek (Post 5091690)
I can certainly sympathize with that, unfortunately I have a few more hours to go...

I suspect we are both missing something very simple, here are a few thoughts that come immediately to mind...

Just to be very clear, assuming everything is as it appears but it fails from the ~/.bashrc, does it also fail if you type it in after login (i.e., from the terminal)?

Should have tried that myself earlier. Yes it does.

Code:

sudo /bin/echo 500 > /sys/class/backlight/intel_backlight/brightness
bash: /sys/class/backlight/intel_backlight/brightness: Permission denied

Quote:

Next, are we sure there is nothing else at play here, such as LDAP or SELinux?
Nope, nothing like that.

Quote:

And finally, I have not used the /etc/sudoers.d/... setup before, although it looks to be the same and simple. But just to be on familiar territory, can you remove the /etc/sudoers.d/ file that you made and do it the old fashioned way with visudo (and /etc/sudoers)?
I would, but I'm not sure where to put the line in /etc/sudoers . . . will the very bottom work?

Miranden 01-04-2014 01:20 PM

Quote:

Originally Posted by saivinoba (Post 5091749)
Hi,

Googled online for sudo and echo combination and found that it is not possible to use sudo echo.

You can use sudo echo. I put "miranden darkstar = NOPASSWD: /usr/bin/echo" in /etc/sudoers and it works. It looks like it is the redirect (">") that is the problem.

Quote:

It seems '>' and '>>' are handled by the shell and not by sudoers. For that probably we should also have sudo permission to sh (or bash).
Funny, that's what I thought from the very beginning. As I mentioned in my initial post, the first thing I tried to get around that was to use

Code:

miranden darkstar=NOPASSWD:/bin/sh -c 'echo 1000 > /sys/class/backlight/intel_backlight/brightness'
I got errors with that. (I wonder why?) But ever since then, I've been wondering if it had something to do with the shell handling redirect (> or >>). I guess I should have learned how to use tee! Somehow I've never gotten around to that command . . .

Quote:

Change your /etc/sudoers.d/set_brightness as follows:
Code:

miranden ALL = NOPASSWD: /usr/bin/tee
Then in .bashrc put the following:
Code:

echo '1000' | sudo tee /sys/class/backlight/intel_backlight/brightness > /dev/null
I checked on my computer and it worked fine. Note: In the above line, sudo is for 'tee' only not for 'echo'. If you do not put '> /dev/null' at the end, each time you open terminal it will show '1000' before the prompt.
It works! Thanks a lot! Of course astrogeek's solution of putting the line in /etc/rc.d/rc.local is the best way to go, but I am very glad to know how to work sudo as well. :D

Quote:

Once it works, you may change the hostname to 'darkstar' (if it is indeed your hostname) and confirm if it works.

P.S.: Is the brightness value really 1000 and not 100? On my computer it is 100.
My hostname is darkstar. I used the command "hostname" before I started this to be sure. And as far as the brightness, every card is different. On my computer it goes up to over 4000. Thank you for your help! This was literally keeping me up at night . . . :)

astrogeek 01-04-2014 01:51 PM

Well that was educational for all of us!

I'll add an appropriate note to my knowledge base!

Thanks to saivinoba for joining in with the key info!

Miranden 01-04-2014 01:58 PM

Yes it was! I will definitely be adding appropriate notes as well.

Thanks for all the help. Whew!


All times are GMT -5.