I wrote an application that for some of its commands requires root privileges.
I understand the best way to do this is by using sudo, and for that I needed to edit /etc/sudoers with visudo.
It all works fine, but here is my question:
What is the best way for an install package to edit /etc/sudoers?
And while we're at it, I have another question.
When I ran sudo -l, it required a password. Why?
This is a user that I added myself, and it is in its own group. Does it have anything to do with groups?
Whenever you run sudo, it should ask for a password, that's the whole point unless you configure it to be passwordless for that user.
And everyone tells you to edit with visudo but you can easily edit by just using vi /etc/sudoers or even piping whatever data you want into the file, I've never had problems editing by my own conventional means.
Make changes
Save the changes (these will be saved to /etc/sudoers.tmp)
Exit your editor
Something will parse your /etc/sudoers.tmp file and report any errors. I find this is useful because it gives me a chance to correct bad syntax. (trickykid probably doesn't suffer from bad syntax!)
If there are no errors the .tmp file will be moved to /etc/sudoers
Nope, apparently not. Edited sudoers thousands of times, never got any type of issues with it.
Though, if you do want to include a sudoers as a template of some kind, edit it using visudo, save the file and use that file as the template, copying it out to the destination hosts you want such sudoers configured with. That way you get around the bad syntax if you just don't trust yourself.
Thanks trickykid.
But I'm still stuck trying to answer that post I referred to above.
Don't wish to hijack this thread, but I have added
%tredegar myhostname = NOPASSWD: /usr/bin/adept
to my sudoers file to try and make it so that when I run adept, it doesn't ask for a password, but it still does!
What am I doing wrong? (Maybe you could help me answer that thread, or even answer it yourself?!)
Good point.
Perhaps we are barking up the wrong tree.
Maybe we should be telling him to make his application executable / writable only by root.
Then he just needs to invoke it with sudo application_name?
If an application can modify root permissions without user intervention then it can probably do anything malicious as well, me smelling virus here or am I terribly wrong?
My first thought was that he was asking for a way to install something as in Windows. But then I realised, if you run with a restricted account, it can't work in Windows either.
Basically, if it's not a virus, it's bad security - no install file should ever affect your sudo file or be able to gain root access unless you, the admin, explicitly and manually allow it.
Thank you all for your replies. Some more clarifications...
First of all, yes, having an application that gains root privilege is a bad idea.
I didn't plan to write an application to modify /etc/sudoers, I mean for the install to do that, and you have to be root to install anyway...
Once the install adds this line to /etc/sudoers: theuser ALL= NOPASSWD: /sbin/myapplication
theuser, and only theuser will be able to run my application.
From what I've read, this is the safest way to do this.
Second, I have used visudo to edit the file successfully, but how would the install do that? Surely we are not going to ask every user to manually edit the file. I'm sure there is a way but I don't know what it is. What is the common solution for this scenario?
Lastly, the man pages for sudo say the following about "sudo -l"
The -l (list) option will list out the allowed (and forbidden) commands for the user on the current host.
I don't believe running sudo with this switch requires root password, otherwise what is the point? And in fact, when I ran this command on a Linux server it didn't require a password, but when I ran it on the machine I am maintaining it did. What is it then?
Or like I said before, create your base template sudoers file and have the installer copy that from a remote source, or include with your media if you want.
And when specifying a single user, you don't need the % in front.
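Added example, not from any poster in this thread: a package install script can follow the same stage, check, then move sequence that visudo performs interactively, using `visudo -c -f` to syntax-check the rule before it becomes active. It assumes the system's /etc/sudoers includes the drop-in directory /etc/sudoers.d and that the script runs as root; the function name and the `SUDOERS_DIR` and `VISUDO` variables are hypothetical.

```shell
#!/bin/sh
# Added example: install a sudoers rule from a package script, checking it first.
# Assumptions: /etc/sudoers has an includedir line for /etc/sudoers.d, and the
# script runs as root (as package install scripts do), so the file is root-owned.

SUDOERS_DIR="${SUDOERS_DIR:-/etc/sudoers.d}"   # hypothetical override for dry runs
VISUDO="${VISUDO:-visudo}"                     # checker, invoked as: visudo -c -f FILE

# install_sudoers_rule NAME RULE   (hypothetical helper)
# Stages RULE in a temp file, syntax-checks it, and only then moves it into place.
# Returns 0 on success, 1 if the check fails, 2 if NAME is not usable.
install_sudoers_rule() {
    name=$1
    rule=$2

    # sudo skips drop-in files whose names contain '.' or end in '~',
    # so restrict the name to characters that are always read.
    case $name in
        ''|*[!A-Za-z0-9_-]*) echo "bad file name: $name" >&2; return 2 ;;
    esac

    # Stage inside the target directory so the final mv is an atomic rename.
    # The leading-dot name means sudo ignores the staged file meanwhile.
    tmp=$(mktemp "$SUDOERS_DIR/.stage.XXXXXX") || return 1
    printf '%s\n' "$rule" > "$tmp"
    chmod 0440 "$tmp"

    # A rule with a syntax error must never reach the live configuration.
    if ! "$VISUDO" -c -f "$tmp" >/dev/null 2>&1; then
        echo "syntax check failed, nothing installed" >&2
        rm -f "$tmp"
        return 1
    fi

    mv -f "$tmp" "$SUDOERS_DIR/$name"
}

# Usage from a post-install script, with the rule quoted in the thread:
#   install_sudoers_rule myapplication 'theuser ALL= NOPASSWD: /sbin/myapplication'
```

Removing the package is then a matter of deleting that one file, and the main /etc/sudoers is never rewritten.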