LinuxQuestions.org

Linux - Security: Add NOPASSWD in /etc/sudoers to only some specific commands (https://www.linuxquestions.org/questions/linux-security-4/add-nopasswd-in-etc-sudoers-to-only-some-specific-commands-4175607486/)

xpdin 06-07-2017 04:23 PM

Add NOPASSWD in /etc/sudoers to only some specific commands
 
Are there any risks in letting the commands below be used with no password?

It is a home computer with no other users; I only use the single default user that was created when Ubuntu was installed.

I would like to not have to type the sudo password at all for these commands:

Code:

echo 100 > /sys/class/backlight/intel_backlight/brightness

ethtool -s eth0 autoneg off speed 100 duplex full

dhclient eth0

apt-get update && apt-get upgrade && apt-get dist-upgrade -y

# each of these is an apt-get subcommand, so apt-get is repeated before each one
apt-get autoremove && apt-get clean && apt-get autoclean -y

Thank you.

Laserbeak 06-07-2017 04:57 PM

Quote:

Originally Posted by xpdin (Post 5720262)
Are there any risks in letting the commands below be used with no password?

Sorry, I'm not really sure what the security implications would be of doing this via sudo... what I guess I would do is create one-liner scripts to do each of these things, make them owned by root and change the permissions to 4755 (setuid) so they run as root even if you run them from an ordinary user account.

xpdin 06-07-2017 05:05 PM

Thank you Laserbeak,

Some recommendations how to do it from scratch please?

If it is not possible, or it is a big risk (like having the password stored somewhere in plain text) to never type the password for each command, maybe at least it is possible to type it only once after boot, without having to type it again until the next reboot, or after the system sleeps or hibernates, for example.

Regards.

Laserbeak 06-07-2017 05:10 PM

Quote:

Originally Posted by xpdin (Post 5720274)
Thank you Laserbeak,

Some recommendations how to do it from scratch please?

If it is not possible, or it is a big risk (like having the password stored somewhere in plain text) to never type the password for each command, maybe at least it is possible to type it only once after boot, without having to type it again until the next reboot, or after the system sleeps or hibernates, for example.

Regards.


As root you'd create a file containing:
Code:

#!/bin/bash
echo 100 > /sys/class/backlight/intel_backlight/brightness

and save it as, say, /usr/local/bin/bright. Then type:

Code:

chmod 4755 /usr/local/bin/bright
Then whenever you ran "bright" it would run that command as root, even if you're logged in as an ordinary user.

Make sure /usr/local/bin is in your PATH environment variable.

BW-userx 06-07-2017 05:11 PM

Code:

## Same thing without a password
%wheel ALL=(ALL) NOPASSWD: ALL

can be
Code:

## Same thing without a password
%sudo ALL=(ALL) NOPASSWD: ALL

depending on which group you use. You will still have to use sudo; it just removes the need to enter the password. :D That is what I do :D

Laserbeak 06-07-2017 05:29 PM

Quote:

Originally Posted by BW-userx (Post 5720277)
Code:

## Same thing without a password
%wheel ALL=(ALL) NOPASSWD: ALL

can be
Code:

## Same thing without a password
%sudo ALL=(ALL) NOPASSWD: ALL

depending on which group you use. You will still have to use sudo; it just removes the need to enter the password. :D That is what I do :D

This could be useful too, but it seems to open up your system more than my way, which limits it to one command with specified options, so it should be safer. Plus you don't have to type sudo. It's up to you... in UNIX there are almost always several ways to get something done :D

BW-userx 06-07-2017 06:01 PM

Quote:

Originally Posted by Laserbeak (Post 5720282)
This could be useful too, but it seems to open up your system more than my way, which limits it to one command with specified options, so it should be safer. Plus you don't have to type sudo. It's up to you... in UNIX there are almost always several ways to get something done :D

yep!

Habitual 06-07-2017 06:52 PM

Sudo: you're doing it wrong - PDF @ 171 pages.
Sudo: you're doing it wrong - YouTubeVid @ 1h:11m

Get Some!

rknichols 06-07-2017 09:01 PM

Quote:

Originally Posted by Laserbeak (Post 5720276)
As root you'd create a file containing:
Code:

#!/bin/bash
echo 100 > /sys/class/backlight/intel_backlight/brightness

and save it as, say, /usr/local/bin/bright. Then type:

Code:

chmod 4755 /usr/local/bin/bright
Then whenever you ran "bright" it would run that command as root, even if you're logged in as an ordinary user.

SetUID for scripts has been disallowed in Unix/Linux for a long, long time due to insurmountable security issues.

Laserbeak 06-08-2017 04:49 AM

Quote:

Originally Posted by rknichols (Post 5720332)
SetUID for scripts has been disallowed in Unix/Linux for a long, long time due to insurmountable security issues.

Well if setuid for a shell script doesn't work, then you'd have to do a simple C program that launches the program you want.

For example (totally untested since I don't have Linux, I have Mac OS X):

Code:

#include <stdio.h>
#include <unistd.h>

/* setuid-root wrapper that runs one fixed command line as root */
int main(void) {
    /* the 4755 bit only makes the effective uid 0; make the real uid 0 as well
       so a target that drops privileges still keeps them */
    if (setuid(0) != 0) {
        perror("setuid");
        return 1;
    }
    /* execl takes the full path, then argv[0], then the arguments, then a NULL terminator */
    execl("/sbin/ethtool", "ethtool", "-s", "eth0", "autoneg", "off",
          "speed", "100", "duplex", "full", (char *)NULL);
    perror("execl"); /* only reached if the exec failed */
    return 1;
}


Piping something would be more complicated:

Code:

#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* setuid-root wrapper for "echo 100 > brightness": the sysfs attribute is a file,
   not a program, so the child runs tee with the pipe as its stdin and the parent
   writes "100" into the pipe */
int main(void) {
    int descriptors[2];

    if (setuid(0) != 0) {
        perror("setuid");
        return 1;
    }
    if (pipe(descriptors) == -1) {
        perror("pipe");
        return 1;
    }
    pid_t pid = fork();
    if (pid == -1) {
        perror("Error: Can't Fork!");
        return 1;
    } else if (pid == 0) { /* child process */
        close(descriptors[1]); /* child must not keep the write end, or tee never sees EOF */
        dup2(descriptors[0], STDIN_FILENO);
        close(descriptors[0]);
        execl("/usr/bin/tee", "tee", "/sys/class/backlight/intel_backlight/brightness", (char *)NULL);
        perror("execl");
        _exit(1);
    } else {
        close(descriptors[0]);
        write(descriptors[1], "100\n", strlen("100\n"));
        close(descriptors[1]); /* EOF for tee */
        wait(NULL);
    }

    return 0;
}

You'd have to compile them with gcc or equivalent, and still chmod them 4755, owned by root.

I have no way to really test these, since I don't have your system.

Turbocapitalist 06-08-2017 05:08 AM

Quote:

Originally Posted by xpdin (Post 5720262)
Are there any risks in letting the commands below be used with no password?

Not really, if you also specify the exact parameters allowed.

See the links that Habitual posted for good guidance on getting up to speed with sudo and of course the manual page for sudoers.

You'll have to set the exact paths inside sudoers. Here the permissions would apply to the group xpdin:

Code:

%xpdin ALL=(root:root) NOPASSWD: /usr/bin/tee /sys/class/backlight/intel_backlight/brightness
   
%xpdin ALL=(root:root) NOPASSWD: /sbin/ethtool -s eth0 autoneg off speed 100 duplex full

%xpdin ALL=(root:root) NOPASSWD: /sbin/dhclient eth0, /sbin/dhclient -v eth0

%xpdin ALL=(root:root) NOPASSWD: /usr/bin/apt-get update, /usr/bin/apt-get upgrade, \
        /usr/bin/apt-get dist-upgrade -y, /usr/bin/apt-get autoremove, \
        /usr/bin/apt-get clean, /usr/bin/apt-get autoclean -y

The only questionable one is the tee, which would allow you to send anything to the backlight settings, not just "100":

Code:

echo 100 | sudo tee /sys/class/backlight/intel_backlight/brightness
If some of these actions are too long to type, you might also try saving them as shell aliases or shell functions.
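An added example, not part of any post in this thread: a toy model in Python of the sudoers argument-matching rules that the entries above rely on (user or %group, the NOPASSWD tag, the full command path, and the argument list). Everything else in sudoers (Defaults, aliases, host and runas matching) is left out; the user name, the two contrasting rule variants and the invocations are constructed for the demo, and the paths are the ones given in the post.

```python
# Added example (not from any post in this thread): a toy model of the sudoers
# command-matching rules the NOPASSWD entries above rely on. Only user/%group,
# the NOPASSWD tag, the full command path and the argument list are modelled;
# Defaults, aliases, host and runas matching are ignored.
import fnmatch
import re
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass(frozen=True)
class Rule:
    who: str             # "user" or "%group"
    nopasswd: bool
    cmd: str             # absolute path, or ALL
    args: Optional[str]  # None: any args; "": no args at all; else the exact list (globs allowed)


# who HOST=(RUNAS) [NOPASSWD:|PASSWD:] cmd [args], cmd [args], ...
SPEC_RE = re.compile(r'^[^=\s]+\s*=\s*(?:\([^)]*\)\s*)?((?:NO)?PASSWD:\s*)?(.+)$')


def parse_rules(text: str) -> List[Rule]:
    rules = []
    for raw in text.replace("\\\n", " ").splitlines():  # join backslash continuations
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        who, rest = line.split(None, 1)
        m = SPEC_RE.match(rest)
        if not m:
            raise ValueError("unsupported sudoers line: " + raw)
        nopasswd = (m.group(1) or "").startswith("NOPASSWD")
        for spec in m.group(2).split(","):
            parts = spec.strip().split(None, 1)
            if not parts:
                continue
            if len(parts) == 1:
                args = None                        # bare command: ANY arguments are accepted
            elif parts[1].strip() == '""':
                args = ""                          # "": the command may only be run with no arguments
            else:
                args = " ".join(parts[1].split())  # fixed argument list (sudoers wildcards allowed)
            rules.append(Rule(who, nopasswd, parts[0], args))
    return rules


def allowed(rules: List[Rule], user: str, groups: Set[str], argv: List[str]) -> bool:
    """True if argv may run as root without a password.

    argv[0] must be the absolute path sudo resolved through PATH; the remaining
    arguments are compared as one space-joined string, as sudo does. Note what is
    not visible here at all: stdin, the environment, and what the program itself
    does with its arguments once it runs as root."""
    if not argv or not argv[0].startswith("/"):
        return False
    argstr = " ".join(argv[1:])
    for r in rules:
        if r.who != user and not (r.who.startswith("%") and r.who[1:] in groups):
            continue
        if not r.nopasswd or r.cmd not in ("ALL", argv[0]):
            continue
        if r.args is None or fnmatch.fnmatchcase(argstr, r.args):
            return True
    return False


# The entries from the post above (the paths are assumptions about the box, as there)
THREAD_RULES = """
%xpdin ALL=(root:root) NOPASSWD: /usr/bin/tee /sys/class/backlight/intel_backlight/brightness
%xpdin ALL=(root:root) NOPASSWD: /sbin/ethtool -s eth0 autoneg off speed 100 duplex full
%xpdin ALL=(root:root) NOPASSWD: /sbin/dhclient eth0, /sbin/dhclient -v eth0
%xpdin ALL=(root:root) NOPASSWD: /usr/bin/apt-get update, /usr/bin/apt-get upgrade, \\
        /usr/bin/apt-get dist-upgrade -y, /usr/bin/apt-get autoremove, \\
        /usr/bin/apt-get clean, /usr/bin/apt-get autoclean -y
"""
# Two constructed variants for contrast: no argument list at all, and an empty one
LOOSE_RULES = "%xpdin ALL=(root:root) NOPASSWD: /sbin/dhclient\n"
NOARG_RULES = '%xpdin ALL=(root:root) NOPASSWD: /sbin/dhclient ""\n'


def check(argv: List[str], rules_text: str = THREAD_RULES) -> bool:
    """Would user xpdin (member of group xpdin) get a passwordless root run of argv?"""
    return allowed(parse_rules(rules_text), "xpdin", {"xpdin"}, argv)


if __name__ == "__main__":
    for argv in (["/usr/bin/apt-get", "update"],
                 ["/usr/bin/apt-get", "install", "somepkg"],
                 ["/sbin/dhclient", "-sf", "/tmp/script", "eth0"],  # extra arguments: refused
                 ["/usr/bin/tee", "/etc/sudoers.d/backdoor"],       # a different file: refused
                 ["/bin/echo", "100"]):                              # the '>' never reaches sudo
        print(check(argv), " ".join(argv))
    print(check(["/sbin/dhclient", "-sf", "/tmp/script", "eth0"], LOOSE_RULES), "with a bare /sbin/dhclient rule")
```

Three things the model makes visible. A command listed without arguments accepts any arguments, so a bare `/sbin/dhclient` entry would let the caller pass, for example, `-sf` and a script of their choosing; the fixed-argument entries refuse that. Redirection is done by the caller's unprivileged shell before sudo ever runs, which is why `sudo echo 100 > /sys/...` fails and the post switches to `tee`; the matcher only ever sees `/bin/echo 100`. And an exact argument list says nothing about stdin, which is exactly the caveat the post raises about `tee`. On a real system the authoritative check is `sudo -l`, which lists the rules as sudo itself parses them.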

pan64 06-08-2017 07:09 AM

Quote:

Originally Posted by rknichols (Post 5720332)
SetUID for scripts has been disallowed in Unix/Linux for a long, long time due to insurmountable security issues.

As far as I know, the executable is not the script but the interpreter (bash itself). Therefore using setuid on a script is simply meaningless. You ought to use it on the binary.

BW-userx 06-08-2017 07:45 AM

If it is just one user, as he stated, he could also use an alias in his .bashrc and
give himself NOPASSWD in sudoers, then (example):
Code:

alias updateMe="sudo xbps-install -Suy"


good morning userx
userx%voider ⚡ ~ ⚡> updateMe
[*] Updating `https://repo.voidlinux.eu/current/x86_64-repodata' ...
x86_64-repodata: 1272KB [avg rate: 15KB/s]
userx%voider ⚡ ~ ⚡>


Laserbeak 06-08-2017 10:06 PM

You could also do it in Perl, it definitely allows suid scripts and is usually easier than C.

xpdin 06-10-2017 03:38 PM

Thank you very much to all for your replies.

Can someone please say whether there are any disadvantages or advantages between the following method and the methods from the posts above?

Code:

sudo su
Create
Code:

/usr/local/bin/scriptname
and write the lines below in it:


Code:

#!/bin/bash
   
command in here without sudo
   
# the end of the scriptname


Create
Code:

/etc/sudoers.d/scriptname
and write the following lines in it:

Code:

# sudoers alias names must consist of upper-case letters, digits and underscores
User_Alias SCRIPTNAME = username
# the command alias points at the script created above in /usr/local/bin
Cmnd_Alias SCRIPTABREVIATON = /usr/local/bin/scriptname
SCRIPTNAME ALL=NOPASSWD: SCRIPTABREVIATON


Add at the end of
Code:

/etc/sudoers
the following two lines:


Code:

 
username ALL=(ALL:ALL) ALL
username ALL=(ALL:ALL) NOPASSWD: /usr/local/bin/scriptname


Code:

chown root:root /etc/sudoers.d/scriptname
chown root:root /usr/local/bin/scriptname
chmod 0700 /usr/local/bin/scriptname
chmod 0440 /etc/sudoers.d/scriptname

From the regular user name:

Code:

sudo /usr/local/bin/scriptname
It shouldn't ask for the sudo password any more.

Everywhere "scriptname", "username" and "scriptabreviaton" appear, each of them must be the same throughout.

Turbocapitalist 06-11-2017 01:39 AM

I've moved around some of your reply to make it easier to answer.

Quote:

Originally Posted by xpdin (Post 5721386)
Thank you very much to all for your replies.
Can someone say please, are there any disadvantages or advantages between the next method and the methods from the above posts?

Code:

sudo su

If you want a login shell for root, try sudo -i instead.

Quote:

Originally Posted by xpdin (Post 5721386)
Create
Code:

/usr/local/bin/scriptname
and write the lines below in it:


Code:

#!/bin/bash
   
command in here without sudo
   
# the end of the scriptname

Code:

chown root:root /etc/sudoers.d/scriptname
chown root:root /usr/local/bin/scriptname
chmod 0700 /usr/local/bin/scriptname
chmod 0440 /etc/sudoers.d/scriptname


Yes, that looks good, depending on the details of the command. You have the script out of the way where only root can change it.

Instead of changing both configuration files, I'd put the following in /etc/sudoers.d/scriptname and leave /etc/sudoers alone.

Code:

username ALL=(ALL:ALL) NOPASSWD: /usr/local/bin/scriptname
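An added example, not part of any post in this thread: a small Python audit of the recipe the thread settles on (a root-owned script in /usr/local/bin plus one fragment in /etc/sudoers.d), run against a staging tree that the code builds itself. The checks are the ones a reviewer would make of such a setup: sudo silently skips files in sudoers.d whose name contains a "." or ends in "~"; the fragment should be mode 0440 and root-owned as in the post; every command granted with NOPASSWD must be an absolute path that only root can write, sitting in a directory only root can write; and NOPASSWD: ALL or wildcards in the argument list deserve a second look. The paths, the user name, the script contents and the owner_uid parameter are assumptions for the demo (on a live system owner_uid is 0); User_Alias and Cmnd_Alias lines are not parsed, only plain user-spec lines carrying NOPASSWD:.

```python
# Added example (not from any post in this thread): audit a "root-owned script +
# /etc/sudoers.d fragment" setup for the mistakes that make sudo ignore the rule
# or let another local account hijack it. Everything here is staged in a temp tree.
import os
import re
import stat
import tempfile
from typing import Dict, List

NOPASSWD_RE = re.compile(r'\bNOPASSWD:\s*(.+?)\s*$')


def audit_command(cmd: str, root: str, owner_uid: int, lineno: int) -> List[str]:
    """Checks on one granted command: exists, owned by owner_uid, not writable by others,
    and not sitting in a directory others can write (where the file could be swapped)."""
    path = os.path.join(root, cmd.lstrip("/"))
    if not os.path.isfile(path):
        return [f"line {lineno}: {cmd} does not exist under {root}"]
    out = []
    st = os.stat(path)
    if st.st_uid != owner_uid:
        out.append(f"line {lineno}: {cmd} is owned by uid {st.st_uid}, not {owner_uid}; its owner decides what root runs")
    if stat.S_IMODE(st.st_mode) & 0o022:
        out.append(f"line {lineno}: {cmd} is group/world writable; whoever can write it runs code as root")
    pst = os.stat(os.path.dirname(path))
    if stat.S_IMODE(pst.st_mode) & 0o022 and not pst.st_mode & stat.S_ISVTX:
        out.append(f"line {lineno}: directory of {cmd} is group/world writable; the file can be replaced")
    return out


def audit_fragment(fragment: str, root: str = "/", owner_uid: int = 0) -> List[str]:
    """Return findings for one sudoers.d fragment; an empty list means nothing to fix.
    root:      prefix under which granted command paths are looked up (a staging tree in tests)
    owner_uid: uid that must own the fragment and every granted command (0 on a live system)"""
    findings = []
    name = os.path.basename(fragment)
    # sudoers(5): files in the #includedir whose name contains '.' or ends in '~' are skipped
    if "." in name or name.endswith("~"):
        findings.append(f"{name}: name contains '.' or ends in '~', sudo will ignore this file")
    st = os.stat(fragment)
    if st.st_uid != owner_uid:
        findings.append(f"{name}: owned by uid {st.st_uid}, expected {owner_uid}")
    mode = stat.S_IMODE(st.st_mode)
    if mode != 0o440:
        findings.append(f"{name}: mode {mode:04o}, expected 0440")
    with open(fragment) as fh:
        text = fh.read()
    for lineno, raw in enumerate(text.replace("\\\n", " ").splitlines(), 1):
        m = NOPASSWD_RE.search(raw.split("#", 1)[0])
        if not m:
            continue
        for spec in m.group(1).split(","):
            parts = spec.split()
            if not parts:
                continue
            cmd, args = parts[0], parts[1:]
            if cmd == "ALL":
                findings.append(f"line {lineno}: NOPASSWD: ALL is unrestricted passwordless root")
            elif not cmd.startswith("/"):
                findings.append(f"line {lineno}: {cmd} is not an absolute path")
            else:
                if any(ch in a for a in args for ch in "*?["):
                    findings.append(f"line {lineno}: wildcard in the arguments of {cmd}; a '*' also matches extra arguments")
                findings += audit_command(cmd, root, owner_uid, lineno)
    return findings


def stage(root: str, script_mode: int = 0o700, fragment_name: str = "scriptname",
          rule: str = "username ALL=(ALL:ALL) NOPASSWD: /usr/local/bin/scriptname\n") -> str:
    """Lay out the thread's recipe under a staging root (constructed data) and return the fragment path."""
    bindir = os.path.join(root, "usr/local/bin")
    sudodir = os.path.join(root, "etc/sudoers.d")
    os.makedirs(bindir, exist_ok=True)
    os.makedirs(sudodir, exist_ok=True)
    os.chmod(bindir, 0o755)
    script = os.path.join(bindir, "scriptname")
    with open(script, "w") as fh:
        fh.write("#!/bin/bash\nethtool -s eth0 autoneg off speed 100 duplex full\n")
    os.chmod(script, script_mode)
    fragment = os.path.join(sudodir, fragment_name)
    with open(fragment, "w") as fh:
        fh.write(rule)
    os.chmod(fragment, 0o440)
    return fragment


def demo() -> Dict[str, List[str]]:
    """Audit a clean install and three broken variants; the current uid stands in for root."""
    cases = {
        "clean": {},
        "group_writable_script": {"script_mode": 0o775},
        "ignored_filename": {"fragment_name": "script.name"},
        "nopasswd_all": {"rule": "username ALL=(ALL:ALL) NOPASSWD: ALL\n"},
    }
    results = {}
    for label, kw in cases.items():
        with tempfile.TemporaryDirectory() as root:
            results[label] = audit_fragment(stage(root, **kw), root=root, owner_uid=os.getuid())
    return results


if __name__ == "__main__":
    for label, findings in demo().items():
        print(label, "->", findings or "ok")
```

On a live machine the call is simply `audit_fragment("/etc/sudoers.d/scriptname")`, and the syntax of the fragment itself is best checked with `visudo -cf /etc/sudoers.d/scriptname` before relying on it. The earlier draft in this thread put the command alias at a path under /home, which the directory check above flags: a script that root runs on request must not live anywhere the unprivileged user can write, which is the point of `chown root:root` and `chmod 0700` in the recipe.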

