Add NOPASSWD in /etc/sudoers to only some specific commands

xpdin · 06-07-2017, 04:23 PM

Are there any risks for letting the beyond commands to be used with no password?

It is a home computer, with no other users using it, I only use the single default created user when Ubuntu was installed.

I would like to don't have to write at all the sudo password for these commands:

Code:

echo 100 > /sys/class/backlight/intel_backlight/brightness
    
    ethtool -s eth0 autoneg off speed 100 duplex full

    dhclient eth0

    apt-get update && apt-get upgrade && apt-get dist-upgrade -y

    apt-get autoremove && remove && clean && autoclean -y

Thank you.

Laserbeak · 06-07-2017, 04:57 PM

Quote:

Originally Posted by xpdin

Are there any risks for letting the beyond commands to be used with no password?

Sorry, I'm not really sure what the security implications would be doing this via sudo... what I guess I would do is create one liner scripts to do each these things and make them owned by root and change the permissions to 4755 (setuid) so they run as root even if you run it from an ordinary user account.

xpdin · 06-07-2017, 05:05 PM

Thank you Laserbeak,

Some recommendations how to do it from scratch please?

If it is not possible or it is a big risk(like having the password stored somewhere in plain text) to never write the password for every each command, maybe at least it is possible to write it only one after boot. Without to have to write it again until the next reboot, or after system sleeps or hibernates for example.

Regards.

Laserbeak · 06-07-2017, 05:10 PM

Quote:

Originally Posted by xpdin

Thank you Laserbeak,

Some recommendations how to do it from scratch please?

If it is not possible or it is a big risk(like having the password stored somewhere in plain text) to never write the password for every each command, maybe at least it is possible to write it only one after boot. Without to have to write it again until the next reboot, or after system sleeps or hibernates for example.

Regards.

As root you'd create a file containing:

Code:

#!/bin/bash
echo 100 > /sys/class/backlight/intel_backlight/brightness

and save to like /usr/local/bin/bright. Then type:

Code:

chmod 4755 /usr/local/bin/bright

Then whenever you ran "bright" it would run that command as root, even if you're logged in as an ordinary user.

Make sure /usr/local/bin is in your PATH environment variable.

BW-userx · 06-07-2017, 05:11 PM

Code:

## Same thing without a password
%wheel ALL=(ALL) NOPASSWD: ALL

can be

Code:

## Same thing without a password
%sudo ALL=(ALL) NOPASSWD: ALL

depending on what group you use. You will still have to use sudo - it just removes the need to add the password.

that is what I do

Laserbeak · 06-07-2017, 05:29 PM

Quote:

Originally Posted by BW-userx

Code:

## Same thing without a password
%wheel ALL=(ALL) NOPASSWD: ALL

can be

Code:

## Same thing without a password
%sudo ALL=(ALL) NOPASSWD: ALL

depending on what group you use. You will still have to use sudo - it just removes the need to add the password.

that is what I do

This could be useful too, but it seems to open up your system more than my way, which limits it to one command with specified options, so should be safer. Plus you don't have to type sudo. It's up to you... in UNIX there's almost always several ways to get something done

BW-userx · 06-07-2017, 06:01 PM

Quote:

Originally Posted by Laserbeak

This could be useful too, but it seems to open up your system more than my way, which limits it to one command with specified options, so should be safer. Plus you don't have to type sudo. It's up to you... in UNIX there's almost always several ways to get something done

yep!

Habitual · 06-07-2017, 06:52 PM

Sudo: you're doing it wrong - PDF @ 171 pages.
Sudo: you're doing it wrong - YouTubeVid @ 1h:11m

Get Some!

rknichols · 06-07-2017, 09:01 PM

Quote:

Originally Posted by Laserbeak

As root you'd create a file containing:

Code:

#!/bin/bash
echo 100 > /sys/class/backlight/intel_backlight/brightness

and save to like /usr/local/bin/bright. Then type:

Code:

chmod 4755 /usr/local/bin/bright

Then whenever you ran "bright" it would run that command as root, even if you're logged in as an ordinary user.

SetUID for scripts has been disallowed in Unix/Linux for a long, long time due to insurmountable security issues.

Laserbeak · 06-08-2017, 04:49 AM

Quote:

Originally Posted by rknichols

SetUID for scripts has been disallowed in Unix/Linux for a long, long time due to insurmountable security issues.

Well if setuid for a shell script doesn't work, then you'd have to do a simple C program that launches the program you want.

For example (totally untested since I don't have Linux, I have Mac OS X):

Code:

#include <unistd.h>

int main (int argc, char *argv[]) {

    setuid(0);

    execl ("ethtool", "-s", "eth0", "autoneg", "off", "speed", "100", "duplex", "full");
}

Piping something would be more complicated:

Code:

#include <stdio.h>
#include <unistd.h>
#include <string.h>
#include <sys/wait.h>

int main(int argc, const char * argv[]) {
    
    
        int descriptors[2];
        pipe(descriptors);
        pid_t pid = fork();
        if (pid == - 1)
            perror("Error: Can't Fork!\n");
        else if (pid == 0 ) { //child process
            dup2(descriptors[0], STDIN_FILENO);
            execl ("/sys/class/backlight/intel_backlight/brightness", "/sys/class/backlight/intel_backlight/brightness");
        } else {
            write (descriptors[1], "100", strlen("100"));
            wait(NULL);
        }

    return 0;
}

You'd have to compile them with gcc or equivalent and still have to chmod 4755, owned by root.

I have no way to really test these, since I don't have your system.

Turbocapitalist · 06-08-2017, 05:08 AM

Quote:

Originally Posted by xpdin

Are there any risks for letting the beyond commands to be used with no password?

Not really, if you also specify the exact parameters allowed.

See the links that Habitual posted for good guidance on getting up to speed with sudo and of course the manual page for sudoers.

You'll have to set the exact paths inside sudoers. Here the permissions would apply to the group xpdin:

Code:

%xpdin ALL=(root:root) NOPASSWD: /usr/bin/tee /sys/class/backlight/intel_backlight/brightness
    
%xpdin ALL=(root:root) NOPASSWD: /sbin/ethtool -s eth0 autoneg off speed 100 duplex full

%xpdin ALL=(root:root) NOPASSWD: /sbin/dhclient eth0, /sbin/dhclient -v eth0

%xpdin ALL=(root:root) NOPASSWD: /usr/bin/apt-get update, /usr/bin/apt-get upgrade, \
        /usr/bin/apt-get dist-upgrade -y, /usr/bin/apt-get autoremove, \
        /usr/bin/apt-get clean, /usr/bin/apt-get autoclean -y

The only questionable one is the tee which would allow you to send anything to the backlight settings, not just "100"

Code:

echo 100 | sudo tee /sys/class/backlight/intel_backlight/brightness

If some of these actions are too long to type, you might also try saving them as shell aliases or shell functions.

pan64 · 06-08-2017, 07:09 AM

Quote:

Originally Posted by rknichols

SetUID for scripts has been disallowed in Unix/Linux for a long, long time due to insurmountable security issues.

As far as I know the executable is not the script, but the interpreter (bash itself). Therefore using setuid on script is simply meaningless. You ought to use it on the binary.

BW-userx · 06-08-2017, 07:45 AM

if it is just one user as he stated he could also uses alias in the bashrc
give himself no passwd in sudoers then (example)

Code:

alias updateMe="sudo xbps-install -Suy"


good morning userx
userx%voider ⚡ ~ ⚡> updateMe
[*] Updating `https://repo.voidlinux.eu/current/x86_64-repodata' ...
x86_64-repodata: 1272KB [avg rate: 15KB/s]
userx%voider ⚡ ~ ⚡>

Laserbeak · 06-08-2017, 10:06 PM

You could also do it in Perl, it definitely allows suid scripts and is usually easier than C.

xpdin · 06-10-2017, 03:38 PM

Thank you very much to all for your replies.

Can someone say please, are there any disadvantages or advantages between the next method and the methods from the above posts?

Code:

sudo su

Create

Code:

/usr/local/bin/scriptname

and write the beyond lines in it:

Code:

#!/bin/bash
    
command in here without sudo
    
# the end of the scriptname

Create

Code:

/etc/sudoers.d/scriptname

and write the following lines in it:

Code:

User_Alias scriptname=username
Cmnd_Alias scriptabreviaton=/home/globalisation/r
scriptname ALL=NOPASSWD: scriptabreviaton

Add at the end of

Code:

/etc/sudoers

the next two lines:

Code:

  
username ALL=(ALL:ALL) ALL
username ALL=(ALL:ALL) NOPASSWD: /usr/local/bin/scriptname

Code:

chown root:root /etc/sudoers.d/scriptname
chown root:root /usr/local/bin/scriptname
chmod 0700 /usr/local/bin/scriptname
chmod 0440 /etc/sudoers.d/scriptname

From the regular user name:

Code:

sudo /usr/local/bin/scriptname

It shouldn't ask for sudo password any more.

Everywhere when it is written "scriptname", "usernme", "scriptabreviaton" every each of them should be the same.