Old 06-07-2017, 04:23 PM   #1
xpdin
Member
Add NOPASSWD in /etc/sudoers to only some specific commands


Are there any risks in letting the commands below be used with no password?

It is a home computer, with no other users using it, I only use the single default created user when Ubuntu was installed.

I would like not to have to type the sudo password at all for these commands:

Code:
echo 100 > /sys/class/backlight/intel_backlight/brightness

ethtool -s eth0 autoneg off speed 100 duplex full

dhclient eth0

apt-get update && apt-get upgrade && apt-get dist-upgrade -y

apt-get autoremove && apt-get clean && apt-get autoclean -y
Thank you.

Last edited by xpdin; 06-07-2017 at 05:06 PM.
 
Old 06-07-2017, 04:57 PM   #2
Laserbeak
Member
Quote:
Originally Posted by xpdin View Post
Are there any risks in letting the commands below be used with no password?
Sorry, I'm not really sure what the security implications would be of doing this via sudo... What I guess I would do is create one-liner scripts to do each of these things, make them owned by root and change the permissions to 4755 (setuid) so they run as root even if you run them from an ordinary user account.
 
Old 06-07-2017, 05:05 PM   #3
xpdin
Member
Thank you Laserbeak,

Some recommendations how to do it from scratch please?

If it is not possible, or it is a big risk (like having the password stored somewhere in plain text), to never type the password for each command, maybe it is at least possible to type it only once after boot, without having to type it again until the next reboot, or after the system sleeps or hibernates, for example.

Regards.
 
Old 06-07-2017, 05:10 PM   #4
Laserbeak
Member
Quote:
Originally Posted by xpdin View Post
Thank you Laserbeak,

Some recommendations how to do it from scratch please?

If it is not possible, or it is a big risk (like having the password stored somewhere in plain text), to never type the password for each command, maybe it is at least possible to type it only once after boot, without having to type it again until the next reboot, or after the system sleeps or hibernates, for example.

Regards.

As root you'd create a file containing:
Code:
#!/bin/bash
echo 100 > /sys/class/backlight/intel_backlight/brightness
and save to like /usr/local/bin/bright. Then type:

Code:
chmod 4755 /usr/local/bin/bright
Then whenever you ran "bright" it would run that command as root, even if you're logged in as an ordinary user.

Make sure /usr/local/bin is in your PATH environment variable.

Last edited by Laserbeak; 06-07-2017 at 05:13 PM.
 
Old 06-07-2017, 05:11 PM   #5
BW-userx
LQ Guru
Code:
## Same thing without a password
%wheel ALL=(ALL) NOPASSWD: ALL
can be
Code:
## Same thing without a password
%sudo ALL=(ALL) NOPASSWD: ALL
depending on what group you use. You will still have to use sudo; it just removes the need to enter the password. That is what I do.
 
Old 06-07-2017, 05:29 PM   #6
Laserbeak
Member
Quote:
Originally Posted by BW-userx View Post
Code:
## Same thing without a password
%wheel ALL=(ALL) NOPASSWD: ALL
can be
Code:
## Same thing without a password
%sudo ALL=(ALL) NOPASSWD: ALL
depending on what group you use. You will still have to use sudo; it just removes the need to enter the password. That is what I do.
This could be useful too, but it seems to open up your system more than my way, which limits it to one command with specified options, so it should be safer. Plus you don't have to type sudo. It's up to you... in UNIX there are almost always several ways to get something done.
 
Old 06-07-2017, 06:01 PM   #7
BW-userx
LQ Guru
Quote:
Originally Posted by Laserbeak View Post
This could be useful too, but it seems to open up your system more than my way, which limits it to one command with specified options, so it should be safer. Plus you don't have to type sudo. It's up to you... in UNIX there are almost always several ways to get something done.
yep!
 
Old 06-07-2017, 06:52 PM   #8
Habitual
LQ Veteran
Sudo: you're doing it wrong - PDF @ 171 pages.
Sudo: you're doing it wrong - YouTubeVid @ 1h:11m

Get Some!
 
Old 06-07-2017, 09:01 PM   #9
rknichols
Senior Member
Quote:
Originally Posted by Laserbeak View Post
As root you'd create a file containing:
Code:
#!/bin/bash
echo 100 > /sys/class/backlight/intel_backlight/brightness
and save to like /usr/local/bin/bright. Then type:

Code:
chmod 4755 /usr/local/bin/bright
Then whenever you ran "bright" it would run that command as root, even if you're logged in as an ordinary user.
SetUID for scripts has been disallowed in Unix/Linux for a long, long time due to insurmountable security issues.
 
Old 06-08-2017, 04:49 AM   #10
Laserbeak
Member
Quote:
Originally Posted by rknichols View Post
SetUID for scripts has been disallowed in Unix/Linux for a long, long time due to insurmountable security issues.
Well if setuid for a shell script doesn't work, then you'd have to do a simple C program that launches the program you want.

For example (totally untested since I don't have Linux, I have Mac OS X):

Code:
#include <stdio.h>
#include <unistd.h>

int main(void) {
    /* The binary itself must be root-owned with mode 4755; setuid(0) then
       makes the real uid root as well, so the exec'd program keeps root. */
    if (setuid(0) != 0) {
        perror("setuid");
        return 1;
    }
    /* execl needs the full path, argv[0], and a terminating NULL. */
    execl("/sbin/ethtool", "ethtool", "-s", "eth0", "autoneg", "off",
          "speed", "100", "duplex", "full", (char *)NULL);
    perror("execl");   /* only reached if the exec fails */
    return 1;
}

Piping something would be more complicated:

Code:
#include <stdio.h>
#include <unistd.h>
#include <string.h>
#include <sys/wait.h>

int main(void) {
    int descriptors[2];
    if (pipe(descriptors) == -1) {
        perror("pipe");
        return 1;
    }
    if (setuid(0) != 0) {
        perror("setuid");
        return 1;
    }
    pid_t pid = fork();
    if (pid == -1) {
        perror("Error: Can't Fork!");
        return 1;
    } else if (pid == 0) { /* child: read end becomes stdin, then run tee */
        close(descriptors[1]);
        dup2(descriptors[0], STDIN_FILENO);
        close(descriptors[0]);
        /* The sysfs attribute is a file, not a program, so it cannot be
           exec'd; tee copies stdin into it, like "echo 100 | tee brightness". */
        execl("/usr/bin/tee", "tee",
              "/sys/class/backlight/intel_backlight/brightness", (char *)NULL);
        perror("execl");
        _exit(1);
    } else { /* parent: send the value, close so tee sees EOF, then wait */
        close(descriptors[0]);
        if (write(descriptors[1], "100", strlen("100")) == -1)
            perror("write");
        close(descriptors[1]);
        wait(NULL);
    }
    return 0;
}
You'd have to compile them with gcc or equivalent and still have to chmod 4755, owned by root.

I have no way to really test these, since I don't have your system.
 
Old 06-08-2017, 05:08 AM   #11
Turbocapitalist
LQ Guru
Quote:
Originally Posted by xpdin View Post
Are there any risks in letting the commands below be used with no password?
Not really, if you also specify the exact parameters allowed.

See the links that Habitual posted for good guidance on getting up to speed with sudo and of course the manual page for sudoers.

You'll have to set the exact paths inside sudoers. Here the permissions would apply to the group xpdin:

Code:
%xpdin ALL=(root:root) NOPASSWD: /usr/bin/tee /sys/class/backlight/intel_backlight/brightness

%xpdin ALL=(root:root) NOPASSWD: /sbin/ethtool -s eth0 autoneg off speed 100 duplex full

%xpdin ALL=(root:root) NOPASSWD: /sbin/dhclient eth0, /sbin/dhclient -v eth0

%xpdin ALL=(root:root) NOPASSWD: /usr/bin/apt-get update, /usr/bin/apt-get upgrade, \
        /usr/bin/apt-get dist-upgrade -y, /usr/bin/apt-get autoremove, \
        /usr/bin/apt-get clean, /usr/bin/apt-get autoclean -y
The only questionable one is the tee, which would allow you to send anything to the backlight settings, not just "100":

Code:
echo 100 | sudo tee /sys/class/backlight/intel_backlight/brightness
If some of these actions are too long to type, you might also try saving them as shell aliases or shell functions.

Last edited by Turbocapitalist; 06-08-2017 at 05:10 AM.
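One way to close the tee gap Turbocapitalist points out: instead of granting tee on the sysfs file, grant a root-owned, non-writable wrapper that accepts only a bounded integer. This is an added example, not code from the thread; the script path /usr/local/bin/set-brightness, the sudoers line in the comment, and the function names are assumptions.

```shell
#!/bin/sh
# Hypothetical wrapper /usr/local/bin/set-brightness (added example, not from the thread).
# Install it root-owned, mode 0755 (no setuid needed), and grant only this script:
#   username ALL=(root) NOPASSWD: /usr/local/bin/set-brightness
# sudo then permits exactly this program, and the program accepts only a bounded integer.
set -eu

# validate_brightness VALUE MAX -> succeeds only for a plain decimal integer in 0..MAX.
validate_brightness() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;    # rejects empty, signs, spaces and shell metacharacters
    esac
    [ "${#1}" -le 7 ] || return 1    # bound the length before comparing numerically
    [ "$1" -le "$2" ]
}

# set_brightness VALUE [DIR] -> validates VALUE against DIR/max_brightness, then writes it.
# DIR defaults to the intel_backlight device; the optional argument exists for testing
# and is not reachable from the command line handling below.
set_brightness() {
    dir="${2:-/sys/class/backlight/intel_backlight}"
    max=$(cat "$dir/max_brightness")
    if ! validate_brightness "$1" "$max"; then
        echo "set-brightness: '$1' is not an integer in 0..$max" >&2
        return 2
    fi
    # The write happens here, as root, not via a redirection in the caller's shell.
    printf '%s\n' "$1" > "$dir/brightness"
}

case "$#" in
    0) ;;                                 # sourced for testing: only define the functions
    1) set_brightness "$1" ;;
    *) echo "usage: $0 VALUE" >&2; exit 2 ;;
esac
```

This also sidesteps the problem with the original `echo 100 > ...` form, where the redirection is performed by the unprivileged calling shell rather than by the command sudo runs.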
 
Old 06-08-2017, 07:09 AM   #12
pan64
LQ Guru
Quote:
Originally Posted by rknichols View Post
SetUID for scripts has been disallowed in Unix/Linux for a long, long time due to insurmountable security issues.
As far as I know the executable is not the script, but the interpreter (bash itself). Therefore using setuid on script is simply meaningless. You ought to use it on the binary.
 
Old 06-08-2017, 07:45 AM   #13
BW-userx
LQ Guru
If it is just one user, as he stated, he could also use an alias in his bashrc and
give himself NOPASSWD in sudoers, then (example):
Code:
alias updateMe="sudo xbps-install -Suy"


good morning userx
userx%voider ⚡ ~ ⚡> updateMe
[*] Updating `https://repo.voidlinux.eu/current/x86_64-repodata' ...
x86_64-repodata: 1272KB [avg rate: 15KB/s]
userx%voider ⚡ ~ ⚡>

Last edited by BW-userx; 06-08-2017 at 07:47 AM.
 
Old 06-08-2017, 10:06 PM   #14
Laserbeak
Member
You could also do it in Perl, it definitely allows suid scripts and is usually easier than C.
 
Old 06-10-2017, 03:38 PM   #15
xpdin
Member
Thank you very much to all for your replies.

Can someone please say whether there are any disadvantages or advantages of the following method compared with the methods in the posts above?

Code:
sudo su
Create
Code:
/usr/local/bin/scriptname
and write the following lines in it:


Code:
#!/bin/bash

command in here without sudo

# the end of the scriptname

Create
Code:
/etc/sudoers.d/scriptname
and write the following lines in it:

Code:
# sudoers alias names must be upper case (letters, digits, underscore)
User_Alias SCRIPTNAME = username
Cmnd_Alias SCRIPTABBREVIATION = /usr/local/bin/scriptname
SCRIPTNAME ALL=(root) NOPASSWD: SCRIPTABBREVIATION

Add at the end of
Code:
/etc/sudoers
the next two lines:


Code:
username ALL=(ALL:ALL) ALL
username ALL=(ALL:ALL) NOPASSWD: /usr/local/bin/scriptname

Code:
chown root:root /etc/sudoers.d/scriptname
chown root:root /usr/local/bin/scriptname
chmod 0700 /usr/local/bin/scriptname
chmod 0440 /etc/sudoers.d/scriptname
From the regular user name:

Code:
sudo /usr/local/bin/scriptname
It shouldn't ask for sudo password any more.

Everywhere "scriptname", "username" and "scriptabbreviation" are written, each of them should be the same.
 