How to get root's environment with sudo?

pcunix · 07-27-2009, 02:51 PM

Quote:

Originally Posted by Alien Bob

You must be using Ubuntu.

Eric

:-)

Not particularly. But no, I can't think of any place I have Slackware installed and I imagine that was your point, right?

bassmadrigal · 07-27-2009, 11:48 PM

I think the only point he was originally trying to get out is that this isn't possible with a stock Slackware system. The way you made it sound is that is all he would have to do, but in reality he would have to tweak the sudoers file.

Me personally, I change my sudoers so that I can use sudo on any command without typing in a password. But then I am the only user on my system, so I am not worried about others going in a screwing it up. If I was on a multi-user system, it certainly wouldn't be that way.

Back to the original topic... Since I have sudo set up for my user, and I hate typing in the /usr/sbin or /sbin I have a .profile in my user directory that will add those paths. All the script contains is:

Code:

#!/bin/bash
PATH=$PATH:/usr/local/sbin:/sbin:/usr/sbin

This code will be executed when you login the first time. And yes, you can use sudo without a password, but it requires editing the /etc/sudoers file.

As others have mentioned, this is a security risk, so make sure that you fully understand what is being done.

Good Luck
Jeremy

w1k0 · 07-28-2009, 02:18 PM

Well... Back to the question.

To get root's environment use commands suggested by GrapefruiTgirl. Use command su - if you need command line interface or su if you need X Window applications. Before it you have to set X host with xhost `hostname` command. I put it in my system permanently in ~/.xinitrc file.

The usage of sudo is more sophisticated. Use it only to run carefully selected commands.

The main task is to prepare the appropriate sudoers file:

# cat /etc/sudoers

Code:

Defaults    timestamp_timeout = 0

User_Alias  FULL = john, mary
User_Alias  PART = ebenezer

Cmnd_Alias  KILL = /bin/kill, /bin/killall
Cmnd_Alias  HALT = /sbin/reboot, /sbin/halt, \
                   /usr/local/bin/suspend
Cmnd_Alias  MOUNT = /bin/mount, /bin/umount
Cmnd_Alias  CDWR = /usr/local/bin/cdwr

root ALL =  (ALL) ALL

FULL ALL =  NOPASSWD: KILL, HALT, MOUNT, \
                      CDWR

PART ALL =  PASSWD:   KILL, HALT, \
            NOPASSWD: MOUNT, CDWR

If you're familiar with vi use visudo to do it. Each entry in sudoers file has to be one single line so to break lines use \. In the above example are three users: john, mary and ebenezer. First two users have full access to all registered commands without password -- the last user has limited access.

To simplify running the above commands prepare the appropriate .bashrc file.

$ cat ~/.bashrc

Code:

export PS1="\u@\h:\w\$ "

alias ls='ls --color=auto -b -T 0'

alias c='perl -e '\''$_="@ARGV"; print eval $_, "\n"'\'''

alias kill="sudo /bin/kill"
alias killall="sudo /bin/killall"
alias reboot="sudo /sbin/reboot"
alias halt="sudo /sbin/halt"

alias suspend="sudo /usr/local/bin/suspend"

alias mount="sudo /bin/mount"
alias umount="sudo /bin/umount"

alias cdwr="sudo /usr/local/bin/cdwr"

To run some commands in console mode prepare the appropriate .bash_profile.

$ cat ~/.bash_profile

Code:

BASH_ENV=$HOME/.bashrc
USERNAME="john"

export USERNAME BASH_ENV

alias kill="sudo /bin/kill"
alias killall="sudo /bin/killall"
alias reboot="sudo /sbin/reboot"
alias halt="sudo /sbin/halt"

echo ; fortune ; echo

In some cases sudo works not exactly the same as su. See: Firewall problem in PPPOE. If you'll discover such problem use the command su with -c switch instead of sudo, for example: su -c /usr/sbin/pppoe-start.

rg3 · 07-28-2009, 03:35 PM

Back to some other question, I have no idea why sudo was created, but it does provide much more granularity than su in terms of controlling who can do what as which user. Also, the default configuration of asking for the user's own password is also useful in the sense that you can allow a specific user run a specific command as root without giving them the root password. In many environments, it's very important that only one or two people know the root password, while the rest of users are granted privileges on demand.

Anyway, su can be configured not to ask any password, indeed. You need to use /etc/suauth (usually the file does not exist), with something along these lines:

root:someuser:NOPASS

See man suauth for more details. Why you'd want to do that is beyond my imagination.

niels.horn · 07-28-2009, 04:08 PM

Quote:

Originally Posted by rg3

Anyway, su can be configured not to ask any password, indeed.

Now, now... I learn something new everyday...
I _never_ heard about this one!

I tested it and deleted the file immediately afterwards

escaflown · 07-28-2009, 08:22 PM

Quote:

Originally Posted by rg3

Anyway, su can be configured not to ask any password, indeed. You need to use /etc/suauth (usually the file does not exist), with something along these lines:

root:someuser:NOPASS

why will someone want to do that??? It just looks like creating an user with root privileges and an empty password.

rworkman · 07-28-2009, 08:45 PM

Quote:

Originally Posted by escaflown

why will someone want to do that??? It just looks like creating an user with root privileges and an empty password.

If you lock your terminal when you're away from the machine, and you have a secure password on your normal user account, one could argue that it's no less secure at all.

niels.horn · 07-28-2009, 09:00 PM

Quote:

Originally Posted by rworkman

If you lock your terminal when you're away from the machine, and you have a secure password on your normal user account, one could argue that it's no less secure at all.

If we could trust normal users to do things the way they are supposed to do it, we wouldn't need security

OK, I *am* biased (or paranoid?)... I work at a large financial institution and security of information is one of our main concerns.

We have a strict "lock your terminal" policy and security checks random workstations at lunch breaks etc., but unfortunately we cannot rely on users following all policies.

I know things are different if you only have one desktop at home.

I see this all in the following manner:
--> Windows machines are insecure by default and can be made reasonably secure with careful configuration
--> Linux machines are secure by default and can be made quite insecure by careless configuration

Just my $0.02 ...