[opensuse-factory] how to make sudo useful?
hi, i have been bitten by this too many times to count already. After setting reasonable permissions for group wheel in sudoers file, i get this: matejcik@ws-pool1:~> yast2 Absolute path to 'yast2' is '/sbin/yast2', so running it may require superuser privileges (eg. root). matejcik@ws-pool1:~> sudo yast2 sudo: yast2: command not found the question: how the <cobe> do i convince sudo that it should, in fact, use root's path? alternately, how do i add 'sbin' to user path permanently (systemwide) and make sudo remember it? optional third question: shouldn't the first proposed behavior (having sudo use root's paths) be the default? if not, why? thanks for any hints. m. -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org
On Aug 18, 10 16:11:14 +0200, Jan Matejek wrote:
hi,
i have been bitten by this too many times to count already. After setting reasonable permissions for group wheel in sudoers file, i get this:
matejcik@ws-pool1:~> yast2 Absolute path to 'yast2' is '/sbin/yast2', so running it may require superuser privileges (eg. root). matejcik@ws-pool1:~> sudo yast2 sudo: yast2: command not found
the question: how the <cobe> do i convince sudo that it should, in fact, use root's path?
Not only sudo's fault. Why the <cobe> was /sbin/ removed from users path in the first place? Are these tools no longer meant to be called by users: traceroute, ip, ifconfig, yast, showmount, ... -> they all have excellent reporting modes, that do not need root privileges. /etc/profile has a section titled 'Make path more comfortable' if test "$UID" = 0 ; then test -d /opt/kde3/sbin && PATH=/opt/kde3/sbin:$PATH PATH=/sbin:/usr/sbin:/usr/local/sbin:$PATH fi Anyway, this does not appear to not work for sudo. cheers, JW- -- o \ Juergen Weigert paint it green! __/ _=======.=======_ <V> | jw@suse.de back to ascii! __/ _---|____________\/ \ | 0911 74053-508 __/ (____/ /\ (/) | _____________________________/ _/ \_ vim:set sw=2 wm=8 SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg) "You are trying to use packages from project 'openSUSE:11.3'. Note that malicious packages can compromise your system." -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org
* Juergen Weigert <jw@suse.de> [2010-08-18 16:29]:
Not only sudo's fault. Why the <cobe> was /sbin/ removed from users path in the first place? Are these tools no longer meant to be called by users: traceroute, ip, ifconfig, yast, showmount, ... -> they all have excellent reporting modes, that do not need root privileges.
/etc/profile has a section titled 'Make path more comfortable' if test "$UID" = 0 ; then test -d /opt/kde3/sbin && PATH=/opt/kde3/sbin:$PATH PATH=/sbin:/usr/sbin:/usr/local/sbin:$PATH fi Anyway, this does not appear to not work for sudo.
It does if you use sudo -s to start a shell. -- Guido Berhoerster -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org
Dne 18.8.2010 16:29, Juergen Weigert napsal(a):
On Aug 18, 10 16:11:14 +0200, Jan Matejek wrote:
hi,
i have been bitten by this too many times to count already. After setting reasonable permissions for group wheel in sudoers file, i get this:
matejcik@ws-pool1:~> yast2 Absolute path to 'yast2' is '/sbin/yast2', so running it may require superuser privileges (eg. root). matejcik@ws-pool1:~> sudo yast2 sudo: yast2: command not found
the question: how the <cobe> do i convince sudo that it should, in fact, use root's path?
Not only sudo's fault. Why the <cobe> was /sbin/ removed from users path in the first place? Are these tools no longer meant to be called by users: traceroute, ip, ifconfig, yast, showmount, ... -> they all have excellent reporting modes, that do not need root privileges.
/etc/profile has a section titled 'Make path more comfortable' if test "$UID" = 0 ; then test -d /opt/kde3/sbin && PATH=/opt/kde3/sbin:$PATH PATH=/sbin:/usr/sbin:/usr/local/sbin:$PATH fi Anyway, this does not appear to not work for sudo.
commenting out the if/fi did the trick for me, and sudo seems to work correctly as long as /usr/sbin is in my user path - so thanks for this tip. (but note that /etc/profile is only picked up at login, so making this change on a running system will not start working magically) regards m.
cheers, JW-
-- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org
* Jan Matejek <jan.matejek@novell.com> [2010-08-18 16:12]:
the question: how the <cobe> do i convince sudo that it should, in fact, use root's path?
You can define secure_path which will override the user's PATH.
alternately, how do i add 'sbin' to user path permanently (systemwide) and make sudo remember it?
The systemwide path is set in /etc/profile. -- Guido Berhoerster -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org
Le 18/08/2010 16:11, Jan Matejek a écrit :
the question: how the <cobe> do i convince sudo that it should, in fact, use root's path?
I just removed "#" in front of the option in sudoers and all works as expected jdd -- http://www.dodin.net http://pizzanetti.fr -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org
Dne 18.8.2010 16:53, jdd napsal(a):
Le 18/08/2010 16:11, Jan Matejek a écrit :
the question: how the <cobe> do i convince sudo that it should, in fact, use root's path?
I just removed "#" in front of the option in sudoers and all works as expected
and which "the option" would this be? i don't see any option related to paths m.
jdd
-- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org
Le 18/08/2010 17:14, Jan Matejek a écrit :
and which "the option" would this be? i don't see any option related to paths m.
the option related to wheel... # Uncomment to allow people in group wheel to run all commands # %wheel ALL=(ALL) ALL ^ remove I had nothing more to do (beside giving the admins the wheel group) may be I was lucky :-) jdd -- http://www.dodin.net http://pizzanetti.fr -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org
On Wed, Aug 18, 2010 at 06:19:46PM +0200, jdd wrote:
Le 18/08/2010 17:14, Jan Matejek a écrit :
and which "the option" would this be? i don't see any option related to paths m.
the option related to wheel...
# Uncomment to allow people in group wheel to run all commands # %wheel ALL=(ALL) ALL ^ remove
I had nothing more to do (beside giving the admins the wheel group)
may be I was lucky :-)
jdd
I would be worried if you need luck to get this working. try adding to /etc/bash.bashrc alias sudo='PATH=/usr/local/sbin:/usr/sbin:/sbin:$PATH sudo' then 'sudo yast2' works -- Bernhard M. Wiedemann software engineer -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 2010-08-20 12:08, Bernhard M. Wiedemann wrote:
try adding to /etc/bash.bashrc
No, add it to "/etc/bash.bashrc.local". - -- Cheers / Saludos, Carlos E. R. (from 11.2 x86_64 "Emerald" GM (Elessar)) -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.12 (GNU/Linux) Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org/ iEYEARECAAYFAkxue4MACgkQU92UU+smfQUJtACeKWDykjWQ9nEiorMJaXLRrFMX EGoAn1u31LJV9Tup7RGr329rcLFrT5JN =uVml -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org
Dne 20.8.2010 12:08, Bernhard M. Wiedemann napsal(a):
try adding to /etc/bash.bashrc alias sudo='PATH=/usr/local/sbin:/usr/sbin:/sbin:$PATH sudo'
then 'sudo yast2' works
ouch! this is so much of a kludge that it hurts. i mean, this is exactly what is wrong with SUSE - it makes natural things hard to do -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org
On Mon, Aug 23, 2010 at 03:26:51PM +0200, Jan Matejek wrote:
Dne 20.8.2010 12:08, Bernhard M. Wiedemann napsal(a):
try adding to /etc/bash.bashrc alias sudo='PATH=/usr/local/sbin:/usr/sbin:/sbin:$PATH sudo'
then 'sudo yast2' works
ouch! this is so much of a kludge that it hurts. i mean, this is exactly what is wrong with SUSE - it makes natural things hard to do
What are you talking about? You consider /sbin and /usr/sbin should be part of the default PATH? File a feature request, better submit a change or document it. Fix it, don't whine! BTW I'm happy not having every command - in particular those requiring higher priviledges - in the default PATH of all user. Please pass the FATE ID here that I'm able to give me -1. ;) Lars -- Lars Müller [ˈlaː(r)z ˈmʏlɐ] Samba Team SUSE Linux, Maxfeldstraße 5, 90409 Nürnberg, Germany
Dne 23.8.2010 16:15, Lars Müller napsal(a):
ouch! this is so much of a kludge that it hurts. i mean, this is exactly what is wrong with SUSE - it makes natural things hard to do
What are you talking about?
You consider /sbin and /usr/sbin should be part of the default PATH?
I don't give half a rat's behind about PATH, as long as it contains everything i want to execute. Which, interestingly, is the case, as somebody went to great lengths to link most useful tools from /sbin to /bin What i do care about is, when bash tells me that i need superuser privileges, i come back with those and it still doesn't help - as is the case with my original post.
File a feature request, better submit a change or document it.
https://features.opensuse.org/310406
Fix it, don't whine!
gladly - except that there seems to be a general confusion regarding paths, so i am not sure what is the right way to fix it (see feature #310311). modifying default PATH is good enough for me, but maybe not for general public? regards m.
BTW I'm happy not having every command - in particular those requiring higher priviledges - in the default PATH of all user.
Please pass the FATE ID here that I'm able to give me -1. ;)
Lars
-- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org
* Jan Matejek <jan.matejek@novell.com> [2010-08-23 19:18]:
https://features.opensuse.org/310406
Fix it, don't whine!
gladly - except that there seems to be a general confusion regarding paths, so i am not sure what is the right way to fix it (see feature #310311). modifying default PATH is good enough for me, but maybe not for general public?
IMO it should definetly be discussed within the scope of https://features.opensuse.org/310311 so that whatever the result may be we have consistency across the system. -- Guido Berhoerster -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org
Jan Matejek wrote:
Dne 23.8.2010 16:15, Lars Müller napsal(a):
File a feature request, better submit a change or document it.
https://features.opensuse.org/310406
Fix it, don't whine!
gladly - except that there seems to be a general confusion regarding paths, so i am not sure what is the right way to fix it (see feature #310311). modifying default PATH is good enough for me, but maybe not for general public?
I filed feature #310311 to agree on an ordering for the elements in PATH and to have the hardcoded places use the same values. Including sbin in a normal user's PATH by default is yet another feature that can be discusses independently. Also, adding sbin to a users' path could be implemented via /etc/profile only so it only takes effect if a shell is involved. We do not necessarily need to implement it in the hardcoded places too. cu Ludwig -- (o_ Ludwig Nussel //\ V_/_ http://www.suse.de/ SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg) -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org
* Ludwig Nussel <ludwig.nussel@suse.de> [2010-08-24 10:42]:
Jan Matejek wrote:
Dne 23.8.2010 16:15, Lars Müller napsal(a):
File a feature request, better submit a change or document it.
https://features.opensuse.org/310406
Fix it, don't whine!
gladly - except that there seems to be a general confusion regarding paths, so i am not sure what is the right way to fix it (see feature #310311). modifying default PATH is good enough for me, but maybe not for general public?
I filed feature #310311 to agree on an ordering for the elements in PATH and to have the hardcoded places use the same values. Including sbin in a normal user's PATH by default is yet another feature that can be discusses independently. Also, adding sbin to a users' path could be implemented via /etc/profile only so it only takes effect if a shell is involved. We do not necessarily need
That is already implemented in /etc/profile: [...] if test "$UID" = 0 ; then test -d /opt/kde3/sbin && PATH=/opt/kde3/sbin:$PATH PATH=/sbin:/usr/sbin:/usr/local/sbin:$PATH fi [...] Hence, when you do a "sudo -s" already results in the correct PATH. Note that it is not necessary to modify a user's PATH in order to change the PATH that sudo is using, we could simply put Defaults secure_path = /sbin:/usr/sbin:/usr/local/sbin:/usr/local/bin:/usr/bin:/bin into /etc/sudoers to provide a secure PATH including sbin. I think that would be a more sensible solution which does not unecessarily pollute users PATHs. -- Guido Berhoerster -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 2010-08-24 11:13, Guido Berhoerster wrote:
* Ludwig Nussel <> [2010-08-24 10:42]:
I think that would be a more sensible solution which does not unecessarily pollute users PATHs.
I don't understand it all, but I don't think all users should have the /sbin in their path, only those users that do admin things. I think there should be a list of "special" users. Not all users should be bothered with the update applet, for example. - -- Cheers / Saludos, Carlos E. R. (from 11.2 x86_64 "Emerald" GM (Elessar)) -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.12 (GNU/Linux) Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org/ iEYEARECAAYFAkx0XM4ACgkQU92UU+smfQUiDACfdYiixwygQuvab8WMXEqI7EHJ gCgAn1ovE1RpWO49tRmSu7OuD4JMUXQe =O6mb -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org
Guido Berhoerster wrote:
Note that it is not necessary to modify a user's PATH in order to change the PATH that sudo is using, we could simply put
Defaults secure_path = /sbin:/usr/sbin:/usr/local/sbin:/usr/local/bin:/usr/bin:/bin
into /etc/sudoers to provide a secure PATH including sbin. I think that would be a more sensible solution which does not unecessarily pollute users PATHs.
That means sudo will not find programs in the users' PATH (e.g. ~/bin) anymore though. cu Ludwig -- (o_ Ludwig Nussel //\ V_/_ http://www.suse.de/ SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg) -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org
* Ludwig Nussel <ludwig.nussel@suse.de> [2010-08-27 12:48]:
Guido Berhoerster wrote:
Note that it is not necessary to modify a user's PATH in order to change the PATH that sudo is using, we could simply put
Defaults secure_path = /sbin:/usr/sbin:/usr/local/sbin:/usr/local/bin:/usr/bin:/bin
into /etc/sudoers to provide a secure PATH including sbin. I think that would be a more sensible solution which does not unecessarily pollute users PATHs.
That means sudo will not find programs in the users' PATH (e.g. ~/bin) anymore though.
That's right, but I find that actually more secure while still providing convenience for system commands. -- Guido Berhoerster -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org
* Jan Matejek <jan.matejek@novell.com> [2010-08-23 15:26]:
Dne 20.8.2010 12:08, Bernhard M. Wiedemann napsal(a):
try adding to /etc/bash.bashrc alias sudo='PATH=/usr/local/sbin:/usr/sbin:/sbin:$PATH sudo'
then 'sudo yast2' works
ouch! this is so much of a kludge that it hurts. i mean, this is exactly what
Yes it is, and there is absolutely no need for such kludges at all. It has been pointed out almost a week ago that you can either set secure_path in /etc/sudoers or modify PATH in /etc/profile. -- Guido Berhoerster -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org
Dne 23.8.2010 16:17, Guido Berhoerster napsal(a):
* Jan Matejek <jan.matejek@novell.com> [2010-08-23 15:26]:
Dne 20.8.2010 12:08, Bernhard M. Wiedemann napsal(a):
try adding to /etc/bash.bashrc alias sudo='PATH=/usr/local/sbin:/usr/sbin:/sbin:$PATH sudo'
then 'sudo yast2' works
ouch! this is so much of a kludge that it hurts. i mean, this is exactly what
Yes it is, and there is absolutely no need for such kludges at all. It has been pointed out almost a week ago that you can either set secure_path in /etc/sudoers or modify PATH in /etc/profile.
well, in that case, why did you even suggest such horrible thing? ;) (for the record, i did solve my problem by modifying /etc/profile as suggested. i still think that the modification should be there by default, but oh well) regards m. -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org
On Mon, Aug 23, 2010 at 05:31:58PM +0200, Jan Matějek wrote: [ 8< ]
(for the record, i did solve my problem by modifying /etc/profile as suggested. i still think that the modification should be there by default, but oh well)
Please file a feature request and let users vote. Cf. http://lists.opensuse.org/opensuse-factory/2010-08/msg00238.html To complain about this doesn't help. I still consider this a feature and not a bug. As long as no feature request or bug got filed it looks like the majority including you agrees with the current implementation. Lars -- Lars Müller [ˈlaː(r)z ˈmʏlɐ] Samba Team SUSE Linux, Maxfeldstraße 5, 90409 Nürnberg, Germany
* Jan Matějek <jmatejek@suse.cz> [2010-08-23 17:32]:
Dne 23.8.2010 16:17, Guido Berhoerster napsal(a):
* Jan Matejek <jan.matejek@novell.com> [2010-08-23 15:26]:
Dne 20.8.2010 12:08, Bernhard M. Wiedemann napsal(a):
try adding to /etc/bash.bashrc alias sudo='PATH=/usr/local/sbin:/usr/sbin:/sbin:$PATH sudo'
then 'sudo yast2' works
ouch! this is so much of a kludge that it hurts. i mean, this is exactly what
Yes it is, and there is absolutely no need for such kludges at all. It has been pointed out almost a week ago that you can either set secure_path in /etc/sudoers or modify PATH in /etc/profile.
well, in that case, why did you even suggest such horrible thing? ;)
Huh, me?! Check your quoting above, I would never ever suggest something like that... -- Guido Berhoerster -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org
Dne 23.8.2010 19:00, Guido Berhoerster napsal(a):
Huh, me?! Check your quoting above, I would never ever suggest something like that...
my apologies - i got confused by names looking vaguely alike :/ will not happen again m. -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org
participants (10)
-
Bernhard M. Wiedemann -
Carlos E. R. -
Carlos E. R. -
Guido Berhoerster -
Jan Matejek -
Jan Matějek -
jdd -
Juergen Weigert -
Lars Müller -
Ludwig Nussel