Hello,
If I write in the sudoers file:
jdd ALL=(ALL:ALL) NOPASSWD: ALL
I can use any root command from my jdd account (through ssh).
I would like to be only able to use "sudo -i" and I can't
my goal is to be able to go full root if necessary, but not execute any other command to prevent environment (and others) problem
how can I achieve this
thanks
jdd
--
what is usenet? http://www.dodin.org/wiki/pmwiki.php?n=Usenet.Usenet
On Fri, Aug 18, 2023 at 10:42 AM jdd@dodin.org <jdd@dodin.org> wrote:
Hello,
If I write in the sudoers file:
jdd ALL=(ALL:ALL) NOPASSWD: ALL
I can use any root command from my jdd account (through ssh).
I would like to be only able to use "sudo -i" and I can't
I am not sure I can parse this sentence. Copy and paste the full command line that does not work and all its output and explains what exactly is wrong with it.
my goal is to be able to go full root if necessary, but not execute any other command to prevent environment (and others) problem
Using sudo to only run interactive shell rather defeats the very purpose of the sudo ...
how can I achieve this
thanks
jdd
--
what is usenet? http://www.dodin.org/wiki/pmwiki.php?n=Usenet.Usenet
On 18/08/2023 at 10:35, Andrei Borzenkov wrote:
I am not sure I can parse this sentence. Copy and paste the full command line that does not work and all its output and explains what exactly is wrong with it.
it's not a command line but a sudoers line (see the other answer)
thanks
jdd
--
what is usenet? http://www.dodin.org/wiki/pmwiki.php?n=Usenet.Usenet
To restrict use of the sudo command, I believe you need a rule like
<user> <host>=(<asUser>:<asGroup>) <command>
where ALL indicates authorized to run the command on any host, as any user, and as any group. In your case you may limit any of these three by replacing ALL in the appropriate position (or leaving out the asUser or asGroup); so
jdd ALL=(ALL:ALL) /usr/bin/sudo -i
or
jdd remoteserver=(someuser:somegroup) /usr/bin/sudo -i
The command must be fully qualified, and if you want to restrict a command's arguments you must specify them in the rule; e.g. in the example above, the sudo command is only authorized to run with the -i option present. See the man (5) sudoers file for examples, in the section Runas_Spec for more details.
HTH,
Leslie
On 2023-08-18 02:42:12 jdd@dodin.org wrote:
Hello,
If I write in the sudoers file:
jdd ALL=(ALL:ALL) NOPASSWD: ALL
I can use any root command from my jdd account (through ssh).
I would like to be only able to use "sudo -i" and I can't
my goal is to be able to go full root if necessary, but not execute any other command to prevent environment (and others) problem
how can I achieve this
thanks
jdd
--
Platform: Linux
Distribution: openSUSE Leap 15.4 - x86_64
On 18/08/2023 at 10:44, J Leslie Turriff wrote:
jdd ALL=(ALL:ALL) /usr/bin/sudo -i
I tried that, but
jdd@localhost:~> sudo -i
[sudo] Mot de passe de jdd :
I'm asked for password
may be there needs some escape for the -i?? (double quotes don't fit)
thanks
jdd
--
what is usenet? http://www.dodin.org/wiki/pmwiki.php?n=Usenet.Usenet
On Fri, Aug 18, 2023 at 1:03 PM jdd@dodin.org <jdd@dodin.org> wrote:
On 18/08/2023 at 10:44, J Leslie Turriff wrote:
jdd ALL=(ALL:ALL) /usr/bin/sudo -i
I tried that, but
jdd@localhost:~> sudo -i
[sudo] Mot de passe de jdd :
I'm asked for password
"sudo -i" runs a shell defined for you in /etc/passwd, this is the command you need to allow.
On Fri, Aug 18, 2023 at 12:02:59PM +0200, jdd@dodin.org wrote:
On 18/08/2023 at 10:44, J Leslie Turriff wrote:
jdd ALL=(ALL:ALL) /usr/bin/sudo -i
I tried that, but
jdd@localhost:~> sudo -i
[sudo] Mot de passe de jdd :
I'm asked for password
While I have to admit I do not really understand what you are trying to accomplish by running sudo within sudo, if you want to be able to sudo without a password, you have to include NOPASSWORD: in your sudoers line (like in the example in your original post).
A.
--
Ansgar Esztermann
Sysadmin Dep. Theoretical and Computational Biophysics
https://www.mpinat.mpg.de/person/11315/3883774
On 18/08/2023 at 12:45, Ansgar Esztermann-Kirchner wrote:
While I have to admit I do not really understand what you are trying to accomplish by running sudo within sudo,
I don't
I only want to run "sudo -i" within my jdd account and go root as expected without being asked for a password. But it's better if I can't issue by error an other root command as jdd
If I write in visudo:
jdd ALL=(ALL:ALL) NOPASSWD: ALL
I can give sudo -i, but also any other root command
if I write
jdd ALL=(ALL:ALL) NOPASSWD: /usr/bin/sudo -i
I'm asked the jdd passwd :-( (And if I give it login is refused)
thanks
jdd
--
what is usenet? http://www.dodin.org/wiki/pmwiki.php?n=Usenet.Usenet
Hi, all --
...and then jdd@dodin.org said...
% ...
% if I write
%
% jdd ALL=(ALL:ALL) NOPASSWD: /usr/bin/sudo -i
%
% I'm asked the jdd passwd :-( (And if I give it login is refused)
I hate to say it, but here is a case where actual pasting would be helpful. Are you running
/usr/bin/sudo -i
or
sudo -i
when this doesn't work for you?
:-D
--
David T-G
See http://justpickone.org/davidtg/email/
See http://justpickone.org/davidtg/tofu.txt
On 19/08/2023 at 05:11, David T-G wrote:
% if I write
%
% jdd ALL=(ALL:ALL) NOPASSWD: /usr/bin/sudo -i
Are you running
/usr/bin/sudo -i
when this doesn't work for you?
I just tested the two and the result is the same. ALL works, but the above line asks for jdd passwd.
Notice that without any than default, the prompt is not for jdd but for root passwd
jdd
--
what is usenet? http://www.dodin.org/wiki/pmwiki.php?n=Usenet.Usenet
On Sat, 19 Aug 2023 10:16, jdd@dodin.org <jdd@...> wrote:
On 19/08/2023 at 05:11, David T-G wrote:
% if I write
%
% jdd ALL=(ALL:ALL) NOPASSWD: /usr/bin/sudo -i
Are you running
/usr/bin/sudo -i
when this doesn't work for you?
I just tested the two and the result is the same. ALL works, but the above line asks for jdd passwd. Notice that without any than default, the prompt is not for jdd but for root passwd
First of all: Be lazy.
Trick is to "encapsulate" the command in question in a dedicated script and call that.
%><-- Begin of file /root/bin/makeroot
#!/usr/bin/bash
exec /usr/bin/sudo -i
%><---End of file /root/bin/makeroot
Create that file, make it executable and create a sudoers line for it. e.g.:
jdd ALL=(ALL:ALL) NOPASSWD: /root/bin/makeroot
now comes the lazy part, create an alias for the command:
alias makeroot="/usr/bin/sudo /root/bin/makeroot"
This has worked for me in the past, and serves me well today.
HtH
- Yamaban.
On 19/08/2023 at 11:57, Yamaban wrote:
Trick is to "encapsulate" the command in question in a dedicated script and call that.
%><-- Begin of file /root/bin/makeroot
#!/usr/bin/bash
exec /usr/bin/sudo -i
%><---End of file /root/bin/makeroot
the exec is not even necessary :-), and better make it in /home/jdd/bin/
Create that file, make it executable and create a sudoers line for it. e.g.:
jdd ALL=(ALL:ALL) NOPASSWD: /root/bin/makeroot
ok (I named it makeroot.sh)
jdd ALL = (ALL:ALL) NOPASSWD: /home/jdd/bin/makeroot.sh
and then as jdd "sudo /home/jdd/bin/makeroot.sh" worked (makes me root)
then
alias mr="sudo /home/jdd/bin/makeroot.sh"
did the trick (mr works)
I had only to add this alias line in .bashrc to make it permanent
I guess there may be a simpler solution, but it works... so
thanks all :-)
jdd
--
what is usenet? http://www.dodin.org/wiki/pmwiki.php?n=Usenet.Usenet
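Added example, not part of the thread or any poster's code: the rule above gives passwordless root to whatever is stored at /home/jdd/bin/makeroot.sh, so the ownership and write permissions of that file and of its parent directories decide who can change what runs as root. The function name `audit_sudo_target`, its arguments and its report format are hypothetical; it assumes GNU `stat` and `readlink`.

```shell
#!/bin/sh
# Added example (not from the thread): audit the file a sudoers NOPASSWD rule
# points at. Usage: audit_sudo_target PATH [TRUSTED_UID] [STOP_DIR]
# Returns 0 if PATH and every directory up to STOP_DIR are owned by
# TRUSTED_UID (default 0, root) and not group/other-writable, 1 if not,
# 2 if PATH does not exist. Needs GNU stat and readlink (as on openSUSE).
audit_sudo_target() {
    path=$(readlink -f -- "$1"); trusted=${2:-0}
    stop=$(readlink -f -- "${3:-/}"); bad=0
    [ -e "$path" ] || { echo "MISSING $path"; return 2; }
    while :; do
        set -- $(stat -c '%u %a' -- "$path")   # $1 = owner uid, $2 = octal mode
        [ "$1" = "$trusted" ] || { echo "OWNER $path uid=$1"; bad=1; }
        # 022 = write bit for group and for others
        [ $(( 0$2 & 022 )) -eq 0 ] || { echo "WRITABLE $path mode=$2"; bad=1; }
        if [ "$path" = "$stop" ] || [ "$path" = / ]; then break; fi
        path=$(dirname -- "$path")
    done
    return "$bad"
}

# Constructed demo: a throwaway tree standing in for /home/jdd/bin/makeroot.sh,
# audited with root as the trusted owner, the way a real check would run.
demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/bin"
    printf '#!/bin/sh\n/usr/bin/sudo -i\n' > "$tmp/bin/makeroot.sh"
    chmod 755 "$tmp/bin" "$tmp/bin/makeroot.sh"
    audit_sudo_target "$tmp/bin/makeroot.sh" 0 "$tmp"; rc=$?
    rm -rf "$tmp"
    return "$rc"
}
demo || echo "result: a non-root account can change what this rule runs as root"
```

Run as an ordinary user, the demo reports OWNER lines because the tree belongs to that user, which is the situation of a script kept under a home directory.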
On 19.08.2023 15:08, jdd@dodin.org wrote:
On 19/08/2023 at 11:57, Yamaban wrote:
Trick is to "encapsulate" the command in question in a dedicated script and call that.
%><-- Begin of file /root/bin/makeroot
#!/usr/bin/bash
exec /usr/bin/sudo -i
%><---End of file /root/bin/makeroot
the exec is not even necessary :-), and better make it in /home/jdd/bin/
Create that file, make it executable and create a sudoers line for it. e.g.:
jdd ALL=(ALL:ALL) NOPASSWD: /root/bin/makeroot
ok (I named it makeroot.sh)
jdd ALL = (ALL:ALL) NOPASSWD: /home/jdd/bin/makeroot.sh
and then as jdd "sudo /home/jdd/bin/makeroot.sh" worked (makes me root)
That is rather roundabout way of doing sudo sudo -i
then
alias mr="sudo /home/jdd/bin/makeroot.sh"
did the trick (mr works)
I had only to add this alias line in .bashrc to make it permanent
I guess there may be a simpler solution, but it works... so
thanks all :-) jdd
On 2023-08-19 04:16, jdd@dodin.org wrote:
On 19/08/2023 at 05:11, David T-G wrote:
% if I write
%
% jdd ALL=(ALL:ALL) NOPASSWD: /usr/bin/sudo -i
Are you running
/usr/bin/sudo -i
when this doesn't work for you?
I just tested the two and the result is the same. ALL works, but the above line asks for jdd passwd. Notice that without any than default, the prompt is not for jdd but for root passwd
Notice that asking for the user password instead of root's password is preferred ;-)
There is a setting in the config file that changes that.
Defaults targetpw # ask for the password of the target user i.e. root
--
Cheers / Saludos,
Carlos E. R.
(from openSUSE 15.5 (Laicolasse))
On 19/08/2023 at 16:12, Carlos E. R. wrote:
Notice that asking for the user password instead of root's password is preferred ;-)
it's often preferred, but openSUSE default is root passwd.
I myself prefer root passwd to have two different passwords for being root, but here it's not relevant, once setup done I will only connect with ssh without password.
I can also be root with su -, I don't even remember why I use sudo on this virtual machine :-) - I probably had good reasons :-)
jdd
--
what is usenet? http://www.dodin.org/wiki/pmwiki.php?n=Usenet.Usenet
On 2023-08-19 12:09, jdd@dodin.org wrote:
On 19/08/2023 at 16:12, Carlos E. R. wrote:
Notice that asking for the user password instead of root's password is preferred ;-)
it's often preferred, but openSUSE default is root passwd.
It is the default for the initial configuration of the machine, assuming that you change it later when you configure sudo for the rest of life ;-)
## In the default (unconfigured) configuration, sudo asks for the root password.
## This allows use of an ordinary user account for administration of a freshly
## installed system. When configuring sudo, delete the two
## following lines:
Defaults targetpw # ask for the password of the target user i.e. root
ALL ALL=(ALL) ALL # WARNING! Only use this together with 'Defaults targetpw'!
--
Cheers / Saludos,
Carlos E. R.
(from openSUSE 15.5 (Laicolasse))
My mistake; I left out the NOPASSWD option.
| jdd ALL=(ALL:ALL) NOPASSWD /usr/bin/sudo -i
Leslie
On 2023-08-18 05:02:59 jdd@dodin.org wrote:
On 18/08/2023 at 10:44, J Leslie Turriff wrote:
jdd ALL=(ALL:ALL) /usr/bin/sudo -i
I tried that, but
jdd@localhost:~> sudo -i
[sudo] Mot de passe de jdd :
I'm asked for password
may be there needs some escape for the -i?? (double quotes don't fit)
thanks jdd
On 22/08/2023 at 01:14, J Leslie Turriff wrote:
My mistake; I left out the NOPASSWD option.
| jdd ALL=(ALL:ALL) NOPASSWD /usr/bin/sudo -i
already tested, asks for jdd passwd
may be some environment problem, need to be run as a special user (root or jdd?)
jdd
--
what is usenet? http://www.dodin.org/wiki/pmwiki.php?n=Usenet.Usenet
participants (7)
- Andrei Borzenkov
- Ansgar Esztermann-Kirchner
- Carlos E. R.
- David T-G
- J Leslie Turriff
- jdd@dodin.org
- Yamaban