tuto
Hi antixers...

I am running antiX 13.2 on a desktop PC with little free space on the hard disk. I created two users: (1) tesistas (the main one) and (2) pruebas (for testing default settings only).

The tesistas user is shared by several people, and since I want to use some commands such as fdisk, lsblk, lspcmcia, cat /var/log/*, etc., without having to type a password, I created a per-command sudoers file (named antiusers) in the sudoers.d directory:


tesistas@Tesistas:~
$ sudo visudo -f / etc/sudoers.d/antiusers
# sudoers file.
#
# --> This file was modified by tesistas user at 17/07/2016 18:43.
# --> The sudo package version is sudo_1.8.5p2-1+nmu3+deb7u1.
#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in / etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
# NOTE(review): paths are shown here as "/ etc/..." (with a space). That is
# presumably the forum's rendering of "/etc/..."; visudo -c reported
# "parsed OK" on the real file. Verify against the installed copy rather
# than pasting this text verbatim.

# ***********************
#    DEFINED ALIAS
# ***********************
# ### User alias specification ### ##################
#

# At present, no User_Alias has been defined.
# ### Runas alias specification ### #################
#

# At present, no Runas_Alias has been defined.
# ### Host alias specification ### ###################
#

# At present, no Host_Alias has been defined.
# ### Cmnd alias specification ### ###################
#
# Matching rule (sudoers(5)): an entry that lists arguments matches only that
# exact argument list; an entry without arguments matches any arguments.
# SUDO_SET has no argument restriction, so it covers editing any sudoers file
# (password required, see the rules below).
Cmnd_Alias  SUDO_SET = /usr/sbin/visudo
Cmnd_Alias  LOGOUT = /usr/local/bin/restart-X
Cmnd_Alias  REBOOT = /usr/local/bin/shutdown -r now, /usr/local/bin/reboot
Cmnd_Alias  POWEROFF = /usr/local/bin/shutdown -h now, /usr/local/bin/halt, /usr/local/bin/poweroff
# "/ etc/init.d/slim *" accepts any init-script action.
Cmnd_Alias  X_DM = /usr/local/bin/slim-login, /usr/local/bin/antixccslim.sh, / etc/init.d/slim *
Cmnd_Alias  DESKTOP_CHNG = /usr/local/bin/update-default-desktop
# NOTE(review): /usr/bin/rox is a file manager; run as root without a
# password (rule below) it amounts to unrestricted root access to files.
# The mknod/modprobe entries carry fixed arguments and are narrow.
Cmnd_Alias  DESKTOP_ENV_SET = /usr/bin/rox, /bin/mknod -m 666 /dev/nvidia*, /sbin/modprobe -v nvidia, \
                              /sbin/modprobe -v nvidia-uvm, /usr/local/bin/nvidia-dev_creator.sh 

 
# sudoedit entries use the "sudoedit" keyword, the form sudoers(5) documents.
Cmnd_Alias  NET = sudoedit / etc/network/interfaces, /usr/local/bin/connectshares.sh, /usr/local/bin/disconnectshares.sh
# Password-protected editing of core configuration, including sudoers and
# sudoers.d themselves (full policy control once the password is entered).
Cmnd_Alias  WIDE_SET = sudoedit / etc/profile, sudoedit / etc/X11/*, sudoedit / etc/crontab, sudoedit / etc/fstab, \
                       sudoedit / etc/inittab, sudoedit / etc/udev/*, sudoedit /lib/udev/rules.d/*, \
                       sudoedit / etc/default/keyboard, sudoedit / etc/grub.d/*, sudoedit /boot/grub/menu.lst, \
                       sudoedit / etc/sudoers, sudoedit / etc/sudoers.d/*, sudoedit /usr/local/bin/*, \
               sudoedit /usr/local/share/doc/*, sudoedit / etc/apt/sources.list.d/*, \
                       sudoedit / etc/apt/preferences.d/*, sudoedit / etc/sysctl.conf, sudoedit / etc/sysctl.d/*, \
                       sudoedit /opt/*, sudoedit / etc/pam.d/*, sudoedit / etc/clamav/freshclam.conf               

                              
Cmnd_Alias  SEARCH = / etc/cron.daily/mlocate, /usr/bin/mlocate
# fdisk -l and lsblk -flm match those exact argument lists only. The
# remaining entries have no argument restriction; NOTE(review): /sbin/udevadm
# thus includes control/trigger subcommands, not only "info" queries.
Cmnd_Alias  DEV_SET = /sbin/fdisk -l, /sbin/fdisk.distrib, /sbin/blkid, /bin/lsblk -flm, /sbin/lspcmcia, \
                      /sbin/pccardctl, /sbin/udevadm
# NOTE(review): "/usr/bin/dpkg --purge" matches only an invocation with no
# package name, so "dpkg --purge <pkg>" is not covered here; it falls to the
# unrestricted /usr/bin/dpkg in APPS_EXE (password required).
Cmnd_Alias  SYSTEM_CLEAN = /usr/bin/apt-get autoclean, /usr/bin/apt-get clean, /usr/bin/apt-get autoremove, \
                           /usr/sbin/orphaner, /usr/sbin/editkeep, /usr/bin/freshclam, /usr/bin/dpkg --purge
# NOTE(review): grsync is a GUI front-end to rsync; as root without a
# password it can copy to and from any path, i.e. it is effectively root.
Cmnd_Alias  DIR_SYNC = /usr/bin/grsync, /usr/bin/grsync-batch
# Imaging and partitioning tools; password required (rule below).
Cmnd_Alias  BACKUP = /usr/local/bin/remaster.sh, /usr/local/bin/remastercc.sh, /usr/local/bin/persist-makefs, \
                     /usr/local/bin/persist-save, /usr/local/bin/persist-config, /usr/local/bin/persist-enabled, \
                     /usr/local/bin/remaster-live, /usr/local/bin/run-mksquashfs, /usr/local/bin/antix2usb.py, \
             /usr/local/bin/antix2usb.sh, /usr/bin/luckybackup, /usr/local/bin/antixsnapshot-gui, \
             /usr/local/bin/antixsnapshot, /usr/sbin/partimage, /usr/sbin/gparted, /usr/bin/testdisk, \
             /usr/bin/photorec, /usr/bin/extundelete
# NOTE(review): "/usr/bin/sudoedit" is a path entry with no argument
# restriction, so it is not limited to the files listed in NET/WIDE_SET and
# undermines those per-file grants; the keyword form above already covers
# the intended files, so this entry should be removed. "apt-get -s install"
# matches only an empty package list; append " *" if a package is intended.
Cmnd_Alias  UTILS = /usr/bin/sudoedit, /usr/bin/apt-get update, /usr/bin/apt-get upgrade, /usr/bin/apt-get -f install, \
                    /usr/bin/apt-get -s install, /bin/cp -u / etc/default/keyboard / etc/default/keyboard.old             

                
# NOTE(review): "/bin/*" covers every program in /bin -- far broader than
# the named tools -- and it includes lsblk and cat, which DEV_SET and
# LOGS_READ grant without a password. Because APPS_EXE sits in the later
# PASSWD rule and the last match wins, it re-imposes a password on them.
# gksu/su-to-root/ktsuss/sux are themselves privilege wrappers.
Cmnd_Alias  APPS_EXE = /bin/*, /usr/bin/gksu, /usr/bin/su-to-root, /usr/bin/ktsuss, /usr/bin/sux, /usr/sbin/synaptic, \ 
                       /usr/local/bin/antix-system.sh, /usr/bin/gparted, /usr/local/bin/grub-repair-antix, \
               /usr/sbin/update-grub, /usr/sbin/sysv-rc-conf, /usr/local/bin/user-management, \ 
               /usr/sbin/dpkg-reconfigure, /usr/bin/rutilt, /usr/bin/gufw, /usr/bin/ceni, /usr/bin/install-meta, \ 
               /usr/local/bin/group-management, /usr/bin/Xorg, /usr/bin/dpkg, /usr/bin/apt-get remove *, \ 
               /usr/bin/apt-get purge *, /usr/bin/apt-get install *, /usr/bin/apt-get autoremove, \ 
               /usr/bin/apt-get install --reinstall *, /usr/bin/apt-key, /usr/sbin/dmidecode, /usr/sbin/smartctl, \ 
               /usr/bin/gsmartcontrol, /usr/bin/make *, /usr/bin/install *, /sbin/swapoff, /sbin/swapon, \
               /sbin/sysctl            
# NOTE(review): a "*" in an argument list also matches whitespace
# (sudoers(5), "Wildcards"), so this does not confine cat to a single file
# under /var/log. Listing the specific log files is the safer form.
Cmnd_Alias  LOGS_READ = /bin/cat /var/log/*
            
#
# ***********************
#    DEFINED OPTIONS
# ***********************
# Defaults set in a sudoers.d file apply globally. env_reset plus secure_path
# give commands a clean environment; timestamp_timeout is in minutes.
Defaults  env_reset
Defaults env_keep +="RESTARTED"
Defaults  mail_badpass
Defaults  secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
Defaults  timestamp_timeout=5
# ***********************
#     DEFINED RULES
# ***********************
# ### Root user privilege specification ###
# Duplicates the root entry of the main /etc/sudoers; harmless.

root  ALL=(ALL:ALL) ALL

# ### Regulars users privileges specification ###
# NOTE(review): when several entries match a command, the LAST match wins
# (sudoers(5)). A member of %users who is also in %sudo therefore ends at
# "%sudo ALL=(ALL:ALL) ALL" at the bottom of this file for every command,
# so the NOPASSWD tag below never takes effect. Move the NOPASSWD rule
# after the %sudo rule (or drop the %sudo rule here, it already exists in
# /etc/sudoers).

%users ALL=(root) NOPASSWD: LOGOUT, REBOOT, POWEROFF, DESKTOP_CHNG, DESKTOP_ENV_SET, NET, SEARCH, DEV_SET, \
                  SYSTEM_CLEAN, DIR_SYNC, UTILS, LOGS_READ
          
%users ALL=(root) PASSWD: SUDO_SET, X_DM, WIDE_SET, BACKUP, APPS_EXE
# ### Allow members of group sudo to execute any command ###

%sudo  ALL=(ALL:ALL) ALL


tesistas@Tesistas:~
$ sudo visudo -cf / etc/sudoers.d/antiusers
[sudo] password for tesistas: 
/ etc/sudoers.d/antiusers: parsed OK

The other sudoers files are intact; here is the content of the sudoers.d folder:


total 36
-rw-r--r-- 1 root root 21215 Aug 31 21:28 antiusers
-r--r----- 1 root root   921 Aug 30 15:52 antixers
-r--r----- 1 root root   674 May 26  2013 antixers.dpkg-dist
-r--r----- 1 root root   958 Mar  1  2013 README


tesistas@Tesistas:~
$ sudo visudo -f / etc/sudoers.d/antixers
# sudoers file.
# Distro-provided grants (antiX): members of group "users" may run each
# listed command as root without a password. None of the entries restricts
# arguments, so any arguments are accepted. Files in a sudoers.d directory
# are parsed in sorted lexical order, so this file comes after "antiusers"
# and its entries are the later (winning) match for these commands.

%users ALL=(root) NOPASSWD: /sbin/halt

%users ALL=(root) NOPASSWD: /sbin/reboot

%users ALL=(root) NOPASSWD: /sbin/poweroff

%users ALL=(root) NOPASSWD: /sbin/blkid

%users ALL=(root) NOPASSWD: /sbin/fdisk.distrib

%users ALL=(root) NOPASSWD: /usr/bin/ceni

# NOTE(review): rox is a file manager; as root without a password it gives
# unrestricted access to the filesystem.
%users ALL=(root) NOPASSWD: /usr/bin/rox

%users ALL=(root) NOPASSWD: /usr/local/bin/persist-config

%users ALL=(root) NOPASSWD: /usr/local/bin/persist-save

%users ALL=(root) NOPASSWD: /usr/sbin/minstall

%users ALL=(root) NOPASSWD: /usr/local/bin/connectshares.sh

%users ALL=(root) NOPASSWD: /usr/local/bin/disconnectshares.sh

# Defaults apply globally regardless of where they appear in the file.
Defaults env_keep +="RESTARTED"

%users ALL=(root) NOPASSWD: /usr/local/bin/update-default-desktop

Here is the output of the command "id":


tesistas@Tesistas:~
$ id
uid=1000(tesistas) gid=1000(tesistas) groups=1000(tesistas),7(lp),20(dialout),24(cdrom),25(floppy),27(sudo),29(audio),30(dip),44(video),46(plugdev),100(users),102(crontab),103(fuse),109(netdev),110(mlocate),1001(storage)
and the output of the command "groups":


tesistas@Tesistas:~
$ groups
tesistas lp dialout cdrom floppy sudo audio dip video plugdev users crontab fuse netdev mlocate storage

I can read logs (for example), but when I use the command "sudo fdisk -l", the prompt asks for the password. I do not understand why.

I read the sudoers manpage and several sources on sudo/sudoers on the net. I read that the "users" group (%users in sudoers files) is a traditional group on Unix systems, but Debian prefers to use one group per user. So I think it could be that the tesistas user is added to the "users" group and lacks a group of its own.

Please, can you guide me...?



Sorry for my English... __{{emoticon}}__
skidoo
Excellent post -- you provided plenty of detail.


total 36
-rw-r--r-- 1 root root 21215 Aug 31 21:28 antiusers
-r--r----- 1 root root   921 Aug 30 15:52 antixers
-r--r----- 1 root root   674 May 26  2013 antixers.dpkg-dist
-r--r----- 1 root root   958 Mar  1  2013 README
refer to /etc/sudoers.d/README
It states that all files within the sudoers.d directory are expected to have a 0440 permission mode.

sudo chmod 440 /etc/sudoers.d/antiusers
After this change, retest. Do your rules now accomplish the desired result?
tuto
Hi skidoo. Thanks for your answer.

Small detail... I missed it by not reading the README file __{{emoticon}}__ __{{emoticon}}__

I made the change to the antiusers file:


tesistas@Tesistas:~
$ sudo chmod 440 / etc/sudoers.d/*
tesistas@Tesistas:~
$ ls -l / etc/sudoers.d
total 36
-r--r----- 1 root root 21309 Sep  1 11:54 antiusers
-r--r----- 1 root root   921 Aug 30 15:52 antixers
-r--r----- 1 root root   674 May 26  2013 antixers.dpkg-dist
-r--r----- 1 root root   958 Mar  1  2013 README
Then I rebooted the system, and when I use the commands
sudo fdisk -l
or
sudo lsblk -flm
, the prompt still asks me for the password.

I made other changes:

(1) I modified the rules for %users in the antiusers file:


$ sudo visudo -f / etc/sudoers.d/antiusers
# sudoers file.
#
# --> This file was modified by tesistas user at 17/07/2016 18:43.
# --> The sudo package version is sudo_1.8.5p2-1+nmu3+deb7u1.
#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in / etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
# NOTE(review): paths are shown here as "/ etc/..." (with a space). That is
# presumably the forum's rendering of "/etc/..."; verify against the
# installed copy rather than pasting this text verbatim.

# ***********************
#    DEFINED ALIAS
# ***********************
# ### User alias specification ### ##################
#

# At present, no User_Alias has been defined.
# ### Runas alias specification ### #################
#

# At present, no Runas_Alias has been defined.
# ### Host alias specification ### ###################
#

# At present, no Host_Alias has been defined.
# ### Cmnd alias specification ### ###################
#
# Matching rule (sudoers(5)): an entry that lists arguments matches only that
# exact argument list; an entry without arguments matches any arguments.
Cmnd_Alias  SUDO_SET = /usr/sbin/visudo
Cmnd_Alias  LOGOUT = /usr/local/bin/restart-X
Cmnd_Alias  REBOOT = /usr/local/bin/shutdown -r now, /usr/local/bin/reboot
Cmnd_Alias  POWEROFF = /usr/local/bin/shutdown -h now, /usr/local/bin/halt, /usr/local/bin/poweroff
Cmnd_Alias  X_DM = /usr/local/bin/slim-login, /usr/local/bin/antixccslim.sh, / etc/init.d/slim *
Cmnd_Alias  DESKTOP_CHNG = /usr/local/bin/update-default-desktop
# NOTE(review): /usr/bin/rox is a file manager; run as root without a
# password (rule below) it amounts to unrestricted root access to files.
Cmnd_Alias  DESKTOP_ENV_SET = /usr/bin/rox, /bin/mknod -m 666 /dev/nvidia*, /sbin/modprobe -v nvidia, \
                              /sbin/modprobe -v nvidia-uvm, /usr/local/bin/nvidia-dev_creator.sh 
Cmnd_Alias  NET = sudoedit / etc/network/interfaces, /usr/local/bin/connectshares.sh, /usr/local/bin/disconnectshares.sh
# Password-protected editing of core configuration, including sudoers and
# sudoers.d themselves.
Cmnd_Alias  WIDE_SET = sudoedit / etc/profile, sudoedit / etc/X11/*, sudoedit / etc/crontab, sudoedit / etc/fstab, \
                       sudoedit / etc/inittab, sudoedit / etc/udev/*, sudoedit /lib/udev/rules.d/*, \
                       sudoedit / etc/default/keyboard, sudoedit / etc/grub.d/*, sudoedit /boot/grub/menu.lst, \
                       sudoedit / etc/sudoers, sudoedit / etc/sudoers.d/*, sudoedit /usr/local/bin/*, \
             sudoedit /usr/local/share/doc/*, sudoedit / etc/apt/sources.list.d/*, \
                       sudoedit / etc/apt/preferences.d/*, sudoedit / etc/sysctl.conf, sudoedit / etc/sysctl.d/*, \
                       sudoedit /opt/*, sudoedit / etc/pam.d/*, sudoedit / etc/clamav/freshclam.conf             

                          
Cmnd_Alias  SEARCH = / etc/cron.daily/mlocate, /usr/bin/mlocate
# NOTE(review): /sbin/udevadm has no argument restriction, so it includes
# control/trigger subcommands, not only "info" queries.
Cmnd_Alias  DEV_SET = /sbin/fdisk -l, /sbin/fdisk.distrib, /sbin/blkid, /bin/lsblk -flm, /sbin/lspcmcia, \
                      /sbin/pccardctl, /sbin/udevadm
# NOTE(review): "/usr/bin/dpkg --purge" matches only an invocation with no
# package name; "dpkg --purge <pkg>" falls to APPS_EXE (password required).
Cmnd_Alias  SYSTEM_CLEAN = /usr/bin/apt-get autoclean, /usr/bin/apt-get clean, /usr/bin/apt-get autoremove, \
                           /usr/sbin/orphaner, /usr/sbin/editkeep, /usr/bin/freshclam, /usr/bin/dpkg --purge
# NOTE(review): grsync is a GUI front-end to rsync; as root without a
# password it can copy to and from any path, i.e. it is effectively root.
Cmnd_Alias  DIR_SYNC = /usr/bin/grsync, /usr/bin/grsync-batch
Cmnd_Alias  BACKUP = /usr/local/bin/remaster.sh, /usr/local/bin/remastercc.sh, /usr/local/bin/persist-makefs, \
                     /usr/local/bin/persist-save, /usr/local/bin/persist-config, /usr/local/bin/persist-enabled, \
                     /usr/local/bin/remaster-live, /usr/local/bin/run-mksquashfs, /usr/local/bin/antix2usb.py, \
           /usr/local/bin/antix2usb.sh, /usr/bin/luckybackup, /usr/local/bin/antixsnapshot-gui, \
           /usr/local/bin/antixsnapshot, /usr/sbin/partimage, /usr/sbin/gparted, /usr/bin/testdisk, \
           /usr/bin/photorec, /usr/bin/extundelete
# NOTE(review): "/usr/bin/sudoedit" is a path entry with no argument
# restriction, so it is not limited to the files listed in NET/WIDE_SET;
# the keyword form already covers the intended files, so remove this entry.
Cmnd_Alias  UTILS = /usr/bin/sudoedit, /usr/bin/apt-get update, /usr/bin/apt-get upgrade, /usr/bin/apt-get -f install, \
                    /usr/bin/apt-get -s install, /bin/cp -u / etc/default/keyboard / etc/default/keyboard.old           

              
# NOTE(review): "/bin/*" covers every program in /bin, including lsblk and
# cat, which DEV_SET and LOGS_READ grant without a password. Because
# APPS_EXE sits in the later PASSWD rule and the last match wins, it
# re-imposes a password on them.
Cmnd_Alias  APPS_EXE = /bin/*, /usr/bin/gksu, /usr/bin/su-to-root, /usr/bin/ktsuss, /usr/bin/sux, /usr/sbin/synaptic, \ 
                       /usr/local/bin/antix-system.sh, /usr/bin/gparted, /usr/local/bin/grub-repair-antix, \
             /usr/sbin/update-grub, /usr/sbin/sysv-rc-conf, /usr/local/bin/user-management, \ 
             /usr/sbin/dpkg-reconfigure, /usr/bin/rutilt, /usr/bin/gufw, /usr/bin/ceni, /usr/bin/install-meta, \ 
             /usr/local/bin/group-management, /usr/bin/Xorg, /usr/bin/dpkg, /usr/bin/apt-get remove *, \ 
             /usr/bin/apt-get purge *, /usr/bin/apt-get install *, /usr/bin/apt-get autoremove, \ 
             /usr/bin/apt-get install --reinstall *, /usr/bin/apt-key, /usr/sbin/dmidecode, /usr/sbin/smartctl, \ 
             /usr/bin/gsmartcontrol, /usr/bin/make *, /usr/bin/install *, /sbin/swapoff, /sbin/swapon, \
             /sbin/sysctl         
# NOTE(review): a "*" in an argument list also matches whitespace
# (sudoers(5), "Wildcards"), so this does not confine cat to a single file
# under /var/log. Listing the specific log files is the safer form.
Cmnd_Alias  LOGS_READ = /bin/cat /var/log/*
         
#
# ***********************
#    DEFINED OPTIONS
# ***********************
# Defaults set in a sudoers.d file apply globally; timestamp_timeout is in
# minutes.
Defaults  env_reset
Defaults env_keep +="RESTARTED"
Defaults  mail_badpass
Defaults  secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
Defaults  timestamp_timeout=5
# ***********************
#     DEFINED RULES
# ***********************
# ### Root user privilege specification ###
# Duplicates the root entry of the main /etc/sudoers; harmless.

root  ALL=(ALL:ALL) ALL

# ### Regulars users privileges specification ###
# NOTE(review): the last matching entry wins (sudoers(5)). A member of
# %users who is also in %sudo ends at "%sudo ALL=(ALL:ALL) ALL" at the
# bottom of this file for every command, so NOPASSWD never takes effect
# while that rule comes last. Also, "(ALL:ALL)" here lets the NOPASSWD
# commands run as any user and group via "sudo -u"; the earlier "(root)"
# was the tighter choice and nothing listed needs another target user.

%users ALL=(ALL:ALL) NOPASSWD: LOGOUT, REBOOT, POWEROFF, DESKTOP_CHNG, DESKTOP_ENV_SET, NET, SEARCH, DEV_SET, \
                  SYSTEM_CLEAN, DIR_SYNC, UTILS, LOGS_READ
        
%users ALL=(root) PASSWD: SUDO_SET, X_DM, WIDE_SET, BACKUP, APPS_EXE
# ### Allow members of group sudo to execute any command ###

%sudo  ALL=(ALL:ALL) ALL

(2) I prevented the other sudoers files in the /etc/sudoers.d directory from being read:


tesistas@Tesistas:~
$ ls -l / etc/sudoers.d
total 36
-r--r----- 1 root root 21309 Sep  1 11:54 antiusers
-r--r----- 1 root root   921 Aug 30 15:52 antixers~
-r--r----- 1 root root   674 May 26  2013 antixers.dpkg-dist~
-r--r----- 1 root root   958 Mar  1  2013 README
I rebooted the system, and the prompt still asks me for the password when running the commands "sudo lsblk -flm" or "sudo fdisk -l".

I believe a possible cause may be that the tesistas user belongs to the users group (%users) and does not have its own group added to the sudo group.
skidoo
think that maybe it could be that tesistas user is added to"users" group and lack a own group
I don't think this should be necessary, but you could
(consult man sudo to verify this is the correct syntax, and)
manually assign 'sudo' group membership to user 'tesistas'
# usermod -aG sudo tesistas


This, I think, is the hangup:
When multiple rules match for a user, they are applied in order.
When multiple rules match, the last match (even though it is not necessarily the most specific) is used.


As posted, your last line is
%sudo ALL=(ALL:ALL) ALL
You probably just need to move the `NOPASSWD: [...] SEARCH, DEV_SET, SYSTEM_CLEAN, DIR_SYNC, [...]` line to the bottom.
tuto
After reading the sudoers manpage again, I verified that when several rules match, the last one is applied. So I changed the rules to use only my own rule, since the tesistas user belongs to the sudo group
skidoo wrote:Código:
tesistas@Tesistas:~
$ id
uid=1000(tesistas) gid=1000(tesistas) groups=1000(tesistas),7(lp),20(dialout),24(cdrom),25(floppy),27(sudo),29(audio),30(dip),44(video),46(plugdev),100(users),102(crontab),103(fuse),109(netdev),110(mlocate),1001(storage)
:


...

# ### Regulars users privileges specification ###
# NOTE(review): the continuation line after the commented-out rule is not
# itself commented. A "#" comment runs to the end of its line, trailing "\"
# included, so the line below it would likely be read as a stray token;
# comment it out (or delete it) as well if visudo reports a syntax error.

# %users ALL=(ALL:ALL) NOPASSWD: LOGOUT, REBOOT, POWEROFF, DESKTOP_CHNG, DESKTOP_ENV_SET, NET, SEARCH, DEV_SET, \
                  SYSTEM_CLEAN, DIR_SYNC, UTILS, LOGS_READ
        
# %users ALL=(root) PASSWD: SUDO_SET, X_DM, WIDE_SET, BACKUP, APPS_EXE
# ### Allow members of group sudo to execute any command ###
# Single rule: NOPASSWD for the first list, PASSWD for the second. The
# PASSWD part adds nothing beyond the main file's "%sudo ALL=(ALL:ALL) ALL";
# it only documents intent. NOTE(review): "(ALL:ALL)" lets the NOPASSWD
# commands run as any user and group via "sudo -u", not only as root;
# "(root)" would be the tighter choice.

%sudo  ALL=(ALL:ALL) NOPASSWD: LOGOUT, REBOOT, POWEROFF, DESKTOP_CHNG, DESKTOP_ENV_SET, NET, SEARCH, DEV_SET, \
                  SYSTEM_CLEAN, DIR_SYNC, UTILS, LOGS_READ, PASSWD: SUDO_SET, X_DM, WIDE_SET, BACKUP, APPS_EXE
After reboot, I can run without a password almost every command in a Cmnd_Alias tagged NOPASSWD in the rule. However, I still cannot run the commands "blkid, lsblk" without a password. I also added the user tesistas to the sudo group explicitly.
This result suggests to me that these commands may only be executable by the root user, or by another user with superuser privileges who enters the password, possibly because of the lack of another administrative group such as adm or wheel.

I have to do more tests...
tuto
Hello... again... __{{emoticon}}__

Here I post the updates on my attempt to set up my per-command antiusers sudoers file (path /etc/sudoers.d):

1) I added the tesistas user to the adm group with the command "sudo usermod -aG adm tesistas".
After reboot, running the commands "blkid, lsblk" from the terminal still asks for the password.

2) I added the tesistas user to its own group (tesistas). Rebooted and re-tested, with the same result.

3) As a positive control (and for this test only), I changed the main sudoers file (in directory /etc), adding the tesistas user below root's rule:


#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in / etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
# NOTE(review): paths are shown here as "/ etc/..." (with a space); that is
# presumably the forum's rendering of "/etc/...".
Defaults        env_reset
Defaults        mail_badpass
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification
root    ALL=(ALL:ALL) ALL
# NOTE(review): temporary test entry -- any command as any user, with no
# password at all, for tesistas. Remove it as soon as the test is over; it
# grants far more than anything in sudoers.d and is not needed for the
# per-command setup this thread is about.
tesistas ALL=(ALL:ALL) NOPASSWD: ALL

# Allow members of group sudo to execute any command
%sudo   ALL=(ALL:ALL) ALL

# See sudoers(5) for more information on "#include" directives:
# The include comes last, so entries from sudoers.d are the last match and
# decide the password tag whenever they match the same command as a rule
# above.

#includedir / etc/sudoers.d
and I prevented the antiusers file from being read by adding the "~" symbol as a suffix:


tesistas@Tesistas:~
$ ls -l / etc/sudoers.d
total 36
-r--r----- 1 root root 23854 Sep  5 22:18 antiusers~
-r--r----- 1 root root   921 Sep  2 10:55 antixers~
-r--r----- 1 root root   674 Sep  2 10:56 antixers.dpkg-dist~
-r--r----- 1 root root   958 Mar  1  2013 README
Then, after a system reboot, running the commands "blkid, lsblk" from the terminal still asks for the password.

OK, my conclusion is that these commands must necessarily be run as superuser.

So I will use the antiusers sudoers file in /etc/sudoers.d and keep the original /etc/sudoers file unchanged. Also, I will keep the tesistas user in the sudo, users and adm groups. In this case (antiX), it is not necessary for each user to belong to its own group, as long as it is in the users group.

__{{emoticon}}__
skidoo
Then, after system reboot, the execution of commands"blkid, lsblk" from terminal requests the password.

Ok, my conclusion is that these commands could be running as superuser necessarily.
Under the default (unmodified) policy, my non-root "demo" antiX user can launch 'blkid' and 'lsblk' -- sudo is not needed to launch these.
If I run "sudo blkid" then yes, of course, a password prompt is displayed; the same prompt would occur when running "sudo ls" or anything else.

Hmm, this is a liveboot session. Maybe a more strict default policy is applied after install to hard disk?
tuto
skidoo wrote: Under the default (not modified) policy, my non-root"demo" antix user can launch 'blkid' and 'lsblk' ~~ sudo not needed to launch these.
If I command"sudo blkid" yes (of course) a password prompt is displayed; the same prompt would occur if commanding"sudo ls" or anything else.

Hmm, this is a liveboot session. Maybe a more strict default policy is applied after install to hard disk?
OK, I verified this behavior on the antiX-13.2 live CD. In the tesistas session, although lsblk can be launched as a regular user, blkid needs sudo:


tesistas@Tesistas:~
$ blkid
bash: blkid: command not found
Precisely, a per-command sudoers file with the NOPASSWD tag on a specific command COMMAND allows COMMAND to be launched by a regular user without a password, using "sudo COMMAND". I used this behavior before on a Debian Wheezy+IceWM+SpaceFM installation (before using antiX) on this same hardware, and it worked without problems.

I believe it may be some policy of the antiX system.
tuto
Update:

Systematically speaking, given my low level of programming knowledge, there are many variables in play and this topic was becoming a bit confusing. So I applied what I know, the scientific research method. Inferring that the problem was in my antiusers sudoers file, I followed these steps:

1) I commented out all Cmnd_Alias entries in the antiusers file, using the rule with the %users group. Saved the changes and rebooted the system.

2) I uncommented one Cmnd_Alias at a time, saving the changes and rebooting the system, testing from the terminal the commands "sudo blkid -o full" and "sudo /etc/cron.daily/mlocate". Thus I was able to determine that the problem was the generic command path "/bin/*" in the Cmnd_Alias APPS_EXE, because commands in that directory are also listed in other Cmnd_Aliases.

3) So I removed the expression "/bin/*" from the Cmnd_Alias APPS_EXE, and now I can use my own sudoers file as I wished.

Finally, the per-command sudoers file (antiusers) ended up like this:


# sudoers file.
#
# --> This file was modified by tesistas user at 17/07/2016 18:43.
# --> The tesistas user belongs to the users group. 
# --> The users group belongs to the sudo group.
# --> The sudo package version is sudo_1.8.5p2-1+nmu3+deb7u1.
#
# NOTE(review): Unix groups do not nest; per the "id" output in this thread
# the user is a direct member of group sudo, which is what makes the %sudo
# rule in /etc/sudoers apply to it.
# NOTE(review): paths are shown here as "/ etc/..." (with a space). That is
# presumably the forum's rendering of "/etc/..."; verify against the
# installed copy rather than pasting this text verbatim.
#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in / etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#

# ***********************
#    DEFINED ALIAS
# ***********************

# ### User alias specification ### ####################

# The two local accounts this policy applies to.
User_Alias ANTIX_USERS = tesistas, pruebas
# ### Runas alias specification ### ##################

# At present, no Runas_Alias has been defined.
# ### Host alias specification ### ##################

# At present, no Host_Alias has been defined.
# ### Cmnd alias specification ### ##################
# Matching rule (sudoers(5)): an entry that lists arguments matches only that
# exact argument list; an entry without arguments matches any arguments.
# SUDO_SET (password required) lets ANTIX_USERS edit their own grants;
# SUDO_CHECK (no password) is the read-only syntax check of the same file.
Cmnd_Alias  SUDO_SET = /usr/sbin/visudo -f / etc/sudoers.d/antiusers

Cmnd_Alias  SUDO_CHECK = /usr/sbin/visudo -cf / etc/sudoers.d/antiusers

Cmnd_Alias  LOGOUT = /usr/local/bin/restart-X

# The /sbin/ variants of these are granted separately by the distro's
# /etc/sudoers.d/antixers file.
Cmnd_Alias  REBOOT = /usr/local/bin/shutdown -r now, /usr/local/bin/reboot

Cmnd_Alias  POWEROFF = /usr/local/bin/shutdown -h now, /usr/local/bin/halt, /usr/local/bin/poweroff

# "/ etc/init.d/slim *" accepts any init-script action.
Cmnd_Alias  X_DM = /usr/local/bin/slim-login, /usr/local/bin/antixccslim.sh, / etc/init.d/slim *

Cmnd_Alias  DESKTOP_CHNG = /usr/local/bin/update-default-desktop

# NOTE(review): /usr/bin/rox is a file manager; run as root without a
# password (rule at the end) it amounts to unrestricted root access to
# files. The mknod/modprobe entries carry fixed arguments and are narrow.
Cmnd_Alias  DESKTOP_ENV_SET = /usr/bin/rox, /bin/mknod -m 666 /dev/nvidia*, /sbin/modprobe -v nvidia, \
/sbin/modprobe -v nvidia-uvm, /usr/local/bin/nvidia-dev_creator.sh 

# sudoedit entries use the "sudoedit" keyword, the form sudoers(5) documents.
Cmnd_Alias  NET = sudoedit / etc/network/interfaces, /usr/local/bin/connectshares.sh, /usr/local/bin/disconnectshares.sh

# Password-protected editing of core configuration, including sudoers and
# sudoers.d themselves (full policy control once the password is entered).
Cmnd_Alias  WIDE_SET = sudoedit / etc/profile, sudoedit / etc/X11/*, sudoedit / etc/crontab, sudoedit / etc/fstab, \
sudoedit / etc/inittab, sudoedit / etc/udev/*, sudoedit /lib/udev/rules.d/*, \
sudoedit / etc/default/keyboard, sudoedit / etc/grub.d/*, sudoedit /boot/grub/menu.lst, \
sudoedit / etc/sudoers, sudoedit / etc/sudoers.d/*, sudoedit /usr/local/bin/*, \
sudoedit /usr/local/share/doc/*, sudoedit / etc/apt/sources.list.d/*, \
sudoedit / etc/apt/preferences.d/*, sudoedit / etc/sysctl.conf, sudoedit / etc/sysctl.d/*, \
sudoedit /opt/*, sudoedit / etc/pam.d/*, sudoedit / etc/clamav/freshclam.conf
                              
Cmnd_Alias  SEARCH = / etc/cron.daily/mlocate, /usr/bin/mlocate, /usr/bin/updatedb

# fdisk -l, blkid -o full and lsblk -flm match those exact argument lists
# only. The " *" entries accept any arguments; NOTE(review): "/sbin/udevadm *"
# thus includes control/trigger subcommands -- narrow it to
# "/sbin/udevadm info *" if only device queries are needed.
Cmnd_Alias  DEV_SET = /sbin/fdisk -l, /sbin/fdisk.distrib, /sbin/blkid -o full, /bin/lsblk -flm, /sbin/lspcmcia *, \
/sbin/pccardctl *, /sbin/udevadm *

# NOTE(review): "/usr/bin/dpkg --purge" matches only an invocation with no
# package name, so "dpkg --purge <pkg>" is not covered here; it falls to the
# unrestricted /usr/bin/dpkg in APPS_EXE (password required). orphaner,
# editkeep and freshclam have no argument restriction.
Cmnd_Alias  SYSTEM_CLEAN = /usr/bin/apt-get autoclean, /usr/bin/apt-get clean, /usr/bin/apt-get autoremove, \
/usr/sbin/orphaner, /usr/sbin/editkeep, /usr/bin/freshclam, /usr/bin/dpkg --purge

# NOTE(review): grsync is a GUI front-end to rsync; as root without a
# password it can copy to and from any path, i.e. it is effectively root.
Cmnd_Alias  DIR_SYNC = /usr/bin/grsync, /usr/bin/grsync-batch

# Imaging, partitioning and recovery tools; password required (rule at end).
Cmnd_Alias  BACKUP = /usr/local/bin/remaster.sh, /usr/local/bin/remastercc.sh, /usr/local/bin/persist-makefs, \
/usr/local/bin/persist-save, /usr/local/bin/persist-config, /usr/local/bin/persist-enabled, \
/usr/local/bin/remaster-live, /usr/local/bin/run-mksquashfs, /usr/local/bin/antix2usb.py, \
/usr/local/bin/antix2usb.sh, /usr/bin/luckybackup, /usr/local/bin/antixsnapshot-gui, \
/usr/local/bin/antixsnapshot, /usr/sbin/partimage, /usr/sbin/gparted, /usr/bin/testdisk, \
/usr/bin/photorec, /usr/bin/extundelete

# NOTE(review): "/usr/bin/sudoedit" is a path entry with no argument
# restriction, so it is not limited to the files listed in NET/WIDE_SET and
# undermines those per-file grants; the keyword form already covers the
# intended files, so this entry should be removed. The "-s"/"--simulate"
# entries match only an empty package list; append " *" if simulating a
# named package is the intent.
Cmnd_Alias  UTILS = /usr/bin/sudoedit, /usr/bin/apt-get update, /usr/bin/apt-get upgrade, /usr/bin/apt-get -f install, \
/usr/bin/apt-get -s install, /usr/bin/apt-get --simulate install, /usr/bin/apt-get -s remove, \
/usr/bin/apt-get --simulate remove, /bin/cat / etc/sudoers.d/README                   

# Each cp entry fixes both source and destination, so these cannot be
# retargeted -- the right way to grant a copy without a password.
Cmnd_Alias FILES_BACKUP = /bin/cp -u / etc/default/keyboard / etc/default/keyboard.old, \
/bin/cp -u / etc/fstab / etc/fstab.old, /bin/cp -u /boot/grub/menu.lst /boot/grub/menu.lst.old, \
/bin/cp -u / etc/slim.conf / etc/slim.conf.old, /bin/cp -u / etc/rc.local / etc/rc.local.old, \
/bin/cp -u / etc/network/interfaces / etc/network/interfaces.old, \
/bin/cp -u / etc/inittab / etc/inittab.old, /bin/cp -u / etc/X11/xorg.conf / etc/X11/xorg.conf.old

# Password required (rule at end). The former "/bin/*" entry was dropped
# because it also matched lsblk and cat and, as the later PASSWD match,
# re-imposed a password on them. gksu/su-to-root/ktsuss/sux are themselves
# privilege wrappers.
Cmnd_Alias  APPS_EXE = /usr/bin/gksu, /usr/bin/su-to-root, /usr/bin/ktsuss, /usr/bin/sux, /usr/sbin/synaptic, \
/usr/local/bin/antix-system.sh, /usr/bin/gparted, /usr/local/bin/grub-repair-antix, \
/usr/sbin/update-grub, /usr/sbin/sysv-rc-conf, /usr/local/bin/user-management, \ 
/usr/sbin/dpkg-reconfigure, /usr/bin/rutilt, /usr/bin/gufw, /usr/bin/ceni, /usr/bin/install-meta, \ 
/usr/local/bin/group-management, /usr/bin/Xorg, /usr/bin/dpkg, /usr/bin/apt-get remove *, \ 
/usr/bin/apt-get purge *, /usr/bin/apt-get install *, /usr/bin/apt-get autoremove, \ 
/usr/bin/apt-get install --reinstall *, /usr/bin/apt-key, /usr/sbin/dmidecode, /usr/sbin/smartctl, \ 
/usr/bin/gsmartcontrol, /usr/bin/make *, /usr/bin/install *, /sbin/swapoff, /sbin/swapon, \
/sbin/sysctl            

# NOTE(review): "/var/log/*" is a command pattern, not a file grant -- it
# authorizes executing files under /var/log as root rather than reading
# them, which log reading does not need; drop it. Also, a "*" in an
# argument list matches whitespace too (sudoers(5), "Wildcards"), so
# "/bin/cat /var/log/*" does not confine cat to a single file under
# /var/log; listing the specific log files is the safer form.
Cmnd_Alias  LOGS_READ = /bin/cat /var/log/*, /var/log/*

            
#
# ***********************
#    DEFINED OPTIONS
# ***********************
# Defaults set in a sudoers.d file apply globally. env_reset plus secure_path
# give commands a clean environment; timestamp_timeout is in minutes.

Defaults  env_reset

Defaults env_keep +="RESTARTED"

Defaults  mail_badpass

Defaults  secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

Defaults  timestamp_timeout=5
# ***********************
#     DEFINED RULES
# ***********************
# Single user specification for ANTIX_USERS: NOPASSWD for the first list,
# PASSWD for the second. Because /etc/sudoers ends with
# "#includedir / etc/sudoers.d", this rule is read after the main file's
# "%sudo ALL=(ALL:ALL) ALL" and, as the last match, decides the password
# tag for the listed commands; for a user who is also in group sudo, any
# command not listed here still falls back to the %sudo rule (password).
# NOTE(review): "(ALL:ALL)" lets the NOPASSWD commands run as any user and
# group via "sudo -u", not only as root. Earlier revisions used "(root)";
# nothing listed needs another target user, so "(root)" is tighter. The
# PASSWD part grants nothing beyond the %sudo rule; it documents intent.

ANTIX_USERS  ALL=(ALL:ALL) NOPASSWD: SUDO_CHECK, LOGOUT, REBOOT, POWEROFF, DESKTOP_CHNG, DESKTOP_ENV_SET, NET, SEARCH, \
                                          DEV_SET, SYSTEM_CLEAN, DIR_SYNC, UTILS, FILES_BACKUP, LOGS_READ, PASSWD: SUDO_SET, X_DM, \
                                          WIDE_SET, BACKUP, APPS_EXE

I consider this topic solved, and I thank skidoo for his help. He gave me very good ideas about where to look __{{emoticon}}__