Using sudo, was Re: Adding/modifying users under MATE DE

[David Wright <deblis@lionunicorn.co.uk>]

On Mon 04 Feb 2019 at 10:34:22 (-0600), Richard Owlett wrote:
> I'm creating a Tcl script [to be run as user] which calls dumpe2fs ,
> requiring root privileges. On comp.lang.tcl I was pointed to [https://www.cyberciti.biz/faq/linux-unix-running-sudo-command-without-a-password/]
> which pointed out that a user could be authorized to run specific
> executables.
> 
> Although I'm the only person with any access to my machine, I have
> avoided using sudo in the past. That article dampened my qualms.

I just drop a file called sudoers-david into /etc/sudoers.d/
 
> Back in 2015, when wanting to modify users, I was pointed to
> "mate-system-tools". According to
> [https://tracker.debian.org/pkg/mate-system-tools] it has been removed
> from the repository.
> 
> Is there a user friendly alternative?
> 
> Following a series of links suggests using visudo. It doesn't look
> friendly.

I've never used it. As I'm in total control of my PCs, I can
be certain when I edit sudoers-david that there's no chance of
contention, so I just use nano.

> I'm not sure yet if it can create new users from scratch.
> There are references to adduser (and relatives) but
> [https://packages.debian.org/stretch/adduser] gives its home page as
> [http://alioth.debian.org/projects/adduser/] which seems to be
> defunct.

There's a reference to adduser in   man sudoers   where it's
showing how a group of secretaries might be allowed to add/
remove users and administrate printers. (They'd be called
Computing Service staff in my old university.) Personally
I add a few users when I first set up a Debian system and
that's it.

Here's a subset of my sudoers-david. I've left mainly the lines
for a user called unlock who had a userid used for nothing other
that unlocking /home (typically via ssh).

User_Alias      ME = david
User_Alias      LOCKER = unlock
Host_Alias      MYHOSTS = mars, venus, etc

Cmnd_Alias      UNLOCKING = /usr/bin/udisksctl unlock --block-device /dev/disk/*/*
Cmnd_Alias      LOCKING = /usr/bin/udisksctl lock --block-device /dev/disk/*/*

Defaults:ME     !authenticate
Defaults:LOCKER !authenticate

## who          where           = (as_whom)             what

LOCKER          MYHOSTS         =                       UNLOCKING
LOCKER          MYHOSTS         =                       LOCKING

… so that user on those hosts can run those two commands as if root.
They (me, of course) login via ssh, their .bash_profile contains

sudo udisksctl unlock --block-device /dev/disk/by-id/ata-XXXXXXXXXXXXXX-part3
mount /home
echo Home is now mounted

as appropriate for each host's excrypted disks, and so they get
a prompt for the passphrase. Once typed, they logout.

The only other type of line I (think I) use in sudoers is

Runas_Alias     EMAIL = Debian-exim

for commands like

Cmnd_Alias      EMAILQUEUED = /bin/ls -lR /var/spool/exim4/

which can then do things with lines like:

ME              MYHOSTS         = (EMAIL)               EMAILQUEUED

I have set this earlier for that user but I can't remember why:

Defaults!EMAILQUEUE     noexec

Anyway, that little lot lets me run this function without
bothering with a password:

my-q ()
{
    [ "$1" = "-?" ] && echo "Usage:	$FUNCNAME
	checks the outbound mail queue." 1>&2 && return 1;
    ps -p $(pgrep exim4);
    sudo -u Debian-exim ls -lR /var/spool/exim4/
}

Perhaps that not quite random assortment of lines will be enough to
help you decode the man page or just copy by (bad?) example.

Cheers,
David.