Using sudo, was Re: Adding/modifying users under MATE DE
On Mon 04 Feb 2019 at 10:34:22 (-0600), Richard Owlett wrote:
> I'm creating a Tcl script [to be run as user] which calls dumpe2fs ,
> requiring root privileges. On comp.lang.tcl I was pointed to [https://www.cyberciti.biz/faq/linux-unix-running-sudo-command-without-a-password/]
> which pointed out that a user could be authorized to run specific
> executables.
>
> Although I'm the only person with any access to my machine, I have
> avoided using sudo in the past. That article dampened my qualms.
I just drop a file called sudoers-david into /etc/sudoers.d/
> Back in 2015, when wanting to modify users, I was pointed to
> "mate-system-tools". According to
> [https://tracker.debian.org/pkg/mate-system-tools] it has been removed
> from the repository.
>
> Is there a user friendly alternative?
>
> Following a series of links suggests using visudo. It doesn't look
> friendly.
I've never used it. As I'm in total control of my PCs, I can
be certain when I edit sudoers-david that there's no chance of
contention, so I just use nano.
> I'm not sure yet if it can create new users from scratch.
> There are references to adduser (and relatives) but
> [https://packages.debian.org/stretch/adduser] gives its home page as
> [http://alioth.debian.org/projects/adduser/] which seems to be
> defunct.
There's a reference to adduser in man sudoers where it's
showing how a group of secretaries might be allowed to add/
remove users and administrate printers. (They'd be called
Computing Service staff in my old university.) Personally
I add a few users when I first set up a Debian system and
that's it.
Here's a subset of my sudoers-david. I've left mainly the lines
for a user called unlock who had a userid used for nothing other
than unlocking /home (typically via ssh).
User_Alias ME = david
User_Alias LOCKER = unlock
Host_Alias MYHOSTS = mars, venus, etc
Cmnd_Alias UNLOCKING = /usr/bin/udisksctl unlock --block-device /dev/disk/*/*
Cmnd_Alias LOCKING = /usr/bin/udisksctl lock --block-device /dev/disk/*/*
Defaults:ME !authenticate
Defaults:LOCKER !authenticate
## who where = (as_whom) what
LOCKER MYHOSTS = UNLOCKING
LOCKER MYHOSTS = LOCKING
… so that user on those hosts can run those two commands as if root.
They (me, of course) login via ssh, their .bash_profile contains
sudo udisksctl unlock --block-device /dev/disk/by-id/ata-XXXXXXXXXXXXXX-part3
mount /home
echo Home is now mounted
as appropriate for each host's encrypted disks, and so they get
a prompt for the passphrase. Once typed, they logout.
The only other type of line I (think I) use in sudoers is
Runas_Alias EMAIL = Debian-exim
for commands like
Cmnd_Alias EMAILQUEUED = /bin/ls -lR /var/spool/exim4/
which can then do things with lines like:
ME MYHOSTS = (EMAIL) EMAILQUEUED
I have set this earlier for that user but I can't remember why:
Defaults!EMAILQUEUE noexec
Anyway, that little lot lets me run this function without
bothering with a password:
my-q ()
{
    [ "$1" = "-?" ] && echo "Usage: $FUNCNAME
checks the outbound mail queue." 1>&2 && return 1;
    ps -p $(pgrep exim4);
    sudo -u Debian-exim ls -lR /var/spool/exim4/
}
Perhaps that not quite random assortment of lines will be enough to
help you decode the man page or just copy by (bad?) example.
Cheers,
David.
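An added example (mine, not from David's mail or from the sudoers package): a small Python checker that expands the aliases in a sudoers.d drop-in like the one above into plain (user, host, runas, command) rows and reports any alias that is referenced but never defined, which is the kind of slip `visudo -c` catches and nano does not. The sample text is constructed from the lines quoted in the mail; the Defaults!EMAILQUEUE line refers to an alias the subset never defines.

```python
import re

# Constructed sample built from the sudoers-david lines quoted in the post; the
# Defaults!EMAILQUEUE line refers to an alias this subset never defines.
SAMPLE = """\
User_Alias ME = david
User_Alias LOCKER = unlock
Host_Alias MYHOSTS = mars, venus, etc
Cmnd_Alias UNLOCKING = /usr/bin/udisksctl unlock --block-device /dev/disk/*/*
Runas_Alias EMAIL = Debian-exim
Cmnd_Alias EMAILQUEUED = /bin/ls -lR /var/spool/exim4/
Defaults:ME !authenticate
Defaults!EMAILQUEUE noexec
LOCKER MYHOSTS = UNLOCKING
ME MYHOSTS = (EMAIL) EMAILQUEUED
"""
# alias keywords and the Defaults selector characters (:user !cmnd @host >runas)
KINDS = {"User_Alias": "user", "Host_Alias": "host", "Cmnd_Alias": "cmnd", "Runas_Alias": "runas"}
SEL = {":": "user", "!": "cmnd", "@": "host", ">": "runas"}

def expand(text):
    """Resolve aliases. Returns ([(user, host, runas, command), ...], problems)."""
    aliases = {k: {} for k in KINDS.values()}
    refs, rules = [], []            # (kind, name, where) references; raw rules
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        kw = line.split()[0]
        if kw in KINDS:             # e.g. Host_Alias MYHOSTS = mars, venus, etc
            name, _, body = line[len(kw):].partition("=")
            aliases[KINDS[kw]][name.strip()] = [m.strip() for m in body.split(",")]
        elif kw.startswith("Defaults") and len(kw) > 8:   # Defaults:ME / Defaults!X
            refs.append((SEL[kw[8]], kw[9:], "Defaults"))
        elif m := re.match(r"(\S+)\s+(\S+)\s*=\s*(?:\(([^)]*)\)\s*)?(.+)", line):
            rules.append(m.groups())    # user host = (runas) command

    def resolve(kind, token, default=None):
        if token is None:           # no (runas) given: sudoers defaults to root
            return [default]
        if token.isupper():         # alias names are upper-case by convention
            refs.append((kind, token, "rule"))
        return aliases[kind].get(token, [token])
    expanded = [(u, h, r, c) for user, host, runas, cmnd in rules
                for u in resolve("user", user) for h in resolve("host", host)
                for r in resolve("runas", runas, "root") for c in resolve("cmnd", cmnd)]
    problems = sorted({f"undefined {kind} alias {name} referenced in {where} line"
                       for kind, name, where in refs if name not in aliases[kind]})
    return expanded, problems
```

Running `expand(SAMPLE)` yields six expanded rows (one per host for each of the two rules) and a single problem naming the undefined EMAILQUEUE alias.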