sudo and NOPASSWD



sentry
17th May 2006, 06:51 PM
I'm trying to set up my sudo file to allow myself to run both yum and yumex. My entry looks like this...

user_a ALL= NOPASSWD: /usr/bin/yum, /usr/bin/yumex

Now yum runs fine without me needing to input a password, which is the behavior I'm looking for. yumex does not, it actually throws this error:

Xlib: connection to ":0.0" refused by server
Xlib: No protocol specified

Traceback (most recent call last):
File "/usr/share/yumex/yumexmain.py", line 24, in ?
import gtk
File "/usr/lib/python2.4/site-packages/gtk-2.0/gtk/__init__.py", line 45, in ?
from _gtk import *
RuntimeError: could not open display

Is this because sudo tries to send the GUI to a nonexistent root X session? If that is the case, how would I redirect it to the calling user?

Or is it just something else completely?

Any tips or feedback would be appreciated. I'm not really certain if my sudo file is set up correctly, I'm far from experienced at doing this.

giulix
18th May 2006, 09:27 AM
Are you running this from the system console in graphical mode?

sentry
18th May 2006, 02:45 PM
I'm running this in a gnome-terminal window inside an X session.

giulix
18th May 2006, 04:44 PM
You mean from a remote machine, right? Then you'll probably have to set the $DISPLAY environment variable accordingly and maybe fiddle a bit with xauth, I am not sure. It's been ages since I tried that the last time... :( Now I use vnc.

sentry
18th May 2006, 05:28 PM
Sorry, the machine is actually local to me, I'm in front of it right now. I'm logged into X as myself.

I think maybe it's just an error in the yumex code? Doesn't make much sense but it may be true.

sentry
18th May 2006, 09:18 PM
*bump*, anyone?

brunson
18th May 2006, 09:49 PM
Are you running in X? Is your DISPLAY variable set to :0? Can you run "xterm" from the prompt? If you just run "yumex" without the sudo, does it pop up a window prompting for the root password?

egurski
18th May 2006, 10:02 PM
I don't want to burst your bubble, but from a security standpoint, allowing any user to run as sudo without a password is a definite security breach!!!! This means if you leave your terminal unattended, and forget to lock it, someone can then take control of your machine and cause extensive damage.

Additionally, if you are logged on remotely, then it's even worse....

However, that said...
Have you tried running any other X-window application? Try running sudo xclock and see if that works.

If you log on remotely, I would use ssh -Y clientname (which will transfer the X-window to your machine)

Just my $0.02

brunson
18th May 2006, 10:14 PM
But then again, the question was: "how do i make this work", not "gee, what do you think of the security implications of doing this".

Everyone in my home (both me AND my wife) knows the root password to the laptop sitting on the coffee table. If someone breaks into my house and sits in front of that computer, I've got much bigger problems than them updating my firefox to the latest version. Not every computer is a server sitting on the internet open to attack from marauding hackers.

When someone asks for your opinion on security, feel free to jump in.

SHtRO
18th May 2006, 10:18 PM
Just to be clear, allowing "sudo" with no password is a limited security issue. It all depends on how and where you operate and what the user can run. That being said, allowing a user to run as sudo without a password is a security "hole", it is only a breach if security is circumvented, but using a password is not much of a problem and probably something you want to do if you are actually updating your system.

I also found that you need to "sudo yumex" in a straightforward fashion, don't use any fancy args to sudo which might change your environment or shell.

I recommend giving your user much wider access via password and debugging before tightening.

SHtRO
19th May 2006, 12:02 AM
Regarding the original problem, make certain you are running "sudo yumex" with no arguments to avoid resetting your environment.

Also, while I agree it is a security "hole" not a security "breach" it is a good idea to use a password if you are updating your computer. It only takes a second and you can make it the same password you'd use to login.

But yeah, I agree with brunson, security is very contextually dependent. After all if your computer is in a vault behind a firewall with no incoming traffic allowed you could probably just run it without a password at all and just use "sudo" for any admin...but that is another discussion... That's why those options exist.

sentry
19th May 2006, 01:45 PM
> I don't want to burst your bubble, but from a security standpoint, allowing any user to run as sudo without a password is a definite security breach!!!! This means if you leave your terminal unattended, and forget to lock it, someone can then take control of your machine and cause extensive damage.
>
> Additionally, if you are logged on remotely, then it's even worse....
>
> However, that said...
> Have you tried running any other X-window application? Try running sudo xclock and see if that works.
>
> If you log on remotely, I would use ssh -Y clientname (which will transfer the X-window to your machine)
>
> Just my $0.02

That's fine, I'm only allowing a user to run yum and yumex; look at my original post and you'll see. Xclock doesn't work nor does any other root required command.

This is just an experiment I'm doing because I'm building a machine for a 60-year-old who probably won't remember to update her machine. So I figure I'll include something in her .bash_profile to launch yumex automatically for her. Taken in this context I'm actually trying to do something that is counter-intuitive to most of us to improve her security by making sure things are patched. Running it without a password is strictly to reduce complexity and to keep things simple for her at first. This way I can gradually introduce her to *nix-isms without overwhelming her.

I wouldn't do this for my own machines, don't get me wrong.

sentry
19th May 2006, 01:50 PM
> Are you running in X? Is your DISPLAY variable set to :0? Can you run "xterm" from the prompt? If you just run "yumex" without the sudo, does it pop up a window prompting for the root password?

Display variable is set to :0:0 and yumex does pop up a password dialogue box. So I'm really baffled as to why sudo hoses it.

I think it may just be a bug, maybe I should report it to the devs.

sentry
19th May 2006, 01:54 PM
> Regarding the original problem, make certain you are running "sudo yumex" with no arguments to avoid resetting your environment.

Same error message unfortunately.

SHtRO
19th May 2006, 05:51 PM
SElinux enabled/disabled?

steve1961
19th May 2006, 05:55 PM
Try editing your sudoers file so that the relevant bit looks like this:

# User privilege specification
root ALL=(ALL) ALL
your_user_name ALL=(ALL) NOPASSWD: ALL

Update: I know this has security implications, but this works on my machine for yum. However, I've just tried to run sudo yumex and it doesn't work.
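The two rules posted in this thread differ in scope: one limits NOPASSWD to /usr/bin/yum and /usr/bin/yumex, the other grants every command. As an added example (not code from any poster), this shell function lists the NOPASSWD rules in sudoers text and marks those that grant ALL commands; the function name and the LIMITED/BROAD labels are assumptions, and it ignores line continuations, aliases and included files.

```shell
#!/bin/sh
# Added example: classify NOPASSWD rules read from stdin.
# Output format (one rule per line): VERDICT USER COMMAND-LIST

audit_nopasswd() {
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }    # skip comments and blank lines
    $1 == "Defaults"         { next }    # settings, not privilege rules
    /NOPASSWD:/ {
        user = $1
        cmds = $0
        sub(/.*NOPASSWD:[ \t]*/, "", cmds)   # keep only the command list
        n = split(cmds, c, /,/)
        verdict = "LIMITED"
        for (i = 1; i <= n; i++) {
            gsub(/^[ \t]+|[ \t]+$/, "", c[i])
            # A bare ALL in the command list removes the password
            # prompt for every command the user may run.
            if (c[i] == "ALL") verdict = "BROAD"
        }
        printf "%s %s %s\n", verdict, user, cmds
    }'
}

# Sample input built from the two rules quoted in this thread.
SAMPLE_SUDOERS='# User privilege specification
root ALL=(ALL) ALL
user_a ALL= NOPASSWD: /usr/bin/yum, /usr/bin/yumex
your_user_name ALL=(ALL) NOPASSWD: ALL'

printf '%s\n' "$SAMPLE_SUDOERS" | audit_nopasswd
```

To check a real system, run `audit_nopasswd < /etc/sudoers` as root.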

sentry
19th May 2006, 07:39 PM
> SElinux enabled/disabled?

My SElinux is Enabled.

SHtRO
19th May 2006, 07:46 PM
Does the problem happen with SElinux disabled? I do not have the problem mentioned, even when copying your config exactly (but for the username). Since software versions are the same, I suspect another security issue is involved.

After all if you can "sudo su -" and you can run apps, but "sudo appname" doesn't work there is something else in the way.

Unfortunately, I can't help any further as I do not have SElinux enabled in the lab.

sentry
19th May 2006, 08:00 PM
Strange but I disabled SElinux and rebooted but I tried to run sudo yumex and I received the same error.

Running yumex resulted in the standard password dialogue box popping up.

I don't know, I give up. I'm going to see if I can file it with the devs.

Thanks for the feedback from all who posted.

egurski
19th May 2006, 09:43 PM
> That's fine, I'm only allowing a user to run yum and yumex; look at my original post and you'll see. Xclock doesn't work nor does any other root required command.
>
> This is just an experiment I'm doing because I'm building a machine for a 60-year-old who probably won't remember to update her machine. So I figure I'll include something in her .bash_profile to launch yumex automatically for her. Taken in this context I'm actually trying to do something that is counter-intuitive to most of us to improve her security by making sure things are patched. Running it without a password is strictly to reduce complexity and to keep things simple for her at first. This way I can gradually introduce her to *nix-isms without overwhelming her.
>
> I wouldn't do this for my own machines, don't get me wrong.

Now that I see what you're trying to do, perhaps you should enable the nightly "Yum" update and enable "anacron".

Why? --- "Anacron" will run any scheduled jobs that were not run due to "Down time". Setting "Nightly Yum updates" enabled, will then be run by "anacron" when the user powers on their machine.

Now I know you're saying what if a new kernel is installed? Well, one of two things --- First, the next time they reboot the machine, they will get the new kernel. Secondly, if you're concerned about using the latest kernel, then you can add these to their profile:

rpm -qa | grep kernel | sort
uname -r

Of course, you can then add some code with a message to indicate that they should reboot their machine if a newer kernel exists.

This will give you the installed kernels as well as the currently running kernel.

All of this does not require "sudo", and is completely automatic.

This would be much easier for the user and better than "MS' Automatic Updates"
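One way to write the reboot reminder suggested in the post above, as an added example that is not egurski's code: it compares the newest installed kernel package with the running kernel from uname -r. The function names are assumptions, and it assumes GNU sort with -V and package names of the form kernel-<version>-<release>.

```shell
#!/bin/sh
# Added example: reboot reminder for a login profile. No sudo needed.
# Assumes GNU sort (-V) and package names like kernel-<version>-<release>.

# newest_kernel: read package names (one per line, as printed by
# `rpm -qa`) on stdin and print the highest kernel version-release.
newest_kernel() {
    # Match only the main kernel package, not kernel-devel or kernel-headers.
    grep -E '^kernel-[0-9]' | sed 's/^kernel-//' | sort -V | tail -n 1
}

# reboot_needed RUNNING: exit 0 when stdin lists a kernel newer than RUNNING.
reboot_needed() {
    running=$1
    newest=$(newest_kernel)
    [ -n "$newest" ] || return 1             # no kernel package listed
    [ "$newest" != "$running" ] || return 1  # already running the newest
    # Version sort, so 2.6.9 ranks below 2.6.16 (a plain sort gets this wrong).
    highest=$(printf '%s\n%s\n' "$newest" "$running" | sort -V | tail -n 1)
    [ "$highest" = "$newest" ]
}

# Live check; skipped on systems without rpm.
if command -v rpm >/dev/null 2>&1; then
    if rpm -qa | reboot_needed "$(uname -r)"; then
        echo "A newer kernel is installed. Please restart the computer."
    fi
fi
```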

SHtRO
19th May 2006, 09:51 PM
Nice solution!

sentry
19th May 2006, 10:04 PM
That is a perfect solution. Thanks :)

Edit: Do you think I should file this as a bug with the yumex people?