Hello,
how can I disable the password prompt when using "trizen -Syu"?
I have already set
myusername ALL=NOPASSWD:/usr/sbin/trizen -Syu
in my /etc/sudoers, but this doesn't change the behaviour of trizen.
Thanks!
Mod note: moving to AUR Issues
Try
myusername ALL=(ALL) NOPASSWD: /usr/bin/trizen -Syu
trizen is not and should not be the command invoking the password prompt. You'll have to add pacman.
Last edited by V1del (2020-10-21 07:29:35)
> Try
> myusername ALL=(ALL) NOPASSWD: /usr/bin/trizen -Syu
Thanks, but this didn't change the behaviour of trizen. It still wants the password.
> trizen is not and should not be the command invoking the password prompt. You'll have to add pacman.
I did that:
myusername ALL=(ALL) NOPASSWD:/usr/sbin/pacman -Syu
but it didn't help. Any further suggestions?
Edit: the above helps in a certain sense, because
sudo pacman -Syu
now runs without password.
Last edited by indianahorst (2020-10-24 09:15:27)
It won't run -Syu. From what I know, it will run a combination of -Sy (...show package list), -Su (...actual update) and -U (... what's actually of relevance here for the AUR part).
If you just want to test whether this works, just specify pacman. If you really care about disallowing passwordless removal, then you can think about the subcommands.
Last edited by V1del (2020-10-24 10:43:50)
> It won't run -Syu. From what I know, it will run a combination of -Sy (...show package list), -Su (...actual update) and -U (... what's actually of relevance here for the AUR part).
> If you just want to test whether this works, just specify pacman. If you really care about disallowing passwordless removal, then you can think about the subcommands.
I have now changed the entries in the sudoers file:
myusername ALL=(ALL) NOPASSWD:/usr/sbin/trizen
myusername ALL=(ALL) NOPASSWD:/usr/sbin/pacman
It didn't change the behaviour of trizen, it still wants the sudo password. Any further suggestions?
Is use_sudo configured in trizen's config file? Is autorepeat configured? It will use https://github.com/trizen/trizen/blob/m … rizen#L759 'sudo -v' during autorepeat, so that's what you will want in that case (... which would be a pretty horrifying idea, I might add).
Last edited by V1del (2020-10-28 08:33:43)
> Is use_sudo configured in trizen's config file? Is autorepeat configured? It will use https://github.com/trizen/trizen/blob/m … rizen#L759 'sudo -v' during autorepeat, so that's what you will want in that case (... which would be a pretty horrifying idea, I might add).
Yes, both are configured:
Snippet from .config/trizen/trizen.conf
sudo_autorepeat => 1, # bool -- Automatically repeat `sudo -v` in the background after a `sudo` command was first executed.
sudo_autorepeat_at_runtime => 1, # bool -- Execute `sudo -v` when `trizen` is first executed and apply the behavior of `sudo_autorepeat`.
sudo_autorepeat_interval => 36000, # int -- Interval, in seconds, after which `sudo -v` is executed in background (with `sudo_autorepeat`).
sudo_command => "/usr/bin/sudo", # str -- Command used when special permissions are required and `use_sudo` is set to 1.
sudo_remove_timestamp => 0, # bool -- Remove the cached sudo credentials before `makepkg` is executed (`sudo --remove-timestamp`).
syntax_highlighting => 0, # bool -- Syntax highlighting of the build files, using the `highlight` tool from [community].
syntax_highlighting_cmd => "/usr/bin/highlight -O ansi", # str -- The `highlight` command used in highlighting the syntax of the build files (with `syntax_highlighting`).
use_github_api => 1, # bool -- Check GitHub sources for updates using GitHub's API. (during `--devel --needed`)
use_gitlab_api => 1, # bool -- Check GitLab sources for updates using GitLab's API. (during `--devel --needed`)
use_sudo => 1, # bool -- Use the `sudo` command when special permissions are required.
Why do you think it is a horrific idea to update the system on my private computer without password?
Notwithstanding any other problems, giving access to pacman without a password is nearly the same as allowing unlimited sudo access, so you should really restrict that to -Syu; you especially should not allow -U (it leaves a door wide open to install anything).
Last edited by progandy (2020-10-28 23:18:40)
Disable the autorepeat. I'm talking about the sudo -v invocation that you'd configure to be passwordless, which you really shouldn't do.
Okay, I have set sudo_autorepeat to 0 and in the sudoers config I set
myuser ALL=(ALL) NOPASSWD:/usr/sbin/pacman -Sy -Su -U
But it doesn't work, trizen still wants the sudo password. Any further suggestions?
Do you think trizen is actually running the command:
pacman -Sy -Su -U
In sudoers,
myuser ALL=(ALL) NOPASSWD:/usr/sbin/pacman -Sy
myuser ALL=(ALL) NOPASSWD:/usr/sbin/pacman -S *
myuser ALL=(ALL) NOPASSWD:/usr/sbin/pacman -Su *
myuser ALL=(ALL) NOPASSWD:/usr/sbin/pacman -U *
Note that once you allow -U * you allow every form of vulnerable attack by installing random user provided malware packages.
Also, -S * is not remotely safe either. I helped design the CVE report against Manjaro's manjaro-system package for this. Once you allow vulnerable command injection to -S *, you're not limited to the names of packages in the repos, because you can also do:
pacman -S malicious-package --config /tmp/malicious.conf --logfile /dev/null
So really, if you want to allow anything other than -Syu with no other options, you cannot do it securely, at all, period, using sudoers.
You could do it by permitting
NOPASSWD:/usr/bin/pacman-wrapper *
and then implementing your choice of argument sanitization in your security wrapper.
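One way to write the security wrapper suggested in the last post, as an added example (not code from the thread, trizen or pacman). The policy is an assumption: `-Syu`, `-Sy` and `-Su` with no further arguments, `-S` with plain lowercase package names only, and everything else, including `-U` and every long option such as `--config`, refused. It would be paired with the `NOPASSWD:/usr/bin/pacman-wrapper *` rule from that post.

```shell
#!/bin/sh
# /usr/bin/pacman-wrapper (example): allowlist filter in front of pacman.
# Install it root-owned and not writable by the user (e.g. mode 0755),
# otherwise the NOPASSWD rule protects nothing.
LC_ALL=C; export LC_ALL   # make the a-z ranges below byte-exact

# A package name (assumed policy): only [a-z0-9@._+-], never starting with
# '-' or '.'. This rejects options (--config), paths (/tmp/x) and URLs.
valid_pkgname() {
    case "$1" in
        ''|-*|.*)          return 1 ;;
        *[!a-z0-9@._+-]*)  return 1 ;;
    esac
    return 0
}

# Return 0 only for command lines the assumed policy permits.
check_args() {
    [ "$#" -ge 1 ] || return 1
    op=$1; shift
    case "$op" in
        -Syu|-Sy|-Su)
            # Sync/upgrade: no further arguments at all.
            [ "$#" -eq 0 ] || return 1 ;;
        -S)
            # Install from the configured repos: one or more plain names.
            [ "$#" -ge 1 ] || return 1
            for pkg in "$@"; do
                valid_pkgname "$pkg" || return 1
            done ;;
        *)
            # -U, -R, long options, other flag combinations: refused.
            return 1 ;;
    esac
    return 0
}

# Entry point. With no arguments nothing is run.
if [ "$#" -gt 0 ]; then
    if ! check_args "$@"; then
        echo "pacman-wrapper: refused: $*" >&2
        exit 1
    fi
    exec /usr/bin/pacman "$@"
fi
```

Because `-U` is refused, the AUR install step of a helper such as trizen still prompts for a password under this policy.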