[SOLVED] Need help with sudoers

nLEyETn · 2008-10-03 21:20:33

I'm running the x86_64 version of Arch, and am using an i686 chroot to use Firefox. I've gotten that to work but now I'm trying to setup a launcher to automatically open up firefox inside a chroot. The command I use is:

$ sudo chroot /usr/local/arch32 su user -c /usr/bin/firefox

This works good except if my sudo has timed out, then a password is required when it runs . So I want to enable it to run without a password. I tried editing sudoers but it still doesn't work. Here's what I have so far:

root    ALL=(ALL) ALL
user    ALL=(ALL) NOPASSWD: /usr/sbin/chroot

%wheel  ALL=(ALL) ALL

I thought this would work, but I think the arguments that I pass to chroot cause it to fail, so I tried:

root    ALL=(ALL) ALL
user    ALL=(ALL) NOPASSWD: /usr/sbin/chroot *

%wheel  ALL=(ALL) ALL

That still didn't work, so I tried:

root    ALL=(ALL) ALL
user    ALL=(ALL) NOPASSWD: /usr/sbin/chroot /usr/local/arch32

%wheel  ALL=(ALL) ALL

Which I tried running with:

$ sudo chroot /usr/local/arch32

But that still didn't work. Can anybody please help me get it to work right.

Last edited by nLEyETn (2008-10-04 17:22:22)

BlackIkeEagle · 2008-10-03 23:18:22

just add

user    ALL=(ALL) NOPASSWD: /usr/sbin/chroot

this should just work fine

nLEyETn · 2008-10-03 23:31:59

That was the first one I tried, but it still asked for a password.

tonyisnt · 2008-10-04 01:41:41

Are you adding the actual word user, or your username? Do you perhaps mean %users, as in the group?

nLEyETn · 2008-10-04 05:35:11

No, I'm sorry for not specifying earlier but I am using my real login name in the sudoers file.

Profjim · 2008-10-04 06:19:24

I read up on this once but have forgotten most of it. Does it work if you issue the chroot command as /usr/sbin/chroot, instead of just chroot? That is, specify the whole command path both in the sudoers file and on the command line?

nLEyETn · 2008-10-04 16:40:05

Profjim wrote:

I read up on this once but have forgotten most of it. Does it work if you issue the chroot command as /usr/sbin/chroot, instead of just chroot? That is, specify the whole command path both in the sudoers file and on the command line?

No, it doesn't work that way either.

ralvez · 2008-10-04 16:58:15

This is the way I do it and it works fine, try it:

ralvez ALL=NOPASSWD:/usr/bin/pacman,/sbin/shutdown

You get the idea from the above code.

R.

nLEyETn · 2008-10-04 17:21:26

I seemed to have figured it out. It appears that if there is a conflict with permissions in sudoers, then it will apply the permissions which were defined lastly in the file. In this case I had:

root    ALL=(ALL) ALL
user    ALL=(ALL) NOPASSWD: /usr/sbin/chroot

%wheel  ALL=(ALL) ALL

This was first giving my user permission to execute chroot without a password, but then my user is also a member of the wheel group so it would continue on and give him access to launch any program, but while requiring a password. So It looks like the later permissions overwrite the earlier permissions. The way around it is to apply the most open ended permissions first, then follow them with the more direct ones. My new file works with this method:

%wheel  ALL=(ALL) ALL

root    ALL=(ALL) ALL
user    ALL=(ALL) NOPASSWD: /usr/sbin/chroot

Having group permissions override a user's seems counterintuitive to me, so I'd suggest to always define groups above users.

Arch Linux

#1 2008-10-03 21:20:33

[SOLVED] Need help with sudoers

#2 2008-10-03 23:18:22

Re: [SOLVED] Need help with sudoers

#3 2008-10-03 23:31:59

Re: [SOLVED] Need help with sudoers

#4 2008-10-04 01:41:41

Re: [SOLVED] Need help with sudoers

#5 2008-10-04 05:35:11

Re: [SOLVED] Need help with sudoers

#6 2008-10-04 06:19:24

Re: [SOLVED] Need help with sudoers

#7 2008-10-04 16:40:05

Re: [SOLVED] Need help with sudoers

#8 2008-10-04 16:58:15

Re: [SOLVED] Need help with sudoers

#9 2008-10-04 17:21:26

Re: [SOLVED] Need help with sudoers

Board footer