Make sudo work like UAC in Vista? :P

warnec · 2009-10-09 20:46:38

So what annoys me in Linux is the fact that typing a command with sudo requires me to type in the password, and then pressing Enter.

I don't want to disable it - I know you guys keep saying about the perils it brings (I don't buy that "security" stuff, since there are a few to none viruses on Linux - I am more convinced by the fact that I could execute something like 'sudo rm -rf' by accident.)

What I'd like to do, is to make it work like UAC in Vista (yeah, I know, crazy!) so that I get asked a question like "This command is going to be executed with administrator priviliges, are you sure you want to run it?" And "Y/n" prompt.

Y would result in running (without asking for passoword), and n would obviously result into not-executing

What do you think? Is it possible to achieve?

warnec · 2009-10-09 20:48:52

One thing bugs me, though - many scripts (I think some in AUR, too!) are written in such a way that they echo a sentence prompting the user for a password and then sending the user's input into the process run by the script (If you know what I mean).

Would such scripts still work?

quarkup · 2009-10-09 20:57:21

well u can use kdesu or gksu or gksudo or something like that (qt has one password dialog also)..

yes it would be cool. the nearest thing I have here is the "kwallet" which is the password manager.

anyway is insecure:

- if UAC asks you for no password it's because you are an administrator, and if you want a secure system, you should be not the "root" user, this way you need of a password

but hey, i believe u can do it simply..
use visudo to allow a program (which asks for permissions) to use sudo without password.

then just set up the system (aliases/symlinks/settings and everything) to use that program.
btw: the program should be run with "sudo <program>"

this way you don't need the pass because the program has passwordless access to super user permissions.

btw: nice idea. I would use that (but with password)..

if u find a program over the web post it here. so someone get a PKGBUILD or something

Last edited by quarkup (2009-10-09 20:59:48)

warnec · 2009-10-09 21:11:46

The thing is, it would be best to se it globally I don't want to think what command will I use in sudo. It is easy to make every sudo command work w/o pass in /etc/sudoers, but the thing I want is the prompt

BTW.: I know it's kinda radical, so I don't know if I'll ever use something like this. I just thought about it today. I've got another post here:

http://forum.kde.org/viewtopic.php?f=22&t=82791

Because the trick we're discussing here would only work in console, and disabling kdesu password prompt would require a different approach, I think.

Last edited by warnec (2009-10-09 21:12:01)

Ranguvar · 2009-10-09 21:17:05

This should be fairly trivial, but would require source code editing.

Seriously though, Microsoft fails here. If UAC is giving you messages with no password request, as quarkup said, you're running as Admin, which is unsecure for many reasons. The reason sudo asks you for the password is because on GNU/Linux, you don't run as the equivalent of a Windows admin, root, all the time. Instead, you use sudo to gain those privileges temporarily, and the reason why is apparent.ks you for the password is because on GNU/Linux, you don't run as the equivalent of a Windows admin, root, all the time. Instead, you use sudo to gain those privileges temporarily, and the reason why is apparent. Windows, rather, is letting you run as admin and then warning you when you do potentially dangerous things... suppose someone hacks your user account on Windows, aka your admin account, they then have full control. On GNU/Linux, they then must get your password to get to root-level access.

The best solution would be to increase the sudo timeout time, and possibly use a wallet system.

Last edited by Ranguvar (2009-10-09 21:17:27)

AngryKoala · 2009-10-09 21:38:34

Isn't any timelimit on sudo a vulnerability? Couldn't there just be a script that polls for a sudo usage and then rattle off a bunch of admin privileged commands? My timeout is 0, which means I have to type my password a lot, but I'm fast at it now =/

quarkup · 2009-10-09 22:49:15

well u don't really need to use "sudo <command>" (then a visudo configured user's password, you or another non-root user)

u can use "su -c <command>" (then the root's password)

basically that would be almost the same thing

xd-0 · 2009-10-10 06:22:24

* Edit the sudoers file so you can run all commands without being prompted for password.
* Then make a bash script that uses gmessage to ask if you want to run the action. no -> abort yes -> run the command.
* Overide the ordinary sudo command in your .bashrc so it points to the script. Should be something like this:

sudo() {
builtin sudo "$@"
}

Since it's a rather stupid thing to do, the rest is up to you.

fumbles · 2009-10-10 06:34:41

If you have used Vista, why don't you stick with it? I mean it's not that bad. Now before you grab your torches and pitchforks first let me unpack that. Linux aint Windows and Windows is not Linux. There are not designed for the same purpose, trying to make one like the other is just plain silly. If Windows suites your needs better then you should stick to it.

Otherwise:

#run (as root)  visudo 
#uncomment the line below
 %wheel ALL=(ALL) NOPASSWD: ALL

Then in .bashrc (or whatever)

sudo ()
{ 
      zenity --question
      if [ $? -eq 0 ] ; then
            sudo "$@"
     fi
}

Last edited by fumbles (2009-10-10 06:43:16)

eDio · 2009-10-10 07:57:20

Let me to ask question near the subject here.
Just wondering, how sudo w/o password can protect against viruses (intruders etc.)?
I don't understand, what prevents virus (intruder) from running "sudo <command>" with user's permissions and without password.
Can someone provide me a link or explain it in some words?

ngoonee · 2009-10-10 09:00:13

eDio wrote:

Let me to ask question near the subject here.
Just wondering, how sudo w/o password can protect against viruses (intruders etc.)?
I don't understand, what prevents virus (intruder) from running "sudo <command>" with user's permissions and without password.
Can someone provide me a link or explain it in some words?

It doesn't. Though a virus/malware/intruder would need to try sudo and see if it works, first. Most intruders would go directly for the root account, really, because it MUST exist, as opposed to sudo which doesn't have to exist on all systems.

warnec · 2009-10-10 13:01:11

As I said, making sudo without a password is not something I approve.

Well, but the idea to get a "Y/n" prompt is something new, so none of the existing malware files would be smart enough to try sudo and then know they have to give the "Y" answer

The idea here:

fumbles wrote:

#run (as root)  visudo 
#uncomment the line below
 %wheel ALL=(ALL) NOPASSWD: ALL

Then in .bashrc (or whatever)

sudo ()
{ 
      zenity --question
      if [ $? -eq 0 ] ; then
            sudo "$@"
     fi
}

Is nice, but it displays a GUI window. So It's a good idea when I want to make kdesu display dialog window for Yes/No,
but when I launch a program in Konsole I don't want to make it open up a GUI window. I'd prefer the prompt to be echoed in the CLI itself. Can it be done?

BTW.: zenity is GTK, right? Are there any KDE alternatives? I remember there was something like knotify in my opensuse 11.1 days. I can't find any package of that name in pacman, though...

andre.ramaciotti · 2009-10-10 13:50:03

Other alternative is run gksu (or kdesu) and check the box with 'Remember password'.

skottish · 2009-10-10 15:47:53

You can always change your root password to Y.

warnec · 2009-10-10 17:58:44

@up

rofl.

ezzetabi · 2009-10-10 18:17:26

alias sudo=' zenity --question --text "Are you sure you want to execute this program as root?" && sudo '

some-guy94 · 2009-10-10 18:28:27

warnec wrote:

BTW.: zenity is GTK, right? Are there any KDE alternatives? I remember there was something like knotify in my opensuse 11.1 days. I can't find any package of that name in pacman, though...

There is kdialog (and dialog for cli)

warnec · 2009-10-10 22:50:45

Right, so assuming I've got it set that way that kdesu uses su and sudo in CLI uses sudo, it would seem like possible to make correct entried in .bashrc to make sudo open the dialog cli prompt, and su kdialog gui prompt, right?

PS.: Dialog opens notifications in CLI, but these are big ugly boxes. I prefer plain text. I'd give a shot to what some other people suggest here and post some examples (scripts)

PPS.: How can I make bashrc differentiate between kdesu and sudo? If I set kdesu to use su, that's easy. But that way it won't follow /etc/sudoers file, so will still ask for password. And making it run sudo would make it impossible for the system to tell if it's a sudo command invoked by GUI or CLI right?

PPPS.: And please remember, if you want to help me, don't post the commands (like the zenity one I just tried) which will open a GUI window when I operate in CLI ok? Thanks!

Last edited by warnec (2009-10-10 23:02:26)

loafer · 2009-10-11 19:14:24

You could also consider using something other than sudo. I recommend super, which is available in the AUR. You can configure super to run scripts and applications as root (or another UID/GID) with or without a password. You can then set your scripts to prompt y/n before executing them.

warnec · 2009-10-11 20:09:16

Seems like something I could use, but I've honestly no idea how could I construct the rule in .bashrc to display y/n prompt for sudo command.... It's a newbie corner after all, I'm not a uber-hax0r yet

PS.: And how to construct a rule to display a GUI box when running kdesu. I can use something like "alias su='kdialog --prompt y/n'" but I don't know how the command kdesu uses works:

[warnec@chakra ~]$ LANG=C su kate
su: user kate does not exist
[warnec@chakra ~]$

Last edited by warnec (2009-10-11 20:09:46)

loafer · 2009-10-11 20:23:40

You said above that you did not want non cli commands and super does not use sudo at all. I have no idea how kate or any kde apps work. If you would like to try super install it from aur and send me an email if you get stuck.

Last edited by loafer (2009-10-11 20:29:10)

warnec · 2009-10-11 21:07:48

Maybe I didn't make it clear, or I made a mistake somewhere - what I want, is:

1) Launching 'sudo command' in CLI or Konsole or Yakuake or whatever brings up a small text asking "Are you sure to ivoke this command in administrator mode? [Y/n]"

2) Launching 'kdesu kate' or 'kdesu whatever' brings up a Kdialog GUI window asking "Are you sure to run this program in administrator mode?" And two buttons: Yes/No.

Y results in running in admin mode without asking for password, n results in (1)coming back to the command prompt (2)closing window.

Last edited by warnec (2009-10-11 21:09:25)

TheSaint · 2009-10-12 00:00:29

warnec wrote:

but when I launch a program in Konsole I don't want to make it open up a GUI window.

by dialog would be achievable.

warnec wrote:

I'd prefer the prompt to be echoed in the CLI itself. Can it be done?

In linux nothing is impossible, just to know a bit of bash scripting or higher level programming scripts.

warnec wrote:

BTW.: zenity is GTK, right? Are there any KDE alternatives? I remember there was something like knotify in my opensuse 11.1 days. I can't find any package of that name in pacman, though...

In KDE we have kdialog included hidenly . Just to try kdialog --help or look at this page. Also zenity<>kdialog conversion available on demand

warnec wrote:

Y results in running in admin mode without asking for password, n results in (1)coming back to the command prompt (2)closing window

The environment variable TERM is the answer. If you try kdialog --msgbox "This is $TERM" either in console or ALT+F2 and input the command there, you'll get the answer

F

Last edited by TheSaint (2009-10-12 00:26:23)

some-guy94 · 2009-10-12 00:38:51

warnec wrote:

Maybe I didn't make it clear, or I made a mistake somewhere - what I want, is:
1) Launching 'sudo command' in CLI or Konsole or Yakuake or whatever brings up a small text asking "Are you sure to ivoke this command in administrator mode? [Y/n]"

Add this to ~/.bashrc (or some file in /etc/profile.d)

uac_sudo()
{
local answer
read -p "Are you sure to invoke this command in administrator mode? [Y/n] " answer
case $(echo $answer | tr [:upper:] [:lower:]) in
    n|no)
        return
        ;;
    *)
        /usr/bin/sudo $@
        ;;
esac
}

alias sudo="uac_sudo"

warnec wrote:

2) Launching 'kdesu kate' or 'kdesu whatever' brings up a Kdialog GUI window asking "Are you sure to run this program in administrator mode?" And two buttons: Yes/No.
Y results in running in admin mode without asking for password, n results in (1)coming back to the command prompt (2)closing window.

Do something similar to above using kdialog and give it a different name

Last edited by some-guy94 (2009-10-12 00:39:33)

warnec · 2009-10-12 05:43:19

@ up

great thanks, but in this case you were able to give the command an alias:

alias sudo="uac_sudo"

And I don't know how the command for kdesu should work. Maybe

alias kdesu="uac_kdesu"

xD?
So something like this?:

uac_kdesu()
{
kdialog --yesno "Are you sure to run this program in administrator mode?"

What's next? You are able to read an answer from user's console input, and how is kdialog supposed to work to do that? I can't script man Help me, please

Arch Linux

#1 2009-10-09 20:46:38

Make sudo work like UAC in Vista? :P

#2 2009-10-09 20:48:52

Re: Make sudo work like UAC in Vista? :P

#3 2009-10-09 20:57:21

Re: Make sudo work like UAC in Vista? :P

#4 2009-10-09 21:11:46

Re: Make sudo work like UAC in Vista? :P

#5 2009-10-09 21:17:05

Re: Make sudo work like UAC in Vista? :P

#6 2009-10-09 21:38:34

Re: Make sudo work like UAC in Vista? :P

#7 2009-10-09 22:49:15

Re: Make sudo work like UAC in Vista? :P

#8 2009-10-10 06:22:24

Re: Make sudo work like UAC in Vista? :P

#9 2009-10-10 06:34:41

Re: Make sudo work like UAC in Vista? :P

#10 2009-10-10 07:57:20

Re: Make sudo work like UAC in Vista? :P

#11 2009-10-10 09:00:13

Re: Make sudo work like UAC in Vista? :P

#12 2009-10-10 13:01:11

Re: Make sudo work like UAC in Vista? :P

#13 2009-10-10 13:50:03

Re: Make sudo work like UAC in Vista? :P

#14 2009-10-10 15:47:53

Re: Make sudo work like UAC in Vista? :P

#15 2009-10-10 17:58:44

Re: Make sudo work like UAC in Vista? :P

#16 2009-10-10 18:17:26

Re: Make sudo work like UAC in Vista? :P

#17 2009-10-10 18:28:27

Re: Make sudo work like UAC in Vista? :P

#18 2009-10-10 22:50:45

Re: Make sudo work like UAC in Vista? :P

#19 2009-10-11 19:14:24

Re: Make sudo work like UAC in Vista? :P

#20 2009-10-11 20:09:16

Re: Make sudo work like UAC in Vista? :P

#21 2009-10-11 20:23:40

Re: Make sudo work like UAC in Vista? :P

#22 2009-10-11 21:07:48

Re: Make sudo work like UAC in Vista? :P

#23 2009-10-12 00:00:29

Re: Make sudo work like UAC in Vista? :P

#24 2009-10-12 00:38:51

Re: Make sudo work like UAC in Vista? :P

#25 2009-10-12 05:43:19

Re: Make sudo work like UAC in Vista? :P

Board footer