#1 2019-02-12 01:44:01

Gotit
Member
From: New England, USA
Registered: 2017-04-27
Posts: 70

[Solved] Help with sudoers.d

Hi - I need help getting a file in /etc/sudoers.d to execute a script to mount a network drive without having to enter the sudo password.
I've created the file using visudo -f and saved it as

01-network_drive

that contains

 myusername ALL=(ALL) NOPASSWD: /path/to/script/mount_script.sh

I've chowned it to root:root.
I've chmod'ed it to 0440.
But it won't execute the script to mount a network drive.

When I execute the script via terminal as my user I get

mount: only root can use "--options" option

If I execute the script via terminal with sudo the drive mounts as expected. So, I know the script is good.

What am I missing??

Last edited by Gotit (2019-02-15 22:59:53)


#2 2019-02-12 08:01:20

seth
Member
Registered: 2012-09-03
Posts: 49,959

Re: [Solved]Help with sudoers.d

Gotit wrote:

When I execute the script via terminal as my user I get

mount: only root can use "--options" option

If I execute the script via terminal with sudo the drive mounts as expected

Yeah, because that's how sudo works.
You can use sudoers to spare the authentication (password), but you will still have to run "sudo /path/to/script/script_name.sh"; "/path/to/script/script_name.sh" on its own will still run the script as your UID, no matter what you add to sudoers.


#3 2019-02-12 09:28:12

Mr.Elendig
#archlinux@freenode channel op
From: The intertubes
Registered: 2004-11-07
Posts: 4,092

Re: [Solved]Help with sudoers.d

Edit the script so that it calls sudo as needed instead.


#4 2019-02-12 09:37:51

WorMzy
Forum Moderator
From: Scotland
Registered: 2010-06-16
Posts: 11,783

Re: [Solved]Help with sudoers.d

If you edit the script to use sudo, you will need to rewrite your sudoers.d rule to cover the commands that are actually called by sudo.


#5 2019-02-12 13:52:03

Gotit
Member
From: New England, USA
Registered: 2017-04-27
Posts: 70

Re: [Solved]Help with sudoers.d

@Seth
I get that's how sudo works for a standard script. However, I understand that adding the file in sudoers.d gives my user privilege to run the script as sudo w/o password. Right?

Or, do I still need to add sudo within the script?

Last edited by Gotit (2019-02-12 13:55:20)


#6 2019-02-12 13:56:45

seth
Member
Registered: 2012-09-03
Posts: 49,959

Re: [Solved]Help with sudoers.d

foo.sh
foo must be run as root

w/o sudoers

sudo foo.sh
[sudo] password for user: ***********
foo is bar. bar is foo. fubar.

w/ sudoers

sudo foo.sh
foo is bar. bar is foo. fubar.

Edit: you do not need sudo in the script, but you have to sudo the script.
PPS: also post the script, it's possible that it drops privs before calling mount

Last edited by seth (2019-02-12 13:58:24)


#7 2019-02-12 14:09:45

Gotit
Member
From: New England, USA
Registered: 2017-04-27
Posts: 70

Re: [Solved]Help with sudoers.d

Will do later today when I'm back at the machine.

Here's the script:

#!/bin/sh

# Check to ensure connected to the home network and if so,
# then mount the network drives
SSID=$(iwgetid -r)

# [[ ]] is a bash extension; the POSIX test works under any /bin/sh
if [ "$SSID" = My_Network ]
then
	mount -t cifs -o guest,vers=1.0,iocharset=utf8,sec=ntlm //192.168.1.1/netdrive/Media /mnt/Netdrive-Media
	mount -t cifs -o guest,vers=1.0,iocharset=utf8,sec=ntlm //192.168.1.1/netdrive/Files /mnt/Netdrive-Files
fi

I tried adding sudo in front of the mount commands and

./mount_script.sh

and

sudo ./mount_script.sh

but neither works. Both commands asked me for the sudo password.

Seems like sudoers is reading sudoers.d just fine, so I should have permissions.

$ sudo -l
User gotit may run the following commands:
    (ALL) NOPASSWD: /home/gotit/Scripts/mount_script.sh
    (ALL) ALL

Figured it out... had to

chown root:root mount_script.sh

now if I execute it as my_user with

./mount_script.sh

it works.
Thanks for the assist!

Last edited by Gotit (2019-02-12 20:35:39)


#8 2019-02-12 20:28:38

eschwartz
Fellow
Registered: 2014-08-08
Posts: 4,097

Re: [Solved]Help with sudoers.d

#!/bin/bash

if (( EUID != 0 )); then
    exec sudo -- "${BASH_SOURCE[0]}" "$@"
fi

If the script is run without root privileges, it will re-execute itself using sudo.

Gotit wrote:

I tried adding sudo in front of the mount commands and

./mount_script.sh

and

sudo ./mount_script.sh

but neither works. Both commands asked me for the sudo password.

Seems like sudoers is reading sudoers.d just fine, so I should have permissions.

$ sudo -l
User gotit may run the following commands:
    (ALL) NOPASSWD: /home/gotit/Scripts/mount_script.sh
    (ALL) ALL

You're trying to run "./mount_script.sh", but sudo does not allow you to run scripts in the $PWD using relative paths without a password; it only allows you to execute it specifically using the path /home/gotit/Scripts/mount_script.sh. Apparently not, unless you use fast_glob.

Regardless, this sudo rule means anyone who has write permissions for the script can edit it, run it as root, and do whatever they want. So it is effectively the same as just allowing all programs to run with NOPASSWD.

If you want to use NOPASSWD scripts, please only do it for scripts which are stored in /usr/local/bin, owned by root.

Last edited by eschwartz (2019-02-12 22:37:57)
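As an added example (not code from the thread or from any of its posters), here is a small POSIX shell audit of the point eschwartz makes above: it pulls the command paths out of NOPASSWD rules and checks the file attributes that decide whether such a rule is really "NOPASSWD: ALL" in disguise. It goes one step beyond the post by also checking the parent directory, because a root-owned, 0440 script sitting in a user-owned ~/Scripts can still be removed and replaced by that user (unlinking needs write access to the directory, not the file). The rule lines and the uid/mode values fed to assess_target are constructed for illustration; audit_target looks real files up with GNU stat.

```shell
#!/bin/sh
# Added example, not from the thread: audit the command targets of
# NOPASSWD sudoers rules. A target that a non-root user can modify, or
# replace because the parent directory is theirs, turns
# "NOPASSWD: /that/script" into "NOPASSWD: ALL".
# The sample rules and attributes below are constructed for illustration.

# Print the command paths granted NOPASSWD by one sudoers rule line,
# one per line. Handles "user ALL=(ALL) NOPASSWD: /a, /b" and "NOPASSWD:/a".
nopasswd_targets() {
    line=$1
    case $line in
        *NOPASSWD:*) ;;
        *) return 0 ;;
    esac
    cmds=${line#*NOPASSWD:}
    set -f                      # sudoers lines may carry wildcards; no globbing
    oldifs=$IFS
    IFS=','                     # split the command list on commas
    set -- $cmds
    IFS=$oldifs
    for entry in "$@"; do
        set -- $entry           # first word is the path, the rest are arguments
        [ -n "${1:-}" ] && printf '%s\n' "$1"
    done
    set +f
    return 0
}

# Return 0 if an octal mode string (e.g. 440, 0755, 4755) grants write to
# group or other; the write bit is 2, so digits 2, 3, 6 and 7 carry it.
writable_by_group_or_other() {
    mode=$1
    tail=${mode#"${mode%??}"}   # last two octal digits: group, other
    case $tail in
        [2367]?|?[2367]) return 0 ;;
    esac
    return 1
}

# Judge one target from its attributes:
#   path owner_uid octal_mode parent_owner_uid parent_octal_mode
# Prints one finding per line; returns 0 when clean, 1 otherwise.
assess_target() {
    path=$1 uid=$2 mode=$3 duid=$4 dmode=$5 rc=0
    case $path in
        /*) ;;
        *) echo "$path: not an absolute path"; rc=1 ;;
    esac
    if [ "$uid" -ne 0 ]; then
        echo "$path: owned by uid $uid, not root"; rc=1
    fi
    if writable_by_group_or_other "$mode"; then
        echo "$path: group- or world-writable (mode $mode)"; rc=1
    fi
    # Unlinking needs write access to the directory, not the file, so a
    # root-owned script inside a user-owned directory can still be swapped.
    if [ "$duid" -ne 0 ]; then
        echo "$path: parent directory owned by uid $duid, file can be replaced"; rc=1
    fi
    if writable_by_group_or_other "$dmode"; then
        echo "$path: parent directory group- or world-writable (mode $dmode)"; rc=1
    fi
    return $rc
}

# Look a target up on the live filesystem (GNU stat) and assess it.
audit_target() {
    path=$1
    [ -e "$path" ] || { echo "$path: does not exist"; return 1; }
    dir=$(dirname -- "$path")
    assess_target "$path" "$(stat -c %u -- "$path")" "$(stat -c %a -- "$path")" \
        "$(stat -c %u -- "$dir")" "$(stat -c %a -- "$dir")"
}

# Audit every NOPASSWD target in the sudoers text given on stdin.
# Comment and #includedir lines are skipped; paths with spaces are not handled.
audit_sudoers() {
    rc=0
    while IFS= read -r line; do
        case $line in '#'*|'') continue ;; esac
        for t in $(nopasswd_targets "$line"); do
            audit_target "$t" || rc=1
        done
    done
    return $rc
}

# Constructed demonstration: the rule from this thread, with the attributes a
# script has after "chown root:root; chmod 0440" inside a user-owned ~/Scripts.
assess_target /home/gotit/Scripts/mount_script.sh 0 440 1000 755 \
    || echo "rule is not safe: see findings above"
```

To check a real drop-in, source the file and run `audit_sudoers < /etc/sudoers.d/01-network_drive`. For the rule in this thread the only placement that comes back clean is the one eschwartz suggests: the script in a root-owned directory such as /usr/local/bin, itself owned by root and not group- or world-writable.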

#9 2019-02-12 21:06:32

Gotit
Member
From: New England, USA
Registered: 2017-04-27
Posts: 70

Re: [Solved]Help with sudoers.d

@eschwartz
Seems I spoke too soon.  It only worked because my sudo permission hadn't timed out from a previous command.

I understand your concern.  Last time I did this (3+yrs ago) I created a directory inside my Scripts directory and that was owned by root and could only be viewed by root. I'm trying to get this script working before locking it down.  I like to keep it in my home directory so I don't lose it if I need to re-install.

Since my ultimate goal is to call the script via "startup programs" at log-in and auto-mount some network directories, perhaps I should test it by logging out/in so the actual path is followed as you noted below.

I'll update on how it goes.

Well I still can't get the directories to auto-mount :(

Last edited by Gotit (2019-02-12 21:10:44)


#10 2019-02-12 22:08:40

seth
Member
Registered: 2012-09-03
Posts: 49,959

Re: [Solved]Help with sudoers.d

a) add the mounts to fstab, use the "noauto,x-systemd.automount" options. You'll get them mounted when you try to access the path.
b) several things seem to have changed?

Please post your entire sudoers (some of eschwartz's assertions are not necessarily correct, but otoh, you can also configure sudo *much* stricter), "stat /home/gotit/Scripts/mount_script.sh" and the behavior for "sudo /home/gotit/Scripts/mount_script.sh".


#11 2019-02-12 23:25:11

Gotit
Member
From: New England, USA
Registered: 2017-04-27
Posts: 70

Re: [Solved]Help with sudoers.d

Thanks again for the continued assist.
Frustrating thing is, I've done this before (with struggles then too) and once it works it's a "ta-da" moment.  Maybe more of a "duh" moment ;)

Anyway here's sudo

## sudoers file.
##
## This file MUST be edited with the 'visudo' command as root.
## Failure to use 'visudo' may result in syntax or file permission errors
## that prevent sudo from running.
##
## See the sudoers man page for the details on how to write a sudoers file.
##

##
## Host alias specification
##
## Groups of machines. These may include host names (optionally with wildcards),
## IP addresses, network numbers or netgroups.
# Host_Alias	WEBSERVERS = www1, www2, www3

##
## User alias specification
##

## Groups of users.  These may consist of user names, uids, Unix groups,
## or netgroups.
# User_Alias	ADMINS = millert, dowdy, mikef

##
## Cmnd alias specification
##
## Groups of commands.  Often used to group related commands together.
# Cmnd_Alias	PROCESSES = /usr/bin/nice, /bin/kill, /usr/bin/renice, \
# 			    /usr/bin/pkill, /usr/bin/top
# Cmnd_Alias	REBOOT = /sbin/halt, /sbin/reboot, /sbin/poweroff

##
## Defaults specification
##
## You may wish to keep some of the following environment variables
## when running commands via sudo.
##
## Locale settings
# Defaults env_keep += "LANG LANGUAGE LINGUAS LC_* _XKB_CHARSET"
##
## Run X applications through sudo; HOME is used to find the
## .Xauthority file.  Note that other programs use HOME to find   
## configuration files and this may lead to privilege escalation!
# Defaults env_keep += "HOME"
##
## X11 resource path settings
# Defaults env_keep += "XAPPLRESDIR XFILESEARCHPATH XUSERFILESEARCHPATH"
##
## Desktop path settings
# Defaults env_keep += "QTDIR KDEDIR"
##
## Allow sudo-run commands to inherit the callers' ConsoleKit session
# Defaults env_keep += "XDG_SESSION_COOKIE"
##
## Uncomment to enable special input methods.  Care should be taken as
## this may allow users to subvert the command being run via sudo.
# Defaults env_keep += "XMODIFIERS GTK_IM_MODULE QT_IM_MODULE QT_IM_SWITCHER"
##
## Uncomment to use a hard-coded PATH instead of the user's to find commands
# Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
##
## Uncomment to send mail if the user does not enter the correct password.
# Defaults mail_badpass
##
## Uncomment to enable logging of a command's output, except for
## sudoreplay and reboot.  Use sudoreplay to play back logged sessions.
# Defaults log_output
# Defaults!/usr/bin/sudoreplay !log_output
# Defaults!/usr/local/bin/sudoreplay !log_output
# Defaults!REBOOT !log_output

##
## Runas alias specification
##

##
## User privilege specification
##
root ALL=(ALL) ALL

## Uncomment to allow members of group wheel to execute any command
# %wheel ALL=(ALL) ALL

## Same thing without a password
# %wheel ALL=(ALL) NOPASSWD: ALL

## Uncomment to allow members of group sudo to execute any command
# %sudo	ALL=(ALL) ALL



## Uncomment to allow any user to run sudo if they know the password
## of the user they are running the command as (root by default).
# Defaults targetpw  # Ask for the password of the target user
# ALL ALL=(ALL) ALL  # WARNING: only use this together with 'Defaults targetpw'

## Read drop-in files from /etc/sudoers.d
## (the '#' here does not indicate a comment)
#includedir /etc/sudoers.d

And the outcome of these 3 commands

$ sudo -l
User gotit may run the following commands:
    (ALL) NOPASSWD: /home/gotit/Scripts/mount_network_drive.sh
    (ALL) ALL

$  /home/gotit/Scripts/mount_network_drive.sh
[sudo] password for gotit:

$ sudo /home/gotit/Scripts/mount_network_drive.sh
[sudo] password for gotit: 

Perhaps your recommendation of placing it in fstab is better.  I have it in fstab working, commented out, but thought it "better" to check at log-on, and if in my home network, then mount the folders.

sudoers.d is supposed to make life easier and less error prone than editing sudoers directly.  So I'm following the "easy path".

I thought I just needed to drop a file in sudoers.d with the "gotit ALL ALL" settings and path and when called by my user (gotit), it should execute without asking for a password.  I certainly lost the recipe somewhere...

Last edited by Gotit (2019-02-12 23:58:30)


#12 2019-02-13 08:33:34

seth
Member
Registered: 2012-09-03
Posts: 49,959

Re: [Solved]Help with sudoers.d

Gotit wrote:

$  /home/gotit/Scripts/mount_network_drive.sh
[sudo] password for gotit:

This cannot be caused by the script in post #7.
According to post #8, something seems to change back and forth w/ that script, and we don't know the actual parameters to the sudo call asking for the password.
Please post /home/gotit/Scripts/mount_network_drive.sh as it is, resp. was at the time this happened.


#13 2019-02-13 13:49:04

Gotit
Member
From: New England, USA
Registered: 2017-04-27
Posts: 70

Re: [Solved]Help with sudoers.d

Will post later today when I'm at that machine.
However, I did a test with much simpler scripts and found (with vague memories) that it basically works by indirectly calling the script noted in sudoers.d, i.e. with another script.
Will post more when I re-test later today.

-----------------------------
OK, figured it out. I cannot call the script directly to execute its sudo command as noted above.  Here's how it works for me:

Create a script containing a sudo command

foo1.sh
sudo bar

Add a file to sudoers.d with permissions and path to foo1.sh

fooing
user_name ALL=(ALL) NOPASSWD:/path/to/foo1.sh

Create a "calling" script to have sudo execute foo1.sh

foo2.sh
sudo /path/to/foo1.sh

foo1 executes "bar" without requesting user_name's sudo password

I assume it works this way for security reasons.  So, place foo1.sh in a location owned and viewable only by root.  That way, no one other than root can see what the script does, or modify it to do anything other than "bar".

Last edited by Gotit (2019-02-14 00:28:43)
