
#1 2020-10-20 17:17:10

indianahorst
Member
Registered: 2008-08-23
Posts: 127

Disable password for trizen

Hello,

how can I disable the password prompt when using "trizen -Syu"?

I have already set

myusername ALL=NOPASSWD:/usr/sbin/trizen -Syu

in my /etc/sudoers, but this doesn't change the behaviour of trizen.

Thanks!

Offline

#2 2020-10-20 17:26:52

WorMzy
Forum Moderator
From: Scotland
Registered: 2010-06-16
Posts: 11,787
Website

Re: Disable password for trizen

Mod note: moving to AUR Issues


Sakura:-
Mobo: MSI MAG X570S TORPEDO MAX // Processor: AMD Ryzen 9 5950X @4.9GHz // GFX: AMD Radeon RX 5700 XT // RAM: 32GB (4x 8GB) Corsair DDR4 (@ 3000MHz) // Storage: 1x 3TB HDD, 6x 1TB SSD, 2x 120GB SSD, 1x 275GB M2 SSD

Making lemonade from lemons since 2015.

Offline

#3 2020-10-20 22:50:23

Stefan Husmann
Member
From: Germany
Registered: 2007-08-07
Posts: 1,391

Re: Disable password for trizen

Try

myusername ALL=(ALL) NOPASSWD: /usr/bin/trizen -Syu

Offline

#4 2020-10-21 07:28:00

V1del
Forum Moderator
Registered: 2012-10-16
Posts: 21,427

Re: Disable password for trizen

trizen is not and should not be the command invoking the password prompt. You'll have to add pacman.

Last edited by V1del (2020-10-21 07:29:35)

Offline

#5 2020-10-24 09:11:48

indianahorst
Member
Registered: 2008-08-23
Posts: 127

Re: Disable password for trizen

Stefan Husmann wrote:

Try

myusername ALL=(ALL) NOPASSWD: /usr/bin/trizen -Syu

Thanks, but this didn't change the behaviour of trizen. It still wants the password.

Offline

#6 2020-10-24 09:13:29

indianahorst
Member
Registered: 2008-08-23
Posts: 127

Re: Disable password for trizen

V1del wrote:

trizen is not and should not be the command invoking the password prompt. You'll have to add pacman.


I did that:

myusername ALL=(ALL) NOPASSWD:/usr/sbin/pacman -Syu

but it didn't help. Any further suggestions?

Edit: the above helps in a certain sense, because

sudo pacman -Syu

now runs without password.

Last edited by indianahorst (2020-10-24 09:15:27)

Offline

#7 2020-10-24 10:40:49

V1del
Forum Moderator
Registered: 2012-10-16
Posts: 21,427

Re: Disable password for trizen

It won't run -Syu; from what I know, it will run a combination of -Sy (...show package list), -Su (...actual update) and -U (... what's actually of relevance here for the AUR part).

If you just want to test whether this works, just specify pacman. If you really care about disallowing passwordless removal, then you can think about the subcommands.

Last edited by V1del (2020-10-24 10:43:50)

Offline

#8 2020-10-27 21:48:16

indianahorst
Member
Registered: 2008-08-23
Posts: 127

Re: Disable password for trizen

V1del wrote:

It won't run -Syu; from what I know, it will run a combination of -Sy (...show package list), -Su (...actual update) and -U (... what's actually of relevance here for the AUR part).

If you just want to test whether this works, just specify pacman. If you really care about disallowing passwordless removal, then you can think about the subcommands.

I have now changed the entries in the sudoers file:

myusername ALL=(ALL) NOPASSWD:/usr/sbin/trizen
myusername ALL=(ALL) NOPASSWD:/usr/sbin/pacman

It didn't change the behaviour of trizen, it still wants the sudo password. Any further suggestions?

Offline

#9 2020-10-28 08:32:44

V1del
Forum Moderator
Registered: 2012-10-16
Posts: 21,427

Re: Disable password for trizen

Is use_sudo configured in trizen's config file? Is autorepeat configured? It will use https://github.com/trizen/trizen/blob/m … rizen#L759 'sudo -v' during autorepeat, so that's what you will want in that case (... which would be a pretty horrifying idea, I might add).

Last edited by V1del (2020-10-28 08:33:43)

Offline

#10 2020-10-28 22:55:34

indianahorst
Member
Registered: 2008-08-23
Posts: 127

Re: Disable password for trizen

V1del wrote:

Is use_sudo configured in trizen's config file? Is autorepeat configured? It will use https://github.com/trizen/trizen/blob/m … rizen#L759 'sudo -v' during autorepeat, so that's what you will want in that case (... which would be a pretty horrifying idea, I might add).

Yes, both are configured:

Snippet from .config/trizen/trizen.conf

  sudo_autorepeat            => 1,                               # bool -- Automatically repeat `sudo -v` in the background after a `sudo` command was first executed.
  sudo_autorepeat_at_runtime => 1,                               # bool -- Execute `sudo -v` when `trizen` is first executed and apply the behavior of `sudo_autorepeat`.
  sudo_autorepeat_interval   => 36000,                           #  int -- Interval, in seconds, after which `sudo -v` is executed in background (with `sudo_autorepeat`).
  sudo_command               => "/usr/bin/sudo",                 #  str -- Command used when special permissions are required and `use_sudo` is set to 1.
  sudo_remove_timestamp      => 0,                               # bool -- Remove the cached sudo credentials before `makepkg` is executed (`sudo --remove-timestamp`).
  syntax_highlighting        => 0,                               # bool -- Syntax highlighting of the build files, using the `highlight` tool from [community].
  syntax_highlighting_cmd    => "/usr/bin/highlight -O ansi",    #  str -- The `highlight` command used in highlighting the syntax of the build files (with `syntax_highlighting`).
  use_github_api             => 1,                               # bool -- Check GitHub sources for updates using GitHub's API. (during `--devel --needed`)
  use_gitlab_api             => 1,                               # bool -- Check GitLab sources for updates using GitLab's API. (during `--devel --needed`)
  use_sudo                   => 1,                               # bool -- Use the `sudo` command when special permissions are required.

Why do you think it is a horrific idea to update the system on my private computer without password?

Offline

#11 2020-10-28 23:09:53

progandy
Member
Registered: 2012-05-17
Posts: 5,184

Re: Disable password for trizen

Notwithstanding any other problems, giving access to pacman without a password is nearly the same as allowing unlimited sudo access, so you should really restrict that to -Syu; you especially should not allow -U (it leaves a door wide open to install anything).

Last edited by progandy (2020-10-28 23:18:40)


| alias CUTF='LANG=en_XX.UTF-8@POSIX ' |

Offline

#12 2020-10-28 23:48:11

V1del
Forum Moderator
Registered: 2012-10-16
Posts: 21,427

Re: Disable password for trizen

Disable the autorepeat. I'm talking about the sudo -v invocation that you'd configure to be passwordless, which you really shouldn't do.

Offline

#13 2020-11-11 22:52:27

indianahorst
Member
Registered: 2008-08-23
Posts: 127

Re: Disable password for trizen

Okay, I have set sudo_autorepeat to 0 and in the sudoers config I set

myuser ALL=(ALL) NOPASSWD:/usr/sbin/pacman -Sy -Su -U

But it doesn't work, trizen still wants the sudo password. Any further suggestions?

Offline

#14 2020-11-12 22:47:23

eschwartz
Fellow
Registered: 2014-08-08
Posts: 4,097

Re: Disable password for trizen

Do you think trizen is actually running the command:

pacman -Sy -Su -U

In sudoers,

myuser ALL=(ALL) NOPASSWD:/usr/sbin/pacman -Sy
myuser ALL=(ALL) NOPASSWD:/usr/sbin/pacman -S *
myuser ALL=(ALL) NOPASSWD:/usr/sbin/pacman -Su *
myuser ALL=(ALL) NOPASSWD:/usr/sbin/pacman -U *

Note that once you allow -U * you allow every form of vulnerable attack by installing random user provided malware packages.

Also, -S * is not remotely safe either. I helped design the CVE report against Manjaro's manjaro-system package for this. Once you allow vulnerable command injection to -S *, you're not limited to the names of packages in the repos, because you can also do:

pacman -S malicious-package --config /tmp/malicious.conf --logfile /dev/null

So really, if you want to allow anything other than -Syu with no other options, you cannot do it securely, at all, period, using sudoers.

You could do it by permitting

NOPASSWD:/usr/bin/pacman-wrapper *

and then implementing your choice of argument sanitization in your security wrapper.


Managing AUR repos The Right Way -- aurpublish (now a standalone tool)

Offline
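
A sketch of the argument-sanitizing wrapper suggested in post #14, added here as an example; it is not code from the thread, from trizen or from pacman. The path /usr/bin/pacman-wrapper comes from the sudoers line above, while the function names and the allowlist (sync operations with no extra arguments, -S with plain lowercase package names only, -U refused) are assumptions.

```shell
#!/bin/sh
# Hypothetical /usr/bin/pacman-wrapper (path from the sudoers line in the thread).
# Assumption: installed root-owned and not writable by the calling user.
LC_ALL=C; export LC_ALL            # make the a-z range below byte-exact

# Return 0 only for argument vectors on the allowlist (the allowlist itself
# is an assumption of this example); everything else is refused.
pacman_args_allowed() {
    [ "$#" -ge 1 ] || return 1
    op=$1
    shift
    case $op in
        -Sy|-Su|-Syu)
            # Sync operations: the operation flag and nothing else.
            [ "$#" -eq 0 ] && return 0
            return 1
            ;;
        -S)
            # Explicit install: one or more plain package names.
            [ "$#" -ge 1 ] || return 1
            for target in "$@"; do
                case $target in
                    # Refuse empty strings, anything option-like (--config,
                    # --logfile, ...), leading dots, and any character outside
                    # the package-name set (so no paths, URLs or repo/ prefixes).
                    ''|-*|.*|*[!a-z0-9@._+-]*) return 1 ;;
                esac
            done
            return 0
            ;;
    esac
    return 1    # -U, -R and every other operation are refused by the wrapper
}

run_wrapper() {
    if pacman_args_allowed "$@"; then
        exec /usr/bin/pacman "$@"
    fi
    echo "pacman-wrapper: refused: $*" >&2
    return 1
}

# Run only when called with arguments; with none there is nothing to do.
[ "$#" -eq 0 ] || run_wrapper "$@"
```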
