Sudo config

TheSaint · 2007-08-19 13:14:13

Hi,

I didn't find answer to my question in order to make a small script that will allows a normal user to write into /proc directory.

I have downloaded Cinelerra and when it boots it will complain regarding a setting in /proc/???? ( I can't remember now)

I did a small script to prepair the right thing for Cinelerra, but must be root to do that

I could understand the needs to make a proper rule for the sudoer, so pls some clue will be greatly appreciated.

F

ralvez · 2007-08-19 14:11:09

It is not too difficult.
Here are the steps:
1. You must edit the sudoers file. ( /etc/sudoers)
2. It is recommended that you use visudo because trailing space characters will render the file unusable but I have on occasion used nano or pico (but make sure no spaces are added at the end of the line. This IS important.)
3. Create the script you need as root.
4. Add a line in the sudoers file like this:

your_user_id ALL=NOPASSWD:/path/to/script/your_script_name,

Hope this helps.

R

Last edited by ralvez (2007-08-19 14:13:15)

1311219 · 2007-08-19 15:53:16

Or you could just set the SUID flag for the script (chmod +s /path/to/script/your_script).

If this is on a system where you don't want everyone to have root privileges (using sudo), you should also make sure normal user can't edit the script.

Finally, you might want to consider to just put a sudo in your script for the command which will need root access (to write to /proc), and edit the sudoers file to just allow that command (with just the needed parameters). That would make the system more secure (in case there's a flaw in the script), and you don't have to worry about the users write access to the script (as I wrote above).

skottish · 2007-08-19 17:43:03

TheSaint wrote:

I have downloaded Cinelerra and when it boots it will complain regarding a setting in /proc/???? ( I can't remember now)

There's something wrong with Cinelerra then. Please post the complaint in order to properly fix this problem.

FeatherMonkey · 2007-08-19 20:38:43

Its an optimization I think, I'd suggest try adding the command to rc.local at least I think it should work. I never undid the echo and was not aware of any knock on effect.

I can't remember exactly(either) what it is but something along the lines of echo "somehex" > /proc/somewhere something to do with kernel,

IMO I'm not so sure its an error more a need for a custom/custominization of a kernel perhaps I thought.

Last edited by FeatherMonkey (2007-08-19 20:47:01)

TheSaint · 2007-08-20 08:48:09

skottish wrote:

TheSaint wrote:
I have downloaded Cinelerra and when it boots it will complain regarding a setting in /proc/???? ( I can't remember now)
There's something wrong with Cinelerra then. Please post the complaint in order to properly fix this problem.

Cinelerra says:

Before running Cinelerra do the following as root:
echo 0xfffffff > /proc/sys/kernel/shmax

F

TheSaint · 2007-08-20 09:12:12

ralvez wrote:

1. You must edit the sudoers file. ( /etc/sudoers)

Just like my idea

2. It is recommended that you use visudo

I'm unaware to use vi(sudo), specially the short cuts. I rather opt to edit a copy and check by the relative program

3. Create the script you need as root.

The script is ready and I knew to use sudo, simply I found hard to interpret the sudo man page and the /etc/sudoers EBNF language grammar.

I wrote the script as follow:

# /usr/sbin/cinelerra2
if [ -x /usr/bin/cinelerra ]; then
    sudo echo 0x7fffffff >/proc/sys/kernel/shmmax
    /usr/bin/cinelerra
fi

I'm in the group of users and /etc/sudoers I put this line

%users  ALL=NOPASSWD:/bin/echo 0x7fffffff >/proc/sys/kernel/shmmax

checked by visudo -c -s passed OK.

I may also try to:

%users  ALL=NOPASSWD:/usr/sbin/cinelerra2

also

sudo echo 0x7fffffff >/proc/sys/kernel/shmmax
bash: /proc/sys/kernel/shmmax: Permission denied

but both solution don't give the wanted result. Sorry to be so ignorant, I still trying to learn a bit more about this

F

Last edited by TheSaint (2007-08-20 10:39:51)

1311219 · 2007-08-20 12:57:39

Nice to see that you are considering to use the sudo-in-script solution.

When you are getting the following error:

sudo echo 0x7fffffff >/proc/sys/kernel/shmmax
bash: /proc/sys/kernel/shmmax: Permission denied

What happens is that whiles the echo command is run as root (because of the sudo command), it's output (0) is directed/written to the file (/proc/sys/kernel/shmmax) as the user running the script.

What might be consider a bit crazy, but still a quick and simple solution to your problem, would be to execute that whole line using it as a argument to another script interpreter, and run that with sudo:

sudo sh -c "echo 0x7fffffff >/proc/sys/kernel/shmmax"

Just put it inside the script instead
(remember to add sh -c "echo 0x7fffffff >/proc/sys/kernel/shmmax" to the sudoers file instead of just echo 0x7fffffff >/proc/sys/kernel/shmmax)

Hope it helps

Last edited by 1311219 (2007-08-20 13:01:30)

TheSaint · 2007-08-27 13:40:03

Sorry I still don't have the expected result ;(

1311219 · 2007-08-27 14:59:30

What happens when you run the following (remember to keep the " in the command)?

sudo sh -c "echo 0x7fffffff >/proc/sys/kernel/shmmax"

TheSaint · 2007-08-28 13:42:24

sudo sh -c "echo 0x7fffffff >/proc/sys/kernel/shmmax"
Password:
Sorry, user myself is not allowed to execute '/bin/sh -c echo 0x7fffffff >/proc/sys/kernel/shmmax' as root on laptop.

1311219 · 2007-08-28 18:13:04

I think the command is correct, but you will have to configure your sudoers file:

1: run visudo (as root)
2: go into insert mode on a new line where you think it's appropriate/looks good (just press o to create the line, and get into insert)
3: write something like: myself ALL=NOPASSWD:sh -c "echo 0x7fffffff >/proc/sys/kernel/shmmax"
4: save the file (press escape to leave insert mode, then press ZZ to save and close

That should be all that's necessary (if you have already written something similar (that didn't work) in that file, and want to replace it, try go to that line, and press 0d$ ,instead of what I wrote in 4)

TheSaint · 2007-08-29 09:25:32

%users is my group

sudo -l
User myself may run the following commands on this host:
    (root) /sbin/mount /cdrom
    (root) /sbin/umount /cdrom
    (root) NOPASSWD: /bin/sh -c "echo 0x7fffffff >/proc/sys/kernel/shmmax"
    (root) NOPASSWD: /opt/kde/bin/smb4k_kill
    (root) NOPASSWD: /opt/kde/bin/smb4k_umount
    (root) NOPASSWD: /opt/kde/bin/smb4k_mount

If I leave %users or putting myself to that operation still have the same result. Even strange that still ask for the password.

smoon · 2007-08-29 09:53:27

Pro-Tipp: Put the following in your /etc/sysctl.conf and forget about the sudo stuff:

kernel.shmmax = 0x7fffffff

1311219 · 2007-08-29 11:19:58

That seems like the best solution... I still got a lot to learn...

(just out of curiosity, TheSaint, can you run the smb4k commands without entering a password?)

KimTjik · 2007-08-29 11:27:06

Thanks a lot smoon! That was a neat and practical solution.

TheSaint · 2007-08-29 15:09:20

to 1311219:

I can't test it now, I'm in a hotel and I could browse some other guest laptop without having to deal with password .

Arch Linux

#1 2007-08-19 13:14:13

Sudo config

#2 2007-08-19 14:11:09

Re: Sudo config

#3 2007-08-19 15:53:16

Re: Sudo config

#4 2007-08-19 17:43:03

Re: Sudo config

#5 2007-08-19 20:38:43

Re: Sudo config

#6 2007-08-20 08:48:09

Re: Sudo config

#7 2007-08-20 09:12:12

Re: Sudo config

#8 2007-08-20 12:57:39

Re: Sudo config

#9 2007-08-27 13:40:03

Re: Sudo config

#10 2007-08-27 14:59:30

Re: Sudo config

#11 2007-08-28 13:42:24

Re: Sudo config

#12 2007-08-28 18:13:04

Re: Sudo config

#13 2007-08-29 09:25:32

Re: Sudo config

#14 2007-08-29 09:53:27

Re: Sudo config

#15 2007-08-29 11:19:58

Re: Sudo config

#16 2007-08-29 11:27:06

Re: Sudo config

#17 2007-08-29 15:09:20

Re: Sudo config

Board footer