Re: Running GParted and Synaptic without entering password





On Sun, May 13, 2018 at 08:18:26AM -0500, Richard Owlett wrote:
> The underlying problem is not understanding what I read concerning
> sudo &/or /etc/sudoers (*INCLUDING* man pages).
> 
> Only *ONE* individual has physical access to my _personal_ machine.
> Therefore, any distinction between 'richard' and 'root' is
> inherently artificial.

Not so fast. A small flaw in your browser might allow it to run as
you and try some shenanigan as root: you'd notice it by "something"
asking for your credentials unexpectedly...

> The result I wish to achieve is to click on the icon for either
> GParted or Synaptic *WITHOUT* being asked for a password (either
> root's or user's).
> 
> I've found vague hints that adding a line to my local /etc/sudoers file
> such as
>   richard     ALL = /usr/sbin/gparted , /usr/sbin/synaptic
> would accomplish my goal.
> Is that correct?
> 
> Also my reading suggested that adding myself to sudoers group would
> be required.
> 
> This has an undesired side effect. I'm asked for my user password
> instead of my root password. I currently have four different
> installs of Debian, each having intentionally identical sets of
> UID, GID, and passwords. No matter which install is active, if asked
> for an admin password I want it to be the 'root password'.

Assuming your desktop environment plays well along with sudo (I
think the Gnome derivatives do, but I'll leave that answer to
someone more versed in that) see the manpage for sudoers:


   User Authentication
     The sudoers security policy requires that most users
     authenticate themselves before they can use sudo.  A password
     is not required if the invoking user is root, if the target
     user is the same as the invoking user, or if the policy has
     disabled authentication for the user or command.  Unlike
     su(1), when sudoers requires authentication, it validates
     the invoking user's credentials, not the target user's (or
     root's) credentials.  This can be changed via the rootpw,
     targetpw and runaspw flags, described later.

So setting up a default line like so:

  Defaults rootpw

would ask by default for the root password or (more specifically)

  Defaults:richard rootpw

would limit that default to richard. For no password:

  Defaults:richard !authenticate

For single commands there is the equivalent NOPASSWD tag. Your line
above would read

  richard  ALL = NOPASSWD: /usr/sbin/gparted , /usr/sbin/synaptic

(which perhaps wouldn't do what you want: that would allow you to
run "sudo synaptic" as root without being asked for a password, but
you'd (a) not want to run synaptic as root and (b) possibly run
into the next problem that perhaps root doesn't find the X server...)

- -- t
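
An added example, not part of the original message: a small shell check that lists which sudoers entries change or disable the password prompt (`rootpw`, `!authenticate`, `NOPASSWD:`), so such exceptions can be reviewed after editing. The function names and the sample policy are constructed for illustration; the scan does not follow `#include` directives or backslash line continuations.

```shell
#!/bin/sh
# Report sudoers lines that change whose password is asked for,
# or that remove the password prompt entirely.

audit_sudoers() {
    # $1: path to a sudoers-format file, or "-" to read stdin
    awk '
    /^[ \t]*(#|$)/ { next }              # skip comments and blank lines
    $1 ~ /^Defaults/ {
        # Defaults:richard -> scope "richard"; bare Defaults -> everyone
        scope = $1; sub(/^Defaults:?/, "", scope)
        if (scope == "") scope = "(everyone)"
        for (i = 2; i <= NF; i++) {
            opt = $i; gsub(/,/, "", opt) # options may be comma separated
            if (opt == "!authenticate") print "NOAUTH   " scope
            if (opt == "rootpw")        print "ROOTPW   " scope
        }
        next
    }
    /NOPASSWD:/ {
        # everything after the tag is the command list it applies to
        cmds = $0; sub(/^.*NOPASSWD:[ \t]*/, "", cmds)
        gsub(/[ \t]*,[ \t]*/, ",", cmds)
        print "NOPASSWD " $1 " " cmds
    }
    ' "$1"
}

# Constructed sample policy (illustrative, not a recommended configuration)
sample_policy() {
    cat <<'EOF'
# constructed sample
Defaults:richard rootpw
Defaults:guest !authenticate
richard ALL = NOPASSWD: /usr/sbin/gparted , /usr/sbin/synaptic
richard ALL = /usr/bin/apt
EOF
}

sample_policy | audit_sudoers -
```

Syntax itself is best checked with `visudo -c`, which parses the policy the way sudo does.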