Re: [gentoo-user] sudo echo cannot write to /etc/ files ?
On Wed, 6 Jul 2005, Holly Bostick wrote:

> Echo is in the sudo-ed group, and echo isn't the problem-- the problem is that permission is refused to write to the file itself (which is an error *from* echo, so it would seem that echo itself is OK as far as sudo goes). Which means that I have to su anyway, to echo to the file, which really isn't the point of the exercise.

What is in /etc/sudoers? Either the problem is there or maybe it's because in some shells, echo is a built-in command and in others it's not (so /bin/echo comes into play).

-- 
gentoo-user@gentoo.org mailing list
Re: [gentoo-user] sudo echo cannot write to /etc/ files ?
On Wednesday, 6 July 2005 15.52, Holly Bostick wrote:

> Hey, ho--
>
> Here's (one of) today's non-critical problems that's getting on my nerves, so hopefully somebody can help.
>
> I've finally got around to setting up sudo. It works fine, except for one thing. I don't just give myself blanket permissions to sudo to all commands; I made a Cmd_Alias group which includes a lot of utility apps. And, like many of you, I included emerge in this group.
>
> But a lot of the time, when I do an emerge -av, I find that there's a USE flag I want or don't want for the package, or I want an unstable version, or whatever, which means I have to echo to one of the files in /etc/portage.
>
> Echo is in the sudo-ed group, and echo isn't the problem-- the problem is that permission is refused to write to the file itself (which is an error *from* echo, so it would seem that echo itself is OK as far as sudo goes). Which means that I have to su anyway, to echo to the file, which really isn't the point of the exercise.
>
> As I see it, this error can mean only one of two things: sudo does not give me a login shell (so my UID is 'really' still my UID and not root's, and I don't have permission to write to the file); or there is another, invisible cli utility responsible for actually writing to the file, which is not sudo-ed.
>
> Or could it be something else? In any case, does anybody know how I could fix this? It's really screwing up my usability, which was just starting to shape up nicely :-) .
>
> Thanks,
> Holly

I think the problem comes from the fact that echo is sudo-ed but the shell redirection isn't. Compare this:

    su -c "echo foo >> /etc/portage/whatever"

and

    su -c echo foo >> /etc/portage/whatever

The first one will succeed, but not the second.

To solve your problem, I would just do:

    chgrp -R portage /etc/portage
    chmod -R g+w /etc/portage

-- 
mat
Re: [gentoo-user] sudo echo cannot write to /etc/ files ?
On Wed, 2005-07-06 at 15:52 +0200, Holly Bostick wrote:

> Echo is in the sudo-ed group, and echo isn't the problem-- the problem is that permission is refused to write to the file itself (which is an error *from* echo, so it would seem that echo itself is OK as far as sudo goes). Which means that I have to su anyway, to echo to the file, which really isn't the point of the exercise.
>
> As I see it, this error can mean only one of two things: sudo does not give me a login shell (so my UID is 'really' still my UID and not root's, and I don't have permission to write to the file); or there is another, invisible cli utility responsible for actually writing to the file, which is not sudo-ed.

If you're using e.g.

    sudo echo package >> /etc/portage/package.unmask

then the redirection takes place in your shell, not in sudo.

HTH.
Re: [gentoo-user] sudo echo cannot write to /etc/ files ?
A. Khattri wrote:

> On Wed, 6 Jul 2005, Holly Bostick wrote:
>
> > Echo is in the sudo-ed group, and echo isn't the problem-- the problem is that permission is refused to write to the file itself (which is an error *from* echo, so it would seem that echo itself is OK as far as sudo goes). Which means that I have to su anyway, to echo to the file, which really isn't the point of the exercise.
>
> What is in /etc/sudoers? Either the problem is there or maybe it's because in some shells, echo is a built-in command and in others it's not (so /bin/echo comes into play).

Well, I'm not going to copy my entire file, but I've got /usr/bin/echo sudoed (because that's what 'which echo' said was the path to echo).

But doing a locate echo reveals that there is also a /bin/echo oh, and la /usr/bin/echo reveals it to be a symlink to /bin/echo. Fine. What in the bloody blue blazes does that tell me? Changing visudo to allow /bin/echo rather than /usr/bin/echo didn't do a thing.

I'm using bash, like a boring person. Looking (searching, actually) through man bash, I can see that echo is a built-in-- do I have to sudo bash as well?

And in any case, echo isn't refusing to run-- if I run secho $JAVA_HOME, I get a return... but it's the return of the *user's* JAVA_HOME, rather than the *system* JAVA_HOME. This supports my theory that this is a regular su shell and not an su - shell, which is not much help to me in this situation (for echo to write to the /etc/files, I need UID 0).

So I suppose I could find this in man sudoers, but that's almost as bad as man bash for trying to find something when you're not quite sure what you're looking for. Is there a way to get sudo to behave as a login shell when sudo-ing rather than just a regular su? And is that a scalable or global change (limitable would be nice)?

Holly
Re: [gentoo-user] sudo echo cannot write to /etc/ files ?
Edward Catmur wrote:

> On Wed, 2005-07-06 at 15:52 +0200, Holly Bostick wrote:
>
> > Echo is in the sudo-ed group, and echo isn't the problem-- the problem is that permission is refused to write to the file itself (which is an error *from* echo, so it would seem that echo itself is OK as far as sudo goes). Which means that I have to su anyway, to echo to the file, which really isn't the point of the exercise.
> >
> > As I see it, this error can mean only one of two things: sudo does not give me a login shell (so my UID is 'really' still my UID and not root's, and I don't have permission to write to the file); or there is another, invisible cli utility responsible for actually writing to the file, which is not sudo-ed.
>
> If you're using e.g.
>
>     sudo echo package >> /etc/portage/package.unmask
>
> then the redirection takes place in your shell, not in sudo.
>
> HTH.

OK, you all likely realize that I responded before I had got the three more messages telling me what to do.

I'm sure it will work (three people telling you the exact same thing is pretty convincing ;-) ), but what I don't understand is why/how, if I want to

    sudo echo 'media-video/xine-ui ~x86' >> /etc/portage/package.keywords

changing that to

    sudo "echo media-video/xine-ui ~x86 >> /etc/portage/package.keywords"

is going to write the line media-video/xine-ui ~x86 to /etc/portage/package.keywords-- i.e., why are the internal quotes no longer necessary?

Or should it be

    sudo "echo 'media-video/xine-ui ~x86' >> /etc/portage/package.keywords"

or will that *really* screw everything up?

(As you see, my understanding of bash is trying to improve, with only very limited success :-) ).

Holly
Re: [gentoo-user] sudo echo cannot write to /etc/ files ?
On 16:54 Wed 06 Jul, Holly Bostick wrote:

> OK, you all likely realize that I responded before I had got the three more messages telling me what to do.
>
> I'm sure it will work (three people telling you the exact same thing is pretty convincing ;-) ), but what I don't understand is why/how, if I want to
>
>     sudo echo 'media-video/xine-ui ~x86' >> /etc/portage/package.keywords
>
> changing that to
>
>     sudo "echo media-video/xine-ui ~x86 >> /etc/portage/package.keywords"
>
> is going to write the line media-video/xine-ui ~x86 to /etc/portage/package.keywords-- i.e., why are the internal quotes no longer necessary?
>
> Or should it be
>
>     sudo "echo 'media-video/xine-ui ~x86' >> /etc/portage/package.keywords"
>
> or will that *really* screw everything up?
>
> (As you see, my understanding of bash is trying to improve, with only very limited success :-) ).

Nope, I don't think you can do it with sudo since bash uses whitespace as a separator, so if you do sudo "echo foo >> bar", it'll look for a single command "echo foo >> bar", which is not what you want - you want a command echo with argument foo, and then redirect the output to bar (the double quotes prevent bash from evaluating the whitespace or the >>).

afaik you can only do it with su -c "echo foo >> bar", which stops bash from doing anything with the >> or the whitespace to begin with, but then passes everything inside the double quotes to another shell, which gets started by su -c

It's kind of annoying, I know, but I don't think there's a way round it with sudo.

Dave
Re: [gentoo-user] sudo echo cannot write to /etc/ files ?
[EMAIL PROTECTED] wrote:

> On Wednesday, 6 July 2005 15.52, Holly Bostick wrote:
>
> > Hey, ho--
> >
> > I've finally got around to setting up sudo. It works fine, except for one thing. I made a Cmd_Alias group which includes a lot of utility apps. And, like many of you, I included emerge in this group.
> >
> > But a lot of the time, I have to echo to one of the files in /etc/portage.
> >
> > Echo is in the sudo-ed group, and echo isn't the problem-- the problem is that permission is refused to write to the file itself
> >
> > As I see it, this error can mean only one of two things: sudo does not give me a login shell (so my UID is 'really' still my UID and not root's, and I don't have permission to write to the file); or there is another, invisible cli utility responsible for actually writing to the file, which is not sudo-ed.
> >
> > Or could it be something else? In any case, does anybody know how I could fix this? It's really screwing up my usability, which was just starting to shape up nicely :-) .
> >
> > Thanks,
> > Holly
>
> I think the problem comes from the fact that echo is sudo-ed but the shell redirection isn't. Compare this:
>
>     su -c "echo foo >> /etc/portage/whatever"
>
> and
>
>     su -c echo foo >> /etc/portage/whatever
>
> The first one will succeed, but not the second.
>
> To solve your problem, I would just do:
>
>     chgrp -R portage /etc/portage
>     chmod -R g+w /etc/portage

Well, it didn't work (this to all the respondents).

I did change the group and mod of /etc/portage, but even before I did:

    "sudo echo 'media-video/xine-ui ~x86' >> /etc/portage/package.keywords"
    -bash: sudo echo 'media-video/xine-ui ~x86' >> /etc/portage/package.keywords: Onbekend bestand of map

(unknown file or folder, which is at least different, but not really much of an improvement, and no, before someone asks, putting a space before /etc doesn't help)

and even after chowning and chmodding:

    sudo echo 'media-video/xine-ui ~x86' >> /etc/portage/package.keywords
    -bash: /etc/portage/package.keywords: Toegang geweigerd

(permission refused)

with the quotes, it's unknown file or folder.

    la /etc/portage
    totaal 51
    drwxrwxr-x   5 root portage  384 jun 13 00:40 .
    drwxr-xr-x  88 root root    7312 jul  6 16:15 ..
    -rw-rw-r--   1 root portage 9757 jul  6 17:09 package.keywords
    -rw-rw-r--   1 root portage 6164 mei 26 11:47 package.keywords~
    -rw-rw-r--   1 root portage   64 jun 15 05:27 package.mask
    -rw-rw-r--   1 root portage  100 mei 16 14:57 package.mask~
    -rw-rw-r--   1 root portage  105 jun 15 05:27 package.unmask
    -rw-rw-r--   1 root portage  103 mei 15 21:09 package.unmask~
    -rw-rw-r--   1 root portage 2252 jun 30 12:32 package.use
    -rw-rw-r--   1 root portage 1616 mei 12 15:46 package.use~
    drwxrwxr-x   2 root portage   80 nov 26  2004 profile
    drwxrwxr-x   2 root portage   72 jun  2 13:10 profiles
    drwxrwsr-x   2 root portage   48 okt 27  2004 sets

Not really sure what good the portage group was supposed to do anyway, since root is a member of that group, but then again root owns the whole shebang anyway. The user is not a member of the portage group. Should I chown the folder -R to users? (seems again quite not the point)?

It still seems that what I really want is a login shell that I'm not getting.

I'm really lost. Where am I going wrong?

Oh, btw, just remembered-- this is bash 3. Does that make a difference?

Holly
Re: [gentoo-user] sudo echo cannot write to /etc/ files ?
On Wed, 6 Jul 2005 16:12:18 +0100, David Morgan wrote:

> Nope, I don't think you can do it with sudo since bash uses whitespace as a separator, so if you do sudo "echo foo >> bar", it'll look for a single command "echo foo >> bar", which is not what you want - you want a command echo with argument foo, and then redirect the output to bar (the double quotes prevent bash from evaluating the whitespace or the >>).

You could do it with a shell script

    #!/bin/sh
    # Call this /usr/local/bin/suecho
    echo "$1" >> "$2"

Add /usr/local/bin/suecho to /etc/sudoers and you can do

    sudo suecho "media-video/xine-ui ~x86" /etc/portage/package.keywords

-- 
Neil Bothwick

Software: (n.) That which hardware manufacturers can blame for physical failures.
Re: [gentoo-user] sudo echo cannot write to /etc/ files ?
David Morgan wrote:

> afaik you can only do it with su -c "echo foo >> bar", which stops bash from doing anything with the >> or the whitespace to begin with, but then passes everything inside the double quotes to another shell, which gets started by su -c
>
> It's kind of annoying, I know, but I don't think there's a way round it with sudo.

Yes it is possible. But you need the shell (which handles the redirect) to run as root.

    $ sudo echo package ~x86 >> /etc/portage/package.keywords

will run the redirection as user, where:

    $ sudo bash -c "echo package ~x86 >> /etc/portage/package.keywords"

will run the redirection as root.

For stuff like this, I'd recommend you to write simple shell functions:

    addkeyword(){
        sudo bash -c "echo $* >> /etc/portage/package.keywords"
    }

Write them in your .bashrc and they're available when you need it. Use it like this:

    $ addkeyword package ~x86

Christoph
Re: [gentoo-user] sudo echo cannot write to /etc/ files ?
Holly Bostick wrote:

> I'm really lost. Where am I going wrong?

Check my other post.

> Oh, btw, just remembered-- this is bash 3. Does that make a difference?

No.

Christoph
Re: [gentoo-user] sudo echo cannot write to /etc/ files ?
On Wednesday 06 July 2005 17.21, Holly Bostick wrote:

> > To solve your problem, I would just do:
> >
> >     chgrp -R portage /etc/portage
> >     chmod -R g+w /etc/portage
>
> Well, it didn't work (this to all the respondents).

Are you in the portage group?

>     sudo echo 'media-video/xine-ui ~x86' >> /etc/portage/package.keywords

No need to sudo the echo if you're in the right group.

-- 
mat
Re: [gentoo-user] sudo echo cannot write to /etc/ files ?
Christoph Gysin wrote:

> David Morgan wrote:
>
> > afaik you can only do it with su -c "echo foo >> bar", which stops bash from doing anything with the >> or the whitespace to begin with, but then passes everything inside the double quotes to another shell, which gets started by su -c
> >
> > It's kind of annoying, I know, but I don't think there's a way round it with sudo.
>
> Yes it is possible. But you need the shell (which handles the redirect) to run as root.

Ah-HAH! (at least I figured that much out, thanks for confirming)

>     $ sudo echo package ~x86 >> /etc/portage/package.keywords
>
> will run the redirection as user, where:
>
>     $ sudo bash -c "echo package ~x86 >> /etc/portage/package.keywords"
>
> will run the redirection as root.
>
> For stuff like this, I'd recommend you to write simple shell functions:
>
>     addkeyword(){
>         sudo bash -c "echo $* >> /etc/portage/package.keywords"
>     }
>
> Write them in your .bashrc and they're available when you need it. Use it like this:
>
>     $ addkeyword package ~x86
>
> Christoph

Thank you, Christoph

You have not only saved my sanity, but you've given me a solution to two problems you didn't even know I had (it was the next question)!

i.e., how to essentially export self-created variables or something similar (you don't know how many times I've put a comma between package and keywords/use/unmask, and I really needed some way to not have to be typing it all the time until I get more time in with GTypist); and also how to easily use some of the aliases I've got in root's .bashrc (or at least their functionality).

Now, with some minor adjustments of this template, not only can I add keywords (or useflags or mask and unmask) easily, I can also open the package.* file in nano and edit it easily if I screw up, or want to check something.

Last question on this subject-- is this all just bash scripting (so I can learn about it if I sit and study the abs-guide) or is there someplace else I should check out if I want to learn how to write this stuff myself?

Thanks again,
Holly
Re: [gentoo-user] sudo echo cannot write to /etc/ files ?
Holly Bostick wrote:

> Thank you, Christoph

You're welcome.

> Last question on this subject-- is this all just bash scripting (so I can learn about it if I sit and study the abs-guide) or is there someplace else I should check out if I want to learn how to write this stuff myself?

Yes, this is pure bash scripting. The related parts are redirection [1] and shell functions [2].

[1] http://www.tldp.org/LDP/abs/html/io-redirection.html
[2] http://www.tldp.org/LDP/abs/html/functions.html

Christoph
Re: [gentoo-user] sudo echo cannot write to /etc/ files ?
Holly Bostick wrote:

> I don't just give myself blanket permissions to sudo to all commands; I made a Cmd_Alias group which includes a lot of utility apps. And, like many of you, I included emerge in this group.

> Christoph Gysin wrote:
>
> >     $ sudo bash -c "echo package ~x86 >> /etc/portage/package.keywords"
> >
> > will run the redirection as root.
> >
> > For stuff like this, I'd recommend you to write simple shell functions:
> >
> >     addkeyword(){
> >         sudo bash -c "echo $* >> /etc/portage/package.keywords"
> >     }
> >
> > Write them in your .bashrc and they're available when you need it. Use it like this:
> >
> >     $ addkeyword package ~x86
> >
> > Christoph
>
> Thank you, Christoph
>
> You have not only saved my sanity, but you've given me a solution to two problems you didn't even know I had (it was the next question)!
>
> i.e.,

BTW Holly,

You should recognize that from a security standpoint allowing yourself to execute bash is really giving yourself blanket permissions to sudo to all commands. You might as well make life easier on yourself and just make your sudo settings ALL=(ALL) NOPASSWD: ALL.

My $.02.

-Richard
Re: [gentoo-user] sudo echo cannot write to /etc/ files ?
Richard Fish wrote:

> BTW Holly,
>
> You should recognize that from a security standpoint allowing yourself to execute bash is really giving yourself blanket permissions to sudo to all commands. You might as well make life easier on yourself and just make your sudo settings ALL=(ALL) NOPASSWD: ALL.
>
> My $.02.
>
> -Richard

Thank you for the heads-up, Richard, but it would seem that that isn't quite true-- I did a test:

    sudo bash -c /etc/init.d/samba restart
    Gentoo Linux RC-Scripts; http://www.gentoo.org/
    Copyright 1999-2004 Gentoo Foundation; Distributed under the GPL
    Usage: samba flags [ options ]
    Options:

In other words, I couldn't restart the Samba daemon, whereas when root I can:

    su
    Wachtwoord:
    wo 07/06/05 20:31 ~ root - /etc/init.d/samba restart
     * samba - stop: smbd ... [ ok ]
     * samba - stop: nmbd ... [ ok ]
     * samba - start: smbd ... [ ok ]
     * samba - start: nmbd ... [ ok ]

So I think I'll pass on the ALL/ALL -- I know that this is not the most secure setup possible (though as soon as I set up a personal firewall behind the router's firewall and set up chkrootkit, I'll feel yet better), but still, I'd like to keep what minimal limits still exist, despite having punched holes in them my own self.

Or is this not a valid proof that there are some limits left?

Holly
Re: [gentoo-user] sudo echo cannot write to /etc/ files ?
Holly Bostick wrote:

> Richard Fish wrote:
>
> > BTW Holly,
> >
> > You should recognize that from a security standpoint allowing yourself to execute bash is really giving yourself blanket permissions to sudo to all commands. You might as well make life easier on yourself and just make your sudo settings ALL=(ALL) NOPASSWD: ALL.
> >
> > My $.02.
> >
> > -Richard
>
> Thank you for the heads-up, Richard, but it would seem that that isn't quite true-- I did a test:
>
>     sudo bash -c /etc/init.d/samba restart

Remember that the -c option for bash is a single argument, not the rest of the line. The 'restart' is being seen as a separate argument to bash, not as part of the command for bash to execute, if that makes any sense!

It will work if you do:

    sudo bash -c "/etc/init.d/samba restart"

-Richard
Re: [gentoo-user] sudo echo cannot write to /etc/ files ?
Holly Bostick wrote:

> Or is this not a valid proof that there are some limits left?

No, it's not. A simple sudo bash will give you a root shell.

The problem in your example was the missing quotes:

    $ sudo bash -c "/etc/init.d/samba restart"

Christoph
Re: [gentoo-user] sudo echo cannot write to /etc/ files ?
Richard Fish wrote:

> Holly Bostick wrote:
>
> > Richard Fish wrote:
> >
> > > BTW Holly,
> > >
> > > You should recognize that from a security standpoint allowing yourself to execute bash is really giving yourself blanket permissions to sudo to all commands. You might as well make life easier on yourself and just make your sudo settings ALL=(ALL) NOPASSWD: ALL.
> > >
> > > My $.02.
> > >
> > > -Richard
> >
> > Thank you for the heads-up, Richard, but it would seem that that isn't quite true-- I did a test:
> >
> >     sudo bash -c /etc/init.d/samba restart
>
> Remember that the -c option for bash is a single argument, not the rest of the line. The 'restart' is being seen as a separate argument to bash, not as part of the command for bash to execute, if that makes any sense!
>
> It will work if you do:
>
>     sudo bash -c "/etc/init.d/samba restart"
>
> -Richard

So it will. Shoot.

Oh, well. Maybe I'll rework this, or I should then ask for:

1) firewall recommendations (personal, as the router has one too; atm I'm liking firestarter)
2) anti-hacking monitors (other than chkrootkit and rkhunter, if needed-- guess I'm thinking about keyloggers)

?

Holly
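One way to keep a sudo rule narrow for this task, given that allowing bash (or a generic helper that takes the target path as an argument, like suecho above) amounts to full root: a wrapper that can only append a validated line to one of four fixed files. This is an added example, not code from the thread; the name portage-append, its install path, the function name and the user name in the sudoers comment are assumptions.

```shell
#!/bin/sh
# portage-append (hypothetical name): append ONE validated line to ONE of the
# fixed package.* files. Install root-owned and not writable by the user, and
# list only this script in sudoers (edit with visudo), for example:
#   holly ALL = (root) /usr/local/sbin/portage-append
# instead of /bin/bash, /bin/echo or a helper that accepts any target path.

# portage_append BASEDIR KIND ENTRY
portage_append() {
    base=$1; kind=$2; entry=$3
    # The caller picks a list by name, never a path.
    case $kind in
        keywords|use|mask|unmask) file=$base/package.$kind ;;
        *) echo "portage-append: unknown list '$kind'" >&2; return 2 ;;
    esac
    # Count the bytes left after deleting every allowed character. Anything
    # left over (newline, ';', '$', quotes, backticks ...) rejects the entry.
    left=$(printf '%s' "$entry" | LC_ALL=C tr -d 'A-Za-z0-9_./+~=<>*: -' | wc -c)
    if [ -z "$entry" ] || [ "$left" -ne 0 ]; then
        echo "portage-append: entry rejected" >&2; return 3
    fi
    # The target must already exist as a regular file, not a symlink.
    if [ ! -f "$file" ] || [ -L "$file" ]; then
        echo "portage-append: $file is not a regular file" >&2; return 4
    fi
    # Skip exact duplicates, otherwise append exactly one line.
    grep -Fxq -e "$entry" "$file" || printf '%s\n' "$entry" >> "$file"
}

# Entry point when installed under the assumed name; the base directory is
# hard-coded here so the caller cannot redirect the write elsewhere.
case ${0##*/} in
    portage-append)
        [ $# -eq 2 ] || {
            echo "usage: portage-append keywords|use|mask|unmask 'ENTRY'" >&2
            exit 64
        }
        portage_append /etc/portage "$1" "$2" ;;
esac
```

With this in place the call becomes `sudo portage-append keywords 'media-video/xine-ui ~x86'`, and no shell or arbitrary path is ever run or written as root.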
Re: [gentoo-user] sudo echo cannot write to /etc/ files ?
Holly Bostick wrote:

> So it will. Shoot.
>
> Oh, well. Maybe I'll rework this, or I should then ask for:
>
> 1) firewall recommendations (personal, as the router has one too; atm I'm liking firestarter)

I've been very pleased with Shorewall as a firewall.

-- 
Manuel A. McLure KE6TAW [EMAIL PROTECTED] http://www.mclure.org
...for in Ulthar, according to an ancient and significant law, no man may kill a cat. -- H.P. Lovecraft
Re: [gentoo-user] sudo echo cannot write to /etc/ files ?
Holly Bostick wrote:

> [EMAIL PROTECTED] wrote:
>
> > I think the problem comes from the fact that echo is sudo-ed but the shell redirection isn't. Compare this:
> >
> >     su -c "echo foo >> /etc/portage/whatever"
> >
> > and
> >
> >     su -c echo foo >> /etc/portage/whatever
> >
> > The first one will succeed, but not the second.
>
> Well, it didn't work (this to all the respondents).
>
>     "sudo echo 'media-video/xine-ui ~x86' >> /etc/portage/package.keywords"

This groups *everything* as one shell parameter, so it attempts to execute a file named sudo echo 'media-video/xine-ui ~x86' >> /etc/portage/package.keywords in your path.

> /etc/portage/package.keywords: Onbekend bestand of map (unknown file or folder)

Of course, since it's extremely unlikely a file with that name exists.

>     sudo echo 'media-video/xine-ui ~x86' >> /etc/portage/package.keywords

Now, you've completely left out the quotes, so the redirection is done in the user shell, not the sudo shell. Of course, your user can't write to that file so you get:

> -bash: /etc/portage/package.keywords: Toegang geweigerd (permission refused)

You want:

    sudo "echo 'media-video/xine-ui ~x86' >> /etc/portage/package.keywords"

This causes the command

    echo 'media-video/xine-ui ~x86' >> /etc/portage/package.keywords

to be passed to the sudo shell which causes the bash built-in: echo to be called with the single parameter media-video/xine-ui ~x86 and have its output appended to the file /etc/portage/package.keywords

> I'm really lost. Where am I going wrong?

You simply aren't being careful enough with your quotes and misunderstanding the intricacies of shell expansion and nesting.

> Oh, btw, just remembered-- this is bash 3. Does that make a difference?

No.

-- 
Boyd Stephen Smith Jr. [EMAIL PROTECTED]
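The quoting variants discussed in this thread can be checked without root by substituting a stand-in for sudo that prints the arguments it receives. This is an added example, not code from any of the posts; the function names are made up for the illustration and a scratch file stands in for /etc/portage/package.keywords.

```shell
#!/bin/sh
# argv stands in for sudo: it prints every argument it is handed in brackets.
argv() { for a in "$@"; do printf '[%s]' "$a"; done; printf '\n'; }

# 1. No outer quotes: the CALLING shell removes ">> file" and opens the file
#    itself, with the caller's privileges. The command never sees the redirect.
variant_unquoted() { argv echo 'media-video/xine-ui ~x86' >> "$1"; }

# 2. Whole line quoted: one word, so the shell looks for a program with that
#    name. It contains "/", so it is treated as a path (exit status 127).
variant_all_quoted() {
    rc=0
    ( "argv echo 'media-video/xine-ui ~x86' >> $1" ) 2>/dev/null || rc=$?
    echo "exit=$rc"
}

# 3. Quotes placed after the command name: the program receives ONE argument
#    and no shell ever interprets the ">>" inside it.
variant_quoted_arg() { argv "echo 'media-video/xine-ui ~x86' >> $1"; }

# 4. sh -c 'string': a second shell parses the string, so that shell performs
#    the redirect (under sudo it would run as root). The path is passed as $1
#    of the inner shell rather than pasted into the command string.
variant_sh_c() { sh -c 'echo "media-video/xine-ui ~x86" >> "$1"' sh "$1"; }

# -c takes exactly ONE command string; further words become $0, $1, ...
dash_c_split()  { sh -c echo restart; }          # runs bare "echo": empty line
dash_c_single() { sh -c 'echo restart'; }        # runs "echo restart"
dash_c_zero()   { sh -c 'echo "$0"' restart; }   # the stray word ended up in $0

# Demo run against a scratch file.
scratch=$(mktemp) && {
    variant_unquoted "$scratch"; cat "$scratch"
    variant_all_quoted "$scratch"
    variant_quoted_arg "$scratch"
    variant_sh_c "$scratch"; tail -n 1 "$scratch"
    dash_c_split; dash_c_single; dash_c_zero
    rm -f "$scratch"
}
```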