Re: [gentoo-user] sudo-1.9.8_p2 produces Segmentation Fault on any use

2021-11-10 Thread Anton

On 11/9/2021 11:27 PM, Jack wrote:
> Works fine for me.  Can you try it with strace to see if you can tell
> where it crashes?  That or emerge with sufficient debug info that you
> can run it under gdb and get a backtrace?

Thanks, I'll try that when I have a suitably large chunk of free time.



Re: [gentoo-user] sudo-1.9.8_p2 produces Segmentation Fault on any use

2021-11-10 Thread Anton

On 11/9/2021 11:59 PM, Matt Connell (Gmail) wrote:
> On Tue, 2021-11-09 at 22:36 +0200, Anton wrote:
>> Is it just me, or has anybody else seen a similar problem?
>
> Working fine here, with the following USE set:
>
> USE="-gcrypt -ldap nls offensive pam -sasl secure-path (-selinux)
> sendmail -skey ssl -sssd" ABI_X86="(64)"
>
> I wonder if your issue isn't related to updated PAM libraries.  The
> post emerge messages for PAM suggest either rebooting or restarting
> certain services after upgrades.

I thought so too, but neither reboot, nor re-merging the PAM libraries
made a difference. To be fully honest, for "re-merging the PAM
libraries" I only looked at the immediate dependencies, so there's some
room for error there. Still, I think the best next step is to try what
others suggested: study the strace or the core file to try to understand
in which library the problem occurs.




Re: [gentoo-user] sudo-1.9.8_p2 produces Segmentation Fault on any use

2021-11-09 Thread Matt Connell (Gmail)
On Tue, 2021-11-09 at 22:36 +0200, Anton wrote:
> Is it just me, or has anybody else seen a similar problem?

Working fine here, with the following USE set:

USE="-gcrypt -ldap nls offensive pam -sasl secure-path (-selinux)
sendmail -skey ssl -sssd" ABI_X86="(64)"

I wonder if your issue isn't related to updated PAM libraries.  The
post emerge messages for PAM suggest either rebooting or restarting
certain services after upgrades.




Re: [gentoo-user] sudo-1.9.8_p2 produces Segmentation Fault on any use

2021-11-09 Thread Jack

On 2021.11.09 15:36, Anton wrote:
> On a recent update, `sudo` got upgraded from sudo-1.9.6_p1-r2 to
> sudo-1.9.8_p2. Since then, any call to `sudo` other than `sudo
> --help` resulted in a Segmentation Fault. I have tried remerging sudo
> again or remerging the PAM-related dependencies, but it did not help.
> Switching back to 1.9.6, however, resulted in a working sudo.
>
> Is it just me, or has anybody else seen a similar problem?
>
> Best,
> Anton

Works fine for me.  Can you try it with strace to see if you can tell
where it crashes?  That or emerge with sufficient debug info that you
can run it under gdb and get a backtrace?




Re: [gentoo-user] sudo-1.9.8_p2 produces Segmentation Fault on any use

2021-11-09 Thread tastytea
On 2021-11-09 22:36+0200 Anton  wrote:

> On a recent update, `sudo` got upgraded from sudo-1.9.6_p1-r2 to 
> sudo-1.9.8_p2. Since then, any call to `sudo` other than `sudo
> --help` resulted in a Segmentation Fault. I have tried remerging sudo
> again or remerging the PAM-related dependencies, but it did not help.
> Switching back to 1.9.6, however, resulted in a working sudo.
> 
> Is it just me, or has anybody else seen a similar problem?

I'm using it for about a week without problems. Compiled with 
USE="nls pam secure-path sendmail ssl -gcrypt -ldap -offensive -sasl
(-selinux) -skey -sssd"

Kind regards, tastytea

-- 
Get my PGP key with `gpg --locate-keys tasty...@tastytea.de` or at
.




Re: [gentoo-user] sudo in kernel config ?

2010-09-12 Thread Gregory Shearman
In linux.gentoo.user, you wrote:

 Some people, such as myself, use kernel sources outside of portage (I
 follow a git repo) and do so as a non-root user.  In this case the
 kernel tree is not owned by root and the config/compile is easily done
 as a non-root user.

 If you are super-paranoid.  You can make a non-root copy
 of /usr/src/linux and compile it as a non-root user.

 But there really isn't any point in using sudo.  It's effectively doing
 the same thing that you are trying to avoid.

I agree there's no point in using sudo, but what's the problem? You
don't need to edit the kernel sources merely to build a new kernel. You
can build your kernel outside the tree using for example:
make O=/home/user/kernel/tree/ menuconfig
make O=/home/user/kernel/tree/

All files are put into the user's directory.

All that's needed is the KBUILD_OUTPUT environment variable set, so that
drivers can find the kernel .config file etc.

I've built my kernels like this for years now. All kernels are built by
a specific user and then installed as root. No problem, no worries about
permissions and no altering the portage installed kernel sources so that
a purge (emerge -P gentoo-sources) will automatically remove the whole
tree.

-- 
Regards,

Gregory.



Re: [gentoo-user] sudo in kernel config ?

2010-09-12 Thread Bill Longman
 I agree there's no point in using sudo, but what's the problem? You
 don't need to edit the kernel sources merely to build a new kernel. You
 can build your kernel outside the tree using for example:
 make O=/home/user/kernel/tree/ menuconfig
 make O=/home/user/kernel/tree/


This is how I do it, too, when testing the kernel before I do it for real.
This way, the code stays owned by root and I can make to my heart's content,
with different kernels going into different directories that I control.

-- 
Bill Longman


Re: [gentoo-user] sudo in kernel config ?

2010-09-12 Thread Al
 This was actually a potential risk once upon a time:

 Sorry to drift from the topic, but would somebody please explain to me
 what a potential risk is? How does it differ from a risk?

A risk is always potential. A potential risk is when you are not sure
if it is a risk at all.

Al



Re: [gentoo-user] sudo in kernel config ?

2010-09-11 Thread Albert Hopkins
On Sat, 2010-09-11 at 10:24 +0200, Stéphane Guedon wrote:
 few months ago, I read linux kernel in a nutschell(sic), and the author wrote
 we shouldn't do kernel operations (config and build) as root.

I call bullsh*t.  I've been compiling kernels for 17 years and for the
most part have done it as root without any problems.

What the author is saying is that, to an extent, in theory no one should
compile anything as root, or really do anything non-system-adminly as
root.  You should only do as root what is critically necessary (e.g.
make install) as root.

In a perfect, tidy world we'd all do that.  This world, however does not
exist.  Even portage, by default does configure and make as root (albeit
in a sandbox so it is safe(r). 

What the author means is theoretically the config/compile phase could
unintentionally cause some kind of harm to your system.  In practice I
have never seen this or heard of it.  The kernel devs are bright enough
to ensure that the compilation does nothing outside the source tree
itself.

It's a good guideline but, like the government's dietary guidelines, not
ones I intend to follow religiously.

 Is sudo (or kdesudo ?) a good replacement to that ?

sudo runs things as root, so effectively you've done nothing but add a
password prompt to the mix.

Gentoo actually makes this a bit more difficult, because usually one
uses portage to install the kernel sources, and they get installed as
root-owned, and only root has write access to the kernel tree.

Some people, such as myself, use kernel sources outside of portage (I
follow a git repo) and do so as a non-root user.  In this case the
kernel tree is not owned by root and the config/compile is easily done
as a non-root user.

If you are super-paranoid.  You can make a non-root copy
of /usr/src/linux and compile it as a non-root user.

But there really isn't any point in using sudo.  It's effectively doing
the same thing that you are trying to avoid.





Re: [gentoo-user] sudo in kernel config ?

2010-09-11 Thread Stéphane Guedon
On Saturday 11 September 2010 11:46:59, Albert Hopkins wrote:
 On Sat, 2010-09-11 at 10:24 +0200, Stéphane Guedon wrote:
  few months ago, I read linux kernel in a nutschell(sic), and the author
  wrote we shouldn't do kernel operations (config and build) as root.
 
 I call bullsh*t.  I've been compiling kernels for 17 years and for the
 most part have done it as root without any problems.
 
 What the author is saying is that, to an extent, in theory no one should
 compile anything as root, or really do anything non-system-adminly as
 root.  You should only do as root what is critically necessary (e.g.
 make install) as root.
 
 In a perfect, tidy world we'd all do that.  This world, however does not
 exist.  Even portage, by default does configure and make as root (albeit
 in a sandbox so it is safe(r).
 
 What the author means is theoretically the config/compile phase could
 unintentionally cause some kind of harm to your system.  In practice I
 have never seen this or heard of it.  The kernel devs are bright enough
 to ensure that the compilation does nothing outside the source tree
 itself.
 
 It's a good guideline but, like the government's dietary guidelines, not
 ones I intend to follow religiously.
 
  Is sudo (or kdesudo ?) a good replacement to that ?
 
 sudo runs things as root, so effectively you've done nothing but add a
 password prompt to the mix.
 
 Gentoo actually makes this a bit more difficult, because usually one
 uses portage to install the kernel sources, and they get installed as
 root-owned, and only root has write access to the kernel tree.
 
 Some people, such as myself, use kernel sources outside of portage (I
 follow a git repo) and do so as a non-root user.  In this case the
 kernel tree is not owned by root and the config/compile is easily done
 as a non-root user.
 
 If you are super-paranoid.  You can make a non-root copy
 of /usr/src/linux and compile it as a non-root user.
 
 But there really isn't any point in using sudo.  It's effectively doing
 the same thing that you are trying to avoid.

I am not paranoid anymore, just asking to knowing persons...
Ok ! thanks for your answer !
-- 
Stéphane Guedon
web page: http://www.22decembre.eu/
business card: http://www.22decembre.eu/downloads/Stephane-Guedon.vcf
gpg public key: http://www.22decembre.eu/downloads/Stephane-Guedon.asc




Re: [gentoo-user] sudo in kernel config ?

2010-09-11 Thread Volker Armin Hemmann
On Saturday 11 September 2010, Stéphane Guedon wrote:
 On Saturday 11 September 2010 11:46:59, Albert Hopkins wrote:
  On Sat, 2010-09-11 at 10:24 +0200, Stéphane Guedon wrote:
   few months ago, I read linux kernel in a nutschell(sic), and the author
   wrote we shouldn't do kernel operations (config and build) as root.
  
  I call bullsh*t.  I've been compiling kernels for 17 years and for the
  most part have done it as root without any problems.
  
  What the author is saying is that, to an extent, in theory no one should
  compile anything as root, or really do anything non-system-adminly as
  root.  You should only do as root what is critically necessary (e.g.
  make install) as root.
  
  In a perfect, tidy world we'd all do that.  This world, however does not
  exist.  Even portage, by default does configure and make as root (albeit
  in a sandbox so it is safe(r).
  
  What the author means is theoretically the config/compile phase could
  unintentionally cause some kind of harm to your system.  In practice I
  have never seen this or heard of it.  The kernel devs are bright enough
  to ensure that the compilation does nothing outside the source tree
  itself.
  
  It's a good guideline but, like the government's dietary guidelines, not
  ones I intend to follow religiously.
  
   Is sudo (or kdesudo ?) a good replacement to that ?
  
  sudo runs things as root, so effectively you've done nothing but add a
  password prompt to the mix.
  
  Gentoo actually makes this a bit more difficult, because usually one
  uses portage to install the kernel sources, and they get installed as
  root-owned, and only root has write access to the kernel tree.
  
  Some people, such as myself, use kernel sources outside of portage (I
  follow a git repo) and do so as a non-root user.  In this case the
  kernel tree is not owned by root and the config/compile is easily done
  as a non-root user.
  
  If you are super-paranoid.  You can make a non-root copy
  of /usr/src/linux and compile it as a non-root user.
  
  But there really isn't any point in using sudo.  It's effectively doing
  the same thing that you are trying to avoid.
 
 I am not paranoid anymore, just asking to knowing persons...
 Ok ! thanks for your answer !

well, some years ago someone made a mistake causing some people doing make as
root losing /dev/null or something like that. But not even everybody was hit.

/me prefers losing /dev/null over having /home/$USER overwritten.



Re: [gentoo-user] sudo in kernel config ?

2010-09-11 Thread Albert Hopkins
On Sat, 2010-09-11 at 05:46 -0400, Albert Hopkins wrote:
 In a perfect, tidy world we'd all do that.  This world, however does not
 exist.  Even portage, by default does configure and make as root (albeit
 in a sandbox so it is safe(r).

I suppose one could compile the kernel sources as root but inside
sandbox, though I've never tried that.






Re: [gentoo-user] sudo in kernel config ?

2010-09-11 Thread Alan McKinnon
Apparently, though unproven, at 11:46 on Saturday 11 September 2010, Albert 
Hopkins did opine thusly:

 On Sat, 2010-09-11 at 10:24 +0200, Stéphane Guedon wrote:
  few months ago, I read linux kernel in a nutschell(sic), and the author
  wrote we shouldn't do kernel operations (config and build) as root.
 
 I call bullsh*t.  I've been compiling kernels for 17 years and for the
 most part have done it as root without any problems.

Same here.

The root user (sometimes portage) creates /usr/src/linux-*

Someone tell me again exactly how user alan is supposed to build those 
sources?


-- 
alan dot mckinnon at gmail dot com



Re: [gentoo-user] sudo in kernel config ?

2010-09-11 Thread Dale

Alan McKinnon wrote:
> Apparently, though unproven, at 11:46 on Saturday 11 September 2010, Albert
> Hopkins did opine thusly:
>
>> On Sat, 2010-09-11 at 10:24 +0200, Stéphane Guedon wrote:
>>> few months ago, I read linux kernel in a nutschell(sic), and the author
>>> wrote we shouldn't do kernel operations (config and build) as root.
>>
>> I call bullsh*t.  I've been compiling kernels for 17 years and for the
>> most part have done it as root without any problems.
>
> Same here.
>
> The root user (sometimes portage) creates /usr/src/linux-*
>
> Someone tell me again exactly how user alan is supposed to build those
> sources?

If they are accessible by a user, couldn't a user then edit or add
something that would then cause a security problem?  If they can edit
them and no one knows it, then root comes along and builds a shiny new
kernel with a really nice security hole.

Glad only root can get to the sources.  ;-)

Dale

:-)  :-)



Re: [gentoo-user] sudo in kernel config ?

2010-09-11 Thread Etaoin Shrdlu
On Sat, 11 Sep 2010 15:35:58 -0500 Dale rdalek1...@gmail.com wrote:

> If they are accessible by a user, couldn't a user then edit or add
> something that would then cause a security problem?  If they can edit
> them and no one knows it, then root comes along and builds a shiny new
> kernel with a really nice security hole.

This was actually a potential risk once upon a time:

http://attrition.org/security/advisory/gobbles/GOBBLES-16.txt



Re: [gentoo-user] sudo in kernel config ?

2010-09-11 Thread Alan McKinnon
Apparently, though unproven, at 22:28 on Saturday 11 September 2010, Etaoin 
Shrdlu did opine thusly:

> On Sat, 11 Sep 2010 15:35:58 -0500 Dale rdalek1...@gmail.com wrote:
>> If they are accessible by a user, couldn't a user then edit or add
>> something that would then cause a security problem?  If they can edit
>> them and no one knows it, then root comes along and builds a shiny new
>> kernel with a really nice security hole.
>
> This was actually a potential risk once upon a time:
>
> http://attrition.org/security/advisory/gobbles/GOBBLES-16.txt

More like an actual risk all the time. Which is why:

# ls -al /usr/src/
total 2
drwxr-xr-x  3 root root  136 2010-09-01 11:41 .
drwxr-xr-x 17 root root  480 2010-08-23 01:44 ..
-rw-r--r--  1 root root    0 2008-06-17 19:37 .keep
lrwxrwxrwx  1 root root   18 2010-09-01 11:30 linux -> linux-2.6.35-ck-r2
drwxr-xr-x 24 root root 1584 2010-09-01 02:12 linux-2.6.35-ck-r2



-- 
alan dot mckinnon at gmail dot com



Re: [gentoo-user] sudo in kernel config ?

2010-09-11 Thread Peter Humphrey
On Saturday 11 September 2010 21:28:13 Etaoin Shrdlu wrote:

 This was actually a potential risk once upon a time:

Sorry to drift from the topic, but would somebody please explain to me 
what a potential risk is? How does it differ from a risk?

(Not getting at you, Etaoin; the world is just full of woolly thinking 
that threatens to submerge us all. Or not thinking, in most cases.)

-- 
Rgds
Peter.  Linux Counter 5290, 1994-04-23.



Re: [gentoo-user] sudo in kernel config ?

2010-09-11 Thread Etaoin Shrdlu
On Sat, 11 Sep 2010 23:05:22 +0100
Peter Humphrey pe...@humphrey.ukfsn.org wrote:

 On Saturday 11 September 2010 21:28:13 Etaoin Shrdlu wrote:
 
  This was actually a potential risk once upon a time:
 
 Sorry to drift from the topic, but would somebody please explain to me 
 what a potential risk is? How does it differ from a risk?
 
 (Not getting at you, Etaoin; the world is just full of woolly thinking 
 that threatens to submerge us all. Or not thinking, in most cases.)

I suppose that a risk is potential because it's possible that it's, um
risky only under certain circumstances.
 
If those circumstances are not true for you, there is no risk; if they are
true, there is a risk.

Once you know that there is a risk (thus it's no longer potential, but
it's actual), it still takes somebody or something to exploit it to actually
have a problem.

Makes sense?



Re: [gentoo-user] sudo in kernel config ?

2010-09-11 Thread Peter Humphrey
On Saturday 11 September 2010 23:03:14 Etaoin Shrdlu wrote:

 Makes sense?

Not convinced. Sorry.

-- 
Rgds
Peter.  Linux Counter 5290, 1994-04-23.



Re: [gentoo-user] sudo-1.7.4_p3-r1

2010-09-08 Thread pk
On 2010-09-07 21:48, Mick wrote:
 Just updated and noticed that the edict:
 
 #Reset environment by default
 Defaults  env_reset
 
 is no longer in /etc/sudoers.
 
 A load of other (commented out) environment incantations were added.  What is 
 the importance of this?  Do I need env_reset?

From man sudoers:
env_reset

If set, sudo will reset the environment to only contain the
LOGNAME, MAIL, SHELL, USER, USERNAME and the SUDO_* variables.  Any
variables in the caller's environment that match the env_keep and
env_check lists are then added.  The default contents of the
env_keep and env_check lists are displayed when sudo is run by root
with the -V option.  If the secure_path option is set, its value
will be used for the PATH environment variable.  This flag is on by
default

HTH

Best regards

Peter K



Re: [gentoo-user] Sudo config

2008-06-21 Thread Ward Poelmans
2008/6/20 Stroller [EMAIL PROTECTED]:

 On my systems I have only seen this *every* time I `sudo` when my clock has
 been broken.

That's because the lecture option has the value of once and when your
time is messed up, it resets.
Try adding:
Defaults !lecture
to your sudoers. No need to emerge ntp for that.

Ward
-- 
gentoo-user@lists.gentoo.org mailing list



Re: [gentoo-user] Sudo config

2008-06-21 Thread Stroller


On 21 Jun 2008, at 09:14, Ward Poelmans wrote:

> 2008/6/20 Stroller [EMAIL PROTECTED]:
>> On my systems I have only seen this *every* time I `sudo` when my
>> clock has been broken.
>
> That's because the lecture option has the value of once and when your
> time is messed up, it resets.

Well, duh!

> Try adding:
> Defaults !lecture
> to your sudoers. No need to emerge ntp for that.


This doesn't fix the problem of the clock being wrong, though, does  
it? Chances are the CMOS battery's flat.


Stroller.



Re: [gentoo-user] Sudo config

2008-06-20 Thread Anthony Metcalf

Paul Melvin wrote:
> HI,
>
> I have been using ubuntu for a while and have come to like sudo.
>
> Now I am moving over to gentoo and would like to set this up as for me
> it is far more convenient to just type sudo rather than the su business.
>
> However when I emerge sudo, install and run it the following comes up
> with:
>
> We trust you have received the usual lecture from the local System
> Administrator. It usually boils down to these three things:
>
> #1) Respect the privacy of others.
> #2) Think before you type.
> #3) With great power comes great responsibility.
>
> Password:
>
> Which is all very good but I don’t really want to see it every time, I
> have searched on how to remove it but have found nothing, I did
> download sudo tar and do a grep and found it in one of the c files but
> as I am not a programmer I don’t know if I can simply remove this or not.
>
> How can I, when I sudo,:
>
> 1.get rid of all the text
> 2.change the password line to something, dare I say it, like ubuntu,
> e.g. [sudo] password for paul, I assume paul is just a $USER
>
> Cheers
>
> paul

Look at /etc/sudoers It is very well documented.

I have a line like

# Same thing without a password
%wheel  ALL=(ALL)   NOPASSWD: ALL

which means that anyone in the wheel group can use sudo as you want.

Anthony



Re: [gentoo-user] Sudo config

2008-06-20 Thread Ward Poelmans
2008/6/20 Paul Melvin [EMAIL PROTECTED]:
 1.get rid of all the text

Add:
Defaults !lecture

to your sudoers file

 2.change the password line to something, dare I say it, like ubuntu, e.g.
 [sudo] password for paul, I assume paul is just a $USER

Look at the sudoers man page. It's all there.

Ward



Re: [gentoo-user] Sudo config

2008-06-20 Thread Etaoin Shrdlu
On Friday 20 June 2008, 16:58, Paul Melvin wrote:

 How can I, when I sudo,:



 1.get rid of all the text

The lecture directive in /etc/sudoers seems to control that, although 
it's not terribly clear.

 2.change the password line to something, dare I say it, like ubuntu,
 e.g. [sudo] password for paul, I assume paul is just a $USER

This is controlled by the passprompt directive.

man sudoers has decent explanations of both.



Re: [gentoo-user] Sudo config

2008-06-20 Thread Conway S. Smith
On Fri, 20 Jun 2008 16:11:31 +0100
Anthony Metcalf [EMAIL PROTECTED] wrote:
> Paul Melvin wrote:
>> HI,
>>
>> I have been using ubuntu for a while and have come to like sudo.
>>
>> Now I am moving over to gentoo and would like to set this up as
>> for me it is far more convenient to just type sudo rather than
>> the su business.
>>
>> However when I emerge sudo, install and run it the following
>> comes up with:
>>
>> We trust you have received the usual lecture from the local System
>> Administrator. It usually boils down to these three things:
>>
>> #1) Respect the privacy of others.
>> #2) Think before you type.
>> #3) With great power comes great responsibility.
>>
>> Password:
>>
>> Which is all very good but I don’t really want to see it every
>> time, I have searched on how to remove it but have found nothing,
>> I did download sudo tar and do a grep and found it in one of the
>> c files but as I am not a programmer I don’t know if I can simply
>> remove this or not.
>>
>> How can I, when I sudo,:
>>
>> 1.get rid of all the text
>> 2.change the password line to something, dare I say it, like
>> ubuntu, e.g. [sudo] password for paul, I assume paul is just a
>> $USER
>
> Look at /etc/sudoers It is very well documented.
>
> I have a line like
> # Same thing without a password
> %wheel  ALL=(ALL)   NOPASSWD: ALL
> which means that anyone in the wheel group can use sudo as you want.
>
> Anthony

Note that the correct way to edit the /etc/sudoers file is w/ the
command visudo as root, rather than editing the file directly in your
favorite editor.  Set the EDITOR environment variable to your
preferred editor & visudo should use it.


Conway S. Smith



RE: [gentoo-user] Sudo config

2008-06-20 Thread Paul Melvin
 -Original Message-
 From: Etaoin Shrdlu [mailto:[EMAIL PROTECTED]
 Sent: 20 June 2008 16:17
 To: gentoo-user@lists.gentoo.org
 Subject: Re: [gentoo-user] Sudo config
 
 On Friday 20 June 2008, 16:58, Paul Melvin wrote:
 
  How can I, when I sudo,:
 
 
 
  1.get rid of all the text
 
 The lecture directive in /etc/sudoers seems to control that, although
 it's not terribly clear.
 
  2.change the password line to something, dare I say it, like ubuntu,
  e.g. [sudo] password for paul, I assume paul is just a $USER
 
 This is controlled by the passprompt directive.
 
 man sudoers has decent explanations of both.

Thanks Ward and Etaoin, will do
 




Re: [gentoo-user] Sudo config

2008-06-20 Thread Stroller


On 20 Jun 2008, at 15:58, Paul Melvin wrote:

...
However when I emerge sudo, install and run it the following comes  
up with:


We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.

Password:

Which is all very good but I don’t really want to see it every  
time,...


On my systems I have only seen this *every* time I `sudo` when my  
clock has been broken.


Suggest you `emerge ntp` and add ntp-client to the default runlevel.

Stroller.




Re: [gentoo-user] sudo displays last login time

2008-03-17 Thread Alan McKinnon
On Monday 17 March 2008, Michael Schmarck wrote:
 Hello.

 Since recently (I think since 2nd half of last week), when I use
 sudo on my ~x86, I get the last login time displayed:

 $ LC_ALL=C sudo ls -1
 Last login: Mon Mar 17 07:12:40 CET 2008 from winnb000488 on pts/6
 10001~
 [...]

 Would anyone have an idea, about why that's happening?

It's a recent pam update. I updated mine on 11 March, and it's these 
lines from files in /etc/pam.d/:

nazgul pam.d # grep pam_lastlog *
login:session    optional   pam_lastlog.so
system-login:session    optional    pam_lastlog.so


If you want to get rid of the last login notice, just comment out those 
two lines



-- 
Alan McKinnon
alan dot mckinnon at gmail dot com




Re: [gentoo-user] sudo displays last login time

2008-03-17 Thread Iain Buchanan

On Mon, 2008-03-17 at 10:49 +0200, Alan McKinnon wrote:
 On Monday 17 March 2008, Michael Schmarck wrote:
  Hello.
 
  Since recently (I think since 2nd half of last week), when I use
  sudo on my ~x86, I get the last login time displayed:

[snip]

 It's a recent pam update. I updated mine on 11 March, and it's these 
 lines from files in /etc/pam.d/:
 
 nazgul pam.d # grep pam_lastlog *
 login:session    optional   pam_lastlog.so
 system-login:session    optional    pam_lastlog.so

 If you want to get rid of the last login notice, just comment out those 
 two lines

however, if you comment them out then you also don't get the lastlog
message when you ssh or console log in.  How do you get the old
behaviour where sudo doesn't show your last login, but other logins do?

thanks,
-- 
Iain Buchanan iaindb at netspace dot net dot au

Waiter: Tea or coffee, gentlemen?
1st customer: I'll have tea.
2nd customer: Me, too -- and be sure the glass is clean!
(Waiter exits, returns)
Waiter: Two teas.  Which one asked for the clean glass?




Re: [gentoo-user] SUDO: running /etc/init.d/cupsd restart

2006-12-04 Thread Neil Bothwick
On Mon, 4 Dec 2006 13:54:52 +0100, jak gentoo wrote:

> I'm trying to allow users in the wheel group to run /etc/init.d/cupsd
> restart
> I edited /etc/sudoers with visudo to the following but it doesn't work,
> any ideas?
>
> %wheel ALL=(ALL) NOPASSWD: /sbin/runscript.sh
> %wheel ALL=(ALL) NOPASSWD: /etc/init.d/cupsd restart
>
> when I try with my normal account I get
> [EMAIL PROTECTED] ~ $ /etc/init.d/cupsd restart
>  * /sbin/runscript.sh: must be root to run init scripts
> but I'm in the wheel group

The settings in /etc/sudoers only apply when running a command with sudo,
try sudo /etc/init.d/cupsd restart


-- 
Neil Bothwick

Windows 98, the most installed system in the world, I know, I've done it
5 or 6 times myself.




Re: [gentoo-user] SUDO: running /etc/init.d/cupsd restart

2006-12-04 Thread Daniel Waeber
Hi

jak gentoo wrote:
> Hi all,
>
> I'm trying to allow users in the wheel group to run /etc/init.d/cupsd
> restart
> I edited /etc/sudoers with visudo to the following but it doesn't work, any
> ideas?
>
> %wheel ALL=(ALL) NOPASSWD: /sbin/runscript.sh
You won't need the line above, it would be a risk if wheel group is
allowed to run any script with runscript.sh as root.

> %wheel ALL=(ALL) NOPASSWD: /etc/init.d/cupsd restart
>
> when I try with my normal account I get
> [EMAIL PROTECTED] ~ $ /etc/init.d/cupsd restart
> * /sbin/runscript.sh: must be root to run init scripts
But you have to start the cupsd script with sudo:
$ sudo /etc/init.d/cupsd restart

At least this is how I know sudo.
--
wabu

-- 
gentoo-user@gentoo.org mailing list
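
An audit of the kind of rule discussed in the message above, added here and not part of the original messages: in sudoers a command listed without arguments matches any arguments, so the runscript.sh rule lets wheel run it as root with any script, while the cupsd rule is pinned to `restart`. The parser handles only single-line rules of the form shown in the thread; the sample file and the function names are constructed.

```python
import re

# Constructed sample built from the rules quoted in this thread and in the
# "Sudo config" thread on this page.
SUDOERS = """\
# Constructed sample
Defaults !lecture
%wheel ALL=(ALL) NOPASSWD: /sbin/runscript.sh
%wheel ALL=(ALL) NOPASSWD: /etc/init.d/cupsd restart
%wheel ALL=(ALL) NOPASSWD: ALL
"""

# who host=(runas) command-list ; only this simple one-line form is handled.
RULE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>[^\s=]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$"
)
TAG = re.compile(r"^([A-Z_]+):\s*")
SKIP = re.compile(r"^(Defaults|(User|Runas|Host|Cmnd)_Alias)\b")


def audit(text):
    """Return (lineno, who, command, finding) for risky NOPASSWD rules."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or SKIP.match(line):
            continue
        m = RULE.match(line)
        if not m:
            continue  # includes, continuations etc. are out of scope here
        nopasswd = False
        # Tags such as NOPASSWD: carry over to later commands in the list.
        for spec in m.group("cmds").split(","):
            spec = spec.strip()
            tag = TAG.match(spec)
            while tag:
                if tag.group(1) == "NOPASSWD":
                    nopasswd = True
                elif tag.group(1) == "PASSWD":
                    nopasswd = False
                spec = spec[tag.end():]
                tag = TAG.match(spec)
            if not spec or not nopasswd:
                continue
            parts = spec.split(None, 1)
            if parts[0] == "ALL":
                findings.append((lineno, m.group("who"), spec, "any-command"))
            elif len(parts) == 1:
                # No argument list in the rule: every argument is accepted.
                findings.append((lineno, m.group("who"), spec, "any-arguments"))
    return findings


if __name__ == "__main__":
    for lineno, who, cmd, finding in audit(SUDOERS):
        print(f"line {lineno}: {who} -> {cmd}: {finding}")
```
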



Re: [gentoo-user] SUDO: running /etc/init.d/cupsd restart

2006-12-04 Thread jak gentoo

On 12/4/06, Daniel Waeber [EMAIL PROTECTED] wrote:
> Hi
>
> jak gentoo wrote:
>> Hi all,
>>
>> I'm trying to allow users in the wheel group to run /etc/init.d/cupsd
>> restart
>> I edited /etc/sudoers with visudo to the following but it doesn't work,
>> any ideas?
>>
>> %wheel ALL=(ALL) NOPASSWD: /sbin/runscript.sh
> You won't need the line above, it would be a risk if wheel group is
> allowed to run any script with runscript.sh as root.
>
>> %wheel ALL=(ALL) NOPASSWD: /etc/init.d/cupsd restart
>>
>> when I try with my normal account I get
>> [EMAIL PROTECTED] ~ $ /etc/init.d/cupsd restart
>> * /sbin/runscript.sh: must be root to run init scripts
> But you have to start the cupsd script with sudo:
> $ sudo /etc/init.d/cupsd restart
>
> At least this is how I know sudo.
> --
> wabu

thanks to both of you, I was too stupid to add sudo in front.

it's running now.

jakommo


RE: [gentoo-user] sudo requires password twice

2006-11-07 Thread Daevid Vincent
Can someone paste/send me their (stock) /etc/pam.d/sudo file?

I don't do anything fancy and haven't purposefully edited this file, so I
just want whatever the standard (current) Gentoo version is. This double
prompting is very frustrating...

DÆVID  

 -Original Message-
 From: Boyd Stephen Smith Jr. [mailto:[EMAIL PROTECTED] 
 Sent: Thursday, October 05, 2006 5:46 PM
 To: gentoo-user@lists.gentoo.org
 Subject: Re: [gentoo-user] sudo requires password twice
 
 On Thursday 05 October 2006 16:36, Daevid Vincent 
 [EMAIL PROTECTED] 
 wrote about 'RE: [gentoo-user] sudo requires password twice':
  I've not figured this out yet, so reposting in case someone has any
  ideas...
 
 Hrm, I either never got the original (not surprising) or I was just 
 skimming my mail too quickly and missed your question (even less 
 surprising).
 
  auth       required     /lib/security/pam_stack.so service=system-auth
 
 This line...
 
  auth       include      system-auth
 
 and this one are redundant.  They both run through the 
 system-auth chain as 
 part of authentication.  In effect you are telling PAM that any sudo 
 authentication needs to do system authentication twice w/ whatever 
 pam_nologin does in between.
 
 You'll want to remove one or the other, after investigating 
 any subtle 
 differences between the two that I'm unaware of, which may or may not 
 exist.  (I haven't messed with PAM in months.)





Re: [gentoo-user] sudo requires password twice

2006-11-07 Thread Boyd Stephen Smith Jr.
On Tuesday 07 November 2006 20:39, Daevid Vincent [EMAIL PROTECTED] 
wrote about 'RE: [gentoo-user] sudo requires password twice':
 Can someone paste/send me their (stock) /etc/pam.d/sudo file?

Sent via private mail.

-- 
If there's one thing we've established over the years,
it's that the vast majority of our users don't have the slightest
clue what's best for them in terms of package stability.
-- Gentoo Developer Ciaran McCreesh




RE: [gentoo-user] sudo requires password twice

2006-10-05 Thread Daevid Vincent
I've not figured this out yet, so reposting in case someone has any ideas...

I did find this link:
http://www.mail-archive.com/openpkg-users@openpkg.org/msg01747.html

But I tried to add this:

auth required try_first_pass

To my /etc/pam.d/sudo file and it didn't work.
Did I do that wrong?

This is my current file (default)

# File autogenerated by pamd_mimic_system in pam eclass
auth       required     /lib/security/pam_stack.so service=system-auth
auth       required     /lib/security/pam_nologin.so
auth       include      system-auth
account    include      system-auth
password   include      system-auth
session    include      system-auth

And I'm using app-admin/sudo 1.6.8_p9-r2 and sys-libs/pam 0.78-r5

DÆVID  

 -Original Message-
 From: Daevid Vincent [mailto:[EMAIL PROTECTED] 
 Sent: Sunday, June 11, 2006 10:44 PM
 To: gentoo-user@lists.gentoo.org
 Subject: RE: [gentoo-user] sudo requires password twice
 
 Just a little more info on this. I noticed on my server which I've not done
 the pam/shadow update emerge yet, this same anomaly occurs... Any ideas on
 why? 
 
  -Original Message-
  From: Daevid Vincent [mailto:[EMAIL PROTECTED] 
  Sent: Friday, June 09, 2006 2:46 PM
  To: gentoo-user@lists.gentoo.org
  Subject: [gentoo-user] sudo requires password twice
  
  I recently did an update world and had that 'pam'/'shadow' issue. 
  Followed these pages:
  http://planet.gentoo.org/developers/flameeyes/2006/03/19/the_shadow_and_pam_login_conflict
  http://www.mail-archive.com/gentoo-user@lists.gentoo.org/msg35692.html
  
  Everything seems fine. 
  I've rebooted many times since. 
  I can login from ssh or console. 
  
  One odd behaviour:
  
  [EMAIL PROTECTED] ~ $ sudo ifconfig
  Password:
  Password:
  eth0  Link encap:Ethernet  HWaddr 00:08:74:E0:5C:3B  
inet addr:172.16.35.234  Bcast:172.16.63.255  
  Mask:255.255.224.0
  ...
  
  Whenever I first type 'sudo' I am prompted twice?! Then of 
 course sudo
  remembers me for 5 minutes or whatever the timeout is, so 
  subsequent 'sudo'
  calls are not prompted.
  
  I don't know if this is relevant, but perhaps it has to do 
  with the pam
  thing above?
  
  locutus ~ # cat /etc/pam.d/sudo
  # File autogenerated by pamd_mimic_system in pam eclass
  
  auth       required     /lib/security/pam_stack.so service=system-auth
  auth       required     /lib/security/pam_nologin.so
  
  auth       include      system-auth
  account    include      system-auth
  password   include      system-auth
  session    include      system-auth
  
  ÐÆ5ÏÐ 
  
  



Re: [gentoo-user] sudo requires password twice

2006-10-05 Thread Boyd Stephen Smith Jr.
On Thursday 05 October 2006 16:36, Daevid Vincent [EMAIL PROTECTED] 
wrote about 'RE: [gentoo-user] sudo requires password twice':
 I've not figured this out yet, so reposting in case someone has any
 ideas...

Hrm, I either never got the original (not surprising) or I was just 
skimming my mail too quickly and missed your question (even less 
surprising).

 auth   required /lib/security/pam_stack.so service=system-auth

This line...

 auth       include      system-auth

and this one are redundant.  They both run through the system-auth chain as 
part of authentication.  In effect you are telling PAM that any sudo 
authentication needs to do system authentication twice w/ whatever 
pam_nologin does in between.

You'll want to remove one or the other, after investigating any subtle 
differences between the two that I'm unaware of, which may or may not 
exist.  (I haven't messed with PAM in months.)

-- 
If there's one thing we've established over the years,
it's that the vast majority of our users don't have the slightest
clue what's best for them in terms of package stability.
-- Gentoo Developer Ciaran McCreesh
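
The double traversal described in this reply can be detected mechanically. The following is an added example, not code from the thread or from Gentoo's PAM tooling: it lists every management group in a pam.d service file that pulls in the same service stack more than once, counting both `pam_stack.so service=` and `include`. The function names are assumptions, and the sample is the file quoted in the thread, re-typed with its column spacing restored.

```shell
#!/bin/sh
# Constructed sample: the /etc/pam.d/sudo file quoted in this thread.
sample_pam_sudo() {
    cat <<'EOF'
# File autogenerated by pamd_mimic_system in pam eclass
auth       required     /lib/security/pam_stack.so service=system-auth
auth       required     /lib/security/pam_nologin.so
auth       include      system-auth
account    include      system-auth
password   include      system-auth
session    include      system-auth
EOF
}

# pam_duplicate_stacks [FILE...]   (hypothetical name; reads stdin without FILE)
# Prints "<type> <service> <count>" for each service stack that one management
# group (auth, account, password, session) traverses more than once.
pam_duplicate_stacks() {
    awk '
        /^[ \t]*#/ { next }                     # comment lines
        /^[ \t]*$/ { next }                     # blank lines
        {
            type = $1
            sub(/^-/, "", type)                 # a leading "-" does not change the group
            control = $2
            mod = 3                             # field that holds the module path
            if (control ~ /^\[/)                # [value=action ...] may span several fields
                while (mod <= NF && $(mod - 1) !~ /\]$/) mod++
            svc = ""
            if (control == "include" || control == "substack") {
                svc = $3
            } else if ($(mod) ~ /pam_stack\.so$/) {
                for (i = mod + 1; i <= NF; i++)
                    if ($i ~ /^service=/) svc = substr($i, 9)
            }
            if (svc != "") seen[type " " svc]++
        }
        END { for (k in seen) if (seen[k] > 1) print k, seen[k] }
    ' "$@" | sort
}
```

Run as `pam_duplicate_stacks /etc/pam.d/sudo`; any output line names a group whose stack is evaluated twice, which is what produces the second password prompt here.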




RE: [gentoo-user] sudo requires password twice

2006-06-11 Thread Daevid Vincent
Just a little more info on this. I noticed on my server which I've not done
the pam/shadow update emerge yet, this same anomaly occurs... Any ideas on
why? 

 -Original Message-
 From: Daevid Vincent [mailto:[EMAIL PROTECTED] 
 Sent: Friday, June 09, 2006 2:46 PM
 To: gentoo-user@lists.gentoo.org
 Subject: [gentoo-user] sudo requires password twice
 
 I recently did an update world and had that 'pam'/'shadow' issue. 
 Followed these pages:
 http://planet.gentoo.org/developers/flameeyes/2006/03/19/the_shadow_and_pam_login_conflict
 http://www.mail-archive.com/gentoo-user@lists.gentoo.org/msg35692.html
 
 Everything seems fine. 
 I've rebooted many times since. 
 I can login from ssh or console. 
 
 One odd behaviour:
 
 [EMAIL PROTECTED] ~ $ sudo ifconfig
 Password:
 Password:
 eth0  Link encap:Ethernet  HWaddr 00:08:74:E0:5C:3B  
   inet addr:172.16.35.234  Bcast:172.16.63.255  
 Mask:255.255.224.0
   ...
 
 Whenever I first type 'sudo' I am prompted twice?! Then of course sudo
 remembers me for 5 minutes or whatever the timeout is, so 
 subsequent 'sudo'
 calls are not prompted.
 
 I don't know if this is relevant, but perhaps it has to do 
 with the pam
 thing above?
 
 locutus ~ # cat /etc/pam.d/sudo
 # File autogenerated by pamd_mimic_system in pam eclass
 
 auth       required     /lib/security/pam_stack.so service=system-auth
 auth       required     /lib/security/pam_nologin.so
 
 auth       include      system-auth
 account    include      system-auth
 password   include      system-auth
 session    include      system-auth
 
 ÐÆ5ÏÐ 
 
 



Re: [gentoo-user] sudo difficulties

2006-04-05 Thread JimD
On Wed, April 5, 2006 7:45 pm, Grant wrote:
 I've added the following to the bottom of my sudo file using 'visudo'
 and there are no complaints of bad syntax, but grant still can't shut down 
 the system:

 grant system4 = /sbin/shutdown -h now

 What am I missing?


 - Grant

First try to edit one of the examples and see if that works.  For example try 
this one:

%users  localhost=/sbin/shutdown -h now

Replace %users with the group for grant.

Jim
-- 
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
I'm a geek, but I don't get it. 36-24-36 = -24. What's the significance?
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Florida, USA, Earth, Solar System, Milky Way




Re: [gentoo-user] sudo difficulties

2006-04-05 Thread Grant
  I've added the following to the bottom of my sudo file using 'visudo'
  and there are no complaints of bad syntax, but grant still can't shut down 
  the system:
 
  grant system4 = /sbin/shutdown -h now
 
  What am I missing?
 
 
  - Grant

 First try to edit one of the examples and see if that works.  For example try 
 this one:

 %users  localhost=/sbin/shutdown -h now

 Replace %users with the group for grant.

 Jim

I actually tried that first and when that failed I tried something
like that specified here:

www.gentoo.org/doc/en/sudo-guide.xml

Either way I get:

[EMAIL PROTECTED] ~ $ /sbin/shutdown -h now
shutdown: you must be root to do that!

- Grant




Re: [gentoo-user] sudo difficulties

2006-04-05 Thread Manuel McLure

Grant wrote:

I actually tried that first and when that failed I tried something
like that specified here:

www.gentoo.org/doc/en/sudo-guide.xml

Either way I get:

[EMAIL PROTECTED] ~ $ /sbin/shutdown -h now
shutdown: you must be root to do that!


Try

sudo /sbin/shutdown -h now

instead.

--
Manuel A. McLure KE6TAW [EMAIL PROTECTED] http://www.mclure.org
...for in Ulthar, according to an ancient and significant law,
no man may kill a cat.   -- H.P. Lovecraft



Re: [gentoo-user] sudo difficulties

2006-04-05 Thread JimD
On Wed, April 5, 2006 8:06 pm, Grant wrote:

 I actually tried that first and when that failed I tried something
 like that specified here:

 www.gentoo.org/doc/en/sudo-guide.xml

 Either way I get:

 [EMAIL PROTECTED] ~ $ /sbin/shutdown -h now shutdown: you must be root to do 
 that!

 - Grant

For sudo to work you need to run the command with sudo.

Try:

[EMAIL PROTECTED] ~ $ sudo /sbin/shutdown -h now shutdown

Jim
-- 
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
I'm a geek, but I don't get it. 36-24-36 = -24. What's the significance?
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Florida, USA, Earth, Solar System, Milky Way




Re: [gentoo-user] sudo echo

2006-03-25 Thread Alexander Skwar
Daniel da Veiga wrote:

 what I didn't notice was an alias for sudo as sudo su -c...

Why are you doing that? What's the purpose of using su
instead of sh here? Or put differently: Why use su to
run sh when you could run sh directly?

Could somebody please explain?

Alexander Skwar
-- 
Yeah, but they are good at making toys. I mean look at Windows...

   -- From a Slashdot.org post about Microsoft's X-Box console



Re: [gentoo-user] sudo echo

2006-03-25 Thread Alexander Skwar
Neil Bothwick wrote:
 On Fri, 24 Mar 2006 00:58:09 +0100, Renat Golubchyk wrote:
 
 Alright, then run
   sudo bash -c 'echo some_string  some_file'
 No problem here :)
 
 Except this means you have to give the user permission to run bash, and
 subsequently any command as root.

True. But with sudo su -c, you've got to have the same
sort of trust, don't you?

 You may as well give them the root
 password and let them use su.

Or don't give the root password and use sudo for everything,
which is what Ubuntu is doing. Using sudo instead of su
is better in so far, as you're not so likely to run everything
in a root shell (yes, I know that sudo bash is possible).

Alexander Skwar
-- 
It is generally agreed that Hello is an appropriate greeting because
if you entered a room and said Goodbye, it could confuse a lot of people.
-- Dolph Sharp, I'm O.K., You're Not So Hot



Re: [gentoo-user] sudo echo

2006-03-25 Thread Neil Bothwick
On Sat, 25 Mar 2006 13:43:04 +0100, Alexander Skwar wrote:

  Except this means you have to give the user permission to run bash,
  and subsequently any command as root.
 
 True. But with sudo su -c, you've got to have the same
 sort of trust, don't you?

Yes, they are both equally bad ideas.
 
  You may as well give them the root
  password and let them use su.
 
 Or don't give the root password and use sudo for everything,
 which is what Ubuntu is doing. Using sudo instead of su
 is better in so far, as you're not so likely to run everything
 in a root shell (yes, I know that sudo bash is possible).

That's not such a risk, most people only do rm -fr / once :)


-- 
Neil Bothwick

(A)bort (R)etry (T)ake an axe to it?




Re: [gentoo-user] sudo echo

2006-03-24 Thread Neil Bothwick
On Fri, 24 Mar 2006 00:58:09 +0100, Renat Golubchyk wrote:

 Alright, then run
   sudo bash -c 'echo some_string  some_file'
 No problem here :)

Except this means you have to give the user permission to run bash, and
subsequently any command as root. You may as well give them the root
password and let them use su.


-- 
Neil Bothwick

Zmodem has bigger bits, softer blocks, and tighter ASCII
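
One way to avoid granting a shell at all, as an added example that is not from the thread: a helper that can only append one line to one of the four Portage files named in this discussion, so that sudoers lists the helper instead of `bash`, `sh` or `su`. The function name, the install path `/usr/local/sbin/portage-append` and the sudoers line in the comment are hypothetical.

```shell
#!/bin/sh
# Hypothetical helper, e.g. installed root-owned as /usr/local/sbin/portage-append
# and granted on its own in sudoers (assumed line):
#   %wheel ALL=(root) NOPASSWD: /usr/local/sbin/portage-append
# The caller chooses a target by name, never by path, and supplies one line.

NL='
'

# portage_append DIR KIND ENTRY: append ENTRY to DIR/package.KIND
portage_append() {
    if [ "$#" -ne 3 ]; then
        echo "usage: portage_append DIR KIND ENTRY" >&2
        return 64
    fi
    pa_dir=$1
    pa_kind=$2
    pa_entry=$3
    # Fixed allow-list: anything else, including "../x", is refused.
    case $pa_kind in
        keywords|use|mask|unmask) ;;
        *) echo "portage-append: unknown target: $pa_kind" >&2; return 65 ;;
    esac
    # One call adds exactly one non-empty line.
    case $pa_entry in
        ''|*"$NL"*)
            echo "portage-append: entry must be a single non-empty line" >&2
            return 65 ;;
    esac
    printf '%s\n' "$pa_entry" >> "$pa_dir/package.$pa_kind"
}

# Installed script body (commented out here so the block has no side effects):
#   portage_append /etc/portage "$1" "$2"
```

With this in place, `sudo portage-append keywords 'app-portage/porthole ~*'` replaces the `sudo bash -c` form, and the sudoers grant no longer covers arbitrary commands.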




Re: [gentoo-user] sudo echo

2006-03-23 Thread Holly Bostick
JimD wrote:
 I have been using Linux for a number of years and the one trick I 
 have never read how to do is something like:
 
 sudo echo "app-portage/porthole ~*" >> /etc/portage/package.keywords

Well this one I do with a set of revised commands nicked from the list,
entered into ~/.bashrc, and requiring that

1) su is one of the commands that you are allowed to execute via sudo

2) you are exempted from needing to enter a password for 'sudo su':

addkey(){
   sudo su -c "echo $* >> /etc/portage/package.keywords"
}

adduse(){
   sudo su -c "echo $* >> /etc/portage/package.use"
}

addmask(){
   sudo su -c "echo $* >> /etc/portage/package.mask"
}

addunmask(){
   sudo su -c "echo $* >> /etc/portage/package.unmask"
}

The general idea being that a) sudo seems to be a bit weird; even though
it allows you to perform operations as if you are root, it doesn't do so
by pretending that you _are_ root, so you still couldn't write to the
/etc/portage/package.* files; b) su does pretend you are root, but su
alone only just re-logs you in, rather than actually allowing you to
execute a command-- unless you use the -c switch. su -c then says,
whatever follows this switch is a command that you should execute as
root. But of course, since echo $* (where $* stands for what I typed
after addkey) >> /etc/portage/package.* is a complex command,
containing spaces, the syntax of the command following sudo su -c needs
to be quoted.


 
 Another one I always wanted to know if it is possible is:
 
 sudo > /var/log/foo.log

I'm sure it is, with a bit of creativity, though I honestly don't know
what your intention is in any case, since this looks to me like you're
logging the output of the sudo command to foo.log (but since there is no
output really to typing 'sudo', I have no idea what result you might
expect).

Anyway, hope this is to some degree helpful; what you most likely want
to do is read up on bash scripting to understand how to chain the
commands that do what you want to get done with sudo. Depending on your
goals, you might also consider aliasing (alias etc-update="sudo
etc-update"), and fine-tuning your visudo to allow you to run specific
apps with sudo, preferably without a password, since if you have to type
the password every time you want to do sudo emerge, you might as well
just su, imo.

Good luck,
Holly



Re: [gentoo-user] sudo echo

2006-03-23 Thread Daniel da Veiga
On 3/23/06, JimD [EMAIL PROTECTED] wrote:
 I have been using Linux for a number of years and the one trick I
 have never read how to do is something like:

 sudo echo "app-portage/porthole ~*" >> /etc/portage/package.keywords

if you do this, you'll execute sudo echo and try to redirect the
output as the normal user, because the shell doesn't know you're
sudoying ;)

Sudo takes a command as parameter, enclose the whole command in quotes
and try again, like this:

sudo "echo "app-portage/porthole ~*" >> /etc/portage/package.keywords"


 Another one I always wanted to know if it is possible is:

 sudo > /var/log/foo.log

Same as above...


 Both give me error message.  Are either of these command possible?

 I used to always just use su, though now I like sudo better.  I just
 can't for the life of me get sudo echo or sudo > to work.  I can
 sudo su and then do the commands, however I am lazy and want to save
 having to exit out from su.

 Jim




--
Daniel da Veiga
Computer Operator - RS - Brazil
-BEGIN GEEK CODE BLOCK-
Version: 3.1
GCM/IT/P/O d-? s:- a? C++$ UBLA++ P+ L++ E--- W+++$ N o+ K- w O M- V-
PS PE Y PGP- t+ 5 X+++ R+* tv b+ DI+++ D+ G+ e h+ r+ y++
--END GEEK CODE BLOCK--




Re: [gentoo-user] sudo echo

2006-03-23 Thread Hans-Werner Hilse
Hi,

On Thu, 23 Mar 2006 16:03:08 -0500
JimD [EMAIL PROTECTED] wrote:

 I have been using Linux for a number of years and the one trick I
 have never read how to do is something like:
 
 sudo echo "app-portage/porthole ~*" >> /etc/portage/package.keywords

That's because your _current_ shell interprets the >>. What you want
can be done with

sudo sh -c 'echo "app-portage/porthole ~*" >> /etc/portage/package.keywords'

 Another one I always wanted to know if it is possible is:
 
 sudo > /var/log/foo.log

I guess you want to use

... | sudo sh -c 'cat >> /var/log/foo.log'

You can create a short script that does both (nice idea, I currently wrote
them for me, too...):

---:suappend:---
#!/bin/sh
exec sudo sh -c "cat >> \"$1\""
---snip---

and you can do:

echo blah | suappend /var/log/blah.log

etc.pp.

-hwh
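
The suappend script above pastes the file name into the string that the root shell parses. As an added example (not part of the original post), here is that pattern next to a form that passes the name as a positional parameter, so the name stays data. `RUN_AS`, the function names and the sample file name are assumptions, made so the comparison also runs unprivileged with `RUN_AS=env`.

```shell
#!/bin/sh
# RUN_AS is the privilege wrapper and defaults to sudo. RUN_AS=env (an
# assumption for offline testing) exercises the same code path unprivileged.
RUN_AS=${RUN_AS:-sudo}

# Pattern from the suappend script: the file name becomes part of the
# command string, so the privileged shell parses it as shell source.
append_interpolated() {
    $RUN_AS sh -c "cat >> \"$1\""
}

# Hardened form: the command string is a constant and the file name
# arrives as positional parameter $1 of the inner shell.
append_positional() {
    $RUN_AS sh -c 'cat >> "$1"' sh "$1"
}

# name_was_executed APPENDER
# Constructed check: feeds APPENDER a file name that contains a command
# substitution. Returns 0 if the inner shell executed it, 1 if the name
# was treated as a plain file name.
name_was_executed() {
    nwe_dir=$(mktemp -d) || return 2
    (
        cd "$nwe_dir" || exit 2
        echo "entry" | "$1" 'log$(touch marker)'
        [ -e marker ]
    )
    nwe_rc=$?
    rm -rf "$nwe_dir"
    return "$nwe_rc"
}
```

With `append_positional` the odd name simply becomes a file called `log$(touch marker)`; with `append_interpolated` the substitution runs with the wrapper's privileges before `cat` ever starts.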



Re: [gentoo-user] sudo echo

2006-03-23 Thread Alexander Skwar
JimD wrote:
 I have been using Linux for a number of years and the one trick I
 have never read how to do is something like:
 
 sudo echo "app-portage/porthole ~*" >> /etc/portage/package.keywords

echo whatnot | sudo sh -c  foo

If you don't wish to append, the following can be used
as well:

echo whatever | sudo dd of=some-file

 Another one I always wanted to know if it is possible is:
 
 sudo > /var/log/foo.log

What's that supposed to do? Truncate the file?

sudo sh -c "> foo.log"

 Both give me error message.  Are either of these command possible?

See above.

Alexander Skwar
-- 
It is easier to fight for principles than to live up to them.
-- Alfred Adler



Re: [gentoo-user] sudo echo

2006-03-23 Thread Nick Rout

On Thu, 23 Mar 2006 16:03:08 -0500
JimD wrote:

 I have been using Linux for a number of years and the one trick I
 have never read how to do is something like:
 
 sudo echo "app-portage/porthole ~*" >> /etc/portage/package.keywords
 
 Another one I always wanted to know if it is possible is:
 
 sudo > /var/log/foo.log
 
 Both give me error message.  Are either of these command possible?
 
 I used to always just use su, though now I like sudo better.  I just
 can't for the life of me get sudo echo or sudo > to work.  I can
 sudo su and then do the commands, however I am lazy and want to save
 having to exit out from su.
 
 Jim

man i have been wanting to know the answer to that for ages, but have
lived with it. 

the elevation of privilege does not seem to survive the redirection. I
suspect you need to know more than I do about the way redirection is
handled by the shell to explain it.


-- 
Nick Rout [EMAIL PROTECTED]




Re: [gentoo-user] sudo echo

2006-03-23 Thread Alexander Skwar
Holly Bostick wrote:
 JimD wrote:
 I have been using Linux for a number of years and the one trick I 
 have never read how to do is something like:
 
 sudo echo "app-portage/porthole ~*" >> /etc/portage/package.keywords
 
 Well this one I do with a set of revised commands nicked from the list,
 entered into ~/.bashrc, and requiring that
 
 1) su is one of the commands that you are allowed to execute via sudo
 
 2) you are exempted from needing to enter a password for 'sudo su':
 
 addkey(){
    sudo su -c "echo $* >> /etc/portage/package.keywords"
 }

What's the use of su here? I don't understand.

What's happening is, that a root process executes

su -c "echo $* >> /etc/portage/package.keywords"

But why switch user from root to root to execute

echo $* >> /etc/portage/package.keywords

I don't understand that. Please explain.

 The general idea being that a) sudo seems to be a bit weird; even though
 it allows you to perform operations as if you are root, it doesn't do so
 by pretending that you _are_ root,

Uh? What are you talking about? The command is run with root
rights. If you use sudo -H, even $HOME is set to ~root.

 so you still couldn't write to the
 /etc/portage/package.* files;

Yes, you can. The error is, that with

sudo echo blah  file

Here the NORMAL USER does  file, *NOT* the root
echo process!

Have a read in your shell manpage.

 b) su does pretend you are root,

What do you mean with that?


 Another one I always wanted to know if it is possible is:
 
 sudo > /var/log/foo.log
 
 I'm sure it is, with a bit of creativity, though I honestly don't know
 what your intention is in any case, since this looks to me like you're
 logging the output of the sudo command to foo.log (but since there is no
 output really to typing 'sudo', I have no idea what result you might
 expect).

A truncated file is to be expected, as that's what's happening
when you do

> filename

 Anyway, hope this is to some degree helpful; what you most likely want
 to do is read up on bash scripting to understand how to chain the
 commands that do what you want to get done with sudo.

Yep.

Alexander Skwar
-- 
Keep brain from freezing.

-- Homer Simpson
   Simpson and Delilah



Re: [gentoo-user] sudo echo

2006-03-23 Thread Daniel da Veiga
On 3/23/06, Holly Bostick [EMAIL PROTECTED] wrote:
 JimD wrote:
  I have been using Linux for a number of years and the one trick I
  have never read how to do is something like:
 
  sudo echo "app-portage/porthole ~*" >> /etc/portage/package.keywords

 Well this one I do with a set of revised commands nicked from the list,
 entered into ~/.bashrc, and requiring that

 1) su is one of the commands that you are allowed to execute via sudo

 2) you are exempted from needing to enter a password for 'sudo su':

 addkey(){
    sudo su -c "echo $* >> /etc/portage/package.keywords"
 }

 adduse(){
    sudo su -c "echo $* >> /etc/portage/package.use"
 }

 addmask(){
    sudo su -c "echo $* >> /etc/portage/package.mask"
 }

 addunmask(){
    sudo su -c "echo $* >> /etc/portage/package.unmask"
 }

 The general idea being that a) sudo seems to be a bit weird; even though
 it allows you to perform operations as if you are root, it doesn't do so
 by pretending that you _are_ root, so you still couldn't write to the
 /etc/portage/package.* files; b) su does pretend you are root, but su
 alone only just re-logs you in, rather than actually allowing you to
 execute a command-- unless you use the -c switch. su -c then says,
 whatever follows this switch is a command that you should execute as
 root. But of course, since echo $* (where $* stands for what I typed
 after addkey) >> /etc/portage/package.* is a complex command,
 containing spaces, the syntax of the command following sudo su -c needs
 to be quoted.


 
  Another one I always wanted to know if it is possible is:
 
  sudo > /var/log/foo.log

 I'm sure it is, with a bit of creativity, though I honestly don't know
 what your intention is in any case, since this looks to me like you're
 logging the output of the sudo command to foo.log (but since there is no
 output really to typing 'sudo', I have no idea what result you might
 expect).

 Anyway, hope this is to some degree helpful; what you most likely want
 to do is read up on bash scripting to understand how to chain the
 commands that do what you want to get done with sudo. Depending on your
 goals, you might also consider aliasing (alias etc-update="sudo
 etc-update"), and fine-tuning your visudo to allow you to run specific
 apps with sudo, preferably without a password, since if you have to type
 the password every time you want to do sudo emerge, you might as well
 just su, imo.

 Good luck,
 Holly



Holly is right, I had some scripts running the commands I said, heh,
what I didn't notice was an alias for sudo as sudo su -c... Sorry for
my fast and wrong response... :)

--
Daniel da Veiga
Computer Operator - RS - Brazil
-BEGIN GEEK CODE BLOCK-
Version: 3.1
GCM/IT/P/O d-? s:- a? C++$ UBLA++ P+ L++ E--- W+++$ N o+ K- w O M- V-
PS PE Y PGP- t+ 5 X+++ R+* tv b+ DI+++ D+ G+ e h+ r+ y++
--END GEEK CODE BLOCK--




Re: [gentoo-user] sudo echo

2006-03-23 Thread Renat Golubchyk
On Thu, 23 Mar 2006 18:27:46 -0300 Daniel da Veiga
[EMAIL PROTECTED] wrote:
 Sudo takes a command as parameter, enclose the whole command in quotes
 and try again, like this:
 
 sudo "echo "app-portage/porthole ~*" >> /etc/portage/package.keywords"
      ^     ^                       ^                                 ^

Careful with those quotation marks - you might want to escape them ;-)
I would use single quotes on the outside to avoid the confusion:

sudo 'echo "app-portage/porthole ~*" >> /etc/portage/package.keywords'


Cheers,
Renat

-- 
Problems can never be solved with the same way of thinking
that created them.
  (Einstein)




Re: [gentoo-user] sudo echo

2006-03-23 Thread Neil Bothwick
On Fri, 24 Mar 2006 09:45:16 +1200, Nick Rout wrote:

 the elevation of privilege does not seem to survive the redirection. I
 suspect you need to know more than I do about the way redirection is
 handled by the shell to explain it.

Redirection is applied before the command is executed, so you are
redirecting the output of sudo. It's the same as if you'd typed

sudo /some/file somecommand


-- 
Neil Bothwick

If you only have a hammer, you tend to see every problem as a nail. *
Maslow




Re: [gentoo-user] sudo echo

2006-03-23 Thread Bo Andresen
On Thursday 23 March 2006 23:38, Renat Golubchyk wrote:
 On Thu, 23 Mar 2006 18:27:46 -0300 Daniel da Veiga

 [EMAIL PROTECTED] wrote:
  Sudo takes a command as parameter, enclose the whole command in quotes
  and try again, like this:
 
  sudo "echo "app-portage/porthole ~*" >> /etc/portage/package.keywords"
       ^     ^                       ^                                 ^

 Careful with those quotation marks - you might want to escape them ;-)
 I would use single quotes on the outside to avoid the confusion:

 sudo 'echo "app-portage/porthole ~*" >> /etc/portage/package.keywords'

Yeah, and the neat thing ... it still doesn't work... ;) As Daniel admitted in 
reply to Holly's mail in this thread he had an alias for sudo.

-- 
Bo Andresen



Re: [gentoo-user] sudo echo

2006-03-23 Thread Boyd Stephen Smith Jr.
On Thursday 23 March 2006 16:33, JimD [EMAIL PROTECTED] wrote 
about 'Re: [gentoo-user] sudo echo':
 If you type something like the following:

  > /tmp/myfile.foo

 It will truncate the file.  I use it when I want to clear out logs real
 quick.  I can sudo su and then just type (without the quotes):

  "> /var/log/mail/current"

 and have a clean log.  However to do that I need to be root and the
 only thing I found is to sudo su and then type the command and then
 exit from root.

Try:
sudo /bin/bash -c '> /var/log/mail/current'
or, if that doesn't work:
sudo /bin/bash -c ': > /var/log/mail/current'

Shells handle redirection and pipes, sudo does not, AFAIK.

-- 
If there's one thing we've established over the years,
it's that the vast majority of our users don't have the slightest
clue what's best for them in terms of package stability.
-- Gentoo Developer Ciaran McCreesh



Re: [gentoo-user] sudo echo

2006-03-23 Thread David Morgan
On 23:38 Thu 23 Mar , Renat Golubchyk wrote:
 Careful with those quotation marks - you might want to escape them ;-)
 I would use single quotes on the outside to avoid the confusion:
 
 sudo 'echo "app-portage/porthole ~*" >> /etc/portage/package.keywords'
 


Do that and it'll say

sudo: echo "app-portage/porthole ~*" >> /etc/portage/package.keywords: command not found

This has been discussed on here before.

The problem is that if you do `sudo echo foo  bar`, the echo is being
run as root, but the writing to bar isn't.

In this case, you might like to look at app-portage/flagedit (it's less
typing for a start).

-- 
djm



Re: [gentoo-user] sudo echo

2006-03-23 Thread Renat Golubchyk
On Thu, 23 Mar 2006 23:12:38 + David Morgan
[EMAIL PROTECTED] wrote:
 On 23:38 Thu 23 Mar , Renat Golubchyk wrote:
  Careful with those quotation marks - you might want to escape
  them ;-) I would use single quotes on the outside to avoid the
  confusion:
  
  sudo 'echo "app-portage/porthole ~*"
  >> /etc/portage/package.keywords'
  
 
 
 Do that and it'll say
 
 sudo: echo "app-portage/porthole ~*"
 >> /etc/portage/package.keywords: command not found
 
 This has been discussed on here before.
 
 The problem is that if you do `sudo echo foo  bar`, the echo is being
 run as root, but the writing to bar isn't.

Alright, then run
  sudo bash -c 'echo some_string  some_file'
No problem here :)


Cheers,
Renat

-- 
Problems can never be solved with the same way of thinking
that created them.
  (Einstein)




Re: [gentoo-user] sudo echo

2006-03-23 Thread Bo Andresen
On Thursday 23 March 2006 23:48, JimD wrote:
 addkey()
 {
 sudo sh -c "echo $* >> /etc/portage/package.keywords"
 }

For keywording I prefer to use this script:
http://users.cybercity.dk/~dsl89966/keix

It allows me to do:

 $ eix porth
* app-portage/porthole 
 Available versions:  ~0.4.1 [M]0.5.0
 Installed:   none
 Homepage:http://porthole.sourceforge.net
 Description: A GTK+-based frontend to Portage


Found 1 matches
$ sudo keix porth
Do you wish to add '=app-portage/porthole-0.4* ~x86' to package.keywords? 
(Yes/no)

Adding '=app-portage/porthole-0.4* ~x86' to package.keywords

$

Of course it requires that app-portage/eix is installed and updated.

-- 
Bo Andresen



Re: [gentoo-user] 'sudo java -version' is wrong

2005-12-06 Thread Petteri Räty
Stefan Krüger wrote:

 (/etc/env.d/java/20blackdown-jdk-1.4.2.02)
 
 So far so good, but sudo-ing as user gets me the wrong (Blackdown) JRE:
 
  [EMAIL PROTECTED] ~ $ sudo java -version
   java version 1.4.2-02
   Java(TM) 2 Runtime Environment, Standard Edition (build
 Blackdown-1.4.2-02)
   Java HotSpot(TM) Client VM (build Blackdown-1.4.2-02, mixed mode)
 
 Any ideas?
 

Using sudo you will not change the environment and our vm switching is
currently done via environment variables like PATH and JAVA_HOME which
means that sudo will give you the same vm as you have as a user.

java-config-2.0 works differently and does not rely on environment
variables any more. In the future you might be better served by the
gentoo-java mailing list when you have java specific questions.

Regards,
Petteri





Re: [gentoo-user] sudo

2005-08-26 Thread Antoine



You also need to install vim because you have to edit the /etc/sudoers
file in order to add a user name. If you display the sudoers file ('cat
sudoers') it will tell you that the file *must* be edited by the visudo
command as root.


exaggeration... that is certainly the safe way to do it, but unless I'm 
mistaken, only really dangerous if you have lots of people logging 
in/you can't tell the other people not to do so while you are editing 
it. vipw stopped working for some strange reason and I have never looked 
back :-).

Certainly BETTER to do it that way, no denying that!
Cheers
Antoine



Re: [gentoo-user] sudo

2005-08-25 Thread Jonathan Wright
John Dangler wrote:
 The connecting page is a Solaris page that doesn’t exist.  I’m trying to
 find out exactly what this means, since it’s a recommended piece from
 the Gentoo security handbook.

There's a page at the gentoo wiki with some information about how to set
it all up:

S/keys are one time use passwords. You can use them if you need to
provide passwords where someone may be monitoring your keystrokes.
S/keys are generated randomly, usually around 100 are generated at one
time, with a passphrase as a key. (This passphrase is independent of
your main system password.)

--
 Jonathan Wright   ~ mail at djnauk.co.uk
   ~ www.djnauk.co.uk
--
 2.6.12-gentoo-r6-djnauk-b7 Intel(R) Pentium(R) 4 Mobile CPU 1.80GHz
 up 11:09,  2 users,  load average: 1.50, 2.22, 1.99
--
 Governor Schwarzenegger has come out against gay  marriage  and
 then he went back to slathering body oil all over his muscles in
 front of other guys.

  ~ Craig Kilborn





Re: [gentoo-user] sudo

2005-08-25 Thread Willie Wong
On Thu, Aug 25, 2005 at 02:40:59PM -0400, John Dangler wrote:
 skey says it's a Linux Port of OpenBSD Single-key Password System  That's
 all the info I've been able to find out so far.
 
http://gentoo-wiki.com/HOWTO_Skeys

w

-- 
Pages one and two [of Zaphod's presidential speech] had 
been salvaged by a Damogran Frond Crested Eagle and had 
already become incorporated into an extraordinary new form 
of nest which the eagle had invented. It was constructed 
largely of papier mache and it was virtually impossible for 
a newly hatched baby eagle to break out of it. The Damogran 
Frond Crested Eagle had heard of the notion of survival of 
the species but wanted no truck with it. 

- An example of Damogran wildlife. 
Sortir en Pantoufles: up 13 days, 22:22



RE: [gentoo-user] sudo

2005-08-25 Thread John Dangler
so, the best place to start would be to emerge sudo (and its dependencies),
and then try and configure it from there... (?) I'm guessing that, with the
use flags set, it would also grab skey...

John D





Re: [gentoo-user] sudo

2005-08-25 Thread Jonathan Wright
John Dangler wrote:
 so, the best place to start would be to emerge sudo (and its dependencies),
 and then try and configure it from there... (?) I'm guessing that, with the
 use flags set, it would also grab skey...

Something like that. But, at the end of the day, it depends whether you
want the feature of having single-use keys available on the
computer/server. If that's of no use to you, there's no point in setting
the skey flag and just leaving it alone.

-- 
 Jonathan Wright   ~ mail at djnauk.co.uk
   ~ www.djnauk.co.uk
--
 2.6.12-gentoo-r6-djnauk-b7 Intel(R) Pentium(R) 4 Mobile CPU 1.80GHz
 up 13:29,  2 users,  load average: 0.12, 0.25, 0.33
--
 You know what they  say:  You  can't  teach  a  gay  dog  straight
 tricks.

  ~ Trey Parker & Matt Stone, South Park



Re: [gentoo-user] sudo

2005-08-25 Thread Holly Bostick
C.Beamer wrote:
 John Dangler wrote:
 
 
I’m looking into setting up sudo on my latest test box
(stage3/genkernel 2.6.12—r9)

In portage, sudo says “Allows users or groups to run commands as other
users”. The latest stable shows *1.6.8_p9 (although the one before is
it unstable, and the one before that is stable) hmm…*

Anyway, the use flags show “pam skey offensive ldap”

Pam, I get… offensive and ldap – probably won’t use these. But skey…

skey says it’s a “Linux Port of OpenBSD Single-key Password System”
That’s all the info I’ve been able to find out so far…

 
 I'm fairly new to Gentoo, so am hardly an authority. However, I do have
 sudo working. This is how I did it.
 
 First, I did emerge --search sudo. Of course this returns the packages
 that have sudo in them. A friend told me to do 'emerge -av package
 name' This lists the available use flags for whatever package you
 name, for instance 'emerge -av sudo', which will list the available use
 flags for sudo.
 
 You also need to install vim because you have to edit the /etc/sudoers
 file in order to add a user name. If you display the sudoers file ('cat
 sudoers') it will tell you that the file *must* be edited by the visudo
 command as root.

You're not quite correct on this; the command that must be used is
indeed visudo, but that does not mean you need to use vi(m) to edit the
file. I do it with nano, myself.

But I think that's because my default editor (in /etc/rc.conf) is nano,
not vi.

 
 In the sudoers file, below the line that reads:
 root ALL=(ALL) ALL
 
 you enter the information for the user.
 
 I have 'colleen' set up as a user on my system, so it inserted the line:
 
 colleen ALL=(ALL) ALL
 
 Someone might be able to give you better instructions related to
 security, but my system is stand alone and ergo colleen and root have
 the same privileges.

The more traditional way to do this is to uncomment the line already
present in the file

# Uncomment to allow people in group wheel to run all commands
# %wheel ALL=(ALL)   ALL

Remove the # mark to uncomment the command, and if you are a member of
the wheel group, which you should be, if you want to run su in the first
place (which of course you do, if you want to use sudo), then you're done.

The cool thing about this all is that it allows you to set up aliases in
your .bashrc that make specific commands you might want to run as root
go much faster.

If you also set up a subset of root-only commands (such as emerge,
glsa-check, etc-update, nano /etc/portage/package.keywords) to be
allowed to run without a password, it goes faster still with the use of
aliases, because then you can alias things like

alias emerge='sudo emerge_with_indexing_for_cfg-update'

and then you can just type 'emerge -blah whatever' in a regular old
console and get on with your life. It's not like emerging things doesn't
take long enough without having to type in a password (and since I'm
used to su-ing rather than sudo-ing, I always type the wrong one and get
kicked out anyway ;) so it takes even longer since I have to start all
over again).

There is no real way to make allowing anyone to sudo really secure
(because it's inherently insecure to punch holes in your 'who's allowed
to do what' scheme), other than making sure that you trust those who you
do allow (in this case, since it's yourself, that's not an issue), and
making sure that no one has access to your machine that could use your
trust of yourself against you (i.e., if someone had physical access to
your login, or gained such access through hacking, they would have all
the access of colleen, who has all the access of root, rather than
having to try and brute-force the root password out of you/your system).

But that's what firewalls and encryption (and turning off/logging out of
your PC when irresponsible or untrustworthy people are around) are for.

Holly



RE: [gentoo-user] sudo

2005-08-25 Thread John Dangler
Jonathan, Colleen, Holly~
Thanks for the additional comments.  Am I to understand, then, that I can
emerge sudo without the use of skey?  Since I'm still not entirely sure what
its function is, I'd feel better leaving it alone.  If so, then I'll get it
emerged and follow the posts to get it setup...

Thanks for the reply.

John D





Re: [gentoo-user] sudo

2005-08-25 Thread Kurt Lieber
On 8/25/05, John Dangler [EMAIL PROTECTED] wrote:
 I'm trying to find out exactly what this means, since it's a recommended 
 piece from the
 Gentoo security handbook. 

It compiles sudo with support for One Time (or single key) passwords.
 OpenSSH also supports skey.

--kurt




Re: [gentoo-user] sudo

2005-08-25 Thread Jonathan Wright
John Dangler wrote:
 Jonathan, Colleen, Holly~
 Thanks for the additional comments.  Am I to understand, then, that I can
 emerge sudo without the use of skey?  Since I'm still not entirely sure what
 its function is, I'd feel better leaving it alone.  If so, then I'll get it
 emerged and follow the posts to get it setup...

That's probably best. As with most ebuilds, it's an optional extra, not
a requirement to the installation. If you're simply looking to use sudo
to run commands, the default settings are fine. They work for me just
fine :)

Then again, if you decide at a later date you want to add that feature,
there's nothing stopping you adding the flag and re-compiling the code
with skey support.

-- 
 Jonathan Wright   ~ mail at djnauk.co.uk
   ~ www.djnauk.co.uk
--
 2.6.12-gentoo-r6-djnauk-b7 Intel(R) Pentium(R) 4 Mobile CPU 1.80GHz
 up 15:39,  4 users,  load average: 0.42, 0.27, 0.24
--
 About a year ago I was a guest on a network news show in New York.
 They were showing film clips from a gay  pride  parade  down  Fifth
 Avenue, but they only decided to show the part with men in  dresses
 and heels. I had seen the parade, and there were  men  in  business
 suits as well. After showing the film,  the  newsperson  made  some
 comments, and I found the comments extremely offensive.

 This is what's wrong with the media, I said. You show  a  fringe
 position. You show one point of view. You're closing the  minds  of
 the people by not showing them what the reality is. I got  up  and
 walked out, and I've never been asked back again.

~ Kathleen Nolan



Re: [gentoo-user] sudo

2005-08-25 Thread Anthony E. Caudel
C.Beamer wrote:
 
snip
 You also need to install vim because you have to edit the /etc/sudoers
 file in order to add a user name. If you display the sudoers file ('cat
 sudoers') it will tell you that the file *must* be edited by the visudo
 command as root.
 
You do not need to install vim.  sudo installs visudo but, at least in
my case, visudo uses nano which is my default editor.

Tony
-- 
Those who would give up essential Liberty, to purchase a little temporary
Safety, deserve neither Liberty nor Safety.
   -- Benjamin Franklin



Re: [gentoo-user] sudo

2005-08-25 Thread Nick Rout

On Thu, 25 Aug 2005 19:47:47 -0400
John Dangler wrote:

  It compiles sudo with support for One Time (or single key) passwords.
  OpenSSH also supports skey.
 
 It? Do you mean the latest kernel? or a stage3 build with genkernel? (I know
 that skey isn't in the default list of use flags)...

IT means the skey USE flag, just like it did in your post, to which
he was replying.

It seems perhaps that you don't quite get USE flags (and that's no
criticism, they take a while to get your head around) but I am not going
to explain again what is in plenty of very good existing documentation.


 
 John D
 
 -Original Message-
 From: Kurt Lieber [mailto:[EMAIL PROTECTED] 
 Sent: Thursday, August 25, 2005 7:26 PM
 To: gentoo-user@lists.gentoo.org
 Subject: Re: [gentoo-user] sudo
 
 On 8/25/05, John Dangler [EMAIL PROTECTED] wrote:
  I'm trying to find out exactly what this means, since it's a recommended
 piece from the
  Gentoo security handbook. 
 
 It compiles sudo with support for One Time (or single key) passwords.
  OpenSSH also supports skey.
 
 --kurt
 

-- 
Nick Rout [EMAIL PROTECTED]




Re: [gentoo-user] sudo echo cannot write to /etc/ files ?

2005-07-06 Thread A. Khattri
On Wed, 6 Jul 2005, Holly Bostick wrote:

 Echo is in the sudo-ed group, and echo isn't the problem-- the problem
 is that permission is refused to write to the file itself (which is an
 error *from* echo, so it would seem that echo itself is OK as far as
 sudo goes). Which means that I have to su anyway, to echo to the file,
 which really isn't the point of the exercise.

What is in /etc/sudoers?

Either the problem is there or maybe it's because in some shells, echo is a
built-in command and in others it's not (so /bin/echo comes into play).





Re: [gentoo-user] sudo echo cannot write to /etc/ files ?

2005-07-06 Thread gentoo
On Wednesday, 6 July 2005 15.52, Holly Bostick wrote:
 Hey, ho--

 Here's (one of) today's non-critical problems that's getting on my
 nerves, so hopefully somebody can help.

 I've finally got around to setting up sudo. It works fine, except for
 one thing.

 I don't just give myself blanket permissions to sudo to all commands; I
 made a Cmd_Alias group which includes a lot of utility apps. And, like
 many of you, I included emerge in this group.

 But a lot of the time, when I do an emerge -av, I find that there's a
 USE flag I want or don't want for the package, or I want an unstable
 version, or whatever, which means I have to echo to one of the files in
 /etc/portage.

 Echo is in the sudo-ed group, and echo isn't the problem-- the problem
 is that permission is refused to write to the file itself (which is an
 error *from* echo, so it would seem that echo itself is OK as far as
 sudo goes). Which means that I have to su anyway, to echo to the file,
 which really isn't the point of the exercise.

 As I see it, this error can mean only one of two things:

 sudo does not give me a login shell (so my UID is 'really' still my UID
 and not root's, and I don't have permission to write to the file); or

 there is another, invisible cli utility responsible for actually
 writing to the file, which is not sudo-ed.

 Or could it be something else?

 In any case, does anybody know how I could fix this? It's really
 screwing up my useability, which was just starting to shape up nicely :-) .

 Thanks,
 Holly

I think the problem comes from the fact that echo is sudo-ed but the shell 
redirection isn't.

Compare this:
su -c "echo foo > /etc/portage/whatever"
and 
su -c echo foo > /etc/portage/whatever

The first one will succeed, but not the second.

To solve your problem, I would just do:
chgrp -R portage /etc/portage
chmod -R g+w /etc/portage

-- 
mat



Re: [gentoo-user] sudo echo cannot write to /etc/ files ?

2005-07-06 Thread Edward Catmur
On Wed, 2005-07-06 at 15:52 +0200, Holly Bostick wrote:
 Echo is in the sudo-ed group, and echo isn't the problem-- the problem
 is that permission is refused to write to the file itself (which is an
 error *from* echo, so it would seem that echo itself is OK as far as
 sudo goes). Which means that I have to su anyway, to echo to the file,
 which really isn't the point of the exercise.
 
 As I see it, this error can mean only one of two things:
 
 sudo does not give me a login shell (so my UID is 'really' still my UID
 and not root's, and I don't have permission to write to the file); or
 
 there is another, invisible cli utility responsible for actually
 writing to the file, which is not sudo-ed.

If you're using e.g. sudo echo package >> /etc/portage/package.unmask
then the redirection takes place in your shell, not in sudo.

HTH.




Re: [gentoo-user] sudo echo cannot write to /etc/ files ?

2005-07-06 Thread Holly Bostick
A. Khattri wrote:
 On Wed, 6 Jul 2005, Holly Bostick wrote:
 
 
Echo is in the sudo-ed group, and echo isn't the problem-- the problem
is that permission is refused to write to the file itself (which is an
error *from* echo, so it would seem that echo itself is OK as far as
sudo goes). Which means that I have to su anyway, to echo to the file,
which really isn't the point of the exercise.
 
 
 What is in /etc/sudoers?
 
 Either the problem is there or maybe it's because in some shells, echo is a
 built-in command and in others it's not (so /bin/echo comes into play).
 
 

Well, I'm not going to copy my entire file, but I've got /usr/bin/echo
sudoed (because that's what 'which echo' said was the path to echo).

But doing a locate echo reveals that there is also a /bin/echo oh,
and la /usr/bin/echo reveals it to be a symlink to /bin/echo. Fine. What
 in the bloody blue blazes does that tell me? Changing visudo to allow
/bin/echo rather than /usr/bin/echo didn't do a thing.

I'm using bash, like a boring person. Looking (searching, actually)
through man bash, I can see that echo is a built-in-- do I have to sudo
bash as well? And in any case, echo isn't refusing to run-- if I run

secho $JAVA_HOME, I get a return... but it's the return of the *user's*
JAVA_HOME, rather than the *system* JAVA_HOME.

This supports my theory that this is a regular su shell and not an su -
shell, which is not much help to me in this situation (for echo to write
to the /etc/files, I need UID 0).

So I suppose I could find this in man sudoers, but that's almost as bad
as man bash for trying to find something when you're not quite sure what
you're looking for.

Is there a way to get sudo to behave as a login shell when sudo-ing
rather than just a regular su? And is that a scalable or global change
(limitable would be nice)?

Holly



Re: [gentoo-user] sudo echo cannot write to /etc/ files ?

2005-07-06 Thread Holly Bostick
Edward Catmur wrote:
 On Wed, 2005-07-06 at 15:52 +0200, Holly Bostick wrote:
 
Echo is in the sudo-ed group, and echo isn't the problem-- the problem
is that permission is refused to write to the file itself (which is an
error *from* echo, so it would seem that echo itself is OK as far as
sudo goes). Which means that I have to su anyway, to echo to the file,
which really isn't the point of the exercise.

As I see it, this error can mean only one of two things:

sudo does not give me a login shell (so my UID is 'really' still my UID
and not root's, and I don't have permission to write to the file); or

there is another, invisible cli utility responsible for actually
writing to the file, which is not sudo-ed.
 
 
 If you're using e.g. sudo echo package >> /etc/portage/package.unmask
 then the redirection takes place in your shell, not in sudo.
 
 HTH.
 

OK, you all likely realize that I responded before I had got the three
more messages telling me what to do.

I'm sure it will work (three people telling you the exact same thing is
pretty convincing ;-) ), but what I don't understand is why/how, if I
want to

sudo echo 'media-video/xine-ui ~x86' /etc/portage/package.keywords

changing that to

sudo echo media-video/xine-ui ~x86 /etc/portage/package.keywords

is going to write the line

media-video/xine-ui ~x86

to /etc/portage/package.keywords-- i.e., why are the internal quotes no
longer necessary?

Or should it be

sudo echo 'media-video/xine-ui ~x86' /etc/portage/package.keywords

or will that *really* screw everything up?

(As you see, my understanding of bash is trying to improve, with only
very limited success :-) ).

Holly



Re: [gentoo-user] sudo echo cannot write to /etc/ files ?

2005-07-06 Thread David Morgan
On 16:54 Wed 06 Jul , Holly Bostick wrote:
 OK, you all likely realize that I responded before I had got the three
 more messages telling me what to do.
 
 I'm sure it will work (three people telling you the exact same thing is
 pretty convincing ;-) ), but what I don't understand is why/how, if I
 want to
 
 sudo echo 'media-video/xine-ui ~x86' /etc/portage/package.keywords
 
 changing that to
 
 sudo echo media-video/xine-ui ~x86 /etc/portage/package.keywords
 
 is going to write the line
 
 media-video/xine-ui ~x86
 
 to /etc/portage/package.keywords-- i.e., why are the internal quotes no
 longer necessary?
 
 Or should it be
 
 sudo echo 'media-video/xine-ui ~x86' /etc/portage/package.keywords
 
 or will that *really* screw everything up?
 
 (As you see, my understanding of bash is trying to improve, with only
 very limited success :-) ).
 

Nope, I don't think you can do it with sudo since bash uses whitespace
as a separator, so if you do sudo "echo foo > bar", it'll look for a
single command "echo foo > bar", which is not what you want - you want
a command echo with argument foo, and then redirect the output to bar
(the double quotes prevent bash from evaluating the whitespace or the >).

afaik you can only do it with su -c "echo foo > bar", which stops bash
from doing anything with the > or the whitespace to begin with, but
then passes everything inside the double quotes to another shell, which
gets started by su -c

It's kind of annoying, I know, but I don't think there's a way round it
with sudo.

Dave




Re: [gentoo-user] sudo echo cannot write to /etc/ files ?

2005-07-06 Thread Holly Bostick
[EMAIL PROTECTED] wrote:
 On Wednesday, 6 July 2005 15.52, Holly Bostick wrote:
 
Hey, ho--

I've finally got around to setting up sudo. It works fine, except for
one thing.

I made a Cmd_Alias group which includes a lot of utility apps. And, like
many of you, I included emerge in this group.

But a lot of the time, I have to echo to one of the files in
/etc/portage.

Echo is in the sudo-ed group, and echo isn't the problem-- the problem
is that permission is refused to write to the file itself

As I see it, this error can mean only one of two things:

sudo does not give me a login shell (so my UID is 'really' still my UID
and not root's, and I don't have permission to write to the file); or

there is another, invisible cli utility responsible for actually
writing to the file, which is not sudo-ed.

Or could it be something else?

In any case, does anybody know how I could fix this? It's really
screwing up my useability, which was just starting to shape up nicely :-) .

Thanks,
Holly
 
 
 I think the problem comes from the fact that echo is sudo-ed but the shell 
 redirection isn't.
 
 Compare this:
 su -c "echo foo > /etc/portage/whatever"
 and 
 su -c echo foo > /etc/portage/whatever
 
 The first one will succeed, but not the second.
 
 To solve your problem, I would just do:
 chgrp -R portage /etc/portage
 chmod -R g+w /etc/portage
 

Well, it didn't work (this to all the respondents).

I did change the group and mod of /etc/portage, but even before I did:

sudo echo 'media-video/xine-ui ~x86' /etc/portage/package.keywords
-bash: sudo echo 'media-video/xine-ui ~x86'
/etc/portage/package.keywords: Onbekend bestand of map

(unknown file or folder, which is at least different, but not really
much of an improvement, and no, before someone asks, putting a space
before /etc doesn't help)

and even after chowning and chmodding:

 sudo echo 'media-video/xine-ui ~x86' /etc/portage/package.keywords
-bash: /etc/portage/package.keywords: Toegang geweigerd

(permission refused)

with the quotes, it's unknown file or folder.

la /etc/portage
totaal 51
drwxrwxr-x   5 root portage  384 jun 13 00:40 .
drwxr-xr-x  88 root root7312 jul  6 16:15 ..
-rw-rw-r--   1 root portage 9757 jul  6 17:09 package.keywords
-rw-rw-r--   1 root portage 6164 mei 26 11:47 package.keywords~
-rw-rw-r--   1 root portage   64 jun 15 05:27 package.mask
-rw-rw-r--   1 root portage  100 mei 16 14:57 package.mask~
-rw-rw-r--   1 root portage  105 jun 15 05:27 package.unmask
-rw-rw-r--   1 root portage  103 mei 15 21:09 package.unmask~
-rw-rw-r--   1 root portage 2252 jun 30 12:32 package.use
-rw-rw-r--   1 root portage 1616 mei 12 15:46 package.use~
drwxrwxr-x   2 root portage   80 nov 26  2004 profile
drwxrwxr-x   2 root portage   72 jun  2 13:10 profiles
drwxrwsr-x   2 root portage   48 okt 27  2004 sets


Not really sure what good the portage group was supposed to do anyway,
since root is a member of that group, but then again root owns the whole
shebang anyway. The user is not a member of the portage group.

Should I chown the folder -R to users? (seems again quite not the
point)? It still seems that what I really want is a login shell that I'm
not getting.

I'm really lost. Where am I going wrong?

Oh, btw, just remembered-- this is bash 3. Does that make a difference?

Holly





Re: [gentoo-user] sudo echo cannot write to /etc/ files ?

2005-07-06 Thread Neil Bothwick
On Wed, 6 Jul 2005 16:12:18 +0100, David Morgan wrote:

 Nope, I don't think you can do it with sudo since bash uses whitespace
 as a separator, so if you do sudo "echo foo > bar", it'll look for a
 single command "echo foo > bar", which is not what you want - you want
 a command echo with argument foo, and then redirect the output to bar
 (the double quotes prevent bash from evaluating the whitespace or the >).

You could do it with a shell script

#!/bin/sh
# Call this /usr/local/bin/suecho
# Appends the first argument, as one line, to the file named by the second.
echo "$1" >> "$2"

Add /usr/local/bin/suecho to /etc/sudoers and you can do

sudo suecho "media-video/xine-ui ~x86" /etc/portage/package.keywords


-- 
Neil Bothwick

Software: (n.) That which hardware manufacturers can blame for physical
failures.




Re: [gentoo-user] sudo echo cannot write to /etc/ files ?

2005-07-06 Thread Christoph Gysin
David Morgan wrote:
 afaik you can only do it with su -c "echo foo > bar", which stops bash
 from doing anything with the > or the whitespace to begin with, but
 then passes everything inside the double quotes to another shell, which
 gets started by su -c
 
 It's kind of annoying, I know, but I don't think there's a way round it
 with sudo.

Yes it is possible. But you need the shell (which handles the redirect)
to run as root.

$ sudo echo "package ~x86" >> /etc/portage/package.keywords

will run the redirection as user, where:

$ sudo bash -c "echo package ~x86 >> /etc/portage/package.keywords"

will run the redirection as root.

For stuff like this, I'd recommend you to write simple shell functions:

addkeyword(){
  sudo bash -c "echo $* >> /etc/portage/package.keywords"
}

Write them in your .bashrc and they're available when you need it.

Use it like this:

$ addkeyword package ~x86

Christoph
-- 
echo mailto: NOSPAM !#$.'*'|sed 's. ..'|tr * !#:2 [EMAIL PROTECTED]

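The suecho script and the addkeyword function suggested in the two messages above both leave it to a root-owned shell to decide what is written and where. As an added example that is not code from the thread, the sketch below appends a line to one of the /etc/portage/package.* files by piping it to `tee -a` under sudo, so the typed text arrives as data on stdin instead of being parsed as shell text. `portage_append`, `root_shell_text`, `PORTAGE_DIR` and `PRIV_TEE` are hypothetical names, and the accepted character set is an assumption about what atoms and flags contain.

```shell
#!/bin/sh
# Added example, not code from the thread. portage_append, root_shell_text,
# PORTAGE_DIR and PRIV_TEE are hypothetical names.

# Directory holding the package.* files (overridable for a scratch run).
PORTAGE_DIR="${PORTAGE_DIR:-/etc/portage}"
# The only command that runs with privilege. It receives the text on stdin,
# so no root shell ever parses what the user typed.
PRIV_TEE="${PRIV_TEE:-sudo tee -a}"

# For comparison: the text a root shell is asked to parse when the arguments
# are pasted into a `bash -c` string. Returned as a string, never executed.
root_shell_text() {
    printf 'echo %s >> %s' "$*" "$PORTAGE_DIR/package.keywords"
}

# portage_append KIND ATOM [FLAG...]
#   KIND is one of keywords, use, mask, unmask and selects package.KIND.
# Returns 0 on success, 2 on rejected input, 1 if the write fails.
portage_append() {
    if [ "$#" -lt 2 ]; then
        echo "usage: portage_append KIND ATOM [FLAG...]" >&2
        return 2
    fi
    kind=$1
    shift
    # Fixed allowlist of targets: the caller never supplies a path.
    case $kind in
        keywords|use|mask|unmask) ;;
        *) echo "portage_append: unknown file kind: $kind" >&2; return 2 ;;
    esac
    target=$PORTAGE_DIR/package.$kind

    # Assumed character set for atoms, keywords and USE flags. Anything else
    # (whitespace, newlines, quotes, ';', '$', '#', ...) is rejected. The
    # trailing '#' sentinel survives command substitution, which would
    # otherwise hide a trailing newline.
    for arg in "$@"; do
        rest=$(printf '%s#' "$arg" | LC_ALL=C tr -d 'A-Za-z0-9_.+~=/:*<>!-')
        if [ -z "$arg" ] || [ "$rest" != "#" ]; then
            echo "portage_append: rejected argument" >&2
            return 2
        fi
    done

    # Join the words with single spaces and hand them over as data.
    line=$*
    printf '%s\n' "$line" | $PRIV_TEE "$target" >/dev/null || return 1
}
```

With this shape the sudoers entry only has to allow `tee -a` on the four package.* files, rather than bash or a script that writes to any path it is given.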


Re: [gentoo-user] sudo echo cannot write to /etc/ files ?

2005-07-06 Thread Christoph Gysin
Holly Bostick wrote:
 I'm really lost. Where am I going wrong?

check my other post.

 Oh, btw, just remembered-- this is bash 3. Does that make a difference?

No.

Christoph
-- 
echo mailto: NOSPAM !#$.'*'|sed 's. ..'|tr * !#:2 [EMAIL PROTECTED]



Re: [gentoo-user] sudo echo cannot write to /etc/ files ?

2005-07-06 Thread gentoo
On Wednesday 06 July 2005 17.21, Holly Bostick wrote:
  To solve your problem, I would just do:
  chgrp -R portage /etc/portage
  chmod -R g+w /etc/portage

 Well, it didn't work (this to all the respondents).

Are you in the portage group?

 sudo echo 'media-video/xine-ui ~x86' /etc/portage/package.keywords

no need to sudo the echo if you're in the right group.

-- 
mat



Re: [gentoo-user] sudo echo cannot write to /etc/ files ?

2005-07-06 Thread Holly Bostick
Christoph Gysin wrote:
 David Morgan wrote:
 
afaik you can only do it with su -c "echo foo >> bar", which stops bash
from doing anything with the >> or the whitespace to begin with, but
then passes everything inside the double quotes to another shell, which
gets started by su -c

It's kind of annoying, I know, but I don't think there's a way round it
with sudo.
 
 
 Yes it is possible. But you need the shell (which handles the redirect)
 to run as root.

Ah-HAH! (at least I figured that much out, thanks for confirming)

 
 $ sudo echo package ~x86 >> /etc/portage/package.keywords
 
 will run the redirection as user, where:
 
 $ sudo bash -c "echo package ~x86 >> /etc/portage/package.keywords"
 
 will run the redirection as root.
 
 For stuff like this, I'd recommend you to write simple shell functions:
 
 addkeyword(){
   sudo bash -c "echo $* >> /etc/portage/package.keywords"
 }
 
 Write them in your .bashrc and they're available when you need them.
 
 Use it like this:
 
 $ addkeyword package ~x86
 
 Christoph

Thank you, Christoph

You have not only saved my sanity, but you've given me a solution to two
problems you didn't even know I had (it was the next question)! i.e.,
how to essentially export self-created variables or something similar
(you don't know how many times I've put a comma between package and
keywords/use/unmask, and I really needed some way to not have to be
typing it all the time until I get more time in with GTypist); and also
how to easily use some of the aliases I've got in root's .bashrc (or at
least their functionality). Now, with some minor adjustments of this
template, not only can I add keywords (or useflags or mask and unmask)
easily, I can also open the package.* file in nano and edit it easily if
I screw up, or want to check something.

Last question on this subject-- is this all just bash scripting (so I
can learn about it if I sit and study the abs-guide) or is there
someplace else I should check out if I want to learn how to write this
stuff myself?

Thanks again,
Holly



-- 
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] sudo echo cannot write to /etc/ files ?

2005-07-06 Thread Christoph Gysin
Holly Bostick wrote:
 Thank you, Christoph

You're welcome.

 Last question on this subject-- is this all just bash scripting (so I
 can learn about it if I sit and study the abs-guide) or is there
 someplace else I should check out if I want to learn how to write this
 stuff myself?

Yes, this is pure bash scripting. The related parts are redirection [1]
and shell functions [2].

[1] http://www.tldp.org/LDP/abs/html/io-redirection.html
[2] http://www.tldp.org/LDP/abs/html/functions.html

Christoph
-- 
echo mailto: NOSPAM !#$.'*'|sed 's. ..'|tr * !#:2 [EMAIL PROTECTED]
-- 
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] sudo echo cannot write to /etc/ files ?

2005-07-06 Thread Richard Fish
Holly Bostick wrote:

I don't just give myself blanket permissions to sudo to all commands; I
made a Cmd_Alias group which includes a lot of utility apps. And, like
many of you, I included emerge in this group.




Christoph Gysin wrote:
  


$ sudo bash -c "echo package ~x86 >> /etc/portage/package.keywords"

will run the redirection as root.

For stuff like this, I'd recommend you to write simple shell functions:

addkeyword(){
  sudo bash -c "echo $* >> /etc/portage/package.keywords"
}

Write them in your .bashrc and they're available when you need them.

Use it like this:

$ addkeyword package ~x86

Christoph



Thank you, Christoph

You have not only saved my sanity, but you've given me a solution to two
problems you didn't even know I had (it was the next question)! i.e.,
  


BTW Holly,

You should recognize that from a security standpoint allowing yourself
to execute bash is really giving yourself blanket permissions to sudo
to all commands.  You might as well make life easier on yourself and
just make your sudo settings ALL=(ALL) NOPASSWD: ALL.

My $.02.

-Richard

-- 
gentoo-user@gentoo.org mailing list
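
Added example (not from the thread, and not Holly's actual sudoers file): a small audit for the point Richard makes, run over a constructed sudoers sample. It generalizes from bash to a short assumed list of shells; find_shell_grants, sample_sudoers and SHELLS are names made up for this example.

```shell
# Added example: report sudoers grants that amount to a root shell.
# SHELLS is an assumed, non-exhaustive list of shell basenames.
SHELLS='sh bash dash zsh ksh csh tcsh fish'

# Prints LINE:WHO:COMMAND for each shell found in a command alias or user
# entry, and LINE:WHO:via ALIAS where a user is granted such an alias.
# Limits: no line continuations; aliases must be defined above their use.
find_shell_grants() {
    awk -v shells="$SHELLS" '
    BEGIN { n = split(shells, s, " "); for (i = 1; i <= n; i++) is_shell[s[i]] = 1 }
    /^[ \t]*#/ || /^[ \t]*$/ || /^[ \t]*Defaults/ { next }
    {
        eq = index($0, "=")
        if (eq == 0) next
        # Real keyword is Cmnd_Alias; the spelling used in the thread also matches.
        is_alias = ($1 ~ /^Cmn?d_Alias$/)
        who = is_alias ? $2 : $1
        sub(/=.*/, "", who)
        m = split(substr($0, eq + 1), cmds, ",")
        for (i = 1; i <= m; i++) {
            c = cmds[i]
            # Drop a leading runas spec such as (ALL) and tags such as NOPASSWD:
            sub(/^[ \t]*(\([^)]*\))?[ \t]*([A-Z_]+:[ \t]*)*/, "", c)
            split(c, w, /[ \t]+/)
            base = w[1]
            sub(/.*\//, "", base)
            if (w[1] ~ /^\// && (base in is_shell)) {
                print NR ":" who ":" w[1]
                if (is_alias) tainted[who] = 1
            } else if (!is_alias && (w[1] in tainted)) {
                print NR ":" who ":via " w[1]
            }
        }
    }' "$@"
}

# Constructed sample input (not Holly's real configuration).
sample_sudoers() {
    cat <<'EOF'
# constructed sudoers sample
Defaults env_reset
Cmnd_Alias UTILS = /usr/bin/emerge, /bin/bash
Cmnd_Alias EDIT = /usr/bin/nano
holly ALL = NOPASSWD: UTILS, EDIT
backup ALL = (root) /usr/bin/rsync, /bin/sh -c *
EOF
}
```

Run it as `sample_sudoers | find_shell_grants`, or pass the path of a sudoers file you are allowed to read.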



Re: [gentoo-user] sudo echo cannot write to /etc/ files ?

2005-07-06 Thread Holly Bostick
Richard Fish wrote:
 BTW Holly,
 
 You should recognize that from a security standpoint allowing yourself
 to execute bash is really giving yourself blanket permissions to sudo
 to all commands.  You might as well make life easier on yourself and
 just make your sudo settings ALL=(ALL) NOPASSWD: ALL.
 
 My $.02.
 
 -Richard
 

Thank you for the heads-up, Richard, but it would seem that that isn't
quite true-- I did a test:


 sudo bash -c /etc/init.d/samba restart

Gentoo Linux RC-Scripts; http://www.gentoo.org/
 Copyright 1999-2004 Gentoo Foundation; Distributed under the GPL

Usage: samba  flags  [ options ]

Options:

In other words, I couldn't restart the Samba daemon, whereas when root I
can:

 su
Wachtwoord:

wo 07/06/05 20:31
~
root - /etc/init.d/samba restart
 * samba - stop: smbd ...                                  [ ok ]
 * samba - stop: nmbd ...                                  [ ok ]
 * samba - start: smbd ...                                 [ ok ]
 * samba - start: nmbd ...                                 [ ok ]

So I think I'll pass on the ALL/ALL -- I know that this is not the most
secure setup possible (though as soon as I set up a personal firewall
behind the router's firewall and set up chkrootkit, I'll feel yet
better), but still, I'd like to keep what minimal limits still exist,
despite having punched holes in them my own self.

Or is this not a valid proof that there are some limits left?

Holly
-- 
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] sudo echo cannot write to /etc/ files ?

2005-07-06 Thread Richard Fish
Holly Bostick wrote:

Richard Fish wrote:
  

BTW Holly,

You should recognize that from a security standpoint allowing yourself
to execute bash is really giving yourself blanket permissions to sudo
to all commands.  You might as well make life easier on yourself and
just make your sudo settings ALL=(ALL) NOPASSWD: ALL.

My $.02.

-Richard




Thank you for the heads-up, Richard, but it would seem that that isn't
quite true-- I did a test:


 sudo bash -c /etc/init.d/samba restart

  


Remember that the -c option for bash is a single argument, not the rest
of the line.  The 'restart' is being seen as a separate argument to
bash, not as part of the command for bash to execute, if that makes any
sense!  It will work if you do:

sudo bash -c "/etc/init.d/samba restart"

-Richard

-- 
gentoo-user@gentoo.org mailing list
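
Added example (not from the thread): the difference Richard describes, reproduced with echo standing in for the init script so it runs without root. run_split, run_joined and show_slots are hypothetical helper names; show_slots prints where each word after -c ends up inside the new shell.

```shell
# Added example: how sh -c (and bash -c) splits the words that follow it.
# echo stands in for /etc/init.d/samba so nothing needs root.

# Same shape as:  sudo bash -c /etc/init.d/samba restart
# The command string is only "$1"; "$2" becomes $0 of the new shell.
run_split() { sh -c "$1" "$2"; }

# Same shape as:  sudo bash -c "/etc/init.d/samba restart"
# Both words are inside the single command-string argument.
run_joined() { sh -c "$1 $2"; }

# Report, from inside the -c shell, which slot each extra word landed in.
# The command string itself is only printed here, never executed.
show_slots() {
    cmd=$1
    shift
    printf 'command string: %s\n' "$cmd"
    sh -c 'printf "\$0: %s\n" "$0"
           n=1
           for a in "$@"; do
               printf "\$%s: %s\n" "$n" "$a"
               n=$((n + 1))
           done' "$@"
}
```

`run_split echo restart` prints an empty line because echo receives no arguments, which is the same reason the init script printed its usage text.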



Re: [gentoo-user] sudo echo cannot write to /etc/ files ?

2005-07-06 Thread Christoph Gysin
Holly Bostick wrote:
 Or is this not a valid proof that there are some limits left?

No, it's not. A simple sudo bash will give you a root shell.
The problem in your example was the missing quotes:

$ sudo bash -c "/etc/init.d/samba restart"

Christoph
-- 
echo mailto: NOSPAM !#$.'*'|sed 's. ..'|tr * !#:2 [EMAIL PROTECTED]
-- 
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] sudo echo cannot write to /etc/ files ?

2005-07-06 Thread Holly Bostick
Richard Fish wrote:
 Holly Bostick wrote:
 
 
Richard Fish wrote:
 


BTW Holly,

You should recognize that from a security standpoint allowing yourself
to execute bash is really giving yourself blanket permissions to sudo
to all commands.  You might as well make life easier on yourself and
just make your sudo settings ALL=(ALL) NOPASSWD: ALL.

My $.02.

-Richard

   


Thank you for the heads-up, Richard, but it would seem that that isn't
quite true-- I did a test:


sudo bash -c /etc/init.d/samba restart

 

 
 
 Remember that the -c option for bash is a single argument, not the rest
 of the line.  The 'restart' is being seen as a separate argument to
 bash, not as part of the command for bash to execute, if that makes any
 sense!  It will work if you do:
 
 sudo bash -c "/etc/init.d/samba restart"
 
 -Richard
 

So it will. Shoot. Oh, well. Maybe I'll rework this, or I should then
ask for:

1) firewall recommendations (personal, as the router has one too; atm
I'm liking firestarter)

2) anti-hacking monitors (other than chkrootkit and rkhunter, if needed--
guess I'm thinking about keyloggers)

?

Holly
-- 
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] sudo echo cannot write to /etc/ files ?

2005-07-06 Thread Manuel McLure

Holly Bostick wrote:

So it will. Shoot. Oh, well. Maybe I'll rework this, or I should then
ask for:

1) firewall recommendations (personal, as the router has one too; atm
I'm liking firestarter)


I've been very pleased with Shorewall as a firewall.

--
Manuel A. McLure KE6TAW [EMAIL PROTECTED] http://www.mclure.org
...for in Ulthar, according to an ancient and significant law,
no man may kill a cat.   -- H.P. Lovecraft
--
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] sudo echo cannot write to /etc/ files ?

2005-07-06 Thread Boyd Stephen Smith Jr.

Holly Bostick wrote:

[EMAIL PROTECTED] wrote:
I think the problem come from the fact that echo is sudo-ed but the shell 
redirection isn't.


Compare this:
su -c "echo foo >> /etc/portage/whatever"
and 
su -c echo foo >> /etc/portage/whatever


The first one will succeed, but not the second.


Well, it didn't work (this to all the respondents).

sudo echo 'media-video/xine-ui ~x86' /etc/portage/package.keywords


This groups *everything* as one shell parameter, so it attempts to 
execute a file named sudo echo 'media-video/xine-ui ~x86' 
/etc/portage/package.keywords in your path.



/etc/portage/package.keywords: Onbekend bestand of map

(unknown file or folder)


Of course, since it's extremely unlikely a file with that name exists.


 sudo echo 'media-video/xine-ui ~x86' /etc/portage/package.keywords


Now, you've completely left out the quotes, so the redirection is done 
in the user shell, not the sudo shell.  Of course, your user can't write 
to that file so you get:



-bash: /etc/portage/package.keywords: Toegang geweigerd
(permission refused)


You want:
sudo echo 'media-video/xine-ui ~x86'  /etc/portage/package.keywords

This causes the command
echo 'media-video/xine-ui ~x86' >> /etc/portage/package.keywords
to be passed to the sudo shell which causes the bash built-in:
echo
to be called with the single parameter
media-video/xine-ui ~x86
and have its output appended to the file
/etc/portage/package.keywords



I'm really lost. Where am I going wrong?


You simply aren't being careful enough with your quotes and 
misunderstanding the intricacies of shell expansion and nesting.



Oh, btw, just remembered-- this is bash 3. Does that make a difference?


No.

--
Boyd Stephen Smith Jr.
[EMAIL PROTECTED]

--
gentoo-user@gentoo.org mailing list