-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Sun, May 13, 2018 at 08:18:26AM -0500, Richard Owlett wrote:
> The underlying problem is not understanding what I read concerning
> sudo &/or /etc/sudoers (*INCLUDING* man pages).
>
> Only *ONE* individual has physical access to my _personal_ machine.
> Therefore, any distinction between 'richard' and 'root' is
> inherently artificial.
Not so fast. A small flaw in your browser might allow it to run as
you and try some shenanigan as root: you'd notice it by "something"
asking for your credentials unexpectedly...
> The result I wish to achieve is to click on the icon for either
> GParted or Synaptic *WITHOUT* being asked for a password (either
> root's or user's).
>
> I've found vague hints that adding a line to my local /etc/sudoers file
> such as
> richard ALL = /usr/sbin/gparted , /usr/sbin/synaptic
> would accomplish my goal.
> Is that correct?
>
> Also my reading suggested that adding myself to sudoers group would
> be required.
>
> This has an undesired side effect. I'm asked for my user password
> instead of my root password. I currently have four different
> installs of Debian each having an intentionally identical sets of
> UID, GID, and passwords. No matter which install is active, if asked
> for an admin
> password I want it to be the 'root password'
Assuming your desktop environment plays well along with sudo (I
think the Gnome derivatives do, but I'll leave that answer to
someone more versed in that) see the manpage for sudoers:
User Authentication
The sudoers security policy requires that most users
authenticate themselves before they can use sudo. A password
is not required if the invoking user is root, if the target
user is the same as the invoking user, or if the policy has
disabled authentication for the user or command. Unlike
su(1), when sudoers requires authentication, it validates
the invoking user's credentials, not the target user's (or
root's) credentials. This can be changed via the rootpw,
targetpw and runaspw flags, described later.
So setting up a default line like so:
Defaults rootpw
would ask by default for the root password or (more specifically)
Defaults:richard rootpw
would limit that default to richard. For no password:
Defaults:richard !authenticate
For single commands there is the equivalent NOPASSWD tag. Your line
above would read
richard NOPASSWD: ALL = /usr/sbin/gparted , /usr/sbin/synaptic
(which perhaps wouldn't do what you want: that would allow you to
run "sudo synaptic" as root without being asked for a password, but
you'd (a) not want to run synaptic as root and (b) possibly run
into the next problem that perhaps root doesn't find the X server...)
- -- t
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
iEYEARECAAYFAlr4RysACgkQBcgs9XrR2kZuqQCfWsWrvqshup8ihXTx5H1wU0O8
YwYAn1m778zx/DyTTAbypgA02ORLxGVF
=ZVYn
-----END PGP SIGNATURE-----
