On Mon 04 Feb 2019 at 10:34:22 (-0600), Richard Owlett wrote:
> I'm creating a Tcl script [to be run as user] which calls dumpe2fs ,
> requiring root privileges. On comp.lang.tcl I was pointed to 
> [https://www.cyberciti.biz/faq/linux-unix-running-sudo-command-without-a-password/]
> which pointed out that a user could be authorized to run specific
> executables.
> 
> Although I'm the only person with any access to my machine, I have
> avoided using sudo in the past. That article dampened my qualms.

I just drop a file called sudoers-david into /etc/sudoers.d/
 
> Back in 2015, when wanting to modify users, I was pointed to
> "mate-system-tools". According to
> [https://tracker.debian.org/pkg/mate-system-tools] it has been removed
> from the repository.
> 
> Is there a user friendly alternative?
> 
> Following a series of links suggests using visudo. It doesn't look
> friendly.

I've never used it. As I'm in total control of my PCs, I can
be certain when I edit sudoers-david that there's no chance of
contention, so I just use nano.

> I'm not sure yet if it can create new users from scratch.
> There are references to adduser (and relatives) but
> [https://packages.debian.org/stretch/adduser] gives its home page as
> [http://alioth.debian.org/projects/adduser/] which seems to be
> defunct.

There's a reference to adduser in "man sudoers" where it's
showing how a group of secretaries might be allowed to add/
remove users and administrate printers. (They'd be called
Computing Service staff in my old university.) Personally
I add a few users when I first set up a Debian system and
that's it.

Here's a subset of my sudoers-david. I've left mainly the lines
for a user called unlock, whose userid is used for nothing other
than unlocking /home (typically via ssh).

User_Alias      ME = david
User_Alias      LOCKER = unlock
Host_Alias      MYHOSTS = mars, venus, etc

Cmnd_Alias      UNLOCKING = /usr/bin/udisksctl unlock --block-device /dev/disk/*/*
Cmnd_Alias      LOCKING = /usr/bin/udisksctl lock --block-device /dev/disk/*/*

Defaults:ME     !authenticate
Defaults:LOCKER !authenticate

## who          where           = (as_whom)             what

LOCKER          MYHOSTS         =                       UNLOCKING
LOCKER          MYHOSTS         =                       LOCKING

… so that user on those hosts can run those two commands as if root.
They (me, of course) login via ssh, their .bash_profile contains

sudo udisksctl unlock --block-device /dev/disk/by-id/ata-XXXXXXXXXXXXXX-part3
mount /home
echo Home is now mounted

as appropriate for each host's encrypted disks, and so they get
a prompt for the passphrase. Once typed, they logout.

The only other type of line I (think I) use in sudoers is

Runas_Alias     EMAIL = Debian-exim

for commands like

Cmnd_Alias      EMAILQUEUED = /bin/ls -lR /var/spool/exim4/

which can then do things with lines like:

ME              MYHOSTS         = (EMAIL)               EMAILQUEUED

I have set this earlier for that user but I can't remember why:

Defaults!EMAILQUEUED    noexec

Anyway, that little lot lets me run this function without
bothering with a password:

my-q ()
{
    # "-?" prints a usage message on stderr and returns non-zero
    [ "$1" = "-?" ] && echo "Usage:     $FUNCNAME
        checks the outbound mail queue." 1>&2 && return 1;
    # show the running exim4 process(es)
    ps -p $(pgrep exim4);
    # list the spool as Debian-exim; the sudoers lines above allow this without a password
    sudo -u Debian-exim ls -lR /var/spool/exim4/
}

Perhaps that not quite random assortment of lines will be enough to
help you decode the man page or just copy by (bad?) example.

Cheers,
David.
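A small evaluator for the who / where / (as_whom) / what model in David's sudoers extract, added here as an illustration and not code from his message or from sudo: it parses a constructed fragment modelled on his aliases and answers whether a given user on a given host may run a command as a given target user, and whether a password would be asked for. It is a simplified model of sudoers(5) matching (exact program path, fnmatch on the argument string, only Defaults:user !authenticate), not sudo itself; a real drop-in is still checked with `visudo -c -f FILE`.

```python
import fnmatch

FRAGMENT = """# constructed fragment modelled on the post's aliases, not David's file
User_Alias      ME = david
User_Alias      LOCKER = unlock
Host_Alias      MYHOSTS = mars, venus
Runas_Alias     EMAIL = Debian-exim
Cmnd_Alias      UNLOCKING = /usr/bin/udisksctl unlock --block-device /dev/disk/*/*
Cmnd_Alias      LOCKING = /usr/bin/udisksctl lock --block-device /dev/disk/*/*
Cmnd_Alias      EMAILQUEUED = /bin/ls -lR /var/spool/exim4/
Defaults:ME     !authenticate
Defaults:LOCKER !authenticate
LOCKER          MYHOSTS = UNLOCKING, LOCKING
ME              MYHOSTS = (EMAIL) EMAILQUEUED
"""

def parse(text):
    # Returns alias tables, names given !authenticate, and (who, where, as_whom, [what...]) rules.
    aliases = {k: {} for k in ("User_Alias", "Host_Alias", "Cmnd_Alias", "Runas_Alias")}
    nopasswd, rules = [], []
    for line in filter(None, (l.split("#", 1)[0].strip() for l in text.splitlines())):
        kind, (lhs, _, rhs) = line.split()[0], line.partition("=")
        if kind in aliases:                   # Cmnd_Alias NAME = member, member
            aliases[kind][lhs[len(kind):].strip()] = [m.strip() for m in rhs.split(",")]
        elif kind.startswith("Defaults"):     # only Defaults:user/alias !authenticate is modelled
            nopasswd += [kind[9:]] if "!authenticate" in line.split() else []
        else:                                 # who  where = (as_whom) what, what
            who, host = lhs.split()
            runas, _, what = rhs.strip()[1:].partition(")") if rhs.strip().startswith("(") else ("root", "", rhs)
            rules.append((who, host, runas.strip(), [w.strip() for w in what.split(",")]))
    return aliases, nopasswd, rules

def expand(aliases, kind, name):
    # Aliases may nest; anything that is not an alias name is a literal member.
    members = aliases[kind].get(name)
    return [name] if members is None else [m for x in members for m in expand(aliases, kind, x)]

def may_run(text, user, host, cmd, runas="root"):
    # (allowed, password_required): exact match on the program path, fnmatch on the argument string.
    aliases, nopasswd, rules = parse(text)
    path, _, args = cmd.partition(" ")
    for who, where, as_whom, whats in rules:
        if user not in expand(aliases, "User_Alias", who): continue
        if host not in expand(aliases, "Host_Alias", where): continue
        if runas not in expand(aliases, "Runas_Alias", as_whom): continue
        for spec in (s for w in whats for s in expand(aliases, "Cmnd_Alias", w)):
            spath, _, sargs = spec.partition(" ")
            if spath == path and fnmatch.fnmatchcase(args, sargs):
                return True, not any(user in expand(aliases, "User_Alias", n) for n in nopasswd)
    return False, True
```

Because `*` is matched with fnmatch, as sudo does for arguments, it is not confined to one path component; the block-device glob admits anything under /dev/disk/ and nothing outside it.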
