Re: [OLPC devel] su/sudo or not to sudo/su (was PATCH: add --loginpause to mingetty)
ffm wrote:
> On Jan 10, 2008 11:37 PM, Iain (OLPC) Davidson [EMAIL PROTECTED] wrote:
>> I typically like the solution of
>> $ sudo bash
>
> Just a comment on that: Since most of our users will not know much about computers, having them exit will just add another step which they will forget to do, and the one time they are logged in as root will be the one time they rm -rf /
>
> sudo in front of every as-root command is not too hard, right? Especially once we get paste working.
>
> -ffm

Another part to make the sudo command enjoyable is auto completion. When invoking a sudo command you cannot auto-complete, for example:

sudo sugar-cont[tab]

does not auto-complete. The bash-completion (141K) package solves this, which I tried on my F8 machine. Maybe worth an inclusion since the completion works as well for other cases like:

yum in[tab]

(even so in the case of 'yum install b[tab]' it takes a while to list the packages).

Best,
Simon
___
Devel mailing list
Devel@lists.laptop.org
http://lists.laptop.org/listinfo/devel
Re: [OLPC devel] su/sudo or not to sudo/su (was PATCH: add --loginpause to mingetty)
Simon Schampijer wrote:
> does not auto-complete. The bash-completion (141K) package solves this, which I tried on my F8 machine. Maybe worth an inclusion since the completion works as well for other cases like:
> yum in[tab]
> (even so in the case of 'yum install b[tab]' it takes a while to list the packages).

I love bash-completion and I use it everywhere, but I'd not support adding it to the base OS for the same reason we do not install vim-enhanced, links, lftp and all the other nice console tools.

The default console environment should be just good enough to perform system recovery, and special administrative tasks which have no UI yet.

Our OS images have grown over 300MB! I think we could get them back to 200MB or so just by dropping useless dependencies and splitting a few packages.

--
 \___/
 |___|  Bernardo Innocenti - http://www.codewiz.org/
  \___\ One Laptop Per Child - http://www.laptop.org/
Re: PATCH: add --loginpause to mingetty
Lubomir Kundrak ([EMAIL PROTECTED]) said:
>> I'm committing these changes to the OLPC-2 branch of mingetty in Fedora CVS. Please, let me know you'd like to merge them or something similar.
>
> Such things are definitely better upstreamed if possible. Have you tried contacting upstream?

Florian is upstream, IIRC.

Bill
[OLPC devel] su/sudo or not to sudo/su (was PATCH: add --loginpause to mingetty)
Bernardo,

FYI, I just recently updated from build 650 (G1G1 factory build) to Update.1675. Noticed a different behavior for accessing *root account* and functions. I used to be able to open Terminal (or Ctrl-Alt-Neighborhood) and the following at the unix/bash prompt.

$ su -
or
$ su -l

But now, after the update, those don't seem to work. But I did discover the alternative method..

$ sudo command

I typically like the solution of

$ sudo bash

for several root level commands.

QUESTION: Which direction is OLPC/XO Laptop headed for doing updates and installation of software?

One could also limit the programs which can be run under 'sudo', as another solution. Issue is definitely complex and no easy solution apparent!

-Iain

On Jan 9, 2008 4:20 PM, Bernardo Innocenti [EMAIL PROTECTED] wrote:
> Hello Florian,
>
> the attached patches add an option to pause login until the user hits a key. We need something like it on OLPC because:
>
> - we don't want to set an empty password for either user root or olpc
> - at the same time, we want to allow users to login as root at the console
> - finally, we do not wish to waste memory on shells the user hasn't yet used
>
> The security model we are implementing is very different from UNIX: we ultimately trust the user at the console, but we don't trust applications and we don't want them to gain root privileges using su or sudo with no password.
>
> I'm committing these changes to the OLPC-2 branch of mingetty in Fedora CVS. Please, let me know you'd like to merge them or something similar.
>
> --
>  \___/
>  |___|  Bernardo Innocenti - http://www.codewiz.org/
>   \___\ One Laptop Per Child - http://www.laptop.org/
Re: [OLPC devel] su/sudo or not to sudo/su (was PATCH: add --loginpause to mingetty)
On Jan 10, 2008 11:37 PM, Iain (OLPC) Davidson [EMAIL PROTECTED] wrote:
> I typically like the solution of
> $ sudo bash

Just a comment on that: Since most of our users will not know much about computers, having them exit will just add another step which they will forget to do, and the one time they are logged in as root will be the one time they rm -rf /

sudo in front of every as-root command is not too hard, right? Especially once we get paste working.

-ffm
PATCH: add --loginpause to mingetty
Hello Florian, the attached patches add an option to pause login until the user hits a key. We need something like it on OLPC because: - we don't want to set an empty password for either user root or olpc - at the same time, we want to allow users to login as root at the console - finally, we do not wish to waste memory on shells the user hasn't yet used The security model we are implementing is very different from UNIX: we ultimately trust the user at the console, but we don't trust applications and we don't want them to gain root privileges using su or sudo with no password. I'm committing these changes to the OLPC-2 branch of mingetty in Fedora CVS. Please, let me know you'd like to merge them or something similar. -- \___/ |___| Bernardo Innocenti - http://www.codewiz.org/ \___\ One Laptop Per Child - http://www.laptop.org/ diff -rup mingetty-1.07.orig/mingetty.8 mingetty-1.07/mingetty.8 --- mingetty-1.07.orig/mingetty.8 2003-05-14 04:55:43.0 -0400 +++ mingetty-1.07/mingetty.8 2008-01-09 18:17:06.0 -0500 @@ -6,6 +6,7 @@ mingetty \- minimal getty for consoles [\-\-noclear] [\-\-nonewline] [\-\-noissue] [\-\-nohangup] [\-\-nohostname] [\-\-long\-hostname] [\-\-loginprog=/bin/login] [\-\-nice=10] [\-\-delay=5] [\-\-chdir=/home] [\-\-chroot=/chroot] [\-\-autologin username] +[\-\-loginpause] .I tty .PP .SH DESCRIPTION @@ -62,6 +63,11 @@ Log the specified user automatically in a login name and password. Check the \-f option from .B /bin/login for this. +.TP +.B \-\-loginpause +Wait for any key before dropping to the login prompt. +Can be combined with \fB\-\-autologin\fR to save memory by lazily spawning +shells. .PP .SH ISSUE ESCAPES .B mingetty diff -rup mingetty-1.07.orig/mingetty.c mingetty-1.07/mingetty.c --- mingetty-1.07.orig/mingetty.c 2004-01-03 08:15:56.0 -0500 +++ mingetty-1.07/mingetty.c 2008-01-09 18:10:15.0 -0500 
@@ -74,6 +74,8 @@ static char *ch_dir = NULL; static int priority = 0; /* automatic login with this user */ static char *autologin = NULL; +/* try to read a char before dropping to login prompt */ +static int loginpause = 0; /* error() - output error messages */ static void error (const char *fmt, ...) @@ -283,6 +285,10 @@ static void do_prompt (int showlogin) } fclose (fd); } +if (loginpause) { + puts([press ENTER to login]); + getc(stdin); + } if (nohostname == 0) printf (%s , hn); if (showlogin) @@ -327,11 +333,13 @@ static void usage (void) [--nohangup] [--nohostname] [--long-hostname] [--loginprog=/bin/login] [--nice=10] [--delay=10] [--chdir=/home] [--chroot=/chroot] [--autologin=user] + [--loginpause] tty' with e.g. tty=tty1, progname); } static struct option const long_options[] = { { autologin, required_argument, NULL, 'a' }, + { loginpause, no_argument, loginpause, 'p' }, { chdir, required_argument, NULL, 'w' }, { chroot, required_argument, NULL, 'r' }, { delay, required_argument, NULL, 'd' }, @@ -366,7 +374,7 @@ int main (int argc, char **argv) putenv (TERM=linux); #endif - while ((c = getopt_long (argc, argv, a:d:l:n:w:r:, long_options, + while ((c = getopt_long (argc, argv, a:p:d:l:n:w:r:, long_options, (int *) 0)) != EOF) { switch (c) { case 0: diff -u -p -r1.2 mingetty-1.00-opt.patch --- mingetty-1.00-opt.patch 9 Sep 2004 08:31:33 - 1.2 +++ mingetty-1.00-opt.patch 10 Jan 2008 00:15:11 - @@ -1,10 +1,11 @@ --- mingetty-1.00/Makefile.rpm Mon Mar 4 15:27:11 2002 +++ mingetty-1.00/Makefile Mon Mar 4 15:27:34 2002 -@@ -1,6 +1,6 @@ +@@ -1,6 +1,7 @@ DESTDIR= CC=gcc -CFLAGS=-O2 -Wall -W -pipe -D_GNU_SOURCE +CFLAGS=$(RPM_OPTS) -Wall -D_GNU_SOURCE ++LDFLAGS=$(RPM_OPTS) MANDIR=/usr/share/man/man8 SBINDIR=/sbin Index: mingetty.spec === RCS file: /cvs/pkgs/rpms/mingetty/devel/mingetty.spec,v retrieving revision 1.19 diff -u -p -r1.19 mingetty.spec --- mingetty.spec 8 Jan 2008 09:39:25 - 1.19 +++ mingetty.spec 10 Jan 2008 00:15:11 - 
@@ -2,11 +2,12 @@ Summary: A compact getty program for vir Name: mingetty Version: 1.07 License: GPLv2+ -Release: 8%{?dist} +Release: 9%{?dist} Group: System Environment/Base URL: http://sourceforge.net/projects/mingetty/ Source: mingetty-%{version}.tar.gz -Patch: mingetty-1.00-opt.patch +Patch0: mingetty-1.00-opt.patch +Patch1: mingetty-1.07-loginpause.patch BuildRoot: %{_tmppath}/%{name}-root %description @@ -15,8 +16,10 @@ use only on virtual consoles. Mingetty lines (you should use the mgetty program in that case). %prep +rm -rf $RPM_BUILD_ROOT %setup -q -%patch -p1 +%patch0 -p1 +%patch1 -p1 %build make RPM_OPTS=$RPM_OPT_FLAGS @@ -38,6 +41,10 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/mingetty.* %changelog +* Wed Jan 09 2008 Bernardo Innocenti [EMAIL PROTECTED] - 1.07-9 +- add mingetty-1.07-loginpause.patch +- improve mingetty-1.00-opt.patch to enable cross building on a 64bit host + * Tue
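
Review bot: in the mingetty.8 hunk at @@ -62,6 +63,11 @@, the new \-\-loginpause entry says "Wait for any key", while the prompt added in do_prompt() reads "press ENTER to login". The man page and the prompt should describe the same behaviour; if the wait only ends on ENTER, say so in the man page.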
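
Review bot: in the do_prompt() hunk at @@ -283,6 +285,10 @@, the return value of getc(stdin) is discarded, so EOF or a read error falls straight through to the login prompt, and getc() consumes only one character, so anything else typed before it returns stays in stdin for whatever reads the login name next. Suggest checking for EOF and draining input up to the newline before continuing. Since the man page hunk advertises combining this with --autologin, this read is the only step between the console and a shell in that mode, which deserves a comment in the code.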
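
Review bot: in the main() hunk at @@ -366,7 +374,7 @@, the short-option string gains "p:", which makes -p require an argument, while the long_options entry added in the previous hunk declares loginpause as no_argument. None of the mingetty.c hunks adds a case 'p' to the switch either, so the short form would not set the flag. Either drop "p:" from the option string and keep the option long-only, or use "p" without the colon and handle it in the switch.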
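
Review bot: in the mingetty.spec hunk at @@ -15,8 +16,10 @@, the added "rm -rf $RPM_BUILD_ROOT" under %prep is not mentioned in the changelog entry and is unrelated to both the loginpause patch and the cross-building change. Suggest dropping it from this commit, or moving it to the install step and listing it in the changelog.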