swampdog
Posts: 1178
Joined: Fri Dec 04, 2015 11:22 am

sudo

Sat Sep 23, 2023 3:52 pm

Have I missed an important change?

Code:

foo@pi18:~ $ sudo -l
Matching Defaults entries for foo on pi18:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin,
    env_keep+=NO_AT_BRIDGE, !secure_path, env_keep+="http_proxy HTTP_PROXY",
    env_keep+="https_proxy HTTPS_PROXY", env_keep+="ftp_proxy FTP_PROXY",
    env_keep+=RSYNC_PROXY, env_keep+="no_proxy NO_PROXY"

User foo may run the following commands on pi18:
    (ALL : ALL) ALL
    (ALL) NOPASSWD: ALL, !/sbin/shutdown, !/usr/sbin/shutdown, !/sbin/poweroff,
        !/usr/sbin/poweroff, !/usr/bin/poweroff, !/sbin/reboot,
        !/usr/sbin/reboot, !/usr/bin/reboot
    (ALL) NOPASSWD: ALL
    
foo@pi18:~ $ which reboot
/usr/sbin/reboot

foo@pi18:~ $ sudo cat /etc/sudoers.d/000_foo-noreboot 
Cmnd_Alias FOO = /sbin/shutdown, /usr/sbin/shutdown, \
        /sbin/poweroff, /usr/sbin/poweroff, /usr/bin/poweroff, \
        /sbin/reboot, /usr/sbin/reboot, /usr/bin/reboot
        
foo@pi18:~ $ ls -l /etc/sudoers.d/000_foo-noreboot 
-r--r----- 1 root root 176 Sep 23 15:37 /etc/sudoers.d/000_foo-noreboot
Yet "sudo reboot" does reboot.

TIA

kerry_s
Posts: 6515
Joined: Thu Jan 30, 2020 7:14 pm

Re: sudo

Sat Sep 23, 2023 4:00 pm

what's the question?

swampdog
Posts: 1178
Joined: Fri Dec 04, 2015 11:22 am

Re: sudo

Sat Sep 23, 2023 4:22 pm

Ah. Sorry for not being clearer. "sudo reboot" should not work as it's in the list of commands which are refused. I just noticed with my two new rpi installations the boxes will reboot/poweroff.

This is what should happen..

Code:

foo@pi20:~ $ sudo reboot
Sorry, user foo is not allowed to execute '/usr/sbin/reboot' as root on pi20.

foo@pi20:~ $ cat /etc/os-release 
PRETTY_NAME="Debian GNU/Linux 10 (buster)"
NAME="Debian GNU/Linux"
VERSION_ID="10"
VERSION="10 (buster)"
VERSION_CODENAME=buster
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"

kerry_s
Posts: 6515
Joined: Thu Jan 30, 2020 7:14 pm

Re: sudo

Sat Sep 23, 2023 4:58 pm

User foo may run the following commands on pi18:
(ALL : ALL) ALL
(ALL) NOPASSWD: ALL, !/sbin/shutdown, !/usr/sbin/shutdown, !/sbin/poweroff,
!/usr/sbin/poweroff, !/usr/bin/poweroff, !/sbin/reboot,
!/usr/sbin/reboot, !/usr/bin/reboot
(ALL) NOPASSWD: ALL
the last line rules them all, you need to move:

Code:

(ALL) NOPASSWD: ALL, !/sbin/shutdown, !/usr/sbin/shutdown, !/sbin/poweroff,
        !/usr/sbin/poweroff, !/usr/bin/poweroff, !/sbin/reboot,
        !/usr/sbin/reboot, !/usr/bin/reboot
to be last.

klricks
Posts: 8860
Joined: Sat Jan 12, 2013 3:01 am
Location: Grants Pass, OR, USA

Re: sudo

Sat Sep 23, 2023 9:57 pm

kerry_s wrote:
Sat Sep 23, 2023 4:58 pm
User foo may run the following commands on pi18:
(ALL : ALL) ALL
(ALL) NOPASSWD: ALL, !/sbin/shutdown, !/usr/sbin/shutdown, !/sbin/poweroff,
!/usr/sbin/poweroff, !/usr/bin/poweroff, !/sbin/reboot,
!/usr/sbin/reboot, !/usr/bin/reboot
(ALL) NOPASSWD: ALL
the last line rules them all, you need to move:

Code:

(ALL) NOPASSWD: ALL, !/sbin/shutdown, !/usr/sbin/shutdown, !/sbin/poweroff,
        !/usr/sbin/poweroff, !/usr/bin/poweroff, !/sbin/reboot,
        !/usr/sbin/reboot, !/usr/bin/reboot
to be last.
Does this setting also prevent a user from doing the reboot/shutdown commands without sudo?
(sudo is not required for reboot/shutdown in RPi OS desktop)

Edit: clarification
Last edited by klricks on Sat Sep 23, 2023 11:44 pm, edited 1 time in total.
3B+ & 4B4G Running RPi OS Bookworm w/ Desktop

cleverca22
Posts: 8165
Joined: Sat Aug 18, 2012 2:33 pm

Re: sudo

Sat Sep 23, 2023 10:01 pm

klricks wrote:
Sat Sep 23, 2023 9:57 pm
Does this setting also prevent a user from doing the reboot/shutdown commands without sudo?
that's due to polkit, if you have logged in from a physical terminal (text console, X), then you get special perms and can reboot without sudo

but if you login remotely (ssh), you don't get those perms

this has bitten me a few times, when i typed "reboot" into the wrong terminal, and linux just goes "ok" and there goes all my state
i've created an "r" alias on the machines i reboot often, so i can reboot with just "r" and if i hit the wrong window, i just get command not found

BigRedMailbox
Posts: 406
Joined: Sat Aug 20, 2022 10:37 pm

Re: sudo

Sat Sep 23, 2023 10:31 pm

(sudo is not required in RPi OS desktop)
That's certainly not true, in the general sense.

It is true that there are certain, very restrictive situations where you can, indeed, get away without typing "sudo", but (IME), those situations are rare - and I don't concern myself with them.

As another poster noted, this is actually a mis-feature anyway, since you don't want to be rebooting willy-nilly.

(It is kind of like those stupid fancy keyboards where there's a key in the upper left corner (very easy to hit accidentally) that will shutdown and power off the machine. Apparently, this is the sort of thing that Windoze users use a lot and really like, but for me, it is death)
(On this forum) The answer to any question is either "Use Raspberry Pi Imager" or "Buy an Official Power Supply", regardless of the text of the original question.

kerry_s
Posts: 6515
Joined: Thu Jan 30, 2020 7:14 pm

Re: sudo

Sat Sep 23, 2023 10:40 pm

i don't know, i would have just made them non-executable as i don't even use them.
i use systemctl reboot and systemctl poweroff so no big loss for me.

i'm sure he's got his reasons for trying to lock things down.

swampdog
Posts: 1178
Joined: Fri Dec 04, 2015 11:22 am

Re: sudo

Sun Sep 24, 2023 9:32 am

I've always found "man sudoers" to be a headache and if the info is in there regarding the change, I still can't see it.

I currently have..

Code:

foo@pi20:~/usr/src $ sudo cat /etc/sudoers.d/010_foo-nopasswd 
foo	ALL=(ALL)	NOPASSWD:ALL,!FOO
..which no longer works. This is required..

Code:

foo@pi18:~ $ sudo cat /etc/sudoers.d/010_foo-nopasswd 
foo	ALL=(ALL)	NOPASSWD:ALL
foo	ALL=(ALL)	NOPASSWD:!FOO
There's obviously been a change as the (now working) output differs..

Code:

foo@pi20:~/usr/src $ sudo -l
Matching Defaults entries for foo on pi20:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin,
    env_keep+=NO_AT_BRIDGE, !secure_path, env_keep+="http_proxy HTTP_PROXY",
    env_keep+="https_proxy HTTPS_PROXY", env_keep+="ftp_proxy FTP_PROXY",
    env_keep+=RSYNC_PROXY, env_keep+="no_proxy NO_PROXY"

User foo may run the following commands on pi20:
    (ALL) NOPASSWD: ALL, !/sbin/shutdown, !/sbin/poweroff, !/usr/bin/poweroff,
        !/sbin/reboot, !/usr/bin/reboot

Code:

foo@pi18:~ $ sudo -l
Matching Defaults entries for foo on pi18:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin,
    env_keep+=NO_AT_BRIDGE, !secure_path, env_keep+="http_proxy HTTP_PROXY",
    env_keep+="https_proxy HTTPS_PROXY", env_keep+="ftp_proxy FTP_PROXY",
    env_keep+=RSYNC_PROXY, env_keep+="no_proxy NO_PROXY"

User foo may run the following commands on pi18:
    (ALL : ALL) ALL
    (ALL) NOPASSWD: ALL
    (ALL) NOPASSWD: !/sbin/shutdown, !/usr/sbin/shutdown, !/sbin/poweroff,
        !/usr/sbin/poweroff, !/usr/bin/poweroff, !/sbin/reboot,
        !/usr/sbin/reboot, !/usr/bin/reboot
@kerry_s
As for the reason I desire this behaviour: stops me accidentally tearing down important machines! "sudo reboot/poweroff" is my default for those two actions. Now I have to "sudo su -" then "reboot/poweroff".

Almost forgot. Had to..

Code:

root@pi18:/etc/sudoers.d# mv 010_pi-nopasswd 010_pi-nopasswd.DISABLED
..as well. Not sure what impact that is going to have moving forward.
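
Added example, not part of any post above and not sudo's own code: a small model of the sudoers "last match wins" rule, run over the two entry orders that `sudo -l` printed for foo on pi18, to show why the first order lets `sudo reboot` through and the second refuses it. The function names are hypothetical, `/usr/bin/apt` is a constructed sample command, and matching is simplified to exact paths (no arguments, wildcards, hosts or runas users).

```python
# Constructed model of sudoers "last match wins" evaluation (not sudo's own code).
# Simplifications: exact path match only, no arguments, wildcards, hosts or runas.

def parse_entry(entry):
    """Split one 'sudo -l' entry such as '(ALL) NOPASSWD: ALL, !/sbin/reboot'
    into ordered (negated, command) pairs."""
    spec = entry.split(")", 1)[1]            # drop the '(runas)' prefix
    spec = spec.replace("NOPASSWD:", "")     # the tag does not affect matching
    pairs = []
    for item in spec.split(","):
        item = item.strip()
        if item:
            pairs.append((item.startswith("!"), item.lstrip("!")))
    return pairs

def allowed(entries, command):
    """Walk every entry in order; the last spec that matches decides."""
    verdict = False                          # no match at all means denied
    for entry in entries:
        for negated, cmd in parse_entry(entry):
            if cmd == "ALL" or cmd == command:
                verdict = not negated
    return verdict

DENY = ("!/sbin/shutdown, !/usr/sbin/shutdown, !/sbin/poweroff, "
        "!/usr/sbin/poweroff, !/usr/bin/poweroff, !/sbin/reboot, "
        "!/usr/sbin/reboot, !/usr/bin/reboot")

# Entry order from the first 'sudo -l' on pi18 (reboot was not blocked).
PI18_BEFORE = ["(ALL : ALL) ALL",
               "(ALL) NOPASSWD: ALL, " + DENY,
               "(ALL) NOPASSWD: ALL"]

# Entry order from the last 'sudo -l' on pi18 (reboot is blocked).
PI18_AFTER = ["(ALL : ALL) ALL",
              "(ALL) NOPASSWD: ALL",
              "(ALL) NOPASSWD: " + DENY]

if __name__ == "__main__":
    for name, rules in (("before", PI18_BEFORE), ("after", PI18_AFTER)):
        for cmd in ("/usr/sbin/reboot", "/usr/bin/apt"):
            print(name, cmd, "allowed" if allowed(rules, cmd) else "denied")
```

As the thread itself notes, this only guards against accidental use: `sudo su -` followed by `reboot` still works, because a root shell is not in the deny list.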
