Solved How to allow users to issue sudo command and be root and skip asking for password when sudo command is issued.

Do you think this can be accepted?

Code:
permit nopass :marietto cmd qemu-system-x86_64-debian_fs args *
 
Houston, I have a problem. This works:

Code:
permit nopass :marietto cmd qemu-system-x86_64-debian_fs args -machine q35 -cpu kvm64,hv_relaxed,hv_time,hv_synic -m 1G -vga std -drive file=Debian-fs.img,format=raw -drive file=/dev/da0,format=raw -drive file=/dev/da5,format=raw -rtc base=localtime -device usb-ehci,id=usb,bus=pcie.0,addr=0x3 -device usb-tablet -device usb-kbd -smbios type=2 -nodefaults -netdev tap,id=mynet0,ifname=tap19,script=no,downscript=no -device e1000,netdev=mynet0,mac=52:55:00:d1:55:01 -device ich9-ahci,id=sata -drive if=pflash,format=raw,readonly=on,file=/usr/local/share/edk2-qemu/QEMU_UEFI_CODE-x86_64.fd -drive if=pflash,format=raw,file=/usr/local/share/edk2-qemu/QEMU_UEFI_VARS-x86_64.fd

but I can't use /dev/da0 and /dev/da5 inside doas.conf because they are variables within the script that I'm writing...

PS: this does not work:

Code:
permit nopass :marietto cmd qemu-system-x86_64-debian_fs
 
I don't like this general solution, but I suspect that it is the easiest and the only solution that I can use:

Code:
permit :wheel
permit nopass keepenv marietto
 
I thought the variables in the doas.conf might be the issue.

The args option in doas.conf needs the exact command you are going to run;
you can't use variables.

I have run into this issue before.

The solution is not to use the args option:

Code:
permit nopass :marietto cmd qemu-system-x86_64-debian_fs
 
My doas.conf:

Code:
# permit user
permit keepenv :djwilcox

# mount drives
permit nopass :djwilcox cmd mount
permit nopass :djwilcox cmd umount

# restart networking
permit nopass :djwilcox cmd service args netif start
permit nopass :djwilcox cmd service args netif stop
permit nopass :djwilcox cmd service args netif restart

# ifconfig wlan0
permit nopass :djwilcox cmd ifconfig args wlan0 up
permit nopass :djwilcox cmd ifconfig args wlan0 down

# ifconfig ue0 - usb ethernet
permit nopass :djwilcox cmd ifconfig args ue0 up
permit nopass :djwilcox cmd ifconfig args ue0 down

# ifconfig scan and wpa_supplicant
permit nopass :djwilcox cmd ifconfig args wlan0 list scan
permit nopass :djwilcox cmd wpa_supplicant args -B -i wlan0 -c /etc/wpa_supplicant.conf

# pkg update
permit nopass :djwilcox cmd pkg args update

# pkg upgrade
permit nopass :djwilcox cmd pkg args upgrade

# dmesg
permit nopass :djwilcox cmd dmesg

# sysctl
permit nopass :djwilcox cmd sysctl

# chroot
permit nopass :djwilcox cmd chroot

# jail
permit nopass :djwilcox cmd jexec
permit nopass :djwilcox cmd service
permit nopass :djwilcox cmd jls

# pacman
permit nopass :djwilcox cmd pacman

# root as root
permit nopass keepenv root as root
 
Hi mate,

try this in your doas.conf;
make sure everything else in the doas.conf is commented out:

Code:
# permit user
permit keepenv :marietto

# qemu
permit nopass :marietto cmd qemu-system-x86_64-debian_fs

# root as root - make sure this is at the end of the doas.conf
permit nopass keepenv root as root
 
[…] I would like to allow the user marietto to issue sudo command and be root and skip asking for password when sudo command is issued. […]
OMG, FreeBSD needs systemd. (→ Thread 93389) How did this simple question necessitate 35 posts?
much easier with doas […]
May I suggest as another long‑term alternative using Kerberos’ ~/.k5users, see ksu(1) for a description. Of course kerberos(7) involves a certain overhead, but who doesn’t use Kerberos anyway?
 
Code:
permit nopass marietto cmd /usr/local/bin/qemu-system-x86_64-debian_fs

Should work assuming that there is a /usr/local/bin/qemu-system-x86_64-debian_fs executable file.
What kind of file is /usr/local/bin/qemu-system-x86_64-debian_fs?
 
Should work assuming that there is a /usr/local/bin/qemu-system-x86_64-debian_fs executable file
What kind of file is /usr/local/bin/qemu-system-x86_64-debian_fs ?

qemu-system-x86_64-debian_fs is "qemu-system-x86_64", renamed :D

---> permit nopass marietto cmd qemu-system-x86_64-debian_fs does not work because the command that I should issue is incomplete (I've already tried). It needs these args:

Code:
-cpu kvm64,hv_relaxed,hv_time,hv_synic -m 1G -vga std -drive file=Debian-fs.img,format=raw -drive file=/dev/$vmdisk2,format=raw -drive file=/dev/$vmdisk5,format=raw -rtc base=localtime -device usb-ehci,id=usb,bus=pcie.0,addr=0x3 -device usb-tablet -device usb-kbd -smbios type=2 -nodefaults -netdev tap,id=mynet0,ifname=tap19,script=no,downscript=no -device e1000,netdev=mynet0,mac=52:55:00:d1:55:01 -device ich9-ahci,id=sata -drive if=pflash,format=raw,readonly=on,file=/usr/local/share/edk2-qemu/QEMU_UEFI_CODE-x86_64.fd -drive if=pflash,format=raw,file=/usr/local/share/edk2-qemu/QEMU_UEFI_VARS-x86_64.fd -nographic -serial none -monitor none

I tried to add them, like this:

Code:
permit nopass marietto cmd qemu-system-x86_64-debian_fs args -cpu kvm64,hv_relaxed,hv_time,hv_synic -m 1G -vga std -drive file=Debian-fs.img,format=raw -drive file=/dev/$vmdisk2,format=raw -drive file=/dev/$vmdisk5,format=raw -rtc base=localtime -device usb-ehci,id=usb,bus=pcie.0,addr=0x3 -device usb-tablet -device usb-kbd -smbios type=2 -nodefaults -netdev tap,id=mynet0,ifname=tap19,script=no,downscript=no -device e1000,netdev=mynet0,mac=52:55:00:d1:55:01 -device ich9-ahci,id=sata -drive if=pflash,format=raw,readonly=on,file=/usr/local/share/edk2-qemu/QEMU_UEFI_CODE-x86_64.fd -drive if=pflash,format=raw,file=/usr/local/share/edk2-qemu/QEMU_UEFI_VARS-x86_64.fd -nographic -serial none -monitor none

Can you guess why it does not work?
 
I don't understand how it is not working, since having
Code:
permit nopass myuser cmd smartctl
allows me to do doas smartctl as well as doas smartctl --help.
You only need args when you want to restrict to the maximum what can be done.
If the non restricted case does not work, it is most likely an issue with the location of qemu-system-x86_64-debian_fs.
So does it still not work with the correct full path to qemu-system-x86_64-debian_fs ?

If you really want to restrict the args parameter then you will most likely need to write all the possible cases.
 
The problem with putting the full path to the binary in doas.conf
is that you then have to type out the full path with doas,

e.g.

Code:
doas /usr/local/bin/qemu-system-x86_64-debian_fs

What you want to do is add doas completions in your ~/.zshrc:

Code:
# zsh autocompletion for sudo and doas
zstyle ":completion:*:(sudo|su|doas):*" command-path /usr/local/bin /usr/sbin

and change the doas.conf:

Code:
permit nopass marietto cmd qemu-system-x86_64-debian_fs

Then you can just run:

Code:
doas qemu-system-x86_64-debian_fs
 
I have reopened this thread because sometimes it works, sometimes it does not:

Code:
[marietto@marietto ~/Desktop/Files/Qemu]==> sudo mousepad /usr/local/etc/doas.conf

permit nopass :marietto cmd zpool args import -f -R /mnt/zroot2 zroot2
permit nopass :marietto cmd zpool args import -f -R /mnt/zroot-133 zroot-133
permit nopass :marietto cmd zpool args export -f zroot2
permit nopass :marietto cmd zpool args export -f zroot-133
permit nopass :marietto cmd /usr/local/bin/qemu-system-x86_64-debian_fs

===>

Code:
[marietto@marietto ~/Desktop/Files/Qemu]==> doas /usr/local/bin/qemu-system-x86_64-debian_fs -machine q35 -cpu kvm64,hv_relaxed,hv_time,hv_synic -m 1G -vga std -drive file=Debian-fs.img,format=raw -drive file=/dev/$vmdisk1,format=raw -drive file=/dev/$vmdisk6,format=raw -rtc base=localtime -device usb-ehci,id=usb,bus=pcie.0,addr=0x3 -device usb-tablet -device usb-kbd -smbios type=2 -nodefaults -netdev tap,id=mynet0,ifname=tap19,script=no,downscript=no -device e1000,netdev=mynet0,mac=52:55:00:d1:55:01 -device ich9-ahci,id=sata -drive if=pflash,format=raw,readonly=on,file=/usr/local/share/edk2-qemu/QEMU_UEFI_CODE-x86_64.fd -drive if=pflash,format=raw,file=/usr/local/share/edk2-qemu/QEMU_UEFI_VARS-x86_64.fd -nographic -serial none -monitor none &

qemu-system-x86_64-debian_fs: Could not open '/dev/da3': Operation not permitted
 
This is the whole script :

Code:
#!/usr/local/bin/bash

vmdisk1=`geom disk list | awk '/^Geom name: /{d=$NF} /^ *ident: (NM13N4CZ)/ && d{print d}'`
echo "Seagate M3 Portable 1.8 TB UFS ; $vmdisk1"

vmdisk2=`geom disk list | awk '/^Geom name: /{d=$NF} /^ *ident: (2015020204055E)/ && d{print d}'`
echo "TOSHIBA External USB 3.0 1.8 TB ZFS ; $vmdisk2"

vmdisk3=`geom disk list | awk '/^Geom name: /{d=$NF} /^ *ident: (20130506005976F)/ && d{print d}'`
echo "TOSHIBA External USB 3.0 932G ZFS ; $vmdisk3"

vmdisk4=`geom disk list | awk '/^Geom name: /{d=$NF} /^ *ident: (BE0191500218)/ && d{print d}'`
echo "G-DRIVE USB UFS ; $vmdisk4"

vmdisk5=`geom disk list | awk '/^Geom name: /{d=$NF} /^ *ident: (38434B4237354B45)/ && d{print d}'`
echo "Elements NTFS ; $vmdisk5"

vmdisk6=`geom disk list | awk '/^Geom name: /{d=$NF} /^ *ident: (57442D575845323039544433303334)/ && d{print d}'`
echo "WD-3200BMV UFS ; $vmdisk6"

PS3='Please enter your choice. Options : 

1. From TOSHIBA External USB 3.0 1.8 TB ZFS to Elements NTFS and viceversa 
2. From TOSHIBA External USB 3.0 932G ZFS to Elements NTFS and viceversa 
3. From G-DRIVE USB UFS to Elements NTFS and viceversa 
4. From Seagate M3 Portable 1.8 TB UFS to Elements NTFS and viceversa
5. From WD 3200BMV External UFS to TOSHIBA External USB 3.0 1.8 TB ZFS 
6. ssh debian_fs / Copy Files
7. Check qemu vms 
8. Kill debian_fs 
9. Quit
Your choice is : ' 

options=("1. From TOSHIBA External USB 3.0 1.8 TB ZFS to Elements NTFS and viceversa" "2. From TOSHIBA External USB 3.0 932G ZFS to Elements NTFS and viceversa" "3. From G-DRIVE USB UFS to Elements NTFS and viceversa" "4. From Seagate M3 Portable 1.8 TB UFS to Elements NTFS and viceversa" "5. From WD 3200BMV External UFS to TOSHIBA External USB 3.0 1.8 TB ZFS" "6. ssh debian_fs / Copy Files" "7. Check qemu vms" "8. Kill debian_fs" "9. Quit")

select opt in "${options[@]}"
do
    case $opt in
        "1. From TOSHIBA External USB 3.0 1.8 TB ZFS to Elements NTFS and viceversa")
            doas zpool export -f zroot-133 && umount /dev/$vmdisk5'p1'
            doas /usr/local/bin/qemu-system-x86_64-debian_fs -machine q35 -cpu kvm64,hv_relaxed,hv_time,hv_synic -m 1G -vga std -drive file=Debian-fs.img,format=raw -drive file=/dev/$vmdisk2,format=raw -drive file=/dev/$vmdisk5,format=raw -rtc base=localtime -device usb-ehci,id=usb,bus=pcie.0,addr=0x3 -device usb-tablet -device usb-kbd -smbios type=2 -nodefaults -netdev tap,id=mynet0,ifname=tap19,script=no,downscript=no -device e1000,netdev=mynet0,mac=52:55:00:d1:55:01 -device ich9-ahci,id=sata -drive if=pflash,format=raw,readonly=on,file=/usr/local/share/edk2-qemu/QEMU_UEFI_CODE-x86_64.fd -drive if=pflash,format=raw,file=/usr/local/share/edk2-qemu/QEMU_UEFI_VARS-x86_64.fd -nographic -serial none -monitor none &
            ;;
        "2. From TOSHIBA External USB 3.0 932G ZFS to Elements NTFS and viceversa")
            doas zpool export -f zroot2 && umount /dev/$vmdisk5'p1'
            doas /usr/local/bin/qemu-system-x86_64-debian_fs -machine q35 -cpu kvm64,hv_relaxed,hv_time,hv_synic -m 1G -vga std -drive file=Debian-fs.img,format=raw -drive file=/dev/$vmdisk3,format=raw -drive file=/dev/$vmdisk5,format=raw -rtc base=localtime -device usb-ehci,id=usb,bus=pcie.0,addr=0x3 -device usb-tablet -device usb-kbd -smbios type=2 -nodefaults -netdev tap,id=mynet0,ifname=tap19,script=no,downscript=no -device e1000,netdev=mynet0,mac=52:55:00:d1:55:01 -device ich9-ahci,id=sata -drive if=pflash,format=raw,readonly=on,file=/usr/local/share/edk2-qemu/QEMU_UEFI_CODE-x86_64.fd -drive if=pflash,format=raw,file=/usr/local/share/edk2-qemu/QEMU_UEFI_VARS-x86_64.fd -nographic -serial none -monitor none &
            ;;
        "3. From G-DRIVE USB UFS to Elements NTFS and viceversa")
            doas umount /dev/$vmdisk4'p2' && umount /dev/$vmdisk5'p1'
            doas /usr/local/bin/qemu-system-x86_64-debian_fs -machine q35 -cpu kvm64,hv_relaxed,hv_time,hv_synic -m 1G -vga std -drive file=Debian-fs.img,format=raw -drive file=/dev/$vmdisk4,format=raw -drive file=/dev/$vmdisk5,format=raw -rtc base=localtime -device usb-ehci,id=usb,bus=pcie.0,addr=0x3 -device usb-tablet -device usb-kbd -smbios type=2 -nodefaults -netdev tap,id=mynet0,ifname=tap19,script=no,downscript=no -device e1000,netdev=mynet0,mac=52:55:00:d1:55:01 -device ich9-ahci,id=sata -drive if=pflash,format=raw,readonly=on,file=/usr/local/share/edk2-qemu/QEMU_UEFI_CODE-x86_64.fd -drive if=pflash,format=raw,file=/usr/local/share/edk2-qemu/QEMU_UEFI_VARS-x86_64.fd -nographic -serial none -monitor none &
            ;;
        "4. From Seagate M3 Portable 1.8 TB UFS to Elements NTFS and viceversa")
            doas umount /dev/$vmdisk1'p2' && umount /dev/$vmdisk5'p1'
            doas /usr/local/bin/qemu-system-x86_64-debian_fs -machine q35 -cpu kvm64,hv_relaxed,hv_time,hv_synic -m 1G -vga std -drive file=Debian-fs.img,format=raw -drive file=/dev/$vmdisk1,format=raw -drive file=/dev/$vmdisk5,format=raw -rtc base=localtime -device usb-ehci,id=usb,bus=pcie.0,addr=0x3 -device usb-tablet -device usb-kbd -smbios type=2 -nodefaults -netdev tap,id=mynet0,ifname=tap19,script=no,downscript=no -device e1000,netdev=mynet0,mac=52:55:00:d1:55:01 -device ich9-ahci,id=sata -drive if=pflash,format=raw,readonly=on,file=/usr/local/share/edk2-qemu/QEMU_UEFI_CODE-x86_64.fd -drive if=pflash,format=raw,file=/usr/local/share/edk2-qemu/QEMU_UEFI_VARS-x86_64.fd -nographic -serial none -monitor none &
            ;;
        "5. From WD 3200BMV External UFS to TOSHIBA External USB 3.0 1.8 TB ZFS")
            doas zpool export -f zroot-133 && umount /dev/$vmdisk6'p2'
            doas /usr/local/bin/qemu-system-x86_64-debian_fs -machine q35 -cpu kvm64,hv_relaxed,hv_time,hv_synic -m 1G -vga std -drive file=Debian-fs.img,format=raw -drive file=/dev/$vmdisk1,format=raw -drive file=/dev/$vmdisk6,format=raw -rtc base=localtime -device usb-ehci,id=usb,bus=pcie.0,addr=0x3 -device usb-tablet -device usb-kbd -smbios type=2 -nodefaults -netdev tap,id=mynet0,ifname=tap19,script=no,downscript=no -device e1000,netdev=mynet0,mac=52:55:00:d1:55:01 -device ich9-ahci,id=sata -drive if=pflash,format=raw,readonly=on,file=/usr/local/share/edk2-qemu/QEMU_UEFI_CODE-x86_64.fd -drive if=pflash,format=raw,file=/usr/local/share/edk2-qemu/QEMU_UEFI_VARS-x86_64.fd -nographic -serial none -monitor none &
            ;;
        "6. ssh debian_fs / Copy Files")
            ssh -Y marietto@192.168.1.2
            ;;
        "7. Check qemu vms")
            ps ax | grep qemu
            ;;
        "8. Kill debian_fs")
            pgrep qemu-system-x86_64-debian_fs | xargs kill
            ;;
        "9. Quit")
            break
            ;;
        *)  echo "invalid option $REPLY";;
    esac
done
 
Even in this form it does not work:

Code:
permit :wheel
permit nopass keepenv marietto

I don't understand...
 
To start, the recommendation to replace `sudo` with `doas` is good. If you have the time to follow it, you should. If you don't:

1. Make sure that there isn't a hidden syntax error in your sudoers file:


Code:
# /bin/sh
# export EDITOR=nano
# visudo
# exit

Note well that visudo will not let you save the file with syntax errors.

2. If you can save the file, check your work:


Code:
# /bin/sh
# sudo -U marietto -l

This lists all the commands for which user "marietto" can use sudo to gain elevated privileges. If `su` is not listed, try this in sudoers, again with visudo:


Code:
...
marietto ALL=(ALL) NOPASSWD: ALL
...

That line in /usr/local/etc/sudoers should let user marietto call sudo to escalate privilege for any command on your box. In these situations, I find it easy to start with something that works and scale back to what you need. You are right to limit your user to just what you need. If sudo is saying that you can do the command, log in to a different console and try. Note well that if you use ssh with ControlMaster, a new login leverages the current session, so changes made to the user/group databases won't be reflected in your new session. Ask me how I know this... If you have console access, it would be best to test there.

Finally, there are system tools for editing many of these files. If you used nano directly on /etc/master.passwd or possibly /etc/group, your user/group files can be out of sync with the database that login uses. The commands `man pwd_mkdb` and `man vipw` should help you get things back to where they should be. It's a little trickier to get those commands to use `nano` as your editor, but if `nano` is what you like, it's time well spent. I know how to do this in /bin/sh or /bin/ksh, but I avoid /bin/csh so I'm not up to snuff there. I also won't recommend that you change root's shell, as "there be dragons".

I'll finish by again saying that `doas` is a better `sudo` than `sudo`. It's just that some may not have the time to spend to learn a new system.
 
Note well that visudo will not let you save the file with syntax errors.
You can syntax check existing files with visudo -c

Code:
     -c, --check
             Enable check-only mode.  The existing sudoers file (and any other
             files it includes) will be checked for syntax errors.  If the
             path to the sudoers file was not specified, visudo will also
             check the file ownership and permissions (see the -O and -P
             options).  A message will be printed to the standard output
             describing the status of sudoers unless the -q option was
             specified.  If the check completes successfully, visudo will exit
             with a value of 0.  If an error is encountered, visudo will exit
             with a value of 1.

You can use this on the command line but also in automated scripts for example.
 
qemu-system-x86_64-debian_fs: Could not open '/dev/da3': Operation not permitted
Well, "Operation not permitted" has nothing to do with issuing doas without a password, so it is another issue.
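To make the matching behaviour discussed in this thread concrete, here is an added example (not code from the thread and not doas itself): a small Python simulator of doas.conf rule matching following the doas.conf(5) semantics that the replies rely on, namely that the last matching rule wins, cmd is compared literally against the command as typed, and args must match the supplied arguments exactly. The sample configuration, user and group names are constructed from the thread's rules.

```python
import shlex

# Assumed doas.conf(5) semantics: last matching rule wins, "cmd" is compared
# literally against argv[0] as typed, "args" must equal the remaining argv
# exactly, and "args" with no words means "no arguments allowed".
def parse_doas_conf(text):
    """Return a list of rule dicts: action, options, identity, target, cmd, args."""
    rules = []
    for raw in text.splitlines():
        words = shlex.split(raw, comments=True)        # '#' starts a comment
        if not words:
            continue
        rule = {"action": words.pop(0), "options": set(), "target": None,
                "cmd": None, "args": None}             # args None = any; [] = none
        if rule["action"] not in ("permit", "deny"):
            raise ValueError("bad action in: " + raw)
        while words and words[0] in ("nopass", "persist", "keepenv"):
            rule["options"].add(words.pop(0))
        rule["identity"] = words.pop(0)                # user name or ":group"
        while words:
            key = words.pop(0)
            if key in ("as", "cmd"):
                rule[{"as": "target", "cmd": "cmd"}[key]] = words.pop(0)
            elif key == "args":
                rule["args"], words = words, []        # rest of line, verbatim
            else:
                raise ValueError("unknown keyword in: " + raw)
        rules.append(rule)
    return rules

def evaluate(rules, user, groups, argv, target="root"):
    """Apply doas matching: scan every rule, the last one that matches decides."""
    matched = None
    for r in rules:
        ident = r["identity"]
        in_ident = ident[1:] in groups if ident.startswith(":") else ident == user
        if not in_ident:
            continue
        if r["target"] not in (None, target) or r["cmd"] not in (None, argv[0]):
            continue
        if r["args"] is not None and r["args"] != list(argv[1:]):
            continue
        matched = r
    if matched is None or matched["action"] == "deny":
        return "deny", set()
    return "permit", matched["options"]

# Constructed doas.conf modelled on the thread's rules (not the poster's file).
SAMPLE_CONF = """
permit nopass :marietto cmd qemu-system-x86_64-debian_fs args -m 1G -drive file=/dev/$vmdisk2,format=raw
permit nopass :marietto cmd /usr/local/bin/qemu-system-x86_64-debian_fs
permit :marietto cmd dmesg args
"""

def check(argv):
    # marietto is in groups marietto and wheel; argv is what the shell hands to doas
    return evaluate(parse_doas_conf(SAMPLE_CONF), "marietto", {"marietto", "wheel"}, argv)
```

The shell expands $vmdisk2 before doas ever runs, so a rule whose args still contain the variable name can only match when doas receives that literal text, which the script never produces; a rule with cmd but no args accepts any arguments, and one with an empty args accepts none.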
 