Solved: How to allow users to issue the sudo command, become root, and skip the password prompt when sudo is issued.

ok. I'm trying to issue this command with doas :

Code:
[marietto@marietto ~]==> doas mount -t ufs /dev/da3p2 /mnt/da3p2

the error is :

Code:
doas: syntax error at line 9

my doas.conf file is :

Code:
#permit :wheel
#permit nopass keepenv marietto

permit nopass :marietto cmd zpool args import -f -R /mnt/zroot2 zroot2
permit nopass :marietto cmd zpool args import -f -R /mnt/zroot-133 zroot-133
permit nopass :marietto cmd zpool args export -f zroot2
permit nopass :marietto cmd zpool args export -f zroot-133
permit nopass :marietto cmd qemu-system-x86_64-debian_fs
permit nopass :marietto cmd mount

line 9 is :
Code:
permit nopass :marietto cmd mount

I've also added this to # ~/.zshrc :

Code:
# zsh autocompletion for sudo and doas
zstyle ":completion:*:(sudo|su|doas):*" command-path /usr/local/bin /usr/local/sbin /usr/sbin /usr/bin /bin /sbin

the mount executable is in /sbin ;

I don't understand why I get that error. I've also tried :

Code:
permit nopass :marietto cmd mount args -t ufs

but the error is the same.

also tried :

Code:
permit nopass :marietto cmd mount args -t ufs /dev/da3p2 /mnt/da3p2

nothing...

Code:
permit nopass :marietto cmd /sbin/mount args -t ufs /dev/da3p2 /mnt/da3p2

nothing...
 
the doas.conf can be a bit fussy;
it might be a whitespace character.

I'd try removing the rules and re-adding them.
Also note the order of the rules matters: the later rules override the previous rules.

i have this in my doas.conf

Code:
# mount drives
permit nopass :djwilcox cmd mount
permit nopass :djwilcox cmd umount

i also have this at the bottom of doas.conf

Code:
# root as root
permit nopass keepenv root as root

check the doas.conf

Code:
doas -C /usr/local/etc/doas.conf
 
try commenting out the commands with dashes

Code:
#permit nopass :marietto cmd zpool args import -f -R /mnt/zroot2 zroot2
#permit nopass :marietto cmd zpool args import -f -R /mnt/zroot-133 zroot-133
#permit nopass :marietto cmd zpool args export -f zroot2
#permit nopass :marietto cmd zpool args export -f zroot-133
permit nopass :marietto cmd qemu-system-x86_64-debian_fs
permit nopass :marietto cmd mount

and then check the doas.conf for errors

Code:
doas -C /usr/local/etc/doas.conf
 
try using this instead

Code:
permit nopass :marietto cmd zpool
permit nopass :marietto cmd qemu-system-x86_64-debian_fs
permit nopass :marietto cmd mount

and then check the doas.conf for errors

Code:
doas -C /usr/local/etc/doas.conf
 
[...] my doas.conf file is :
Code:
#permit :wheel
     ...
permit nopass :marietto cmd mount
What is the output of cat -n doas.conf ?

doas.conf(5):
Code:
NOTES
    ...
    Please make sure each rule in your doas.conf file ends with a newline
    (Enter) character. Otherwise syntax checks will fail with an error
    "syntax error at line..."
 
bingo : there was a whitespace character at the end of the line.
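Added example (not from this thread and not part of doas): a small POSIX sh linter for the two defects diagnosed above, a rule line ending in whitespace and a last rule with no newline, plus a cleaner that writes a fixed copy and hands it to doas -C when doas is installed. The function names and the sample rules are my own.

```shell
#!/bin/sh
# Lint a doas.conf for the two formatting defects this thread ran into:
# trailing whitespace on a rule line, and a last rule not ended by a newline.
# Both make doas report "syntax error at line N" for a rule that looks fine.

# lint_doas_conf FILE: print each defect, return 0 if clean and 1 otherwise.
lint_doas_conf() {
    conf="$1"
    rc=0
    # Lines ending in a space, tab or CR. The pipeline's status is cut's,
    # so a clean file does not trip a caller running under set -e.
    for ln in $(grep -n '[[:space:]]$' "$conf" | cut -d: -f1); do
        printf '%s: line %s has trailing whitespace\n' "$conf" "$ln"
        rc=1
    done
    # If the last byte is a newline, wc -l counts one line in it; else zero.
    if [ -s "$conf" ] && [ "$(tail -c 1 "$conf" | wc -l | tr -d ' ')" -eq 0 ]; then
        printf '%s: last rule is not terminated by a newline\n' "$conf"
        rc=1
    fi
    return $rc
}

# fix_doas_conf SRC DST: write a cleaned copy to DST. awk strips trailing
# blanks from every line and its print always ends a record with a newline,
# so the last rule is terminated even when SRC lacked the final newline.
# When doas is installed, DST is parsed with doas -C before anyone copies it
# over the live file.
fix_doas_conf() {
    awk '{ sub(/[ \t\r]+$/, ""); print }' "$1" > "$2"
    if command -v doas >/dev/null 2>&1; then
        doas -C "$2"
    fi
}

# Usage: sh lint-doas.sh /usr/local/etc/doas.conf
if [ $# -gt 0 ]; then
    lint_doas_conf "$1"
fi
```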
 
I've just understood how important it is to believe in God. And you have been his/her intermediary. Good job.
 
Look, I don't think it ought to be blasphemy, just saying "Jehovah".

You're only making it worse for yourself!

Making it worse? How could it be worse? Jehovah! Jehovah! Jehovah!

I'm warning you! If you say "Jehovah" once more...
 
I don't understand what you mean.
 
Anyway, my consideration is more philosophical than theological. Based on my idea of God, it is something that you see only in the little details or you don't see it at all. But what you see is a sensible difference between before and after, like the whitespace character. It was there but impossible to see if one didn't experiment with it in some way. A little, invisible difference that makes the difference between what works and what does not work... in the setup of your life.
 
Crucifixion?
Er, no, freedom actually.

What?
Yeah, they said I hadn't done anything and I could go and live on an island somewhere.

Oh I say, that's very nice. Well, off you go then.
No, I'm just pulling your leg, it's crucifixion really.
 
“The greatest prank the devil has ever pulled was to convince the world that he / she doesn't exist and like nothing… he / she disappears…” : like that whitespace character...
 
I don't want to use a password only when I run "sudo zpool import -f -R /mnt/zroot2 zroot2" as user "marietto" that's inside the wheel group.

Code:
Cmnd_Alias ZPOOL = /sbin/zpool import -f -R /mnt/zroot2 zroot2

%wheel ALL = (ALL) ALL, NOPASSWD: ZPOOL
Or more relaxed, allowing all arguments to both zfs(8) and zpool(8):
Code:
Cmnd_Alias ZPOOL = /sbin/zpool *
Cmnd_Alias ZFS = /sbin/zfs *

%wheel ALL = (ALL) ALL, NOPASSWD: ZFS, ZPOOL
You could use just one Cmnd_Alias :
Code:
Cmnd_Alias ZFS = /sbin/zpool *, /sbin/zfs *

%wheel ALL = (ALL) ALL, NOPASSWD: ZFS

I usually split up the commands with various aliases, that makes the permission lines a little easier to read and the list of commands easier to modify.
 
Again on doas :

I've added these parameters to doas.conf :

Code:
permit nopass :marietto cmd bhyvectl
permit nopass :marietto cmd bhyve
permit nopass :marietto cmd bhyve-lin
permit nopass :marietto cmd bhyve-win

because I want to boot a bhyve vm without being root. When I run this script :

Code:
#!/bin/sh
# Boot the Ubuntu 23.10 VM. Meant to be run through doas; bhyvectl and
# bhyve-lin are the binaries the doas.conf rules above allow.

setxkbmap it

# Existing VMs (empty when /dev/vmm has none) and the display numbers of the
# vncviewer sessions currently running.
vms="$(ls /dev/vmm/* 2>/dev/null)"
vncs="$(ps ax | awk '/vncviewer [0]/{print $6}')"
echo "$vms"
echo "$vncs"

# All four functions of the RTX 2080 Ti (pci0:2:0:0-3) must be on the ppt
# driver for passthrough. This only reports the state; nothing is attached here.
for f in 0 1 2 3; do
    if ! pciconf -l "pci0:2:0:$f" | grep -q "^ppt"; then
        echo "rtx 2080ti slot 2/0/$f is not attached to ppt, attaching..."
    else
        echo "rtx 2080ti slot 2/0/$f is already attached to ppt"
    fi
done
echo "rtx 2080ti is fully attached to ppt"

# Destroy "ghost" VMs: vmm instances with no vncviewer attached to them.
for vm in $vms; do
    session="${vm##*/}"
    echo "bhyve session = $session"
    echo "vnc session = $vncs"
    if ! printf '%s\n' "$vncs" | grep -q "${session#vm}"; then
        printf 'VNC session not found, destroying ghost vms\n'
        bhyvectl --vm="$session" --destroy
    else
        printf 'Found VNC session %s, no ghost vms found, not destroying them\n' "$session"
    fi
done

# Map a disk's serial (the "ident:" field of geom disk list) to its device
# name, so the VM gets the right disk even when da*/ada* numbering changes.
disk_by_ident() {
    geom disk list | awk -v id="$1" \
        '/^Geom name: /{d=$NF} $0 ~ ("^ *ident: " id) && d {print d}'
}

vmdisk0=$(disk_by_ident NM13N4CZ); echo "Seagate M3 Portable 1.8 TB UFS ; $vmdisk0"
vmdisk1=$(disk_by_ident 2022285F1175); echo "CT1000P1SSD8 ; $vmdisk1"
vmdisk2=$(disk_by_ident 2015020204055E); echo "TOSHIBA External USB 3.0 1.8 TB ZFS ; $vmdisk2"
vmdisk3=$(disk_by_ident 20130506005976F); echo "TOSHIBA External USB 3.0 932G ; $vmdisk3"
vmdisk4=$(disk_by_ident BE0191500218); echo "G-DRIVE USB ; $vmdisk4"
vmdisk5=$(disk_by_ident 38434B4237354B45); echo "Elements 25A3 ; $vmdisk5"
vmdisk6=$(disk_by_ident WD-WCAV2X597309); echo "WDC WD3200AAJS-00L7A0-298 GB ; $vmdisk6"
vmdisk7=$(disk_by_ident 0774911DDC4200A6); echo "SanDisk Cruzer-15GB ; $vmdisk7"
vmdisk8=$(disk_by_ident 60A44C4138D8F311190A0149); echo "Kingston DataTraveler 2.0 ; $vmdisk8"
vmdisk9=$(disk_by_ident 20140100006C); echo "Corsair Force 3 SSD ; $vmdisk9"
vmdisk10=$(disk_by_ident 1924E20B2AE5); echo "CT500MX500SSD4 ; $vmdisk10"
vmdisk11=$(disk_by_ident 575845583038524844323238); echo "WD-2500BMV ; $vmdisk11"
vmdisk12=$(disk_by_ident 57442D575845323039544433303334); echo "WD-3200BMV ; $vmdisk12"
vmdisk13=$(disk_by_ident S3Z2NB0KB99028V); echo "Samsung SSD 860 EVO 500GB ; $vmdisk13"
vmdisk14=$(disk_by_ident 0706220000007747); echo "SanDisk SDDR-B531 ; $vmdisk14"

# The Elements drive is passed through in slot 4; refuse to start without it
# rather than handing bhyve an empty "/dev/" path.
if [ -z "$vmdisk5" ]; then
    echo "Elements 25A3 not found, not starting the vm" >&2
    exit 1
fi

/usr/sbin/bhyve-lin -S -c sockets=2,cores=2,threads=2 -m 4G -w -H -A \
    -s 0,hostbridge \
    -s 1,ahci-hd,/mnt/zroot2/zroot2/bhyve/img/Linux/Ubuntu2310.img,bootindex=1 \
    -s "4,ahci-hd,/dev/$vmdisk5" \
    -s 5,ahci-hd,/mnt/zroot-133/bhyve/img/Linux/Debian-now.img \
    -s 6,nvme,/dev/nda0 \
    -s 11,hda,play=/dev/dsp,rec=/dev/dsp \
    -s 13,virtio-net,tap1 \
    -s 14,virtio-9p,sharename=/ \
    -s 29,fbuf,tcp=0.0.0.0:5901,w=1600,h=950,wait \
    -s 30,xhci,tablet \
    -s 31,lpc \
    -l bootrom,/usr/local/share/uefi-firmware/BHYVE_UEFI_CODE.fd \
    vm0:1 < /dev/null & sleep 2 && vncviewer 0:1

this is what happens :

Code:
[marietto@marietto /bhyve]==> doas ./01-Ubuntu-2310-vm1
doas: Operation not permitted

OR :

[marietto@marietto /bhyve]==> ./01-Ubuntu-2310-vm1
ls: /dev/vmm/*: No such file or directory

rtx 2080ti slot 2/0/0 is already attached to ppt
rtx 2080ti slot 2/0/1 is already attached to ppt
rtx 2080ti slot 2/0/2 is already attached to ppt
rtx 2080ti slot 2/0/3 is already attached to ppt
rtx 2080ti is fully attached to ppt
Seagate M3 Portable 1.8 TB UFS ; da5
CT1000P1SSD8 ; nda0
TOSHIBA External USB 3.0 1.8 TB ZFS ; da0
TOSHIBA External USB 3.0 932G ; da6
G-DRIVE USB ; da4
Elements 25A3 ; da8
WDC WD3200AAJS-00L7A0-298 GB ; ada2
SanDisk Cruzer-15GB ; da2
Kingston DataTraveler 2.0 ;
Corsair Force 3 SSD ;
CT500MX500SSD4 ; ada0
WD-2500BMV ; da3
WD-3200BMV ; da1
Samsung SSD 860 EVO 500GB ; ada1
SanDisk SDDR-B531 ;

----> vm_create: Operation not permitted

TigerVNC Viewer v1.13.1
Built on: 2023-11-14 09:15
Copyright (C) 1999-2022 TigerVNC Team and many others (see README.rst)
See https://www.tigervnc.org for information on TigerVNC.

Fri May 31 14:51:00 2024
 Parameters:  Failed to read line 21 in file
              /home/marietto/.vnc/default.tigervnc: Unknown parameter
 Parameters:  Failed to read line 22 in file
              /home/marietto/.vnc/default.tigervnc: Unknown parameter
 DecodeManager: Detected 16 CPU core(s)
 DecodeManager: Creating 4 decoder thread(s)
 CConn:       unable to connect to socket: Connection refused (61)
 DecodeManager:   Total: 0 rects, 0 pixels
 DecodeManager:          0 B (1:nan ratio)

I don't understand why. As root it works as expected.
 
try moving the script to /usr/local/bin

and add the following to your ~/.zshrc

Code:
zstyle ":completion:*:(sudo|su|doas):*" command-path /usr/local/bin /usr/sbin
 
I forgot to mention that I've already added these lines to : # ~/.zshrc

Code:
# zsh autocompletion for sudo and doas
zstyle ":completion:*:(sudo|su|doas):*" command-path /usr/local/bin /usr/local/sbin /usr/sbin /usr/bin /bin /sbin
 
I've also added the /bhyve path to zstyle, like this :

Code:
zstyle ":completion:*:(sudo|su|doas):*" command-path /usr/local/bin /usr/local/sbin /usr/sbin /usr/bin /bin /sbin /bhyve

but I get the same error :

Code:
vm_create: Operation not permitted
 
Issuing the bhyve command outside the script seems to work :

Code:
[marietto@marietto /bhyve]==> bhyve

Usage: bhyve [-AaCDeHhPSuWwxY]
             [-c [[cpus=]numcpus][,sockets=n][,cores=n][,threads=n]]
             [-G port] [-k config_file] [-l lpc] [-m mem] [-o var=value]
             [-p vcpu:hostcpu] [-r file] [-s pci] [-U uuid] vmname
       -A: create ACPI tables
       -a: local apic is in xAPIC mode (deprecated)
       -C: include guest memory in core file
       -c: number of CPUs and/or topology specification
       -D: destroy on power-off
       -e: exit on unhandled I/O access
       -G: start a debug server
       -H: vmexit from the guest on HLT
       -h: help
       -k: key=value flat config file
       -K: PS2 keyboard layout
       -l: LPC device configuration
       -m: memory size
       -o: set config 'var' to 'value'
       -P: vmexit from the guest on pause
       -p: pin 'vcpu' to 'hostcpu'
       -S: guest memory cannot be swapped
       -s: <slot,driver,configinfo> PCI slot config
       -U: UUID
       -u: RTC keeps UTC time
       -W: force virtio to use single-vector MSI
       -w: ignore unimplemented MSRs
       -x: local APIC is in x2APIC mode
       -Y: disable MPtable generation
 