Ubuntu: Unable to give permission through sudoers to a script accessing /dev/tty13



Question:

Here abc is the username and ak.sh is the file to which I wish to give all the permissions. I have added the following line at the top of sudoers.tmp, which I opened with sudo visudo:

abc ALL=NOPASSWD: /home/abc/ak.sh  

ak.sh contains:

#!/bin/bash
sudo cat /dev/tty13

When I run the script file, it asks me for password.


Solution:1

You need to actually use sudo for a sudoers rule to be of use. Either:

  1. Use the current sudoers rule and run sudo /home/abc/ak.sh
  2. Use the other rule you mentioned, but with absolute path for cat like this:
    abc ALL=NOPASSWD: /bin/cat /dev/tty13 and run sudo cat /dev/tty13 in the script.


Solution:2

Assuming your method of password exemption works the same way as changing sudoers, you need to call the SCRIPT with sudo, not the command IN the script. Or change sudoers. In other words:

sudo /home/abc/ak.sh  

is what you exempted from requiring a password, not cat. You still have to use sudo but if you did it right, you won't be required to enter a pass.

@muru

# # # # # # # # # # # # # # # # # # # #

Why it seems to me to be better to password exempt the script CONTAINING a cat command rather than cat itself:

$ ls / | grep secrets
secrets_root_does_not_want_to_share_.txt
$ # hmmm, that looks interesting . . .
$ cat /secrets_root_does_not_want_to_share_.txt
cat: /secrets_root_does_not_want_to_share_.txt: Permission denied
$ # Curses! My evil plans are foiled because:
$ stat /secrets_root_does_not_want_to_share_.txt | grep 'Access: ('
Access: (0600/-rw-------)  Uid: (    0/    root)   Gid: (    0/    root)
$ # But wait! I'm pass exempted! So:
$ sudo cat /secrets_root_does_not_want_to_share_.txt
Oh, my. Sensitive stuff is exposed to ordinary users.

Password exempting sudo cat isn't as dangerous as, for instance, password exempting sudo echo but it does seem to me to be a fairly bad practice.

# # # # # # # # # # # # # # # # # # # #

Added later to address Muru's skepticism regarding the equivalence of sudo cat when the password has not expired from a previous use of sudo to sudo cat when cat has been password exempted:

I added a rule to the beginning of my pass exemption section in /etc/sudoers like so:

me THIS_LOCAL_SYS=(ALL)NOPASSWD:/bin/cat, . . . [many other rules, separated by commas]  

Then in a fresh terminal:

$ # Demonstrating that password is not un-expired from previous use of sudo:
$ sudo ls /root
[sudo] password for j: 
$ stat /secrets_root_does_not_want_to_share_.txt|grep 'Access: ('
Access: (0600/-rw-------)  Uid: (    0/    root)   Gid: (    0/    root)
$ cat /secrets_root_does_not_want_to_share_.txt
cat: /secrets_root_does_not_want_to_share_.txt: Permission denied
$ # And rightly so, but with pass exempted sudo:
$ sudo cat /secrets_root_does_not_want_to_share_.txt
Oh, my. Sensitive stuff is exposed to ordinary users.
$

So, yes, they ARE equivalent, just as they should be; yes, I DO understand how sudo works - I've only edited that file a few hundred times; and yes, password exempting plain /bin/cat, instead of a script containing cat, is an unsound practice from a security perspective. Again, not the disastrous stupidity that password exempting sudo echo or sudo vi would be, but still a bad idea.
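
The answers above turn on how much each NOPASSWD rule really grants: a bare command path, a command with its arguments listed, or a script. The following audit helper is an added example, not code from the thread. It assumes simple one-line rules (no aliases, no line continuations, one NOPASSWD: tag per rule); the function name, verdict labels and sample rules are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify each NOPASSWD command in simple sudoers rules.
# Assumptions: one rule per line, one NOPASSWD: tag per rule, no aliases,
# no line continuations, no commas inside command arguments.

# CONSTRUCTED sample rules modelled on the ones discussed in the thread;
# the /usr/bin/id "" entry is added to show the empty-argument form.
SAMPLE_RULES='abc ALL=NOPASSWD: /home/abc/ak.sh
abc ALL=NOPASSWD: /bin/cat /dev/tty13
me ALL=(ALL)NOPASSWD:/bin/cat, /usr/bin/id ""'

# Reads sudoers lines on stdin, prints "VERDICT<TAB>command" per command.
#   ANY-ARGS         bare path: sudo accepts any arguments (sudo cat <any file>)
#   ARGS-PINNED      arguments listed: the command line must match them
#   NO-ARGS-ALLOWED  "" given: command may only run without arguments
#   HOME-PATH        file under /home: confirm it and its parent directories
#                    are root-owned and not writable by the exempted user
audit_nopasswd() {
    awk '
    /^[ \t]*#/ || !/NOPASSWD:/ { next }      # skip comments and other rules
    {
        sub(/^.*NOPASSWD:/, "")               # keep only the command list
        n = split($0, cmds, ",")
        for (i = 1; i <= n; i++) {
            c = cmds[i]
            gsub(/^[ \t]+|[ \t]+$/, "", c)    # trim surrounding blanks
            if (c == "") continue
            path = c
            sub(/[ \t].*$/, "", path)         # first word is the command path
            args = substr(c, length(path) + 1)
            sub(/^[ \t]+/, "", args)
            if (path ~ /^\/home\//)   v = "HOME-PATH"
            else if (args == "")      v = "ANY-ARGS"
            else if (args == "\"\"")  v = "NO-ARGS-ALLOWED"
            else                      v = "ARGS-PINNED"
            printf "%s\t%s\n", v, c
        }
    }'
}

# Run the audit over the constructed sample.
printf '%s\n' "$SAMPLE_RULES" | audit_nopasswd
```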

