
Goodbye sudo package

June 24, 2023 — BarryK

There are scripts in EasyOS whose first two lines look like this (for example, /usr/sbin/bootmanager):

[ "${WHOIAM}" != "root" ] && exec sudo -A ${0} ${@}

The '-A' option tells 'sudo' to run a helper program (askpass) to ask for the password. The file /etc/sudo.conf has this:

# sudo 1.7.2 required askpass in /etc/sudoers, but 1.8.1p2 reports that as a syntax error
# and requires it in this file (see:
Path askpass /usr/sbin/askpass

/usr/sbin/askpass is a shell script that brings up a little GUI asking for the root password, which is then passed via stdin to 'sudo', and the script, 'bootmanager' for example, will then run as the root user.

This is a mechanism that I developed in 2015 for Quicky Linux. However, 'sudo' no longer works. Easy uses busybox utilities for password management. For example, to set the root password in the 'init' script in the initrd:

ePW="$(cryptpw -m SHA512 ${rootPW})" #note: busybox mkpasswd is an alias for cryptpw
grep -v -E '^zeus|^root' /easy_ro/easy_sfs/etc/shadow > /mnt/${WKG_DEV}/${WKG_DIR}.session/etc/shadow
echo "zeus:${ePW}:17693:0:99999:7:::
root:${ePW}:17693:0:99999:7:::" >> /mnt/${WKG_DEV}/${WKG_DIR}.session/etc/shadow

I think that the 'sudo' utility stopped working when I changed busybox to "SHA512" encryption. I couldn't figure out a fix, so I had a thought: why do we even need 'sudo'?

Busybox 'su' can replace 'sudo'. Well, indirectly, as the 'busybox' utility does not have the suid bit set, so 'su' cannot be run by a non-root user. I ended up creating a very simple script, /usr/bin/sudo:

#sudo does not work. something to do with busybox mkpasswd now using sha512?
#whatever, if a script has this (ex: /usr/sbin/bootmanager):
# WHOIAM="$(whoami)"
# [ "${WHOIAM}" != "root" ] && exec sudo -A ${0} ${@}
#use busybox 'su' instead. 'su' does not read pw from stdin, but via
#the 'script' utility it works. ref:
#note, /usr/bin/sudo does not have to be suid.

shift #need this coz first argument is "-A"
askpass | script -qc "su root -c '${*}' | tail -n +2" /dev/null

The /usr/bin/sudo script is not suid. The 'su' utility does not read the password from stdin, but I got the idea to use the 'script' utility from here:

Works great. All the complexity of sudo has been thrown out, but is this solution too simplistic?
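One place where the wrapper's simplicity shows: the text placed in '${*}' is parsed again by the shell that 'su' starts, so an argument containing a space, a quote or a ';' does not arrive as the single word the caller passed. The following is an added example, not EasyOS code; the function names, the SU override and the use of a plain 'sh -c' as a stand-in for 'su root -c' are assumptions made so that it runs without a password.

```shell
#!/bin/sh
# Added example, not EasyOS code. Quotes arguments so that a "-c" string is
# read back as exactly the words the caller passed.

# quote_arg WORD: print WORD inside single quotes, embedded ' written as '\''.
quote_arg() {
    # the trailing "x" keeps final newlines alive through $(...); removed below
    q=$(printf '%sx' "$1" | sed "s/'/'\\\\''/g")
    printf "'%s'" "${q%x}"
}

# build_cmd ARGS...: one string that a shell parses back into exactly ARGS.
build_cmd() {
    out=
    for a in "$@"; do
        out="${out}${out:+ }$(quote_arg "$a")"
    done
    printf '%s' "$out"
}

# naive_cmd ARGS...: what ends up between the quotes in  su root -c '${*}'
naive_cmd() { printf '%s' "$*"; }

# parse_like_su STRING: stand-in (assumption) for `su root -c STRING`; an
# unprivileged sh parses the string, which is the step that matters here.
parse_like_su() { sh -c "$1"; }

# script_line ARGS...: the string for `script -qc`. It is parsed twice, first
# by the shell that script starts and then by the shell that su starts, so the
# quoted command is quoted once more. SU is overridable (hypothetical knob).
script_line() {
    printf '%s -c %s | tail -n +2' "${SU:-su root}" \
        "$(quote_arg "$(build_cmd "$@")")"
}

# Constructed input: a single argument that contains a space and a ';'.
set -- echo 'report; echo SECOND-COMMAND'
echo "naive : $(parse_like_su "$(naive_cmd "$@")" | wc -l) line(s) of output"
echo "quoted: $(parse_like_su "$(build_cmd "$@")" | wc -l) line(s) of output"
```

With the naive string the second shell sees two commands; with the quoted string it sees one 'echo' with one argument.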

The next release of Easy will have this 'sudo' script and will not have the 'sudo' package.

Refinements to 'sudo' and 'xdg-open' scripts: 

Forum discussion is here:  
