site
contact
newsGoodbye sudo package
There are scripts in EasyOS that have first two lines like this (for example, /usr/sbin/bootmanager):
WHOIAM="$(whoami)"
[ "${WHOIAM}" != "root" ] && exec sudo -A ${0} ${@}
The 'sudo -A' means to run an app to ask for a password. The file /etc/sudo.conf has this:
# sudo 1.7.2 required askpass in /etc/sudoers, but 1.8.1p2 reports that as a syntax error
# and requires it in this file (see: http://www.gratisoft.us/sudo/man/1.8.0/sudo.man.html)
Path askpass /usr/sbin/askpass
/usr/sbin/askpass is a shell script that brings up a little GUI
asking for the root password, which is then passed via stdin to
'sudo', and the script, 'bootmanager' for example, will then run
as the root user.
This is a mechanism that I developed in 2015 for Quicky Linux. However, 'sudo' no longer works. Easy uses busybox utilities for password management. For example, to set the root password in the 'init' script in the initrd:
ePW="$(cryptpw -m SHA512 ${rootPW})" #note: busybox mkpasswd is an alias for cryptpw
grep -v -E '^zeus|^root' /easy_ro/easy_sfs/etc/shadow > /mnt/${WKG_DEV}/${WKG_DIR}.session/etc/shadow
echo "zeus:${ePW}:17693:0:99999:7:::
root:${ePW}:17693:0:99999:7:::" >> /mnt/${WKG_DEV}/${WKG_DIR}.session/etc/shadow
I think that the 'sudo' utility stopped working when I changed busybox to "SHA512" encryption. I couldn't figure out a fix, so had a thought why do we even need 'sudo'?
Busybox 'su' can replace 'sudo'. Well, indirectly, as the 'busybox' utility does not have the suid bit set, so 'su' cannot be run from a non-root user. I ended up creating a very simple script, /usr/bin/sudo:
#!/bin/ash
#20230623
#sudo does not work. something to do with busybox mkpasswd now using sha512?
#whatever, if a script has this (ex: /usr/sbin/bootmanager):
# WHOIAM="$(whoami)"
# [ "${WHOIAM}" != "root" ] && exec sudo -A ${0} ${@}
#use busybox 'su' instead. 'su' does not read pw from stdin, but via
#the 'script' utility it works. ref:
# https://stackoverflow.com/questions/19164222/su-pass-password-to-script
#note, /usr/bin/sudo does not have to be suid.
shift #need this coz first argument is "-A"
askpass | script -qc "su root -c '${*}' | tail -n +2" /dev/null
/usr/bin/sudo script is not suid. The 'su' utility does not read the password from stdin, but I got the idea to use the 'script' utility, from here:
https://stackoverflow.com/questions/19164222/su-pass-password-to-script
Works great. All the complexity of sudo has been thrown out, but is this solution too simplistic?
The next release of Easy will have this 'sudo' script and will not have the 'sudo' package.
EDIT:
Refinements to 'sudo' and 'xdg-open' scripts:
https://github.com/bkauler/woofq/commit/744b08a0675e9601b616387676ecd85de5cf893b
Forum discussion is here:
https://forum.puppylinux.com/viewtopic.php?t=9019
Tags: easy