bl-welcome fails if sudo rights are granted by /etc/suoders.d/ entries

Bearded_Blunder · 2016-08-26 21:42:27

Just that: Even when started by

sudo bl-welcome

I realise that enumerating and parsing such entries then cross checking against a user's group memberships may prove be prohibitively complex to script.

Suggestions:
1. Don't check, simply have the script fail if the user can't supply a password for sudo.

2. Explain you'll ask, give opportunity to continue or quit, then act as in suggestion 1.

3. Skip checking if

 [[ $(id -u) -eq 0 ]]

i.e. script is already running with root priviliges.
Then alter the error message to say:
"... must have sudo rights or be run with root priviliges".
Which should be enough clue to someone with undetected sudo rights to restart the script using sudo.

Horizon_Brave · 2016-08-26 22:08:17

Just so I have this right...you're saying if you explicitly have sudo rights to user Horizon_Brave in the /etc/sudoers.d/ file, and that same user tries to run the bl-welcome with the sudo command, it fails?

Bearded_Blunder · 2016-08-27 05:47:14

I'm saying, if a user has sudo rights granted to a group, such as "domain admins" from Active Directory, in the /etc/sudoers.d/domain_admins file, that user can use sudo for anything else, but bl-welcome aborts with a message saying it can only be run by someone with sudo rights.. which said domain admin does have, uses routinely, but fails the check for made by bl-welcome, which I presume checks the local sudoers group, where said domain admin is of course not listed. Even if that domain admin does

sudo bl-welcome

and supplies his password.

johnraff · 2016-08-27 05:53:46

The script should fail if run by root.

It's an interactive script, intended to be run by a normal user, and sudo permissions are granted as required, getting the user's password when needed. Running as root might cause all kinds of unexpected issues.

Last edited by johnraff (2016-08-27 05:54:47)

ohnonot · 2016-08-27 06:20:46

^ yes, that.

but how is it relevant if the sudo rights are defined in /etc/sudoers.d/* instead of /etc/sudoers?
i've never tried that myself, ever. but shoudn't sudo be happy once the user is added, no matter how?
or does bl-welcome parse /etc/sudoers directly?

johnraff · 2016-08-27 07:13:07

Ah, I see now, it's not about trying to run the script with sudo, it's about not being able to get sudo rights at the appropriate time.

bl-welcome goes through the normal system channels.
First this test:

if [[ ! $(groups) =~ ( |^)sudo( |$) ]]; then
    echo $"Error: Must be a member of the sudo group to run this script" >&2
    exit 1
fi

Then in the first page, "intro":

if sudo -v
then
    say 'Thank you.'
else
    errorExit 'You do not appear to have permission to use sudo,
which is needed in this script.
Please make the necessary adjustments to your system and try again.'
fi

@B_B what is the exact error message you get?

Bearded_Blunder · 2016-08-27 22:39:26

As requested, error:

beardy@domain.tld@bl-ad-test:~$ bl-welcome
beardy@domain.tld@bl-ad-test:~$ Error: Must be a member of the sudo group to run this script

beardy@domain.tld@bl-ad-test:~$ sudo -l
[sudo] password for beardy@domain.tld:
Matching Defaults entries for beardy@domain.tld on bl-ad-test:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User beardy@domain.tld may run the following commands on bl-ad-test:
    (ALL : ALL) ALL
beardy@domain.tld@bl-ad-test:~$

The sudo -v test during intro on the second page I'd pass., However, if I do:

 echo $(groups)

I get all my group memberships in Active Directory, every last one being of the style

group@domain.tld

or

group name@domain.tld

(yes many have spaces in).

suggestion wrote:

Could you perhaps do a check that
[[ $( id -u ) != 0 ]]
to check it's not running as root under sudo, or in an explicitly enabled root account, since you want it to fail then, perhaps with a message explaining why. Then move on to the test in intro? Worst I can see happening is the user can't supply a password, fails sudo -v, and the script exits...

Last edited by Bearded_Blunder (2016-08-28 00:01:54)

ohnonot · 2016-08-28 06:40:43

Bearded_Blunder wrote:

 echo $(groups)

why not

groups

???

johnraff · 2016-08-28 08:31:55

Yes I'm thinking that the later 'sudo -v' is already doing the necessary test of the user's sudo powers, making the check for the "sudo" group earlier unnecessary.

In fact this looks like the way to go:

Bearded_Blunder wrote:

Could you perhaps do a check that
[[ $( id -u ) != 0 ]]
to check it's not running as root under sudo, or in an explicitly enabled root account, since you want it to fail then, perhaps with a message explaining why. Then move on to the test in intro? Worst I can see happening is the user can't supply a password, fails sudo -v, and the script exits...

@BB perhaps you could just comment out the current groups test, and see if bl-welcome then runs sucessfully?

Head_on_a_Stick · 2016-08-28 10:58:40

^ Do we even need the check?

The root account is disabled in a stock BL system so if the script is run as root then `sudo` must have been invoked.

Bearded_Blunder · 2016-08-28 23:38:59

ohnonot wrote:

why not
groups
???

Because I've been busy doing stuff in scripts, and I'm used to DOS/Windows stuff.. and stupid... a rather classic "bearded blunder"

Head_on_a_Stick wrote:

^ Do we even need the check?

apparently we do, because:

johnraff wrote:

The script should fail if run by root.
It's an interactive script, intended to be run by a normal user, and sudo permissions are granted as required, getting the user's password when needed. Running as root might cause all kinds of unexpected issues.

and

 [[ $ ( id -u ) == 0 ]] [[ $ ( id -u ) != 0 ]]

will evaluate as true or false respectively if it's started by sudo or if someone enabled the root account.. or if someone installed the (bl-confgs?) package on a stock LXDE system and logged in as root to run it, the current groups check will fail for root if the account is enabled and he tries to run it, he's not in sudoers, because he doesn't need to be.

johnraff wrote:

@BB perhaps you could just comment out the current groups test, and see if bl-welcome then runs sucessfully?

I can when I can find it, only found the folder with the chunks it calls so far, and it's not called with the absolute path from openbox autostart..

earlier BB wrote:

<snip> ... and stupid...

Head_on_a_Stick · 2016-08-28 23:44:20

Bearded_Blunder wrote:

if someone enabled the root account.. or if someone installed the (bl-confgs?) package on a stock LXDE system and logged in as root to run it

LightDM does not allow a root login.

Anyway, this isn't really my department so I will stop adding noise.

Bearded_Blunder · 2016-08-29 00:27:59

Head_on_a_Stick wrote:

LightDM does not allow a root login.

On stock bunsen you are correct, in the current iteration of my AD test, which I haven't pounded on sufficiently to post about as solved, it does if you enable the account. That being one of the things I've tried to try to break what I did, I have multiple other ways to try to break it to do before I go public with a solution though. The reason (in bunsen) LightDM doesn't is that bl-user-setup exits with a status of 1 for *any* case where $HOME isn't /home/$USER, and for root $HOME is /root resulting in LightDM aborting the login. Comment out the user setup script from LightDM's config, and root can login after enabling the account, but adding "bunsenified" users is broken.

Anyhows, this is off-topic, so I should stop adding to the noise too.

johnraff · 2016-08-29 01:42:14

Bearded_Blunder wrote:

johnraff wrote:
@BB perhaps you could just comment out the current groups test, and see if bl-welcome then runs sucessfully?
I can when I can find it, only found the folder with the chunks it calls so far, and it's not called with the absolute path from openbox autostart..

BL's executable files that are intended to be run by a user are installed in /usr/bin. Because that directory is in PATH, they can be invoked without using the full path. You can always find the location of executables in PATH (they might be in /usr/sbin...) with

which commandname

which in this case will reveal /usr/bin/bl-welcome.

The test to comment out is on lines 112~115.

Bearded_Blunder · 2016-08-29 21:33:50

Yes that cures it for domain admins, who have sudo for non-admins the please enter your password for sudo, flashes up, vanishes, and it moves on to try doing things for which they don't have rights, and of course fails.

If you want to try some testing for yourself, without the pain of setting up AD the steps would be:

1 Create a standard user without sudo rights who is a member of a new group "testgroup"

2 Issue:

echo "%testgroup ALL=(ALL:ALL) ALL" | sudo tee -a /etc/sudoers.d/testgroup

Don't typo with that one, else you lose your own sudo rights, have to boot into recovery mode and delete the file /etc/sudoers.d/testgroup to get them back. Ask me how I know :8

3 Login as the new user.

He will have sudo rights, but unedited bl-welcome fails outright.

With the suggested section disabled, it never seems to do the

sudo -v

check, and moves along to do things requiring sudo, which of course fails.

Last edited by Bearded_Blunder (2016-08-29 23:09:04)

johnraff · 2016-08-30 02:11:35

Bearded_Blunder wrote:

for non-admins the please enter your password for sudo, flashes up, vanishes...

This seems very strange. In a terminal, things don't flash up and vanish.

With the suggested section disabled, it never seems to do the
sudo -v
check, and moves along to do things requiring sudo, which of course fails.

Likewise, I find this hard to understand. The sudo -v command is there. If it's not too much trouble, could you try running the script as 'bash -x bl-welcome'?

This will output a lot of irrelevant stuff, but if you could scroll back to the section around the sudo -v command it might show what's wrong.

Bearded_Blunder · 2016-09-01 05:51:13

The issue is, that for plain users (no sudo), sudo -v simply returns, no password prompt, and the script continues, so I went visiting the manpage for sudo to find an answer, sometimes manpages are useful in my quick tests, with this check commented out:

if [[ ! $(groups) =~ ( |^)sudo( |$) ]]; then
    echo $"Error: Must be a member of the sudo group to run this script" >&2
    exit 1
fi

and:

if sudo -v
then
    say 'Thank you.'
else
    errorExit 'You do not appear to have permission to use sudo,
which is needed in this script.
Please make the necessary adjustments to your system and try again.'
fi

edited to:

if [[ $(sudo -l /usr/bin/sudo | grep /usr/bin/sudo) ]]

Everything works as expected, if a user supplies their logon password once, or 3 incorrect ones, they get the 'You do not appear to have permission...' mesage, they can ctrl+c out at the password prompt, and everything appears fine fine.

For users with sudo rights, regardless if granted from membership of the sudo group or /etc/sudoers.d/* entries, that check returns true and the script continues.

point-of-netiquette wrote:

If this was a help thread I'd mark it [SOLVED] however, being bug reports, it's for Dev's to mark [FIXED], [WONT_FIX] or [OTHER] assuming they like the proposed fix... (don't want @HoaS on my case again).

xaos52 · 2016-09-01 09:57:06

@B-B,
As root, edit /usr/bin/bl-welcome:
comment out the 4 lines as indicated below:

createFlag 'bl-welcome'
For a quick workaround comment out the 4 lines as indicated below:

# if [[ ! $(groups) =~ ( |^)sudo( |$) ]]; then
#     echo $"Error: Must be a member of the sudo group to run this script" >&2
#     exit 1
# fi

# Run through steps
STEP=1

Looks like this is all that needs to be changed when running in a AD environment.
I have tested this using a dummy user, adding that user to the testgroup and allowing testgroup to run sudo.
bl-welcome then ran OK.

@johnraff,
The test as it is now will always fail when using AD, because AD activates its own 'group' mechanism.
Perhaps you can change the code and only do the test when AD is not used -
test output of 'groups' for presence of '.tld' to determine if AD is used.

Bearded_Blunder · 2016-09-02 00:01:45

xaos52 wrote:

@johnraff,
The test as it is now will always fail when using AD, because AD activates its own 'group' mechanism.
Perhaps you can change the code and only do the test when AD is not used -
test output of 'groups' for presence of '.tld' to determine if AD is used.

beter check might be the presence of "@" since .tld could be .com .net .local .random, but group names are in the format group@domain.suffix I'm not sure that checking groups is needed at all to be honest.

 sudo -l /usr/bin/sudo

will work standalone as the test, as it returns nothing and sets error for users who can't use the command specified after the -l switch (absolute path required), and returns the path to that command for those allowed to use it.

johnraff · 2016-09-02 06:22:05

xaos52 wrote:

@johnraff,
The test as it is now will always fail when using AD, because AD activates its own 'group' mechanism.
Perhaps you can change the code and only do the test when AD is not used -
test output of 'groups' for presence of '.tld' to determine if AD is used.

johnraff wrote:

Yes I'm thinking that the later 'sudo -v' is already doing the necessary test of the user's sudo powers, making the check for the "sudo" group earlier unnecessary.

Bearded_Blunder wrote:

The issue is, that for plain users (no sudo), sudo -v simply returns, no password prompt, and the script continues...

Bearded_Blunder wrote:

 sudo -l /usr/bin/sudo 
will work standalone as the test, as it returns nothing...

Stop right there. @B_B What version of sudo are you using? On my system, 'sudo -v' returns failure if ran by a user without sudo permissions, and 'sudo -l /usr/bin/sudo' returns "/usr/bin/sudo", as 'man sudo' confirms.

johnraff wrote:

B_B wrote:
...it never seems to do the
sudo -v
check, and moves along to do things requiring sudo, which of course fails.
...I find this hard to understand. The sudo -v command is there. If it's not too much trouble, could you try running the script as 'bash -x bl-welcome'?
This will output a lot of irrelevant stuff, but if you could scroll back to the section around the sudo -v command it might show what's wrong.

point-of-netiquette wrote:

If this was a help thread I'd mark it [SOLVED] however, being bug reports, it's for Dev's to mark [FIXED], [WONT_FIX] or [OTHER] assuming they like the proposed fix...

Quite correct. It's not fixed yet.

We have already agreed, I think, that the user groups test is unnecessary, and should perhaps be replaced by a simple check that the current user is not root.

Why 'sudo -v' does not work as a check for B_B remains mysterious.

#1 2016-08-26 21:42:27

bl-welcome fails if sudo rights are granted by /etc/suoders.d/ entries

#2 2016-08-26 22:08:17

Re: bl-welcome fails if sudo rights are granted by /etc/suoders.d/ entries

#3 2016-08-27 05:47:14

Re: bl-welcome fails if sudo rights are granted by /etc/suoders.d/ entries

#4 2016-08-27 05:53:46

Re: bl-welcome fails if sudo rights are granted by /etc/suoders.d/ entries

#5 2016-08-27 06:20:46

Re: bl-welcome fails if sudo rights are granted by /etc/suoders.d/ entries

#6 2016-08-27 07:13:07

Re: bl-welcome fails if sudo rights are granted by /etc/suoders.d/ entries

#7 2016-08-27 22:39:26

Re: bl-welcome fails if sudo rights are granted by /etc/suoders.d/ entries

#8 2016-08-28 06:40:43

Re: bl-welcome fails if sudo rights are granted by /etc/suoders.d/ entries

#9 2016-08-28 08:31:55

Re: bl-welcome fails if sudo rights are granted by /etc/suoders.d/ entries

#10 2016-08-28 10:58:40

Re: bl-welcome fails if sudo rights are granted by /etc/suoders.d/ entries

#11 2016-08-28 23:38:59

Re: bl-welcome fails if sudo rights are granted by /etc/suoders.d/ entries

#12 2016-08-28 23:44:20

Re: bl-welcome fails if sudo rights are granted by /etc/suoders.d/ entries

#13 2016-08-29 00:27:59

Re: bl-welcome fails if sudo rights are granted by /etc/suoders.d/ entries

#14 2016-08-29 01:42:14

Re: bl-welcome fails if sudo rights are granted by /etc/suoders.d/ entries

#15 2016-08-29 21:33:50

Re: bl-welcome fails if sudo rights are granted by /etc/suoders.d/ entries

#16 2016-08-30 02:11:35

Re: bl-welcome fails if sudo rights are granted by /etc/suoders.d/ entries

#17 2016-09-01 05:51:13

Re: bl-welcome fails if sudo rights are granted by /etc/suoders.d/ entries

#18 2016-09-01 09:57:06

Re: bl-welcome fails if sudo rights are granted by /etc/suoders.d/ entries

#19 2016-09-02 00:01:45

Re: bl-welcome fails if sudo rights are granted by /etc/suoders.d/ entries

#20 2016-09-02 06:22:05

Re: bl-welcome fails if sudo rights are granted by /etc/suoders.d/ entries

Board footer