WelcomeWelcome | FAQFAQ | DownloadsDownloads | WikiWiki

Author Topic: new users prevented to login because of sudo in ~/.profile  (Read 3525 times)

Offline cosmin_ap

  • Newbie
  • *
  • Posts: 48
~/.profile tries to do a sudo when logging in; but new users can't sudo since there's no root password. this means that adding new users at boot time with adduser will make them unable to login.

btw, is this the right way to make new users or is it better to have your own passwd/shadow/group copied over in /etc? I imagine there are other programs that mess with users and groups at load time in their tce.installed script so I'd rather not copy my own version of these files and issue adduser/addgroup commands in bootsync.sh instead.


Offline maro

  • Hero Member
  • *****
  • Posts: 1228
Re: new users prevented to login because of sudo in ~/.profile
« Reply #1 on: May 09, 2011, 07:44:53 PM »
I'm not sure if I understand your problem: If I use the boot code 'user=try' an additional user (i.e. 'try') will be created (i.e. some additional entries in files like '/etc/passwd', and '/etc/shadow' with a default password of 'tcuser' will be created). As this new user has also been added to '/etc/sudoers' there should not be a problem with executing 'sudo COMMAND' as this new user.

If you want to ensure that those changes to the '/etc/...' files are "surviving" the next re-boot you'll have to include the relevant files to the backup "whitelist" (e.g. via for FILE in group gshadow passwd shadow sudoers ; do echo "etc/${FILE}" >> /opt/.filetool.lst ; done). It would probably be a good idea to ensure that a backup is been performed (e.g. via filetool.sh -b).

Otherwise you could try to continue to use the 'user=...' boot code, but I'm not sure what side effects that might have with repeated use.

Offline Guy

  • Hero Member
  • *****
  • Posts: 1089
Re: new users prevented to login because of sudo in ~/.profile
« Reply #2 on: May 09, 2011, 10:27:42 PM »
I have experienced a similar thing.

Include "user=name" in bootloader.

Use this method to save passwords

Quote
sudo cp /etc/shadow /opt/shadow

Add the following to /opt/bootsync.sh

sudo mv /etc/shadow /etc/shadow_old
sudo cp /opt/shadow /etc/shadow

But also add group, gshadow, passwd and sudoers, using the same method.

Restart the computer.

The user can't log in.

It requires a password (without using noautologin), and it seems it is not the password in /etc/shadow.

If someone knows how to overcome this, let us know.

This may be a bug in the base, and need modifications.
Many people see what is. Some people see what can be, and make a difference.

Offline cosmin_ap

  • Newbie
  • *
  • Posts: 48
Re: new users prevented to login because of sudo in ~/.profile
« Reply #3 on: May 10, 2011, 03:02:47 AM »
I'm not sure if I understand your problem: If I use the boot code 'user=try' an additional user (i.e. 'try') will be created (i.e. some additional entries in files like '/etc/passwd', and '/etc/shadow' with a default password of 'tcuser' will be created). As this new user has also been added to '/etc/sudoers' there should not be a problem with executing 'sudo COMMAND' as this new user.

Sorry I wasn't very clear. The user= bootcode works because it uses addUser() from tc-config. But I'm talking of adding a new user with adduser user, which copies /etc/skel in /home/user. The /etc/skel/.profile contains a sudo which makes the new user unable to login because there's no root password by default. Of course there are tricks to do at boot time to prevent this, like echo "user ALL=NOPASSWD: ALL" >> /etc/sudoers", but I think the adduser command is intended to provide you a loggable user by default, and that sudo prevents it.


Offline curaga

  • Administrator
  • Hero Member
  • *****
  • Posts: 11044
Re: new users prevented to login because of sudo in ~/.profile
« Reply #4 on: May 10, 2011, 04:41:32 AM »
Good point. Many local users isn't a supported scenario currently, but this appears to break ssh too. Since only the local user should be allowed to control backup, try the attached patch.
The only barriers that can stop you are the ones you create yourself.

Offline Guy

  • Hero Member
  • *****
  • Posts: 1089
Re: new users prevented to login because of sudo in ~/.profile
« Reply #5 on: May 10, 2011, 04:52:05 AM »
I think in the long term, Tiny Core should be designed to support several users.
Many people see what is. Some people see what can be, and make a difference.

Offline curaga

  • Administrator
  • Hero Member
  • *****
  • Posts: 11044
Re: new users prevented to login because of sudo in ~/.profile
« Reply #6 on: May 10, 2011, 04:55:48 AM »
From a scenario of one admin and several users without app install privileges, we aren't far currently.
The only barriers that can stop you are the ones you create yourself.

Offline SamK

  • Hero Member
  • *****
  • Posts: 713
Re: new users prevented to login because of sudo in ~/.profile
« Reply #7 on: May 10, 2011, 05:26:27 AM »
I think in the long term, Tiny Core should be designed to support several users.
+1   (hopefully not too long term)
   

Offline ToasterKing

  • Newbie
  • *
  • Posts: 14
Re: new users prevented to login because of sudo in ~/.profile
« Reply #8 on: June 16, 2011, 06:39:26 PM »
If you want to keep backups working so that files in the user's home directory are picked up you may find this alternate /etc/sudoers file useful.  It allows the user tking to log in without errors, run backups, and launch the GUI.

Quote
root    ALL=(ALL) ALL
tc      ALL=NOPASSWD: ALL
Cmnd_Alias BACKUP = /usr/bin/tee, /usr/bin/bcrypt, /bin/umount \
                    /bin/mount, /bin/mv, /bin/touch, \
                    /bin/rm -f /tmp/backup_status, /bin/busybox tar *, \
                    /bin/busybox ls *

Cmnd_Alias WBAR   = /bin/cp /usr/share/wbar/dot.wbar /usr/local/tce.icons, \
                    /bin/chown root.staff /usr/local/tce.icons, \
                    /bin/chmod g+w /usr/local/tce.icons, \
                    /usr/bin/flwm_topside_initmenu, \
                    /bin/rm -rf /usr/local/tce.icons, \
                    /bin/kill


tking    ALL=NOPASSWD: BACKUP, WBAR


tking still has more privileges through the GUI than are absolutely necessary, and I don't like the bare /bin/mv or /bin/kill but this works for me.  At least in 3.6, I haven't tried it with 3.7 yet.