sudo and tce-load

[nomer]

May I ask why the tce-* commands (i.e. tce-load, tce-run, ....) can't be run as root?
This seems like it is/was a fairly conscious decision.
When running with the default setup this isn't really a problem, but it is a problem if you want to restrict yourself (or another user) slightly.

I can replace

tc     ALL=NOPASSWD: ALL

with

tc    ALL=ALL

in /etc/sudoers.
This will require the user "tc" to enter a password before executing a program as root.
This makes the originally mentioned scripts nearly impossible to use.
Running:

sudo tce-run <my_app>

will result in:

don't run this as root

And if I do

tce-run <my_app>

I have to enter the password over and over and over and over.......

Actually, the script I'm really concerned about is tce-load.
I suppose that I could comment out line 27 in it and the remove every occurrence of "sudo".
Is this a bad idea?   

P.S. I'm running tinycore 4.1

[maro]

Just voicing my personal opinion here, but if 'root' would be allowed to execute 'tce-load' chances are that ownership of files and directories would be changed in such a way that subsequently using 'tce-load' as a "non-root' user would become impossible. Sure, one could try to catch all those cases with a lot of "if-then-else", but I tend to agree that disallowing 'root' to "mess things up" is a more pragmatic solution (in particular as 'root' could always use 'sudo -u tc tce-load ..." as a work-around).

OTOH, I don't think that this addresses the situation that you've got yourself into be changing '/etc/sudoers'. I guess what you would need is a mechanism that the likes of Ubuntu (and "friends") are using, where you have to enter the user password once for a 'sudo' command and it remains valid for a while (e.g. 15 minutes). Unfortunately I've never looked into the details how they achieve it, in particular as I considered it rather comical that one has to enter the user password (and not a proper 'root' password) to gain 'sudo' rights.

[nomer]

Ahha! Your paragraph offering the possible reasoning behind the system does make sense.

Now that you mention it, I do recall hearing something about the password entered being "cached". I'll look into figuring out how to make that work.

As to entering one's own password for sudo vs. entering the root password, by adding this line to /etc/sudoers

Defaults rootpw

you can make users enter the root password.

[nomer]

Hmmm..... It appears that password "caching" isn't working.
I believe that I have some idea of what the problem is. When I run the sudo command with a user that requires a password, it prints this error before prompting me for the password:

sudo: can't mkdir : No such file or directory

It does this with every command. (e.g. "sudo whoami")

Does anyone know how to make sudo remember when a user last used sudo?
While this won't solve the root of my problem, it would still be of some help.

[curaga]

Can't reproduce. Started TC 4.4, edited sudoers to require password for user tc, "sudo whoami" works fine, and the normal 5-minute caching works.

[nomer]

@ curaga
 Well, what do you know?! I downloaded TinyCore-current.iso (version 4.4) and started it up in a virtual machine.
 Everything related to sudo worked as correctly.
 I'll give updating my "real" system a try, which I think should fix the problem of being asked for the password every time.

Thanks,
Nomer

[nomer]

Yep, Upgrading my install to 4.4 solved the problem with sudo's time stamps not being created.
This will be a temporary fix for my problems.
What I want to do is make so that an otherwise restricted user can load extensions without a password.

If "/usr/bin/tce-load -i" could be run as root, it would be as simple as editing /etc/sudoer to allow that. With the current state of affairs I'm going to have to allow several commands (e.g. mkdir, mount, touch) to be run by the restricted users.

Thanks for the help,
Nomer