[Solved] Autologin with sudo asking for password

[igor.kattar]

How can I autologin with a user that asks for sudo password?

I set the passwords for tc and root users, then changed sudoers with

Code: [Select]

sudo visudo
If in the /etc/sudoers file I have:

Code: [Select]

root ALL=(ALL) ALL
tc ALL=(ALL) ALL
tc ALL=(ALL) NOPASSWD: /sbin/reboot,/sbin/poweroff,/sbin/halt
I cannot autologin anymore (I have to supply the password multiple times)

If I have the standard:

Code: [Select]

root ALL=(ALL) ALL
tc ALL=(ALL) NOPASSWD: ALL
I can autologin.

In the /opt/.filetool.lst file I have

Code: [Select]

opt
home
etc/shadow
etc/passwd
etc/sudoers
every change I run

Code: [Select]

sudo filetool.sh -b and since its a VM for tests, I have snapshots too.

It is a x86_64 machine with the 16.1 version of TinyCorePure64.

The goal is to make the image available via PXE to students but not allow them to install programs and interfere with the computers' disks (installing parted, mounting disks, etc).

[Rich]

Hi igor.kattar
Welcome to the forum.

If I understand the issue, what happens if you add login and autologin to NOPASSWD:

Code: [Select]

tc ALL=(ALL) NOPASSWD: /sbin/reboot,/sbin/poweroff,/sbin/halt,/sbin/autologin,/bin/login

[igor.kattar]

I still have to supply the password.

With the lines in /etc/sudoers:

Code: [Select]

tc    ALL=(ALL) ALL
tc    ALL=(ALL) NOPASSWD: /sbin/reboot,/sbin/poweroff,/sbin/halt,/sbin/autologin,/bin/loginAfter forcing the login, holding <enter>, the output of

Code: [Select]

sudo ps auxw is (notice the 3766 and 3786 PIDs)

Code: [Select]

...
  329 root     [kworker/R-ext4-]
 3090 root     /sbin/udevd --daemon
 3195 tc     -sh
 3213 root     /sbin/udhcpc -b -i eth0 -x hostname:box -p /var/run/udhcpc.eth0.pid
 3718 root     /usr/local/lib/xorg/Xorg -nolisten tcp
 3720 root     /sbin/udevd --daemon
 3724 tc     flwm_topside
 3746 tc     aterm
 3747 tc     sh
 3766 tc     {wbar.sh} /bin/sh /usr/local/bin/wbar.sh
 3786 root     sudo mv /tmp/work3766 /usr/local/tce.icons
 3788 tc     wbar
 3801 tc     aterm
 3802 tc     sh
 3829 tc     -sh
 3859 root     ps auxw
With the line:

Code: [Select]

tc   ALL=(ALL) NOPASSWD: ALLAfter the autologin the output of

Code: [Select]

sudo ps auxw is

Code: [Select]

...
  432 root     [kworker/1:2-mm_]
 3134 root     /sbin/udevd --daemon
 3135 root     /sbin/udevd --daemon
 3236 tc     -sh
 3412 root     /sbin/udhcpc -b -i eth0 -x hostname:box -p /var/run/udhcpc.eth0.pid
 3794 root     /usr/local/lib/xorg/Xorg -nolisten tcp
 3799 tc     flwm_topside
 3848 tc     wbar
 3862 tc     aterm
 3863 tc     sh
 3883 tc     -sh
 3913 root     ps auxw

[Rich]

Hi igor.kattar
Maybe add  /bin/mv  to the list?

[Rich]

Hi igor.kattar
Another potential sudo issue:

Code: [Select]

tc@E310:~$ grep sudo .profile
[ "`id -un`" = "`cat /etc/sysconfig/tcuser`" ] && echo "$BACKUP" | sudo tee /etc/sysconfig/backup >/dev/null 2>&1You might need to add  tee  to the list.

[igor.kattar]

mv and tee with passwordless root permissions wouldn't be a good idea, students could move and create code in unpredictable locations, it wouldn't cost much to run something as superuser. 

[gadget42]

...
The goal is to make the image available via PXE to students but not allow them to install programs and interfere with the computers' disks (installing parted, mounting disks, etc).

perhaps searching the forum for "Kiosk Mode" might provide some additional insight?

here is a random sample:
https://forum.tinycorelinux.net/index.php/topic,26764.msg172657.html#msg172657

[Rich]

Hi igor.kattar
Another idea. You have 2 files in /etc/,  sudoers  and  sudoerslocked.
sudoers is the original file, sudoerslocked is your modified version.
After ~/.profile runs:

Code: [Select]

sudo cp /etc/sudoerslocked /etc/sudoers

[igor.kattar]

...
The goal is to make the image available via PXE to students but not allow them to install programs and interfere with the computers' disks (installing parted, mounting disks, etc).

perhaps searching the forum for "Kiosk Mode" might provide some additional insight?

here is a random sample:
https://forum.tinycorelinux.net/index.php/topic,26764.msg172657.html#msg172657

That Kiosk approach wouldnt block student access through tty1 nor user shell, they could still use a passwordless sudo.

Hi igor.kattar
Another idea. You have 2 files in /etc/,  sudoers  and  sudoerslocked.
sudoers is the original file, sudoerslocked is your modified version.
After ~/.profile runs:

Code: [Select]

sudo cp /etc/sudoerslocked /etc/sudoers

This idea, I guess, hit the spot, this is how I executed it (there must be a more sophisticated way)

At the end of ~/.profile I replaced the tc permissions:

Code: [Select]

...
startx
)
sudo sed -i '/^tc/d;/^root.*$/atc ALL=(ALL) ALL\ntc ALL=(ALL) NOPASSWD: \/sbin\/reboot,\/sbin\/halt,\/sbin\/poweroff' /etc/sudoers
Maintain the /etc/sudoers file with the lines:

Code: [Select]

...
root ALL=(ALL) ALL
tc ALL=(ALL) NOPASSWD: ALL
Keeping some files and directories in /opt/.filetool.lst file

Code: [Select]

opt
home
etc/shadow
etc/gshadow
etc/group
etc/passwd
etc/sudoers
root
Protecting that file

Code: [Select]

chown root:root /opt/.filetool.lstAnd protecting the root home

Code: [Select]

chown -R root:root /root
chmod 0700 /root
Finaly backing up with:

Code: [Select]

sudo filetool.sh -b
After a reboot the user autologin normally, can only execute reboot, halt and poweroff with passwordless sudo.
Nice!

Just have to remember to change the /etc/sudoers lines back to:

Code: [Select]

...
root ALL=(ALL) ALL
tc ALL=(ALL) NOPASSWD: ALL, before running the filetool.sh tool again, but this is another story.

Thank you very much Rich and gadget42. I guess a more protected kiosk would benefit from these ideas.

* I can't find where to mark this post is solved or where could I change the topic name but it is solved.

[Rich]

Hi igor.kattar

... this is how I executed it (there must be a more sophisticated way) ...

That's one of the nice things about linux. There's more than one way
to solve a problem.

... * I can't find where to mark this post is solved or where could I change the topic name but it is solved.

You have to ask me to do that. After 30 minutes, users can not edit their post.