
Author Topic: sudoers - remove entry for user "tc"  (Read 5019 times)

Offline Alatun

  • Newbie
  • *
  • Posts: 41
sudoers - remove entry for user "tc"
« on: September 02, 2015, 05:51:54 AM »
To bring some security to my rdesktop system I added a password for root and removed the line for user "tc" from the sudoers file.
tc has no password and if it is present in the sudoers file a root password won't bring any security.

But this causes problems:
When user tc is logged in automatically, a password prompt appears. -> The .profile script uses sudo and relies on the current user being in sudoers with the NOPASSWD option. That looks a bit strange to me.

When I hit enter (tc has no password) -> "segmentation fault". Seems the version of sudo in busybox has a serious issue here.

Currently I only see that "tee" is being used with sudo. Does anybody know if other commands are being used with sudo during the startup process?


Offline Alatun

  • Newbie
  • *
  • Posts: 41
Re: sudoers - remove entry for user "tc"
« Reply #1 on: September 02, 2015, 09:00:20 AM »
I did some trial and error to restrict the rights of user "tc" in the sudoers file.

But this causes a lot of strange problems. The worst problem in my case: the system no longer starts the X server. The reason for this could be that the extensions are no longer loaded. (I don't see any mounts to squashfs).

I tried this as a config line in sudoers:
Code:
tc     ALL = NOPASSWD: /usr/bin/tee, /usr/mount, /sbin/poweroff, /sbin/reboot

poweroff and reboot are required for "exittc". tee is used by the ".profile" script. mount was a guess, because the squash mounts are missing now.

This leaves me in an uncomfortable situation: I cannot restrict rights for user "tc" in sudoers and cannot ensure that users cannot get to the linux console.

Offline gerald_clark

  • TinyCore Moderator
  • Hero Member
  • *****
  • Posts: 4254
Re: sudoers - remove entry for user "tc"
« Reply #2 on: September 02, 2015, 09:38:10 AM »
To prevent an escape to the shell,
add 2 lines to tc's .profile so that at the end it reads:

TERMTYPE=`/usr/bin/tty`
while true ; do
[ ${TERMTYPE:5:3} == "tty" ] && (
[ ! -f /etc/sysconfig/Xserver ] ||
[ -f /etc/sysconfig/text ] ||
[ -e /tmp/.X11-unix/X0 ] ||
startx
)
done

Offline curaga

  • Administrator
  • Hero Member
  • *****
  • Posts: 10961
Re: sudoers - remove entry for user "tc"
« Reply #3 on: September 03, 2015, 01:09:10 AM »
There is no complete list, but a recursive grep should give an answer.

If you don't mean to load extensions or do other system tasks after boot, how about leaving tc with normal sudo access (but with a password), and using a different user for the autologin?
The only barriers that can stop you are the ones you create yourself.
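
Added example, not part of the original post: one way to run the recursive grep suggested in Reply #3 and reduce the hits to the distinct commands invoked through sudo, which is the list a restricted sudoers entry would have to cover. The function names and the sample files are constructed for illustration; point `list_sudo_cmds` at the real startup script locations on the system being audited.

```shell
#!/bin/sh
# list_sudo_cmds PATH...: print, sorted and de-duplicated, the first word
# that follows each "sudo" in the files under PATH (hypothetical helper).
# Limits: commands built from variables and sudo options other than -u/-g
# that take an argument are not resolved.
list_sudo_cmds() {
    grep -rhw -- 'sudo' "$@" 2>/dev/null | awk '
        /^[ \t]*#/ { next }                    # ignore whole-line comments
        {
            gsub(/[;|&()`]/, " ")              # treat shell separators as blanks
            n = split($0, tok, /[ \t]+/)
            for (i = 1; i < n; i++) {
                if (tok[i] != "sudo" && tok[i] !~ /\/sudo$/) continue
                j = i + 1
                while (j <= n && tok[j] ~ /^-/) {   # skip sudo options
                    if (tok[j] ~ /^-[ug]$/) j++     # -u and -g take an argument
                    j++
                }
                if (j <= n && tok[j] != "") print tok[j]
            }
        }' | LC_ALL=C sort -u
}

# make_sample_tree: build constructed startup files (not the real Tiny Core
# scripts) in a temporary directory and print that directory's path.
make_sample_tree() {
    d=$(mktemp -d) || return 1
    cat > "$d/.profile" <<'EOF'
# sudo in a comment must not be counted
echo "$USER" | sudo tee /tmp/example.out >/dev/null
[ -f /tmp/flag ] && sudo -u root /sbin/reboot
EOF
    cat > "$d/bootlocal.sh" <<'EOF'
#!/bin/sh
sudo mount /dev/sda1 /mnt/sda1; sudo tee /tmp/log </dev/null
grep tc /etc/sudoers
EOF
    echo "$d"
}

# Stand-alone run: audit the constructed tree, then clean up.
tree=$(make_sample_tree) && list_sudo_cmds "$tree" && rm -rf "$tree"
```
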

Offline Alatun

  • Newbie
  • *
  • Posts: 41
Re: sudoers - remove entry for user "tc"
« Reply #4 on: September 03, 2015, 03:06:43 AM »
Again thanks for your proposals.

I will try what I can do until our system goes live.

Offline Zendrael

  • Sr. Member
  • ****
  • Posts: 362
    • Zendrael's home of projects
Re: sudoers - remove entry for user "tc"
« Reply #5 on: September 03, 2015, 11:06:06 AM »
Hi Curaga!

Which problems can occur if a new user is created (with the same .profile as tc) and user tc is completely removed?

Offline gerald_clark

  • TinyCore Moderator
  • Hero Member
  • *****
  • Posts: 4254
Re: sudoers - remove entry for user "tc"
« Reply #6 on: September 03, 2015, 11:46:37 AM »
What would that accomplish?

Offline Zendrael

  • Sr. Member
  • ****
  • Posts: 362
    • Zendrael's home of projects
Re: sudoers - remove entry for user "tc"
« Reply #7 on: September 03, 2015, 11:52:00 AM »
That's the question! Will it bring any kind of problems to the system?

Offline Rich

  • Administrator
  • Hero Member
  • *****
  • Posts: 11220
Re: sudoers - remove entry for user "tc"
« Reply #8 on: September 03, 2015, 12:13:35 PM »
Hi Zendrael
Actually, I believe gerald_clark asked you the opposite question, i.e. what do you think you will gain by doing that?

Offline Zendrael

  • Sr. Member
  • ****
  • Posts: 362
    • Zendrael's home of projects
Re: sudoers - remove entry for user "tc"
« Reply #9 on: September 03, 2015, 12:22:58 PM »
Hi Rich!

I was thinking on the side of this post, by removing tc from sudoers and removing the user from the system.

With a new user, not part of the sudoers, but with the same .profile, it will be able to start X and do all the stuff that tc does (minus the stuff which requires sudo)?

Offline gerald_clark

  • TinyCore Moderator
  • Hero Member
  • *****
  • Posts: 4254
Re: sudoers - remove entry for user "tc"
« Reply #10 on: September 03, 2015, 12:55:35 PM »
tc is just the default user.
The USER= boot code just changes the name of the user.  Everything works the same.

Changing the name of the user ( or using another user with same configuration as tc ) really accomplishes nothing since the user is normally autologin.
If you don't want autologin, use the noautologin boot code.
If you don't want sudo privileges for tc, rewrite /etc/sudoers in bootlocal.sh.

Offline Zendrael

  • Sr. Member
  • ****
  • Posts: 362
    • Zendrael's home of projects
Re: sudoers - remove entry for user "tc"
« Reply #11 on: September 03, 2015, 01:01:08 PM »
Ok Mr. Gerald_Clark!

Thanks!