Tiny Core Base > TCB Q&A Forum
[Solved] Autologin with sudo asking for password
igor.kattar:
mv and tee with passwordless root permissions wouldn't be a good idea, students could move and create code in unpredictable locations, it wouldn't cost much to run something as superuser. :-\
gadget42:
--- Quote from: igor.kattar on June 20, 2025, 10:28:44 PM ---...
The goal is to make the image available via PXE to students but not allow them to install programs and interfere with the computers' disks (installing parted, mounting disks, etc).
--- End quote ---
perhaps searching the forum for "Kiosk Mode" might provide some additional insight?
here is a random sample:
https://forum.tinycorelinux.net/index.php/topic,26764.msg172657.html#msg172657
Rich:
Hi igor.kattar
Another idea. You have 2 files in /etc/, sudoers and sudoerslocked.
sudoers is the original file, sudoerslocked is your modified version.
After ~/.profile runs:
--- Code: ---sudo cp /etc/sudoerslocked /etc/sudoers
--- End code ---
igor.kattar:
--- Quote from: gadget42 on June 21, 2025, 04:47:35 AM ---
--- Quote from: igor.kattar on June 20, 2025, 10:28:44 PM ---...
The goal is to make the image available via PXE to students but not allow them to install programs and interfere with the computers' disks (installing parted, mounting disks, etc).
--- End quote ---
perhaps searching the forum for "Kiosk Mode" might provide some additional insight?
here is a random sample:
https://forum.tinycorelinux.net/index.php/topic,26764.msg172657.html#msg172657
--- End quote ---
That Kiosk approach wouldnt block student access through tty1 nor user shell, they could still use a passwordless sudo.
--- Quote from: Rich on June 21, 2025, 08:38:40 AM ---Hi igor.kattar
Another idea. You have 2 files in /etc/, sudoers and sudoerslocked.
sudoers is the original file, sudoerslocked is your modified version.
After ~/.profile runs:
--- Code: ---sudo cp /etc/sudoerslocked /etc/sudoers
--- End code ---
--- End quote ---
This idea, I guess, hit the spot, this is how I executed it (there must be a more sophisticated way)
At the end of ~/.profile I replaced the tc permissions:
--- Code: ---...
startx
)
sudo sed -i '/^tc/d;/^root.*$/atc ALL=(ALL) ALL\ntc ALL=(ALL) NOPASSWD: \/sbin\/reboot,\/sbin\/halt,\/sbin\/poweroff' /etc/sudoers
--- End code ---
Maintain the /etc/sudoers file with the lines:
--- Code: ---...
root ALL=(ALL) ALL
tc ALL=(ALL) NOPASSWD: ALL
--- End code ---
Keeping some files and directories in /opt/.filetool.lst file
--- Code: ---opt
home
etc/shadow
etc/gshadow
etc/group
etc/passwd
etc/sudoers
root
--- End code ---
Protecting that file
--- Code: ---chown root:root /opt/.filetool.lst
--- End code ---
And protecting the root home
--- Code: ---chown -R root:root /root
chmod 0700 /root
--- End code ---
Finaly backing up with:
--- Code: ---sudo filetool.sh -b
--- End code ---
After a reboot the user autologin normally, can only execute reboot, halt and poweroff with passwordless sudo.
Nice!
Just have to remember to change the /etc/sudoers lines back to:
--- Code: ---...
root ALL=(ALL) ALL
tc ALL=(ALL) NOPASSWD: ALL
--- End code ---
, before running the filetool.sh tool again, but this is another story.
Thank you very much Rich and gadget42. I guess a more protected kiosk would benefit from these ideas.
* I can't find where to mark this post is solved or where could I change the topic name but it is solved.
Rich:
Hi igor.kattar
--- Quote from: igor.kattar on June 21, 2025, 02:33:13 PM --- ... this is how I executed it (there must be a more sophisticated way) ...
--- End quote ---
That's one of the nice things about linux. There's more than one way
to solve a problem.
--- Quote --- ... * I can't find where to mark this post is solved or where could I change the topic name but it is solved.
--- End quote ---
You have to ask me to do that. After 30 minutes, users can not edit their post.
Navigation
[0] Message Index
[*] Previous page
Go to full version