Tiny Core Linux
		Tiny Core Base => TCB Talk => Topic started by: Alatun on September 02, 2015, 08:51:54 AM
		
			
			- 
				To bring some security to my rdesktop system I added a password for root and removed the line for user "tc" from the sudoers file.
 tc has no password and if it is present in the sudoers file a root password won't bring any security.
 
 But this causes problems:
 When user tc is being logged in automatically, a password prompt appears. -> .profile script uses sudo and relies on the current user being in sudoers with option NOPASSWD. Looks a bit strange to me.
 
 When I hit enter (tc has no password) -> "segmentation fault". Seems the version of sudo in busybox has a serious issue here.
 
 Currently I only see that "tee" is being used with sudo. Does anybody know, if other commands are being used with sudo during the startup process?
 
 
- 
				I did some trial and error to restrict the rights of user "tc" in the sudoers file.
 
 But this causes a lot of strange problems. The worst problem in my case: the system no longer starts the X server. The reason for this could be that the extensions are no longer loaded. (I don't see any mounts to squashfs).
 
 I tried this as a config line in sudoers:
 tc     ALL = NOPASSWD: /usr/bin/tee, /usr/mount, /sbin/poweroff, /sbin/reboot
 
 poweroff, reboot are required for "exittc". tee is used by the ".profile" script. mount was a guess, because the squash mounts are missing now.
 
 This leaves me in an uncomfortable situation: I cannot restrict rights for user "tc" in sudoers and cannot ensure that users cannot get to the linux console.
- 
				To prevent an escape to the shell,
 add 2 lines to tc's .profile so that at the end it reads:
 
 TERMTYPE=`/usr/bin/tty`
 while true ; do
 [ ${TERMTYPE:5:3} == "tty" ] && (
 [ ! -f /etc/sysconfig/Xserver ] ||
 [ -f /etc/sysconfig/text ] ||
 [ -e /tmp/.X11-unix/X0 ] ||
 startx
 )
 done
- 
				There is no complete list, but a recursive grep should give an answer.
 
 If you don't mean to load extensions or do other system tasks after boot, how about leaving tc with normal sudo access (but with a password), and using a different user for the autologin?
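
 The recursive grep suggested in the reply above can be extended into an inventory of the commands that scripts run through sudo, which is the list a restricted sudoers entry would have to cover. This is an added example, not part of the original thread and not Tiny Core's own code; `sudo_commands`, `make_sample` and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: inventory the commands that scripts run through sudo, as
# input for a sudoers allow-list. Heuristic: commented lines are skipped, and
# a sudo option that takes an argument (e.g. "-u user") is not understood.

# sudo_commands PATH...: print "count command" per command invoked via sudo.
sudo_commands() {
    grep -rhE 'sudo[[:space:]]' "$@" 2>/dev/null |
    grep -vE '^[[:space:]]*#' |
    awk '{
        for (i = 1; i < NF; i++) {
            w = $i
            sub(/^.*[;&|(`]/, "", w)          # "$(sudo" or ";sudo" -> "sudo"
            if (w != "sudo") continue
            j = i + 1
            while (j <= NF && $j ~ /^-/) j++   # skip sudo option flags
            if (j > NF) continue
            c = $j
            gsub(/[;&|)`"]+$/, "", c)         # strip trailing shell punctuation
            if (c != "") print c
        }
    }' | LC_ALL=C sort | uniq -c | awk '{ print $1, $2 }'
}

# make_sample DIR: write constructed sample scripts (not real Tiny Core files).
make_sample() {
    mkdir -p "$1/init.d"
    cat > "$1/profile" <<'EOF'
# this comment mentions sudo tee and must be ignored
echo "$LANG" | sudo tee /tmp/lang >/dev/null
[ -f /tmp/halt ] && sudo /sbin/poweroff
EOF
    cat > "$1/init.d/setup" <<'EOF'
sudo -n mount -o loop a.tcz /tmp/a; sudo tee /tmp/log
owner=$(sudo whoami)
visudo -c -f /tmp/sudoers
EOF
}

# Run against real paths when given as arguments (files or directories).
if [ "$#" -gt 0 ]; then sudo_commands "$@"; fi
```

 Commands reached only indirectly (a script that is itself started through sudo and then calls other tools) do not show up in this inventory, so a restricted sudoers file still needs a test boot.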
- 
				Again thanks for your proposals.
 
 I will try what I can do until our system goes live.
 
- 
				Hi Curaga!
 
 Which problems can occur if a new user is created (with the same .profile as tc) and user tc is completely removed?
- 
				What would that accomplish?
			
- 
				That's the question! Will it bring any kind of problems to the system?
			
- 
				Hi Zendrael
 Actually, I believe gerald_clark asked you the opposite question, i.e. what do you think you will gain by doing that?
 
- 
				Hi Rich!
 
 I was thinking on the side of this post, by removing tc from sudoers and removing the user from the system.
 
 With a new user, not part of the sudoers, but with same .profile, it will be able to start X and do all the stuff that tc does (minus the stuff which requires sudo)?
- 
				tc is just the default user.
 The USER= boot code just changes the name of the user.  Everything works the same.
 
 Changing the name of the user ( or using another user with same configuration as tc ) really accomplishes nothing since the user is normally autologin.
 If you don't want autologin, use the noautologin boot code.
 If you don't want sudo privileges for tc, rewrite /etc/sudoers in bootlocal.sh.
 
- 
				Ok Mr. Gerald_Clark!
 
 Thanks!