Tiny Core Linux
Tiny Core Base => TCB Q&A Forum => Topic started by: igor.kattar on June 20, 2025, 10:28:44 PM
-
How can I autologin with a user that asks for sudo password?
I set the passwords for tc and root users, then changed sudoers with sudo visudo
If in the /etc/sudoers file I have:
root ALL=(ALL) ALL
tc ALL=(ALL) ALL
tc ALL=(ALL) NOPASSWD: /sbin/reboot,/sbin/poweroff,/sbin/halt
I cannot autologin anymore (I have to supply the password multiple times)
If I have the standard:
root ALL=(ALL) ALL
tc ALL=(ALL) NOPASSWD: ALL
I can autologin.
In the /opt/.filetool.lst file I have
opt
home
etc/shadow
etc/passwd
etc/sudoers
Every change, I run sudo filetool.sh -b
and since it's a VM for tests, I have snapshots too.
It is an x86_64 machine with the 16.1 version of TinyCorePure64.
The goal is to make the image available via PXE to students but not allow them to install programs and interfere with the computers' disks (installing parted, mounting disks, etc).
-
Hi igor.kattar
Welcome to the forum.
If I understand the issue, what happens if you add login and autologin to NOPASSWD:
tc ALL=(ALL) NOPASSWD: /sbin/reboot,/sbin/poweroff,/sbin/halt,/sbin/autologin,/bin/login
-
I still have to supply the password.
With the lines in /etc/sudoers:
tc ALL=(ALL) ALL
tc ALL=(ALL) NOPASSWD: /sbin/reboot,/sbin/poweroff,/sbin/halt,/sbin/autologin,/bin/login
After forcing the login, holding <enter>, the output of sudo ps auxw
is (notice the 3766 and 3786 PIDs)
...
329 root [kworker/R-ext4-]
3090 root /sbin/udevd --daemon
3195 tc -sh
3213 root /sbin/udhcpc -b -i eth0 -x hostname:box -p /var/run/udhcpc.eth0.pid
3718 root /usr/local/lib/xorg/Xorg -nolisten tcp
3720 root /sbin/udevd --daemon
3724 tc flwm_topside
3746 tc aterm
3747 tc sh
3766 tc {wbar.sh} /bin/sh /usr/local/bin/wbar.sh
3786 root sudo mv /tmp/work3766 /usr/local/tce.icons
3788 tc wbar
3801 tc aterm
3802 tc sh
3829 tc -sh
3859 root ps auxw
With the line:
tc ALL=(ALL) NOPASSWD: ALL
After the autologin the output of sudo ps auxw
is
...
432 root [kworker/1:2-mm_]
3134 root /sbin/udevd --daemon
3135 root /sbin/udevd --daemon
3236 tc -sh
3412 root /sbin/udhcpc -b -i eth0 -x hostname:box -p /var/run/udhcpc.eth0.pid
3794 root /usr/local/lib/xorg/Xorg -nolisten tcp
3799 tc flwm_topside
3848 tc wbar
3862 tc aterm
3863 tc sh
3883 tc -sh
3913 root ps auxw
-
Hi igor.kattar
Maybe add /bin/mv to the list?
-
Hi igor.kattar
Another potential sudo issue:
tc@E310:~$ grep sudo .profile
[ "`id -un`" = "`cat /etc/sysconfig/tcuser`" ] && echo "$BACKUP" | sudo tee /etc/sysconfig/backup >/dev/null 2>&1
You might need to add tee to the list.
-
mv and tee with passwordless root permissions wouldn't be a good idea, students could move and create code in unpredictable locations, it wouldn't cost much to run something as superuser. :-\
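-
Added example, not part of any post in this thread: a POSIX sh check that lists the commands the login scripts run through sudo and reports those a user's NOPASSWD list does not cover, which are the ones that prompt during autologin. The sample files are constructed from the lines quoted above (the wbar.sh line is a stand-in based on the ps output), all function names are hypothetical, and only the one-line sudoers form shown in this thread is parsed.

```shell
#!/bin/sh
# Added example: which sudo calls in the login scripts would prompt for a
# password under a restricted NOPASSWD list? Not Tiny Core's own code.

# nopasswd_cmds SUDOERS USER: NOPASSWD commands for USER, one per line.
nopasswd_cmds() {
    sed -n "s/^$2[[:space:]].*NOPASSWD:[[:space:]]*//p" "$1" |
        tr ',' '\n' | awk 'NF {print $1}'
}

# sudo_calls FILE...: command word following each sudo in non-comment lines.
sudo_calls() {
    grep -hv '^[[:space:]]*#' "$@" |
        grep -o 'sudo[[:space:]]\{1,\}[^[:space:]|;&]\{1,\}' |
        awk '$2 !~ /^-/ {print $2}' | sort -u
}

# uncovered SUDOERS USER FILE...: sudo'd commands not on the NOPASSWD list.
# Names are compared by basename, an approximation of sudo's full-path match.
uncovered() {
    sudoers=$1; user=$2; shift 2
    allowed=$(nopasswd_cmds "$sudoers" "$user")
    for cmd in $(sudo_calls "$@"); do
        hit=no
        for a in $allowed; do
            [ "$a" = ALL ] || [ "${a##*/}" = "${cmd##*/}" ] && hit=yes
        done
        [ "$hit" = yes ] || echo "$cmd"
    done
}

# Constructed sample files modelled on the lines quoted in this thread.
make_samples() {
    d=$(mktemp -d)
    printf '%s\n' 'root ALL=(ALL) ALL' 'tc ALL=(ALL) ALL' \
        'tc ALL=(ALL) NOPASSWD: /sbin/reboot,/sbin/poweroff,/sbin/halt' > "$d/locked"
    printf '%s\n' 'root ALL=(ALL) ALL' 'tc ALL=(ALL) NOPASSWD: ALL' > "$d/open"
    printf '%s\n' 'echo "$BACKUP" | sudo tee /etc/sysconfig/backup >/dev/null 2>&1' \
        > "$d/profile"
    printf '%s\n' '# constructed stand-in for wbar.sh' \
        'sudo mv /tmp/work$$ /usr/local/tce.icons' > "$d/wbar.sh"
    echo "$d"
}

d=$(make_samples)
echo "locked list would prompt for: $(uncovered "$d/locked" tc "$d/profile" "$d/wbar.sh" | tr '\n' ' ')"
echo "open list would prompt for: $(uncovered "$d/open" tc "$d/profile" "$d/wbar.sh" | tr '\n' ' ')"
rm -rf "$d"
```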
-
...
The goal is to make the image available via PXE to students but not allow them to install programs and interfere with the computers' disks (installing parted, mounting disks, etc).
perhaps searching the forum for "Kiosk Mode" might provide some additional insight?
here is a random sample:
https://forum.tinycorelinux.net/index.php/topic,26764.msg172657.html#msg172657
-
Hi igor.kattar
Another idea. You have 2 files in /etc/, sudoers and sudoerslocked.
sudoers is the original file, sudoerslocked is your modified version.
After ~/.profile runs:
sudo cp /etc/sudoerslocked /etc/sudoers
-
...
The goal is to make the image available via PXE to students but not allow them to install programs and interfere with the computers' disks (installing parted, mounting disks, etc).
perhaps searching the forum for "Kiosk Mode" might provide some additional insight?
here is a random sample:
https://forum.tinycorelinux.net/index.php/topic,26764.msg172657.html#msg172657
That Kiosk approach wouldn't block student access through tty1 nor user shell, they could still use a passwordless sudo.
Hi igor.kattar
Another idea. You have 2 files in /etc/, sudoers and sudoerslocked.
sudoers is the original file, sudoerslocked is your modified version.
After ~/.profile runs:
sudo cp /etc/sudoerslocked /etc/sudoers
This idea, I guess, hit the spot, this is how I executed it (there must be a more sophisticated way)
At the end of ~/.profile I replaced the tc permissions:
...
startx
)
sudo sed -i '/^tc/d;/^root.*$/atc ALL=(ALL) ALL\ntc ALL=(ALL) NOPASSWD: \/sbin\/reboot,\/sbin\/halt,\/sbin\/poweroff' /etc/sudoers
Maintain the /etc/sudoers file with the lines:
...
root ALL=(ALL) ALL
tc ALL=(ALL) NOPASSWD: ALL
Keeping some files and directories in /opt/.filetool.lst file
opt
home
etc/shadow
etc/gshadow
etc/group
etc/passwd
etc/sudoers
root
Protecting that file
chown root:root /opt/.filetool.lst
And protecting the root home
chown -R root:root /root
chmod 0700 /root
Finally backing up with:
sudo filetool.sh -b
After a reboot, the user autologins normally and can only execute reboot, halt and poweroff with passwordless sudo.
Nice!
Just have to remember to change the /etc/sudoers lines back to:
...
root ALL=(ALL) ALL
tc ALL=(ALL) NOPASSWD: ALL
, before running the filetool.sh tool again, but this is another story.
Thank you very much Rich and gadget42. I guess a more protected kiosk would benefit from these ideas.
* I can't find where to mark this post as solved or where I could change the topic name, but it is solved.
-
Hi igor.kattar
... this is how I executed it (there must be a more sophisticated way) ...
That's one of the nice things about linux. There's more than one way to solve a problem.
... * I can't find where to mark this post is solved or where could I change the topic name but it is solved.
You have to ask me to do that. After 30 minutes, users can not edit their post.