Tiny Core Linux

Tiny Core Base => TCB Bugs => Topic started by: cosmin_ap on May 09, 2011, 07:08:14 PM

Title: new users prevented to login because of sudo in ~/.profile
Post by: cosmin_ap on May 09, 2011, 07:08:14 PM
~/.profile tries to do a sudo when logging in, but new users can't sudo since there's no root password. This means that adding new users at boot time with adduser will make them unable to login.

btw, is this the right way to make new users or is it better to have your own passwd/shadow/group copied over in /etc? I imagine there are other programs that mess with users and groups at load time in their tce.installed script so I'd rather not copy my own version of these files and issue adduser/addgroup commands in bootsync.sh instead.

Title: Re: new users prevented to login because of sudo in ~/.profile
Post by: maro on May 09, 2011, 07:44:53 PM
I'm not sure if I understand your problem: If I use the boot code 'user=try' an additional user (i.e. 'try') will be created (i.e. some additional entries in files like '/etc/passwd', and '/etc/shadow' with a default password of 'tcuser' will be created). As this new user has also been added to '/etc/sudoers' there should not be a problem with executing 'sudo COMMAND' as this new user.

If you want to ensure that those changes to the '/etc/...' files "survive" the next reboot you'll have to add the relevant files to the backup "whitelist" (e.g. via for FILE in group gshadow passwd shadow sudoers ; do echo "etc/${FILE}" >> /opt/.filetool.lst ; done). It would probably be a good idea to ensure that a backup has been performed (e.g. via filetool.sh -b).

Otherwise you could try to continue to use the 'user=...' boot code, but I'm not sure what side effects that might have with repeated use.

Title: Re: new users prevented to login because of sudo in ~/.profile
Post by: Guy on May 09, 2011, 10:27:42 PM
I have experienced a similar thing.

Include "user=name" in bootloader.

Use this method to save passwords

Quote
sudo cp /etc/shadow /opt/shadow

Add the following to /opt/bootsync.sh

sudo mv /etc/shadow /etc/shadow_old
sudo cp /opt/shadow /etc/shadow

But also add group, gshadow, passwd and sudoers, using the same method.

Restart the computer.

The user can't log in.

It requires a password (without using noautologin), and it seems it is not the password in /etc/shadow.

If someone knows how to overcome this, let us know.

This may be a bug in the base, and need modifications.

Title: Re: new users prevented to login because of sudo in ~/.profile
Post by: cosmin_ap on May 10, 2011, 03:02:47 AM
Quote from: maro
I'm not sure if I understand your problem: If I use the boot code 'user=try' an additional user (i.e. 'try') will be created (i.e. some additional entries in files like '/etc/passwd', and '/etc/shadow' with a default password of 'tcuser' will be created). As this new user has also been added to '/etc/sudoers' there should not be a problem with executing 'sudo COMMAND' as this new user.

Sorry I wasn't very clear. The user= bootcode works because it uses addUser() from tc-config. But I'm talking of adding a new user with adduser user, which copies /etc/skel in /home/user. The /etc/skel/.profile contains a sudo which makes the new user unable to login because there's no root password by default. Of course there are tricks to do at boot time to prevent this, like echo "user ALL=NOPASSWD: ALL" >> /etc/sudoers, but I think the adduser command is intended to provide you a loggable user by default, and that sudo prevents it.

Title: Re: new users prevented to login because of sudo in ~/.profile
Post by: curaga on May 10, 2011, 04:41:32 AM
Good point. Many local users isn't a supported scenario currently, but this appears to break ssh too. Since only the local user should be allowed to control backup, try the attached patch.

Title: Re: new users prevented to login because of sudo in ~/.profile
Post by: Guy on May 10, 2011, 04:52:05 AM
I think in the long term, Tiny Core should be designed to support several users.

Title: Re: new users prevented to login because of sudo in ~/.profile
Post by: curaga on May 10, 2011, 04:55:48 AM
From a scenario of one admin and several users without app install privileges, we aren't far currently.

Title: Re: new users prevented to login because of sudo in ~/.profile
Post by: SamK on May 10, 2011, 05:26:27 AM
Quote from: Guy
I think in the long term, Tiny Core should be designed to support several users.

+1 (hopefully not too long term)
   
Title: Re: new users prevented to login because of sudo in ~/.profile
Post by: ToasterKing on June 16, 2011, 06:39:26 PM
If you want to keep backups working so that files in the user's home directory are picked up you may find this alternate /etc/sudoers file useful.  It allows the user tking to log in without errors, run backups, and launch the GUI.

Quote
root    ALL=(ALL) ALL
tc      ALL=NOPASSWD: ALL
Cmnd_Alias BACKUP = /usr/bin/tee, /usr/bin/bcrypt, /bin/umount, \
                    /bin/mount, /bin/mv, /bin/touch, \
                    /bin/rm -f /tmp/backup_status, /bin/busybox tar *, \
                    /bin/busybox ls *

Cmnd_Alias WBAR   = /bin/cp /usr/share/wbar/dot.wbar /usr/local/tce.icons, \
                    /bin/chown root.staff /usr/local/tce.icons, \
                    /bin/chmod g+w /usr/local/tce.icons, \
                    /usr/bin/flwm_topside_initmenu, \
                    /bin/rm -rf /usr/local/tce.icons, \
                    /bin/kill


tking    ALL=NOPASSWD: BACKUP, WBAR


tking still has more privileges through the GUI than are absolutely necessary, and I don't like the bare /bin/mv or /bin/kill, but this works for me, at least in 3.6; I haven't tried it with 3.7 yet.
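
An added example, not part of the post above or of Tiny Core itself: a POSIX sh/awk helper that classifies each command in a sudoers Cmnd_Alias by how tightly its arguments are restricted, so bare entries like the /bin/mv and /bin/kill mentioned above stand out in review. The function names, verdict labels and sample input (adapted from the aliases in the post) are assumptions of this example; it handles one alias per logical line and does not parse escaped commas.

```shell
#!/bin/sh
# Added example: classify each command in a sudoers Cmnd_Alias by how tightly
# its arguments are restricted. Reads sudoers text on stdin and prints
# ALIAS<TAB>VERDICT<TAB>COMMAND. Simplification: one alias per logical line.
audit_cmnd_aliases() {
    awk '
    # Join backslash-continued physical lines into one logical line.
    { line = buf $0 }
    line ~ /\\[ \t]*$/ { sub(/\\[ \t]*$/, "", line); buf = line; next }
    { buf = "" }
    line ~ /^[ \t]*Cmnd_Alias[ \t]/ {
        sub(/^[ \t]*Cmnd_Alias[ \t]+/, "", line)
        eq = index(line, "=")
        name = substr(line, 1, eq - 1); gsub(/[ \t]/, "", name)
        n = split(substr(line, eq + 1), cmds, ",")
        for (i = 1; i <= n; i++) {
            c = cmds[i]
            gsub(/^[ \t]+|[ \t]+$/, "", c); gsub(/[ \t]+/, " ", c)
            if (c == "") continue
            if (c !~ / /)        verdict = "ANYARGS"   # bare path: sudo accepts any arguments
            else if (c ~ /[*?]/) verdict = "WILDCARD"  # arguments matched by a glob
            else                 verdict = "PINNED"    # arguments must match exactly
            printf "%s\t%s\t%s\n", name, verdict, c
        }
    }'
}

# Constructed sample input, adapted from the aliases in the post.
sample_sudoers() {
    cat <<'EOF'
Cmnd_Alias BACKUP = /usr/bin/tee, /bin/mv, \
                    /bin/rm -f /tmp/backup_status, /bin/busybox tar *
Cmnd_Alias WBAR   = /bin/chmod g+w /usr/local/tce.icons, /bin/kill
EOF
}

sample_sudoers | audit_cmnd_aliases
```

ANYARGS and WILDCARD rows granted with NOPASSWD are the ones to review first. A comma dropped before a line continuation shows up as a single PINNED row containing two paths.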