
Thread: suauth and pam.d

  1. #1

    suauth and pam.d

    Hi,

    Can anyone tell me how to run a command as a different user within a script, without requiring password input? I tried editing /etc/suauth so that my "leeko" user can run the following script, which runs irexec as user "mythtv".

    Code:
    #!/bin/bash
    # Launcher for IREXEC because it's STUPID and won't launch properly in startup scripts!
    sleep 30
    killall irexec
    su mythtv -c "irexec /home/leeko/.lircrc" &
    exit 0
    My /etc/suauth looks like this:

    Code:
    leeko@leeko-media:~$ cat /etc/suauth
    #leeko and mythtv can su to each other without a password
    leeko:mythtv:NOPASS
    mythtv:leeko:NOPASS
    #
    It didn't work, so I googled and found this page:

    http://ubuntuforums.org/showthread.p...ghlight=suauth

    It suggests that ubuntu has deprecated /etc/suauth, and instead uses pam.d/su. But, I can't figure out how to edit this file so that user "leeko" can su to user "mythtv" without a password. Can anyone point me in the right direction?

    Thanks,

    Lee

  2. #2

    Re: suauth and pam.d

    You can do this pretty easily with sudo instead of su. First add this line to your /etc/sudoers file:

    Code:
    leeko   ALL = (mythtv) NOPASSWD: ALL
    Then, instead of using su in your script, use a line like:

    Code:
    sudo -u mythtv irexec /home/leeko/.lircrc &
    Hal Pomeranz, Deer Run Associates
    [[ Various Linux/Unix related documents ]]
    [[ Command-Line Kung Fu blog ]]

  3. #3

    Re: suauth and pam.d

    Hi Hal,

    Thanks for the reply. I did as you suggested, but I ran into a small snag: It still asks me for a password when I run the script.

    Here's the contents of my sudoers file:

    Code:
    # /etc/sudoers
    #
    # This file MUST be edited with the 'visudo' command as root.
    #
    # See the man page for details on how to write a sudoers file.
    #
    
    Defaults        env_reset
    
    # Uncomment to allow members of group sudo to not need a password
    # %sudo ALL=NOPASSWD: ALL
    
    # Host alias specification
    
    # User alias specification
    
    # Cmnd alias specification
    
    # User privilege specification
    root    ALL=(ALL) ALL
    mythtv ALL=NOPASSWD: /etc/acpi/*
    leeko ALL=NOPASSWD: /etc/acpi/*
    mythuser ALL=NOPASSWD: /etc/acpi/*
    mythtv ALL=NOPASSWD:/sbin/halt,/sbin/shutdown,/sbin/reboot,/bin/mount,/bin/umount,/usr/sbin/pmi
    leeko ALL=NOPASSWD: /usr/sbin/pmi
    leeko ALL = (mythtv) NOPASSWD: ALL
    
    # Members of the admin group may gain root privileges
    %admin ALL=(ALL) ALL
    And my startup script (which is owned by leeko):

    Code:
    leeko@leeko-media:~$ cat /usr/local/bin/irexeclauncher
    #!/bin/bash
    # Launcher for IREXEC because it's STUPID and won't launch properly in startup scripts!
    sleep 20
    killall irexec
    sudo -u mythtv irexec /home/leeko/.lircrc &
    exit 0
    When I reboot, the script kills the existing process, then does nothing else. If I run the script manually, it asks me for a password. If I've previously run a sudo command and entered my password, then the script runs flawlessly without requiring a password.

    I'm guessing that the entry in sudoers isn't doing what it's supposed to, but I've no idea how to fix it.

    Any ideas?

    Thanks,

    Lee
    Last edited by leeko; September 8th, 2008 at 10:03 PM. Reason: Typo

  4. #4

    Re: suauth and pam.d

    Been playing around a bit more -

    If I try:

    sudo -u mythtv <command>

    from the CLI, it does the same thing (asks me for a sudoers password). If I've already used sudo in that session, it doesn't ask.

    Any help much appreciated.

    Lee

  5. #5

    Re: suauth and pam.d

    Weird, your sudoers file looks correct to me and the syntax I gave you should work. What UID is the mythtv user ("grep mythtv: /etc/passwd" and look at the number in the third field)? Does the mythtv user have the same UID as some other user on the system?
    Hal Pomeranz, Deer Run Associates

  6. #6

    Re: suauth and pam.d

    Hi Hal,

    grep gives:

    Code:
    leeko@leeko-media:~$ grep mythtv: /etc/passwd
    mythtv:x:105:110::/home/mythtv:/bin/sh
    leeko@leeko-media:~$
    grepping for 105 gives only the mythtv entry. grepping for 110 gives:

    Code:
    leeko@leeko-media:~$ grep 110: /etc/passwd
    mythtv:x:105:110::/home/mythtv:/bin/sh
    sshd:x:110:65534::/var/run/sshd:/usr/sbin/nologin
    Not sure what to make of it. I don't think they have the same UID?

    Thanks,

    Lee

  7. #7

    Re: suauth and pam.d

    Actually, I've noticed some slightly different (equally weird) behaviour after a reset:

    - The existing irexec -d process is killed, but then nothing else happens
    - If I manually run /usr/local/bin/irexeclauncher while logged in as user leeko, it sleeps for 20 seconds, then I get:

    Code:
    leeko@leeko-media:~$ /usr/local/bin/irexeclauncher
    irexec: no process killed
    [sudo] password for leeko: leeko@leeko-media:~$
    That's not a typo above - as soon as it asks me for the sudo password, it puts "leeko@leeko-media:~$" right after the prompt. As soon as I press any key, I get:

    Code:
    sudo: pam_authenticate: Conversation error
    Then, it returns my prompt (leeko@leeko-media). But, keypresses are not shown on screen. They do register, and I can logout, but they are not shown.

    I don't really understand this. Please help!

    Thanks,

    Lee

  8. #8

    Re: suauth and pam.d

    The weird terminal behavior you're seeing is because your script is launching the sudo command in the background (that's what the "&" at the end of the sudo line means). You could do this instead:

    Code:
    sudo -u mythtv irexec --daemon /home/leeko/.lircrc
    This way you'll get the sudo password prompt as normal and it won't mess up your terminal.

    But the point is, obviously, that you shouldn't be getting the password prompt in the first place. It's very strange-- everything looks correct to me. There should be some log messages in /var/log/auth.log from your sudo attempts-- could you just try doing a command like "sudo -u mythtv id" and post the relevant log entries from /var/log/auth.log? Maybe there's something I'm missing that will be obvious once I look at the logs.
    Hal Pomeranz, Deer Run Associates

  9. #9

    Re: suauth and pam.d

    Hi Hal,

    Again, thanks for your persistence with this!

    sudo -u mythtv id asks me for my password as usual, then after password entry it gives:

    Code:
    leeko@leeko-media:~$ sudo -u mythtv id
    [sudo] password for leeko:
    uid=105(mythtv) gid=110(mythtv) groups=20(dialout),24(cdrom),29(audio),44(video),110(mythtv)
    cat /var/log/auth.log gives:

    Code:
    Sep  8 18:23:24 leeko-media sudo:    leeko : TTY=pts/0 ; PWD=/home/leeko ; USER=mythtv ; COMMAND=/usr/bin/id
    Sep  8 18:23:24 leeko-media sudo: pam_unix(sudo:session): session opened for user mythtv by leeko(uid=0)
    Sep  8 18:23:24 leeko-media sudo: pam_unix(sudo:session): session closed for user mythtv
    Hope this helps,

    Cheers,

    Lee

  10. #10

    Re: suauth and pam.d

    Hmmm, well the log messages look normal. Nothing out of the ordinary there.

    Perhaps your "leeko" account is sharing a UID with another account? Try "grep leeko: /etc/passwd", note the UID, and then check to see if there are other accounts in the password file with your UID.

    I notice that there are a couple of other sudoers entries for your leeko account:

    Code:
    leeko ALL=NOPASSWD: /etc/acpi/*
    ...
    leeko ALL=NOPASSWD: /usr/sbin/pmi
    If you run "sudo /usr/sbin/pmi" from your leeko account, do you get prompted for a password the first time, or does it let you run the command without typing the password ever?
    Hal Pomeranz, Deer Run Associates
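    An added example (not from this thread and not sudo's own code) that models the sudoers matching rules behind Hal's replies #2 and #10: entries are tried in file order, an entry with no (runas) part only covers running as root, and the last matching entry decides whether NOPASSWD applies. It uses only the privilege lines Lee posted; the `admin` group membership passed in one check is a constructed assumption, not something the thread states, used to show how a later `%admin ALL=(ALL) ALL` line can re-enable the password prompt.

```python
import fnmatch
import re
# Subset of a sudoers entry: user|%group HOST=(runas) [NOPASSWD:|PASSWD:] cmd[,cmd...]
# Hostnames, runas groups, aliases and '!' negation are not modelled.
ENTRY_RE = re.compile(
    r"^(\S+)\s+([^\s=]+)\s*=\s*(?:\(([^)]*)\))?\s*(NOPASSWD:|PASSWD:)?\s*(.+)$")
def parse_sudoers(text):
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line or line.startswith("Defaults"):
            continue
        m = ENTRY_RE.match(line)
        if not m: raise ValueError("unsupported sudoers syntax: %r" % raw)
        user, _host, runas, tag, cmds = m.groups()
        rules.append({"user": user, "runas": (runas or "root").strip(),  # default runas is root
                      "nopasswd": tag == "NOPASSWD:",
                      "cmds": [c.strip() for c in cmds.split(",")]})
    return rules

def cmd_matches(pattern, command):
    # sudo wildcards never match '/', so the path depth must agree as well.
    return pattern == "ALL" or (fnmatch.fnmatchcase(command, pattern)
                                and command.count("/") == pattern.count("/"))

def check(rules, user, runas, command, groups=None):
    """Outcome of 'sudo -u RUNAS COMMAND' run by USER: NOPASSWD, PASSWD or DENY.
    Entries apply in file order and the LAST match decides the tag, so a later
    '(ALL) ALL' entry without NOPASSWD brings the password prompt back."""
    verdict = "DENY"
    for r in rules:
        if r["user"].startswith("%"):
            if user not in (groups or {}).get(r["user"][1:], ()):
                continue
        elif r["user"] != user:
            continue
        if r["runas"] in ("ALL", runas) and any(cmd_matches(c, command) for c in r["cmds"]):
            verdict = "NOPASSWD" if r["nopasswd"] else "PASSWD"
    return verdict

# The privilege lines quoted from the thread's /etc/sudoers (comments and two unrelated lines omitted).
SUDOERS = """\
root    ALL=(ALL) ALL
leeko ALL=NOPASSWD: /etc/acpi/*
mythtv ALL=NOPASSWD:/sbin/halt,/sbin/shutdown,/sbin/reboot,/bin/mount,/bin/umount,/usr/sbin/pmi
leeko ALL=NOPASSWD: /usr/sbin/pmi
leeko ALL = (mythtv) NOPASSWD: ALL
%admin ALL=(ALL) ALL
"""
RULES = parse_sudoers(SUDOERS)
```

With the file as posted, `check(RULES, "leeko", "mythtv", "/usr/bin/id")` returns NOPASSWD; only if leeko were also in the admin group would the last entry turn that into PASSWD.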
