cros_sdk: 'sudo -v' inside chroot will prompt for password that will never match.
Issue description
On ToT cros_sdk, the file /etc/sudoers.d/90_cros specifies that the default user id can run sudo without a password:
%adm ALL=(ALL) ALL
root ALL=(ALL) ALL
{USER} ALL=NOPASSWD: ALL
However, this will cause 'sudo -v', which many scripts use to extend the credential cache, to fail, since -v will always ask for a password. As https://ubuntuforums.org/showthread.php?t=2327757&p=13522795#post13522795 indicates, it's probably more correct to always add
Defaults verifypw = any
in 90_cros or 95_cros_base.
Temporarily assigning to vapier since he's the last one who updated sudo :)
Sep 6 2017
stimim and I both see this - "inside" chroot.
sudo -V
Sudo version 1.8.19p2
Sudoers policy plugin version 1.8.19p2
Sudoers file grammar version 45
Sudoers I/O plugin version 1.8.19p2
sudo -v
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.
Password:
/etc/sudoers:
root ALL=(ALL) ALL
/etc/sudoers.d/90_cros:
Defaults env_keep += "CHROMEOS_OFFICIAL CHROMEOS_VERSION_AUSERVER CHROMEOS_VERSION_DEVSERVER CHROMEOS_VERSION_TRACK GCC_GITHASH GIT_AUTHOR_EMAIL GIT_AUTHOR_NAME GIT_COMMITTER_EMAIL GIT_COMMITTER_NAME GIT_PROXY_COMMAND GIT_SSH RSYNC_PROXY SSH_AGENT_PID SSH_AUTH_SOCK USE all_proxy ftp_proxy http_proxy https_proxy no_proxy CROS_WORKON_SRCROOT PORTAGE_USERNAME"
%adm ALL=(ALL) ALL
root ALL=(ALL) ALL
hungte ALL=NOPASSWD: ALL
/etc/sudoers.d/95_cros_base:
chronos ALL=(ALL) ALL
Sep 6 2017
probably because my account is in adm group?
# groups
adm floppy audio cdrom video portage eng
Yes - after I've commented the %adm line, "sudo -v" won't complain for password. Should we remove %adm, or ?
Sep 6 2017
i can't find any history behind the adm entry. it goes back to the original commits in 2009. the group isn't used inside of the sdk either so shouldn't need to propagate it over.
Sep 7 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/platform/crosutils/+/57fce7bbf9839a8bd9fb4e4baa874c9c6b2ec87a

commit 57fce7bbf9839a8bd9fb4e4baa874c9c6b2ec87a
Author: Wei-Han Chen <stimim@google.com>
Date: Thu Sep 07 22:01:05 2017

chroot_version_hooks.d: make `sudo -v` don't ask for password

Even though we mark the user as NOPASSWD, if any other rules match them, the `sudo -v` command ends up prompting for a password. Add a rule disabling that in case rules happen to trigger it.

BUG= chromium:762445
TEST=cros_sdk --nousepkg --replace --enter --nouse-image; sudo -v

Change-Id: I3cb5abea515e8416431740d1bb4b4c6cfeb224cf
Reviewed-on: https://chromium-review.googlesource.com/652206
Commit-Ready: Mike Frysinger <vapier@chromium.org>
Tested-by: Mike Frysinger <vapier@chromium.org>
Reviewed-by: Hung-Te Lin <hungte@chromium.org>

[add] https://crrev.com/57fce7bbf9839a8bd9fb4e4baa874c9c6b2ec87a/chroot_version_hooks.d/152_rewrite_sudoers.d
[modify] https://crrev.com/57fce7bbf9839a8bd9fb4e4baa874c9c6b2ec87a/chroot_version_hooks.d/45_rewrite_sudoers.d
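The rule interaction this thread tracks down, as an added example that is not part of the original issue or the crosutils change: a simplified Python model of the sudoers `verifypw` setting, run over the entries quoted above. The function names are hypothetical, the group list is the one from the `groups` output in the thread, and the model ignores host, alias and include handling.

```python
# Simplified model of the sudoers "verifypw" setting (sudoers(5)); not a real parser.
# Constructed sample: the user-spec lines quoted in this thread, merged into one string.
SUDOERS = """\
root ALL=(ALL) ALL
%adm ALL=(ALL) ALL
root ALL=(ALL) ALL
hungte ALL=NOPASSWD: ALL
chronos ALL=(ALL) ALL
"""
# Group list taken from the `groups` output posted in the thread.
GROUPS = {"adm", "floppy", "audio", "cdrom", "video", "portage", "eng"}


def matching_entries(sudoers, user, groups):
    """Return (who, has_nopasswd) for each user-spec line that applies to `user`."""
    hits = []
    for raw in sudoers.splitlines():
        parts = raw.strip().split(None, 1)
        if len(parts) < 2 or parts[0].startswith(("#", "Defaults")):
            continue  # blank lines, comments and Defaults are not user specs
        who, spec = parts
        if who == user or (who.startswith("%") and who[1:] in groups):
            hits.append((who, "NOPASSWD:" in spec))
    return hits


def sudo_v_prompts(sudoers, user, groups, verifypw="all"):
    """True if `sudo -v` would ask for a password under this verifypw value."""
    flags = [nopasswd for _, nopasswd in matching_entries(sudoers, user, groups)]
    if not flags:
        raise ValueError(f"no sudoers entry applies to {user}")  # outside this model
    if verifypw == "never":
        return False
    if verifypw == "always":
        return True
    if verifypw == "all":  # sudo's default: every matching entry must be NOPASSWD
        return not all(flags)
    if verifypw == "any":  # a single NOPASSWD entry is enough
        return not any(flags)
    raise ValueError(f"unknown verifypw value: {verifypw}")


if __name__ == "__main__":
    for policy in ("all", "any"):
        print(f"verifypw={policy}: prompt={sudo_v_prompts(SUDOERS, 'hungte', GROUPS, policy)}")
    without_adm = SUDOERS.replace("%adm ALL=(ALL) ALL\n", "")
    print(f"verifypw=all, %adm removed: prompt={sudo_v_prompts(without_adm, 'hungte', GROUPS)}")
```

With the default `all`, the `%adm` entry is enough to force the prompt even though the user's own entry is NOPASSWD; either `verifypw = any` or dropping the `%adm` line clears it.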
Comment 1 by vapier@chromium.org, Sep 6 2017