most secure way to start root session without requiring password - Setup


Thread: most secure way to start root session without requiring password

  1. most secure way to start root session without requiring password

    On my laptop running linux (CentOS 4.4) I want a root window (a copy
    of emacs running under root) on my console (the lcd screen) in
    addition to the normal windows I have up on that console.

    Previously, (on the laptop this one is replacing, which ran CentOS
    4.2), I had this setup using a little shell script called su-xemacs
    that my .x-startup invoked, and I've copied that script over to my new
    machine.

    It's relatively trivial saying roughly, "#!/bin/sh\nsudo -c xemacs\n".
    However, previously, I either did something to the script (made it
    setuid with a user name of root) or did something with my pam
    configuration, because the script would run and would bring up the
    xemacs window without asking for a password. However, the current
    version doesn't work that way. If I invoke the script from a shell
    prompt on the console it asks for a password and then works, but from
    the .x-startup file the request for a password never appears anywhere
    and the window (running emacs) never comes up.

    I'm trying to figure out the most secure (and convenient) way to
    achieve what I used to have. I looked at my pam configuration for
    sudo and didn't find anything on the old system that was different
    than the new one. I also read several man pages, hoping that
    something like "sufficient pam_securetty" would be what I wanted (and
    it doesn't appear to be).

    So, I figured I would poll the collective wisdom here, before I do
    something which is less secure than I intend it to be. For example,
    the solution may be to make the script setuid with owner root, but
    that means that potentially the script could be run by other users
    over network connections and that would be less secure than I want,
    since from time to time, I may want to hook the laptop up to a network
    somewhere, and that could be the time someone finds a way to login to
    "my" machine from that network. I would live with that risk if there
    is no other way to achieve what I want, but not if there is another
    solution that is less risky and still achieves my goals.

    Thanks,
    -Chris

  2. Re: most secure way to start root session without requiring password

    In comp.os.linux.setup Chris F Clark :
    > On my laptop running linux (CentOS 4.4) I want a root window (a copy
    > of emacs running under root) on my console (the lcd screen) in
    > addition to the normal windows I have up on that console.

    [..]

    > It's relatively trivial saying roughly, "#!/bin/sh\nsudo -c xemacs\n".
    > However, previously, I either did something to the script (made it
    > setuid with a user name of root) or did something with my pam
    > configuration, because the script would run and would bring up the
    > xemacs window without asking for a password. However, the current
    > version doesn't work that way. If I invoke the script from a shell


    Probably you used 'visudo' to configure the sudoers file to allow
    your user to execute xemacs with the NOPASSWD tag on your old
    system but forgot about it? Your backups should be helpful; look
    for /etc/sudoers.

    [..]

    > So, I figured I would poll the collective wisdom here, before I do
    > something which is less secure than I intend it to be. For example,
    > the solution may be to make the script setuid with owner root, but
    > that means that potentially the script could be run by other users


    It will not work, the Linux kernel will not run a SUID script
    other than with the UID of the caller, unless you use sudo or hack
    some SUID C wrapper together, which isn't advisable.

    Good luck

    --
    Michael Heiming (X-PGP-Sig > GPG-Key ID: EDD27B94)
    mail: echo zvpunry@urvzvat.qr | perl -pe 'y/a-z/n-za-m/'
    #bofh excuse 118: the router thinks its a printer.
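    The configuration Michael is describing, as an added example that is not
    part of the thread: a sudoers rule that lets one account run one command as
    root with the NOPASSWD tag, the wrapper script that uses it, and a sanity
    check before the rule is installed. The user name "chris", the host name
    "laptop", the path /usr/bin/xemacs and the drop-in file under
    /etc/sudoers.d are assumptions for illustration; a sudo old enough to lack
    /etc/sudoers.d takes the same line in /etc/sudoers via visudo.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumed names: account "chris",
# host "laptop", command /usr/bin/xemacs. Adjust to your system.

# Print a sudoers entry that lets USER run exactly CMD as root without a
# password. The host field is the machine's own name rather than ALL, so
# the same file copied to another box grants nothing there.
sudoers_line() {
    user=$1; host=$2; cmd=$3
    printf '%s %s=(root) NOPASSWD: %s\n' "$user" "$host" "$cmd"
}

# Cheap structural check of a single rule: user, host=(runas), the NOPASSWD
# tag and an absolute command path. Full syntax checking is visudo's job.
rule_looks_sane() {
    case $1 in
        *" "*"=("*") NOPASSWD: /"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Write one rule to a sudoers fragment (e.g. /etc/sudoers.d/xemacs) with the
# mode sudo expects. Refuses anything that fails the structural check, so a
# typo never reaches the live configuration.
install_fragment() {
    rule=$1; dest=$2
    rule_looks_sane "$rule" || {
        echo "refusing malformed rule: $rule" >&2
        return 1
    }
    printf '%s\n' "$rule" > "$dest" || return 1
    chmod 0440 "$dest"
}

# Ask visudo to parse the fragment before it goes live; returns visudo's
# exit status, or 0 with a warning if visudo is not installed here.
validate_fragment() {
    if command -v visudo >/dev/null 2>&1; then
        visudo -c -f "$1"
    else
        echo "visudo not found; fragment $1 not syntax-checked" >&2
    fi
}

# The wrapper invoked from .x-startup. The command must match the sudoers
# rule exactly (full path). "sudo -n" never prompts: with no terminal to ask
# on, it fails at once with a message on stderr instead of sitting silently,
# which is the symptom from the original post. Drop -n on a sudo too old to
# know the flag (check "sudo -h").
wrapper_script() {
    cat <<'EOF'
#!/bin/sh
exec sudo -n /usr/bin/xemacs
EOF
}

# Typical use, run as root (left as comments so sourcing this file is safe):
#   rule=$(sudoers_line chris laptop /usr/bin/xemacs)
#   install_fragment "$rule" /etc/sudoers.d/xemacs && validate_fragment /etc/sudoers.d/xemacs
#   wrapper_script > ~chris/bin/su-xemacs && chmod 0755 ~chris/bin/su-xemacs
```

    Two caveats worth keeping in mind with a rule like this. A sudoers
    command with no argument list may be run with any arguments, and an
    editor running as root can in any case spawn a shell, so this rule is
    effectively password-less root for that one account on that one host;
    that is the trade the original poster was weighing, and the account's
    own password and the host field are what limit it. And because sudo
    matches the exact path, a wrapper that says "xemacs" while the rule says
    "/usr/bin/xemacs" will prompt for a password again.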

  3. Re: most secure way to start root session without requiring password

    Thank you.

    I had looked at the old /etc/sudoers and copied over one line, which
    allowed the account to run sudo at all, but perhaps I missed
    something. It is worth a 2nd look on my part and some more playing.

  4. Re: most secure way to start root session without requiring password

    In comp.os.linux.setup Chris F Clark :
    > Thank you.


    > I had looked at the old /etc/sudoers and copied over one line, which
    > allowed the account to run sudo at all, but perhaps I missed
    > something. It is worth a 2nd look on my part and some more playing.


    I don't know if it works now or not. Post the line(s) out of
    /etc/sudoers and the error messages you get.

    Good luck

    BTW
    Please quote context on reply, thx:
    http://groups.google.com/support/bin...y?answer=14213

    --
    Michael Heiming (X-PGP-Sig > GPG-Key ID: EDD27B94)
    mail: echo zvpunry@urvzvat.qr | perl -pe 'y/a-z/n-za-m/'
    #bofh excuse 77: Typo in the code

  5. Re: most secure way to start root session without requiring password

    Michael Heiming writes:

    > In comp.os.linux.setup Chris F Clark :
    >> Thank you.

    >
    >> I had looked at the old /etc/sudoers and copied over one line, which
    >> allowed the account to run sudo at all, but perhaps I missed
    >> something. It is worth a 2nd look on my part and some more playing.

    >
    > I don't know if it works now or not? Post the line(s) out of
    > /etc/sudoers and the error messages you get.
    >
    > Good luck
    >
    > BTW
    > Please quote context on reply, thx:
    > http://groups.google.com/support/bin...y?answer=14213
    >
    > --
    > Michael Heiming (X-PGP-Sig > GPG-Key ID: EDD27B94)
    > mail: echo zvpunry@urvzvat.qr | perl -pe 'y/a-z/n-za-m/'
    > #bofh excuse 77: Typo in the code


    Sorry, for the long delay. The problem was in my sudoers file. And,
    after looking again at the correct and the new one I found it. So,
    your suggestion to look at that was a good one. It helped guide me to
    the mistake I was making. I no longer remember what the problem was,
    as I've since moved on to other problems. All I recall was that once
    I knew the right place to look, the problem was obvious. (Moreover,
    I don't want to speculate on what the problem was, as that is as
    likely to be wrong and thus misleading as right.)

    Thank you, again. My apologies for not closing the loop on this before.

    -Chris
