SUSE Conversations


Bypass Gnomesu for Sudo LAN Configuration for Non-Root Users



By: Alex_F

July 20, 2006 12:00 am

This article is also available as a PDF

This document describes the basic steps for enabling sudo so that non-root users can change the network configuration of the SUSE Linux Enterprise Desktop, with seamless integration into GNOME. On the GNOME desktop the network configuration can be launched from different places, e.g. using “Control Center->Network Card” or through the NetworkManager applet. Every action that needs root access starts “gnomesu”, which opens a pop-up window. After the root password is typed in, the corresponding YaST module is called. In our case, for configuring the network, “/sbin/yast2 lan” is called.

Requirements

  • The desktop user has no root access, e.g. is not able to call YaST for system configuration.
  • The non-root user shall be able to change the network configuration, i.e. to configure the wired and WLAN network interfaces.

EDITING SUDOERS

The “sudo” configuration file (sudoers) specifies what a user may execute as another user. It can be used to permit system function calls such as “/sbin/yast2 lan” that require root permissions. After sudoers is configured, the user may execute “sudo /sbin/yast lan” without being asked to type in the root password. In this example we create our own shell script “mod_lan.sh”, which works as a helper script.

To edit /etc/sudoers perform the following steps:

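  • Log in as root
  • Execute: visudo
    Note: Do not use “vi /etc/sudoers”; it is recommended to use “visudo” for editing sudoers.
  • Add the following line, which lets every user (first ALL) on every host (second ALL) run the helper script without a password:
    ALL ALL = NOPASSWD:/usr/bin/mod_lan.sh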

Script mod_lan.sh

This is the helper script that wraps the yast2 function call. Its main job is to export the DISPLAY environment variable so that the yast2 application running as root can display its output on the user's X display. In addition, the user has to run “xhost +local:root” to allow this. That can be done automatically by setting up a specific profile script, e.g. “/etc/profile.d/xdialog.sh”, which performs the task each time a user logs into the system.

To create “mod_lan.sh” use the editor of your choice and perform the following steps:

  • Log in as root
  • e.g. “vi /usr/bin/mod_lan.sh”
  • cut and paste the lines below
  • save the file
  • chmod 755 /usr/bin/mod_lan.sh

#!/bin/bash
#
# Point yast2 at the user's X display, then start the LAN module.
export DISPLAY=:0.0
/sbin/yast2 lan
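
An added check, not part of the original article: because the sudoers rule above lets every account run the helper as root without a password, the helper and its directory must be modifiable by root only. The script flags NOPASSWD rules granted to ALL users and helpers that are missing, have an unexpected owner, or are group/world-writable; the function names and finding labels are this example's own, and the demo input is constructed.

```shell
#!/bin/sh
# Added example, not from the original article.

# check_target CMD OWNER: a helper run as root is only as safe as the file
# and the directory holding it, so flag anything a non-owner can modify.
check_target() {
    cmd=$1 owner=$2
    if [ ! -f "$cmd" ]; then echo "MISSING $cmd"; return 0; fi
    if [ -z "$(find "$cmd" -prune -user "$owner")" ]; then echo "OWNER $cmd"; fi
    for p in "$cmd" "$(dirname "$cmd")"; do
        if [ -n "$(find "$p" -prune \( -perm -020 -o -perm -002 \))" ]; then
            echo "WRITABLE $p"
        fi
    done
}

# scan_nopasswd FILE OWNER: print one finding per line for FILE's NOPASSWD rules.
scan_nopasswd() {
    grep -v '^[[:space:]]*#' "$1" | grep 'NOPASSWD:' |
    while read -r who rest; do
        # "ALL" in the user field hands the rule to every local account.
        if [ "$who" = "ALL" ]; then echo "BROAD_USER $who $rest"; fi
        # The command list follows the NOPASSWD: tag, comma separated.
        echo "${rest#*NOPASSWD:}" | tr ',' '\n' |
        while read -r cmd _args; do
            check_target "$cmd" "$2"
        done
    done
}

# audit_nopasswd FILE [OWNER]: print findings; return 1 if there are any.
audit_nopasswd() {
    out=$(scan_nopasswd "$1" "${2:-root}")
    if [ -n "$out" ]; then echo "$out"; return 1; fi
    return 0
}

# Constructed sample: the article's rule pointing at a group-writable helper.
demo() {
    d=$(mktemp -d)
    printf '#!/bin/sh\n' > "$d/mod_lan.sh"
    chmod 775 "$d/mod_lan.sh"
    echo "ALL ALL = NOPASSWD:$d/mod_lan.sh" > "$d/sudoers"
    audit_nopasswd "$d/sudoers" "$(id -u)"; rc=$?
    rm -rf "$d"
    return $rc
}
demo || echo "demo: findings above need fixing before the rule is deployed"
```

On a real system, run “audit_nopasswd /etc/sudoers” as root; the owner argument defaults to root.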

Script xdialog.sh

The helper script “/etc/profile.d/xdialog.sh” allows root applications on the local host to be displayed on the user's X display. To create “xdialog.sh” use the editor of your choice and perform the following steps:

  • Log in as root
  • e.g. “vi /etc/profile.d/xdialog.sh”
  • cut and paste the lines below
  • save the file
  • chmod 755 /etc/profile.d/xdialog.sh

#!/bin/bash
#
# Allow X clients run by root on this host to connect to the user's X display
xhost +local:root

Note: To test the result, just call “sudo /usr/bin/mod_lan.sh”. If YaST2 starts in text mode, run xdialog.sh, because the profile scripts located below /etc/profile.d only run after you log out and log in again.

MODIFYING GNOMESU

The gnomesu function is provided by the libgnomesu-1.0.0.-32.5 package. To achieve a seamless integration within GNOME we keep a copy of the original gnomesu and replace it with our own “gnomesu”, which takes over control only when “/sbin/yast2 lan” is requested. Be aware that this solution is a kind of “hack”: you have to take care every time you update your system, because new versions of the libgnomesu package will overwrite the customized gnomesu and disable the sudo LAN configuration option again.

If you still feel ready to go forward with this solution, perform the following steps:

  • mv /opt/gnome/bin/gnomesu /opt/gnome/bin/gnomesu.orig
  • create a file “/opt/gnome/bin/gnomesu” with the following entries:

#!/bin/bash
#
# Platform:      SuSE Linux Enterprise Desktop 10
#
# Purpose:       Helper script to enable sudo access for non-privileged users
#                for the following system configurations:
#
#                - lan
#
# Prerequisite:  Rename the existing gnomesu to gnomesu.orig and install this
#                script in its place.
#
#                Add /usr/bin/mod_lan.sh to sudoers.
#
# Note: depending on whether "yast lan" is called from NetworkManager or the
# Control Center, the position of the "lan" parameter differs.
if [ "$2" = "lan" ] || [ "$3" = "lan" ]; then
        sudo /usr/bin/mod_lan.sh
else
        # Hand every other request to the original gnomesu, arguments intact.
        exec /opt/gnome/bin/gnomesu.orig "$@"
fi

LESSON LEARNED

What about the time zone? Just repeat the above steps for “/sbin/yast2 timezone”:

  • Edit sudoers and add a script named “mod_time.sh”.
  • Create the helper script mod_time.sh.
  • Add a further branch to the if/else in gnomesu:

. . .
elif [ "$2" = "timezone" ] || [ "$3" = "timezone" ]; then
        sudo /usr/bin/mod_time.sh
else
. . .

Have fun!


Disclaimer: As with everything else at SUSE Conversations, this content is definitely not supported by SUSE (so don't even think of calling Support if you try something and it blows up).  It was contributed by a community member and is published "as is." It seems to have worked for at least one person, and might work for you. But please be sure to test, test, test before you do anything drastic with it.
