[sudo-users] sudo -l semantics

Alec Leamas leamas.alec at gmail.com
Sat Jan 4 14:21:47 MST 2014


On 2014-01-02 23:05, Alec Leamas wrote:
> On 2014-01-02 19:57, Alec Leamas wrote:
>> On 2014-01-02 19:37, Shawn McMahon wrote:
>>> However, if you're bound and determined to do this, you could give that
>>> user a passwordless sudo rule allowing them to run "sudo -U <username> -l"
>>> as root, and parse that output for what you're searching for.
>>
>> Not really. This is a chicken and egg problem, to handle what happens 
>> when my app is started after a clean install.  Of course, opening up 
>> for all users as part of installation is an option, but that would be 
>> system-wide and not really the way to go IMHO. The username is 
>> basically unknown at installation time.
>>
>> Perhaps if I installed a rule allowing all users to run exactly "sudo 
>> -l my-cmd" or so.... Dunno, that is perhaps not too bad?!
>>
>> --alec
>>
> Which doesn't seem to work :(.   I cannot specify a sane rule that 
> allows running sudo with a particular set of options, it basically 
> becomes something like "sudo sudo ..." which doesn't work (and 
> shouldn't).
>
> Seems that my use case cannot work unless there is a simple way 
> (option) to ask if I can issue 'sudo -l' questions without running 
> into a prompt. Need to find other ways around this (polkit?).
>
> --alec
>

At last I have been able to use pkexec instead of sudo for the initial 
bootstrapping - basically adding a group to the running user.  Although 
pkexec works better for this purpose, IMHO sudo is still superior when 
it comes to assigning permissions to users in that group.  And the two 
dependencies sudo and polkit don't really matter; most users have 
them in place anyway.

That said, it would have been great if I had been able to use sudo for 
everything. Using two different tools adds some complexity.

--alec

