[mythtvnz] New install - mythbackend password not accepted
Stephen Worthington
stephen_agent at jsw.gen.nz
Wed Apr 7 19:24:07 BST 2021
On Thu, 8 Apr 2021 04:39:05 +1200, you wrote:
>I'll check the sudoers.d helper and make the other changes regarding the
>shutdown bug.
>
>One thing I wondered about regarding the helper script was, in your
>installation procedure, for the helper script in /mythtv/bin you issue:
>chmod ug=rx,o= mythtv-systemctl-helper.sh command and for the one in
>/etc/sudoers.d you use: chmod ug=r,o= mythtv-systemctl-helper without x
>to make executable. Was this intentional? Or a typo?

The helper script is a bash script, so it must have executable
permissions. It is not particularly security sensitive as its ability
to do things without a password is not in this file but in the sudoers
config file referring to it. Using it only makes sense in the context
of using it with an sudoers configuration that allows it to work
without needing a password. In any other situation where you do need
to use a password, it is normally simpler just to use the systemctl
commands directly.

The sudoers file is not executable; it is a configuration file, and a
very security sensitive one at that. The permissions on sudoers files
have to be exactly right or sudo will ignore them, because if they had
the wrong permissions, that would allow someone to easily get root access.
The recommendation for sudoers files is that they have no more than
read access for the user and group and nothing else, and have only root
ownership and root group. So even root cannot write them without
changing their permissions first. When you do an sudo command from
other than a root account, sudo will be run as root and will look up
its sudoers config files to see if it has permission to do what it is
being asked to do. So it will be reading those sudoers config files
as root:root. If it does not find a match in the sudoers file, it
will not execute the command (at all, and certainly not as root). If
it does find a match, it sees what permissions it has been given to
execute things. In this case the config says it can execute the
specified file without requesting a password, so that is what it does.

When you do a normal sudo command from your non-root account, sudo
will match that against this config found in /etc/sudoers:

# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL

That says that sudo is allowed to execute any command as root if the
account is a member of the sudo group, but as there is not a NOPASSWD
option, it has to ask for a password first. The login account that
gets set up when you install Ubuntu is automatically added to the sudo
group (and the admin group that is allowed to use su to switch to the
root account).

>I'll be busy for the following 2 days and be making the changes on
>Saturday.
>
>-Paul
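
The permission rules described in the reply above, as an added example that is not part of the original post: a shell check, assuming GNU stat as on Ubuntu, that a sudoers.d file is root:root with mode 0440 or stricter and that the helper script has the execute bit with no write bits and nothing for others. The function names and the optional uid/gid arguments (for trying it without root) are hypothetical.

```sh
#!/bin/sh
# Added example (not from the thread). Assumes GNU stat, as shipped on Ubuntu.

# mode_within MODE MAX: true if octal MODE sets no permission bit outside MAX.
mode_within() {
    [ $(( 0$1 & ~0$2 & 07777 )) -eq 0 ]
}

# check_sudoers_file FILE [UID] [GID]
# Rule from the post: root owner, root group, at most read for user and group.
# UID/GID default to 0; overriding them is only for trying the check unprivileged.
check_sudoers_file() {
    local file="$1" want_uid="${2:-0}" want_gid="${3:-0}" rc=0
    [ -f "$file" ] || { echo "$file: not a regular file"; return 2; }
    set -- $(stat -c '%a %u %g' "$file")   # mode, owner uid, group gid
    if [ "$2" != "$want_uid" ] || [ "$3" != "$want_gid" ]; then
        echo "$file: owned by $2:$3, expected $want_uid:$want_gid"; rc=1
    fi
    if ! mode_within "$1" 440; then
        echo "$file: mode $1 is wider than 0440"; rc=1
    fi
    return "$rc"
}

# check_helper_script FILE
# The post's chmod ug=rx,o= gives 0550: executable, no write bits, nothing for others.
check_helper_script() {
    local mode
    [ -f "$1" ] || { echo "$1: not a regular file"; return 2; }
    mode=$(stat -c '%a' "$1")
    if ! mode_within "$mode" 550; then
        echo "$1: mode $mode is wider than 0550"; return 1
    fi
    if [ $(( 0$mode & 0100 )) -eq 0 ]; then
        echo "$1: owner execute bit is missing"; return 1
    fi
    return 0
}

# Usage: sh check.sh SUDOERS_FILE HELPER_SCRIPT  (paths are the caller's own)
if [ "$#" -eq 2 ]; then
    check_sudoers_file "$1"; check_helper_script "$2"
fi
```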