Welcome
Welcome to refracta

You are currently viewing our boards as a guest, which gives you limited access to view most discussions and access our other features. By joining our free community, you will have access to post topics, communicate privately with other members (PM), respond to polls, upload content, and access many other special features. In addition, registered members also see less advertisements. Registration is fast, simple, and absolutely free, so please, join our community today!

some feedback on refracta2usb/installer

Refracta Development, Scripts, etc.

Re: some feedback on refracta2usb/installer

Postby dzz » Sun Feb 09, 2014 4:57 pm

These are the relevant sudoers lines (in live session). I'm not sure if live-boot scripts might add at least one of them
Code: Select all
%sudo ALL=(ALL:ALL) ALL
user ALL=(ALL) NOPASSWD: ALL

Another possible way for the installer to handle sudo is give the user simple choices:

1) disable sudo (recommended, default): Installer could parse these two lines and (in the installation) comment them automatically, using grep|sed

2) enable sudo (optional, maybe with security warning): Just leave "%sudo ALL= (ALL:ALL) ALL" and add $newuser to sudoers group. (IMO) we should not directly support password-less sudo at all, that line should be gone.

3) user edits manually, same as before. Or not, since a user who want custom sudo configs can do so post-install and should already know how to.

That could suit everyone, whether you find doing visudo manually confusing or simply tedious.
dzz
 
Posts: 629
Joined: Wed Apr 27, 2011 11:53 am
Location: Devon, England

Re: some feedback on refracta2usb/installer

Postby orbspider » Mon Feb 10, 2014 9:39 am

so if options

1) disable sudo (recommended, default):... comment them automatically


2) ..... (IMO) we should not directly support password-less sudo at all, that line should be gone.

I agree with this, password-less sudo is not to be advocated -so option 2) not necessary

3) user edits manually, same as before. Or not,...

and if does not want to edit, that is option 4) "No thanks" .. ahem, 3) if there's no 2)
orbspider
 
Posts: 40
Joined: Mon Oct 07, 2013 9:35 am

Re: some feedback on refracta2usb/installer

Postby fsmithred » Mon Feb 10, 2014 11:21 am

This:
Code: Select all
for line in $(grep NOPASSWD sudoers);do sed -i "s/$line/#$line/" sudoers ; done

changed this:
Code: Select all
#user   ALL=(ALL) NOPASSWD: ALL

to this:
Code: Select all
##user   ##ALL=(ALL) #NOPASSWD: ALL
Not what I expected, but I guess it would work.

Installer could check if user is member of sudo group. If so, leave it alone. Changing user name should not change the group memberships. Installer also needs to check for NOPASSD, comment it out and give user option to edit sudoers or become member of sudo group.

But if stock debian-live has no root password, that could leave you with no way to be root. Gotta run now. More later.
User avatar
fsmithred
 
Posts: 1987
Joined: Wed Mar 09, 2011 9:13 pm

Re: some feedback on refracta2usb/installer

Postby dzz » Mon Feb 10, 2014 9:28 pm

There's some stuff that needs reviewing here anyway, which probably affects refractasnapshot and future refracta live-images.
Code: Select all
user ALL=(ALL) NOPASSWD: ALL

appears to have no business at all in sudoers in =>wheezy .. it's done in sudoers.d/live by live-config script 0040-sudo in standard debian images . Refractainstaller should delete that file (or line) automatically but it does not. Wherever it's placed, it is for live use only.

Note, it could be other than "user" in a different distro, or with a custom username (debian live tools do actually support that)

%sudo line seems present by default in sudoers, if you want sudo all you need do is add your user to sudo group (and maybe edit a few dot files in $HOME).

I got most of this info from comparing the official Debian-Live wheezy/xfce with official Refracta images (and might have missed or got something wrong). However (as Dean reminded me) I have forgotten what the official Debian installer does with sudo and root password (I don't use it much, prefer debootstrap) and it's about time I run it again.

I don't see why manual visudo is necessary at all in refractainstaller. The solution is not difficult..more later when I done a few tests.
dzz
 
Posts: 629
Joined: Wed Apr 27, 2011 11:53 am
Location: Devon, England

Re: some feedback on refracta2usb/installer

Postby fsmithred » Tue Feb 11, 2014 2:53 pm

I'll move the NOPASSWD line into sudoers.d/live, and add that file to the installer excludes list. It might be good to either re-create the file when making a snapshot or at least give the user instructions, in case they want sudo with no password in their live iso.

Does 0040-sudo need 'config=sudo' in the boot cmdline, or does it run with just 'config'? Looks like it would be nice to use that, since it deals with some of the user's config files, but it also looks like it might not work with a pre-configured user.
User avatar
fsmithred
 
Posts: 1987
Joined: Wed Mar 09, 2011 9:13 pm

Re: some feedback on refracta2usb/installer

Postby dzz » Tue Feb 11, 2014 4:41 pm

If you have a preconfigured user (and/or other stuff) 'config' can cause unpredictable problems (all scripts run, e.g. user-setup), you need "config=script1,script2,script3" OR "config noconfig=script1,script2,script3"

BTW if you're running sid with live-* from experimental (you probably should be, it's in quite good shape at the moment) "config" has changed to "components"

I can test later that "components=sudo" (config=sudo) works ok as I got a sid test box set up.

Today I'm testing a patch which sets sudo in one dialog box with no manual visudo. So far, it works. If anyone is interested I can put it to a pastebin (not here because of a censored directory!) Snip:

Code: Select all
TITLE="Refracta Installer"

TEXT="\n\nLive images normally use 'sudo' for root access.\n\\nIt is recommended to disable sudo in the installation and use 'su' with a root password \n\nOptionally you may keep sudo if preferred. The installer will configure the root password later. \n\n\Disable default sudo in the installed system?"

yad --image=gtk-dialog-question --width=460 --height=240 --title="$TITLE" --button="Disable sudo":0 --button="Use sudo":1 --text="$TEXT"

(using 9.0.9-beta7) the graphical locales setup works. Every locale on the live system is automatically checked, it's tedious to deselect them manually. Would like to find how to change that.
dzz
 
Posts: 629
Joined: Wed Apr 27, 2011 11:53 am
Location: Devon, England

Re: some feedback on refracta2usb/installer

Postby fsmithred » Tue Feb 11, 2014 10:44 pm

@dzz: When I run loc-timezn.sh, only the locales I have configured are checked. I tried it on my sid and on my refracta/wheezy (main install).

@orbspider: The only time I get the terminal version of the locales setup after the graphical version is if I cancel the graphical version. I can change the script so it doesn't do that. If I let the graphical version complete, then that's the end - I don't get the terminal version.

And regarding the windows that are too small to show all the choices - it looks like you're using zenity, not yad. Unfortunately, I don't do as much testing with zenity, but I'll take a look at that.
User avatar
fsmithred
 
Posts: 1987
Joined: Wed Mar 09, 2011 9:13 pm

Re: some feedback on refracta2usb/installer

Postby fsmithred » Wed Feb 12, 2014 12:06 am

Here's the current wording for changing the root password in the installer:
Would you like to change the root password? (Recommended)
You'll need to go to the terminal again...

Note: If your system has no root user, and you want
to keep it that way, say No.
"


I think I'll change that to
Note: If your system has no root user, and
uses sudo for all administrative tasks, and you
want to keep it that way, say No.
User avatar
fsmithred
 
Posts: 1987
Joined: Wed Mar 09, 2011 9:13 pm

Re: some feedback on refracta2usb/installer

Postby dzz » Wed Feb 12, 2014 1:58 am

Here is a diff for the installer mod I just tested on a sid image: http://paste.debian.net/81588/ It's only a suggestion and a rough draft (but it works and avoids manual visudo) It checks automatically if root password is unset and allows to keep it that way.

The locales which are configured in the live system are all checked, that's quite a few. A live image needs as many as possible to be international but an installation only needs the one(s) it will actually use.

I meant, it is tedious to go through the whole list and uncheck them. The easy way is just leave them in (but they take a little time to generate, with a busy cpu and no status output of what is happening) There must be a cache file somewhere because it remembers what you did last but I haven't found it yet. It's not a major problem but (like visudo) slows you down.
dzz
 
Posts: 629
Joined: Wed Apr 27, 2011 11:53 am
Location: Devon, England

Re: some feedback on refracta2usb/installer

Postby thwak » Wed Feb 12, 2014 9:26 pm

thwak
 
Posts: 165
Joined: Tue Nov 20, 2012 3:58 am

PreviousNext

Return to Discuss

Who is online

Users browsing this forum: No registered users and 0 guests

suspicion-preferred