editing /etc/sudoers

editing /etc/sudoers

[Jeff Bauer]

I've been trying unsuccessfully to make changes to
/etc/sudoers.  I used visudo by creating a symlink
to /usr/bin/vi (because visudo ignores EDITOR), but
the changes aren't permanent.  What am I missing?

-Jeff

Re: editing /etc/sudoers

[David Larsson]

Hi Jeff,
This is probably not the guix way, but Im usually using SUDO_EDITOR=zile visudo instead of just EDITOR.

B.R.
David

Jeff Bauer – Fri, 14. June 2019 14:36
> I've been trying unsuccessfully to make changes to
> /etc/sudoers. I used visudo by creating a symlink
> to /usr/bin/vi (because visudo ignores EDITOR), but
> the changes aren't permanent. What am I missing?
> 
> -Jeff

Re: editing /etc/sudoers

[Tobias Geerinckx-Rice]

[-- Attachment #1: Type: text/plain, Size: 199 bytes --]

Jeff Bauer wrote:
> What am I missing?

Moar Scheme:

  (operating-system
    …
    (sudoers-file
      (local-file "sudoers")) ; relative to this file
    …)

Kind regards,

T G-R

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 227 bytes --]

Re: editing /etc/sudoers

[Jeff Bauer]

On Fri, Jun 14, 2019 at 03:21:33PM +0200, Tobias Geerinckx-Rice wrote:
>  (operating-system
>    …
>    (sudoers-file
>      (local-file "sudoers")) ; relative to this file
>    …)

Thanks.  And as a note to myself to RTFM:

https://www.gnu.org/software/guix/manual/en/html_node/Using-the-Configuration-System.html#Using-the-Configuration-System

"One should never have to touch files in /etc or to run
commands that modify the system state such as useradd or
grub-install. In fact, you must avoid that since that
would not only void your warranty but also prevent you
from rolling back to previous versions of your system,
should you ever need to."

-Jeff

Re: editing /etc/sudoers

[Quiliro's lists]

El 2019-06-14 06:55, Jeff Bauer escribió:
> I've been trying unsuccessfully to make changes to
> /etc/sudoers.  I used visudo by creating a symlink
> to /usr/bin/vi (because visudo ignores EDITOR), but
> the changes aren't permanent.  What am I missing?

You cannot have a /usr/bin unless you are on a foreign distro such as
Trisquel or Parabola or any other than GuixSD. If you are on a foreign
distro, Guix does not control your sudoers file; your foreign distro
does.

Regarding the EDITOR variable, if Guix is the installer of the needed
editor it is the only situation when this regards to Guix.

Would you please clarify your issue?

Re: editing /etc/sudoers

[Jeff Bauer]

On Sat, Jun 15, 2019 at 07:27:57PM -0700, Quiliro's lists wrote:
> Regarding the EDITOR variable, if Guix is the installer of the needed
> editor it is the only situation when this regards to Guix.
>
> Would you please clarify your issue?

Issue clarified up-thread:

https://lists.gnu.org/archive/html/help-guix/2019-06/msg00140.html

Generally, assigning the environment variable EDITOR works
for visudo(*), but it appears /usr/bin/vi is hard-coded in
guix's visudo as it does not acknowledge EDITOR.

$ EDITOR=vim visudo ~/etc/guix/sudoers
visudo: no editor found (editor path = /usr/bin/vi)

David Larsson suggested using SUDO_EDITOR, however that
doesn't work either:

$ SUDO_EDITOR=vim visudo ~/etc/guix/sudoers
visudo: no editor found (editor path = /usr/bin/vi)

I'll still use visudo to check my local sudoers file on
the command line, though it's more challenging to remember
to check it (and the consequences of borking sudoers are
severe).

$ visudo --check -f ~/etc/guix/sudoers
~/etc/guix/sudoers: parsed OK

I'm guessing /usr/bin/vi has been hard coded into visudo
for security reasons, but it doesn't make sense if the
/usr/bin/vi editor doesn't exist on Guix System.

-Jeff

----
(*) Or at least it has on other system distros where nano
was the default editor.

Re: editing /etc/sudoers

[Jeff Bauer]

On Sat, Jun 15, 2019 at 07:27:57PM -0700, Quiliro's lists wrote:
> Regarding the EDITOR variable, if Guix is the installer of the needed
> editor it is the only situation when this regards to Guix.
>
> Would you please clarify your issue?

Issue clarified up-thread:

https://lists.gnu.org/archive/html/help-guix/2019-06/msg00140.html

Generally, assigning the environment variable EDITOR works
for visudo(*), but it appears /usr/bin/vi is hard-coded in
guix's visudo as it does not acknowledge EDITOR.

$ EDITOR=vim visudo ~/etc/guix/sudoers
visudo: no editor found (editor path = /usr/bin/vi)

David Larsson suggested using SUDO_EDITOR, however that
doesn't work either:

$ SUDO_EDITOR=vim visudo ~/etc/guix/sudoers
visudo: no editor found (editor path = /usr/bin/vi)

I'll still use visudo to check my local sudoers file on
the command line, though it's more challenging to remember
to check it (and the consequences of borking sudoers are
severe).

$ visudo --check -f ~/etc/guix/sudoers
~/etc/guix/sudoers: parsed OK

I'm guessing /usr/bin/vi has been hard coded into visudo
for security reasons, but it doesn't make sense if the
/usr/bin/vi editor doesn't exist on Guix System.

-Jeff

----
(*) Or at least it has on other system distros where nano
was the default editor.

Re: editing /etc/sudoers

[Quiliro's lists]

El 2019-06-16 09:30, Jeff Bauer escribió:
> On Sat, Jun 15, 2019 at 07:27:57PM -0700, Quiliro's lists wrote:
>> Regarding the EDITOR variable, if Guix is the installer of the needed
>> editor it is the only situation when this regards to Guix.
>>
>> Would you please clarify your issue?
> 
> Issue clarified up-thread:
> 
> https://lists.gnu.org/archive/html/help-guix/2019-06/msg00140.html

No you have not. It is not clear wether you are using Guix System
Distribution or another GNU distribution such as Debian.

Re: editing /etc/sudoers

[Jeff Bauer]

On Sun, Jun 16, 2019 at 04:08:06PM -0700, Quiliro's lists wrote:
> El 2019-06-16 09:30, Jeff Bauer escribió:
> > On Sat, Jun 15, 2019 at 07:27:57PM -0700, Quiliro's lists wrote:
> >> Regarding the EDITOR variable, if Guix is the installer of the needed
> >> editor it is the only situation when this regards to Guix.
> >>
> >> Would you please clarify your issue?
> >
> > Issue clarified up-thread:
> >
> > https://lists.gnu.org/archive/html/help-guix/2019-06/msg00140.html
>
> No you have not. It is not clear wether you are using Guix System
> Distribution or another GNU distribution such as Debian.

Okay, to make it more clear: I was having a problem
trying to use visudo on a native Guix System.  The
visudo packaged with the Guix System cannot actually
edit a sudoers file because it relies on /usr/bin/vi,
but it can be used as a command line validation checker.

-Jeff

Re: editing /etc/sudoers

[Andreas Enge]

Hello,

On Sun, Jun 16, 2019 at 06:20:54PM -0500, Jeff Bauer wrote:
> Okay, to make it more clear: I was having a problem
> trying to use visudo on a native Guix System.  The
> visudo packaged with the Guix System cannot actually
> edit a sudoers file because it relies on /usr/bin/vi,
> but it can be used as a command line validation checker.

maybe my reply is off-topic and does not solve your problem, but to just
give sudoer capabilities to a user, it is enough to add them to the "wheel"
group in the system declaration, with something like:

(operating-system
  (users (cons* (user-account
                 (name "andreas")
                 (comment "Andreas Enge")
                 (group "users")
                 (supplementary-groups '("wheel"))
                 (home-directory "/home/andreas"))
                %base-user-accounts))
  ...

This is in line with the principle that "global" files should not be edited,
but instead be declared in some way in the operating system definition.

For more sophisticated uses, the file could be declared in the operating
system definition, I suppose, but I have no experience with this.

Andreas

Re: editing /etc/sudoers

[Quiliro's lists]

El 2019-06-17 02:17, Andreas Enge escribió:
> Hello,
> 
> On Sun, Jun 16, 2019 at 06:20:54PM -0500, Jeff Bauer wrote:
>> Okay, to make it more clear: I was having a problem
>> trying to use visudo on a native Guix System.  The
>> visudo packaged with the Guix System cannot actually
>> edit a sudoers file because it relies on /usr/bin/vi,
>> but it can be used as a command line validation checker.
> 
> maybe my reply is off-topic and does not solve your problem, but to just
> give sudoer capabilities to a user, it is enough to add them to the "wheel"
> group in the system declaration, with something like:
> 
> (operating-system
>   (users (cons* (user-account
>                  (name "andreas")
>                  (comment "Andreas Enge")
>                  (group "users")
>                  (supplementary-groups '("wheel"))
>                  (home-directory "/home/andreas"))
>                 %base-user-accounts))
>   ...
> 
> This is in line with the principle that "global" files should not be edited,
> but instead be declared in some way in the operating system definition.
> 
> For more sophisticated uses, the file could be declared in the operating
> system definition, I suppose, but I have no experience with this.
> 
> Andreas

Exactly: if you are using GuixSD, you do not use visudo; you use what
Andreas proposes. If you are using just Guix, then you use visudo from
the distro you are on.

Re: editing /etc/sudoers

[Jeff Bauer]

On Mon, Jun 17, 2019 at 07:34:46AM -0700, Quiliro's lists wrote:
> El 2019-06-17 02:17, Andreas Enge escribió:
> > maybe my reply is off-topic and does not solve your problem, but to just
> > give sudoer capabilities to a user, it is enough to add them to the "wheel"
> > group in the system declaration, with something like:
> >
> > (operating-system
> >   (users (cons* (user-account
> >                  (name "andreas")
> >                  (comment "Andreas Enge")
> >                  (group "users")
> >                  (supplementary-groups '("wheel"))
> >                  (home-directory "/home/andreas"))
> >                 %base-user-accounts))
> >   ...
> >
> > This is in line with the principle that "global" files should not be edited,
> > but instead be declared in some way in the operating system definition.
> >
> > For more sophisticated uses, the file could be declared in the operating
> > system definition, I suppose, but I have no experience with this.
> >
> > Andreas
>
> Exactly: if you are using GuixSD, you do not use visudo; you use what
> Andreas proposes. If you are using just Guix, then you use visudo from
> the distro you are on.

My needs go beyond adding a user to the wheel group.  I want
specific programs to run without a sudo password challenge,
so editing my local copy of sudoers is necessary.  I'm now
using guix visudo as a command-line validation tool to
ensure that sudoers isn't borked -- which is it's primary
purpose.

-Jeff

Re: editing /etc/sudoers

[John Soo]

Hi Jeff,

Sorry this is so confusing. Let me know if I’m missed something since I’ve been half-following this thread. I think what you may want to do is use the sudoers-file field when specifying your operating system rather than using visudo to edit the file. This way you will have persistent and declarative specification for the sudoers file. The sudoers-file field allows you to place an arbitrary file-like object in it, so you can put whatever you want to add using visudo there and it will work the same. Check the manual for reference: https://www.gnu.org/software/guix/manual/en/html_node/operating_002dsystem-Reference.html#operating_002dsystem-Reference

Hope that helps,

John

> On Jun 17, 2019, at 8:44 AM, Jeff Bauer <jeffrubic@gmail.com> wrote:
> 
>> On Mon, Jun 17, 2019 at 07:34:46AM -0700, Quiliro's lists wrote:
>> El 2019-06-17 02:17, Andreas Enge escribió:
>>> maybe my reply is off-topic and does not solve your problem, but to just
>>> give sudoer capabilities to a user, it is enough to add them to the "wheel"
>>> group in the system declaration, with something like:
>>> 
>>> (operating-system
>>>  (users (cons* (user-account
>>>                 (name "andreas")
>>>                 (comment "Andreas Enge")
>>>                 (group "users")
>>>                 (supplementary-groups '("wheel"))
>>>                 (home-directory "/home/andreas"))
>>>                %base-user-accounts))
>>>  ...
>>> 
>>> This is in line with the principle that "global" files should not be edited,
>>> but instead be declared in some way in the operating system definition.
>>> 
>>> For more sophisticated uses, the file could be declared in the operating
>>> system definition, I suppose, but I have no experience with this.
>>> 
>>> Andreas
>> 
>> Exactly: if you are using GuixSD, you do not use visudo; you use what
>> Andreas proposes. If you are using just Guix, then you use visudo from
>> the distro you are on.
> 
> My needs go beyond adding a user to the wheel group.  I want
> specific programs to run without a sudo password challenge,
> so editing my local copy of sudoers is necessary.  I'm now
> using guix visudo as a command-line validation tool to
> ensure that sudoers isn't borked -- which is it's primary
> purpose.
> 
> -Jeff
> 

Re: editing /etc/sudoers

[Jeff Bauer]

On Mon, Jun 17, 2019 at 10:03:20AM -0700, John Soo wrote:
>    Sorry this is so confusing. Let me know if I’m missed something since
>    I’ve been half-following this thread. I think what you may want to do
>    is use the sudoers-file field when specifying your operating system
>    rather than using visudo to edit the file. This way you will have
>    persistent and declarative specification for the sudoers file. The
>    sudoers-file field allows you to place an arbitrary file-like object in
>    it, so you can put whatever you want to add using visudo there and it
>    will work the same. Check the manual for
>    reference: [1]https://www.gnu.org/software/guix/manual/en/html_node/ope
>    rating_002dsystem-Reference.html#operating_002dsystem-Reference

John,

Correct, I got my local sudoers working a few
days ago, so there's no longer any confusion on
my end (but thanks for your reply).

However, guix's visudo should probably be patched
to allow editing of a *local* ~/etc/sudoers file,
which currently won't work because /usr/bin/vi
appears to be hard-coded.

-Jeff

Re: editing /etc/sudoers

[John Soo]

Thanks Jeff,

Sounds good. Do you think this thread is effectively solved, then? You might consider opening a bug report for visudo. 

- John

> On Jun 17, 2019, at 11:02 AM, Jeff Bauer <jeffrubic@gmail.com> wrote:
> 
>> On Mon, Jun 17, 2019 at 10:03:20AM -0700, John Soo wrote:
>>   Sorry this is so confusing. Let me know if I’m missed something since
>>   I’ve been half-following this thread. I think what you may want to do
>>   is use the sudoers-file field when specifying your operating system
>>   rather than using visudo to edit the file. This way you will have
>>   persistent and declarative specification for the sudoers file. The
>>   sudoers-file field allows you to place an arbitrary file-like object in
>>   it, so you can put whatever you want to add using visudo there and it
>>   will work the same. Check the manual for
>>   reference: [1]https://www.gnu.org/software/guix/manual/en/html_node/ope
>>   rating_002dsystem-Reference.html#operating_002dsystem-Reference
> 
> John,
> 
> Correct, I got my local sudoers working a few
> days ago, so there's no longer any confusion on
> my end (but thanks for your reply).
> 
> However, guix's visudo should probably be patched
> to allow editing of a *local* ~/etc/sudoers file,
> which currently won't work because /usr/bin/vi
> appears to be hard-coded.
> 
> -Jeff

Re: editing /etc/sudoers

[Hartmut Goebel]

Am 17.06.19 um 01:20 schrieb Jeff Bauer:
> Okay, to make it more clear: I was having a problem
> trying to use visudo on a native Guix System.  The
> visudo packaged with the Guix System cannot actually
> edit a sudoers file because it relies on /usr/bin/vi,

Try

VISUAL=/path/tp/my/editor visudo

See the man-page for details

-- 
Regards
Hartmut Goebel

| Hartmut Goebel          | h.goebel@crazy-compilers.com               |
| www.crazy-compilers.com | compilers which you thought are impossible |

Re: editing /etc/sudoers

[Jeff Bauer]

On Mon, Jun 17, 2019 at 09:53:46AM +0200, Hartmut Goebel wrote:
> Try
>
> VISUAL=/path/tp/my/editor visudo
>
> See the man-page for details

Nope, same error:

$ VISUAL=~/.guix-profile/bin/vim visudo -f ~/etc/guix/config.scm
visudo: no editor found (editor path = /usr/bin/vi)

It appears /usr/bin/vi is hard-coded into the guix version
of visudo.  EDITOR or VISUAL works for me on non-guix systems.

-Jeff