Sudoers to remove password from specific commands
Clash Royale CLAN TAG#URR8PPP
I'm having a bit of trouble with sudoers syntax. Long story short, I'm struggling with my graphics card and I recently found out that I can turn it on and off with a simple command (previously it was always off, which is good 90% of the times, but sometimes I'd like to use its extra power sometimes). My idea is to use these two commands in various script to turn on the GC, execute a command that uses the GC and then turn it off, something like this:
sudo tee /proc/acpi/bbswitch <<<ON
optirun [command]
sudo tee /proc/acpi/bbswitch <<<OFF
Problem is, these script are very rarely executed in a shell, they are mostly executed by double-clicking on the .sh file. So I looked into how to avoid password for specific sudo commands and found out about sudoers.
I executed visudo and added a line at the end of the file:
grb ALL=(ALL) NOPASSWD: tee /proc/acpi/bbswitch <<<OFF, tee /proc/acpi/bbswitch <<<ON
but as soon as I close the editor, visudo says there is a syntax error, but nothing more. The syntax error is raised even if I add only one command:
grb ALL=(ALL) NOPASSWD: tee /proc/acpi/bbswitch <<<OFF
This line was added as the last and it's the first time that I edit the sudoers file.
If it's useful, I'm using Ubuntu MATE 18.04. I suspect the answer is really simple, but I can't find any documentation specific enough for my case. I want to stress that I need to limit the possible inputs to /proc/acpi/bbswitch to ON and OFF, I don't know what happens if I write something different and judging from the amount of troubles my GC gave me it will probably be something bad. I have to know that if I'm asked a password or the program doesn't start, I have to check that the switch commands are written correctly.
ubuntu sudo
edited Feb 18 at 15:15
Rui F Ribeiro
41.5k1482140
asked Feb 18 at 14:15
GRBGRB
1114
|
show 4 more comments
I'm having a bit of trouble with sudoers syntax. Long story short, I'm struggling with my graphics card and I recently found out that I can turn it on and off with a simple command (previously it was always off, which is good 90% of the times, but sometimes I'd like to use its extra power sometimes). My idea is to use these two commands in various script to turn on the GC, execute a command that uses the GC and then turn it off, something like this:
sudo tee /proc/acpi/bbswitch <<<ON
optirun [command]
sudo tee /proc/acpi/bbswitch <<<OFF
Problem is, these script are very rarely executed in a shell, they are mostly executed by double-clicking on the .sh file. So I looked into how to avoid password for specific sudo commands and found out about sudoers.
I executed visudo and added a line at the end of the file:
grb ALL=(ALL) NOPASSWD: tee /proc/acpi/bbswitch <<<OFF, tee /proc/acpi/bbswitch <<<ON
but as soon as I close the editor, visudo says there is a syntax error, but nothing more. The syntax error is raised even if I add only one command:
grb ALL=(ALL) NOPASSWD: tee /proc/acpi/bbswitch <<<OFF
This line was added as the last and it's the first time that I edit the sudoers file.
If it's useful, I'm using Ubuntu MATE 18.04. I suspect the answer is really simple, but I can't find any documentation specific enough for my case. I want to stress that I need to limit the possible inputs to /proc/acpi/bbswitch to ON and OFF, I don't know what happens if I write something different and judging from the amount of troubles my GC gave me it will probably be something bad. I have to know that if I'm asked a password or the program doesn't start, I have to check that the switch commands are written correctly.
ubuntu sudo
edited Feb 18 at 15:15
Rui F Ribeiro
41.5k1482140
asked Feb 18 at 14:15
GRBGRB
1114
3
Note that the redirection is not part of the command.
– Kusalananda
Feb 18 at 14:27
1
Maybe the practical solution would be to create a script (perhaps using acasestatement, that does nothing for cases other thanONandOFF) and make that executable without a password?
– steeldriver
Feb 18 at 14:56
@Kusalananda That's what I suspected. Is there a way to make it part of the command?
– GRB
Feb 18 at 15:04
I'd usegksudoinstead of sudo, so a windows, when used, will prompt a graphic dialog to enter the password
– DDS
Feb 18 at 15:05
@steeldriver That may be a really good and easy idea. If there are no direct solutions, you should post your answer, so that I can accept it.
– GRB
Feb 18 at 15:06
|
show 4 more comments
I'm having a bit of trouble with sudoers syntax. Long story short, I'm struggling with my graphics card and I recently found out that I can turn it on and off with a simple command (previously it was always off, which is good 90% of the times, but sometimes I'd like to use its extra power sometimes). My idea is to use these two commands in various script to turn on the GC, execute a command that uses the GC and then turn it off, something like this:
sudo tee /proc/acpi/bbswitch <<<ON
optirun [command]
sudo tee /proc/acpi/bbswitch <<<OFF
Problem is, these script are very rarely executed in a shell, they are mostly executed by double-clicking on the .sh file. So I looked into how to avoid password for specific sudo commands and found out about sudoers.
I executed visudo and added a line at the end of the file:
grb ALL=(ALL) NOPASSWD: tee /proc/acpi/bbswitch <<<OFF, tee /proc/acpi/bbswitch <<<ON
but as soon as I close the editor, visudo says there is a syntax error, but nothing more. The syntax error is raised even if I add only one command:
grb ALL=(ALL) NOPASSWD: tee /proc/acpi/bbswitch <<<OFF
This line was added as the last and it's the first time that I edit the sudoers file.
If it's useful, I'm using Ubuntu MATE 18.04. I suspect the answer is really simple, but I can't find any documentation specific enough for my case. I want to stress that I need to limit the possible inputs to /proc/acpi/bbswitch to ON and OFF, I don't know what happens if I write something different and judging from the amount of troubles my GC gave me it will probably be something bad. I have to know that if I'm asked a password or the program doesn't start, I have to check that the switch commands are written correctly.
ubuntu sudo
edited Feb 18 at 15:15
Rui F Ribeiro
41.5k1482140
asked Feb 18 at 14:15
GRBGRB
1114
I'm having a bit of trouble with sudoers syntax. Long story short, I'm struggling with my graphics card and I recently found out that I can turn it on and off with a simple command (previously it was always off, which is good 90% of the times, but sometimes I'd like to use its extra power sometimes). My idea is to use these two commands in various script to turn on the GC, execute a command that uses the GC and then turn it off, something like this:
sudo tee /proc/acpi/bbswitch <<<ON
optirun [command]
sudo tee /proc/acpi/bbswitch <<<OFF
Problem is, these script are very rarely executed in a shell, they are mostly executed by double-clicking on the .sh file. So I looked into how to avoid password for specific sudo commands and found out about sudoers.
I executed visudo and added a line at the end of the file:
grb ALL=(ALL) NOPASSWD: tee /proc/acpi/bbswitch <<<OFF, tee /proc/acpi/bbswitch <<<ON
but as soon as I close the editor, visudo says there is a syntax error, but nothing more. The syntax error is raised even if I add only one command:
grb ALL=(ALL) NOPASSWD: tee /proc/acpi/bbswitch <<<OFF
This line was added as the last and it's the first time that I edit the sudoers file.
If it's useful, I'm using Ubuntu MATE 18.04. I suspect the answer is really simple, but I can't find any documentation specific enough for my case. I want to stress that I need to limit the possible inputs to /proc/acpi/bbswitch to ON and OFF, I don't know what happens if I write something different and judging from the amount of troubles my GC gave me it will probably be something bad. I have to know that if I'm asked a password or the program doesn't start, I have to check that the switch commands are written correctly.
ubuntu sudo
ubuntu sudo
edited Feb 18 at 15:15
Rui F Ribeiro
41.5k1482140
asked Feb 18 at 14:15
GRBGRB
1114
edited Feb 18 at 15:15
Rui F Ribeiro
41.5k1482140
asked Feb 18 at 14:15
GRBGRB
1114
edited Feb 18 at 15:15
Rui F Ribeiro
41.5k1482140
edited Feb 18 at 15:15
Rui F Ribeiro
41.5k1482140
edited Feb 18 at 15:15
Rui F Ribeiro
41.5k1482140
41.5k1482140
asked Feb 18 at 14:15
GRBGRB
1114
asked Feb 18 at 14:15
GRBGRB
1114
asked Feb 18 at 14:15
GRBGRB
1114
1114
3
Note that the redirection is not part of the command.
– Kusalananda
Feb 18 at 14:27
1
Maybe the practical solution would be to create a script (perhaps using acasestatement, that does nothing for cases other thanONandOFF) and make that executable without a password?
– steeldriver
Feb 18 at 14:56
@Kusalananda That's what I suspected. Is there a way to make it part of the command?
– GRB
Feb 18 at 15:04
I'd usegksudoinstead of sudo, so a windows, when used, will prompt a graphic dialog to enter the password
– DDS
Feb 18 at 15:05
@steeldriver That may be a really good and easy idea. If there are no direct solutions, you should post your answer, so that I can accept it.
– GRB
Feb 18 at 15:06
|
show 4 more comments
3
Note that the redirection is not part of the command.
– Kusalananda
Feb 18 at 14:27
1
Maybe the practical solution would be to create a script (perhaps using acasestatement, that does nothing for cases other thanONandOFF) and make that executable without a password?
– steeldriver
Feb 18 at 14:56
@Kusalananda That's what I suspected. Is there a way to make it part of the command?
– GRB
Feb 18 at 15:04
I'd usegksudoinstead of sudo, so a windows, when used, will prompt a graphic dialog to enter the password
– DDS
Feb 18 at 15:05
@steeldriver That may be a really good and easy idea. If there are no direct solutions, you should post your answer, so that I can accept it.
– GRB
Feb 18 at 15:06
3
3
Note that the redirection is not part of the command.
– Kusalananda
Feb 18 at 14:27
Note that the redirection is not part of the command.
– Kusalananda
Feb 18 at 14:27
1
1
Maybe the practical solution would be to create a script (perhaps using a
case statement, that does nothing for cases other than ON and OFF) and make that executable without a password?– steeldriver
Feb 18 at 14:56
Maybe the practical solution would be to create a script (perhaps using a
case statement, that does nothing for cases other than ON and OFF) and make that executable without a password?– steeldriver
Feb 18 at 14:56
@Kusalananda That's what I suspected. Is there a way to make it part of the command?
– GRB
Feb 18 at 15:04
@Kusalananda That's what I suspected. Is there a way to make it part of the command?
– GRB
Feb 18 at 15:04
I'd use
gksudo instead of sudo, so a windows, when used, will prompt a graphic dialog to enter the password– DDS
Feb 18 at 15:05
I'd use
gksudo instead of sudo, so a windows, when used, will prompt a graphic dialog to enter the password– DDS
Feb 18 at 15:05
@steeldriver That may be a really good and easy idea. If there are no direct solutions, you should post your answer, so that I can accept it.
– GRB
Feb 18 at 15:06
@steeldriver That may be a really good and easy idea. If there are no direct solutions, you should post your answer, so that I can accept it.
– GRB
Feb 18 at 15:06
|
show 4 more comments
1 Answer
1
active
oldest
votes
A redirection is not part of the actual command. It's just an instruction to the shell to arrange the plumbing for standard input and output in certain ways before actually running the command.
Therefore, it makes no sense to include the <<< "here-string" redirection in the command in the sudoers file.
Instead, since you'd like to restrict the use to only allowing the strings ON or OFF to be written to /proc/acpi/bbswitch, you could make a script like this:
#!/bin/sh
case $1 in
ON) ;; # nothing
OFF) ;; # nothing here either
*) printf 'Usage: %s ON|OFFn' "$0" >&2
exit 1
esac
printf '%sn' "$1" >/proc/acpi/bbswitch
You would then put this in a directory where the required users could access it, but not modify it, and allow them to use it with the ON or OFF command line argument, e.g.
grb ALL=(ALL) NOPASSWD: /some/path/script.sh ON, /some/path/script.sh OFF
(or something similar)
answered Feb 18 at 15:54
KusalanandaKusalananda
135k17255422
add a comment |
Your Answer
StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "106"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);
else
createEditor();
);
function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);
);
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f501366%2fsudoers-to-remove-password-from-specific-commands%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
A redirection is not part of the actual command. It's just an instruction to the shell to arrange the plumbing for standard input and output in certain ways before actually running the command.
Therefore, it makes no sense to include the <<< "here-string" redirection in the command in the sudoers file.
Instead, since you'd like to restrict the use to only allowing the strings ON or OFF to be written to /proc/acpi/bbswitch, you could make a script like this:
#!/bin/sh
case $1 in
ON) ;; # nothing
OFF) ;; # nothing here either
*) printf 'Usage: %s ON|OFFn' "$0" >&2
exit 1
esac
printf '%sn' "$1" >/proc/acpi/bbswitch
You would then put this in a directory where the required users could access it, but not modify it, and allow them to use it with the ON or OFF command line argument, e.g.
grb ALL=(ALL) NOPASSWD: /some/path/script.sh ON, /some/path/script.sh OFF
(or something similar)
answered Feb 18 at 15:54
KusalanandaKusalananda
135k17255422
add a comment |
A redirection is not part of the actual command. It's just an instruction to the shell to arrange the plumbing for standard input and output in certain ways before actually running the command.
Therefore, it makes no sense to include the <<< "here-string" redirection in the command in the sudoers file.
Instead, since you'd like to restrict the use to only allowing the strings ON or OFF to be written to /proc/acpi/bbswitch, you could make a script like this:
#!/bin/sh
case $1 in
ON) ;; # nothing
OFF) ;; # nothing here either
*) printf 'Usage: %s ON|OFFn' "$0" >&2
exit 1
esac
printf '%sn' "$1" >/proc/acpi/bbswitch
You would then put this in a directory where the required users could access it, but not modify it, and allow them to use it with the ON or OFF command line argument, e.g.
grb ALL=(ALL) NOPASSWD: /some/path/script.sh ON, /some/path/script.sh OFF
(or something similar)
answered Feb 18 at 15:54
KusalanandaKusalananda
135k17255422
add a comment |
A redirection is not part of the actual command. It's just an instruction to the shell to arrange the plumbing for standard input and output in certain ways before actually running the command.
Therefore, it makes no sense to include the <<< "here-string" redirection in the command in the sudoers file.
Instead, since you'd like to restrict the use to only allowing the strings ON or OFF to be written to /proc/acpi/bbswitch, you could make a script like this:
#!/bin/sh
case $1 in
ON) ;; # nothing
OFF) ;; # nothing here either
*) printf 'Usage: %s ON|OFFn' "$0" >&2
exit 1
esac
printf '%sn' "$1" >/proc/acpi/bbswitch
You would then put this in a directory where the required users could access it, but not modify it, and allow them to use it with the ON or OFF command line argument, e.g.
grb ALL=(ALL) NOPASSWD: /some/path/script.sh ON, /some/path/script.sh OFF
(or something similar)
answered Feb 18 at 15:54
KusalanandaKusalananda
135k17255422
A redirection is not part of the actual command. It's just an instruction to the shell to arrange the plumbing for standard input and output in certain ways before actually running the command.
Therefore, it makes no sense to include the <<< "here-string" redirection in the command in the sudoers file.
Instead, since you'd like to restrict the use to only allowing the strings ON or OFF to be written to /proc/acpi/bbswitch, you could make a script like this:
#!/bin/sh
case $1 in
ON) ;; # nothing
OFF) ;; # nothing here either
*) printf 'Usage: %s ON|OFFn' "$0" >&2
exit 1
esac
printf '%sn' "$1" >/proc/acpi/bbswitch
You would then put this in a directory where the required users could access it, but not modify it, and allow them to use it with the ON or OFF command line argument, e.g.
grb ALL=(ALL) NOPASSWD: /some/path/script.sh ON, /some/path/script.sh OFF
(or something similar)
answered Feb 18 at 15:54
KusalanandaKusalananda
135k17255422
answered Feb 18 at 15:54
KusalanandaKusalananda
135k17255422
answered Feb 18 at 15:54
KusalanandaKusalananda
135k17255422
answered Feb 18 at 15:54
KusalanandaKusalananda
135k17255422
135k17255422
add a comment |
add a comment |
Thanks for contributing an answer to Unix & Linux Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f501366%2fsudoers-to-remove-password-from-specific-commands%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
3
Note that the redirection is not part of the command.
– Kusalananda
Feb 18 at 14:27
1
Maybe the practical solution would be to create a script (perhaps using a
casestatement, that does nothing for cases other thanONandOFF) and make that executable without a password?– steeldriver
Feb 18 at 14:56
@Kusalananda That's what I suspected. Is there a way to make it part of the command?
– GRB
Feb 18 at 15:04
I'd use
gksudoinstead of sudo, so a windows, when used, will prompt a graphic dialog to enter the password– DDS
Feb 18 at 15:05
@steeldriver That may be a really good and easy idea. If there are no direct solutions, you should post your answer, so that I can accept it.
– GRB
Feb 18 at 15:06