Refracta Development, Scripts, etc.

Re: some feedback on refracta2usb/installer

Sun Feb 09, 2014 4:57 pm

These are the relevant sudoers lines (in live session). I'm not sure if live-boot scripts might add at least one of them.
Code:
%sudo ALL=(ALL:ALL) ALL
user ALL=(ALL) NOPASSWD: ALL

Another possible way for the installer to handle sudo is to give the user simple choices:

1) disable sudo (recommended, default): Installer could parse these two lines and (in the installation) comment them automatically, using grep|sed

2) enable sudo (optional, maybe with security warning): Just leave "%sudo ALL= (ALL:ALL) ALL" and add $newuser to sudoers group. (IMO) we should not directly support password-less sudo at all, that line should be gone.

3) user edits manually, same as before. Or not, since a user who wants custom sudo configs can do so post-install and should already know how to.

That could suit everyone, whether you find doing visudo manually confusing or simply tedious.

Re: some feedback on refracta2usb/installer

Mon Feb 10, 2014 9:39 am

so if options

1) disable sudo (recommended, default):... comment them automatically


2) ..... (IMO) we should not directly support password-less sudo at all, that line should be gone.

I agree with this, password-less sudo is not to be advocated -so option 2) not necessary

3) user edits manually, same as before. Or not,...

and if does not want to edit, that is option 4) "No thanks" .. ahem, 3) if there's no 2)

Re: some feedback on refracta2usb/installer

Mon Feb 10, 2014 11:21 am

This:
Code:
for line in $(grep NOPASSWD sudoers);do sed -i "s/$line/#$line/" sudoers ; done

changed this:
Code:
#user   ALL=(ALL) NOPASSWD: ALL

to this:
Code:
##user   ##ALL=(ALL) #NOPASSWD: ALL

Not what I expected, but I guess it would work.

Installer could check if user is member of sudo group. If so, leave it alone. Changing user name should not change the group memberships. Installer also needs to check for NOPASSWD, comment it out and give user option to edit sudoers or become member of sudo group.

But if stock debian-live has no root password, that could leave you with no way to be root. Gotta run now. More later.

Re: some feedback on refracta2usb/installer

Mon Feb 10, 2014 9:28 pm

There's some stuff that needs reviewing here anyway, which probably affects refractasnapshot and future refracta live-images.
Code:
user ALL=(ALL) NOPASSWD: ALL

appears to have no business at all in sudoers in =>wheezy .. it's done in sudoers.d/live by live-config script 0040-sudo in standard debian images. Refractainstaller should delete that file (or line) automatically but it does not. Wherever it's placed, it is for live use only.

Note, it could be other than "user" in a different distro, or with a custom username (debian live tools do actually support that)

%sudo line seems present by default in sudoers, if you want sudo all you need do is add your user to sudo group (and maybe edit a few dot files in $HOME).

I got most of this info from comparing the official Debian-Live wheezy/xfce with official Refracta images (and might have missed or got something wrong). However (as Dean reminded me) I have forgotten what the official Debian installer does with sudo and root password (I don't use it much, prefer debootstrap) and it's about time I run it again.

I don't see why manual visudo is necessary at all in refractainstaller. The solution is not difficult... more later when I've done a few tests.
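An added example, not part of the thread or of refractainstaller: the `for line in $(grep ...)` loop posted earlier splits each match into words, so sed prefixed every word separately. The sketch below comments out whole NOPASSWD lines in one sed pass, skips lines that are already commented, and also removes the `sudoers.d/live` drop-in discussed above. The function names and the idea of passing the installation's root directory as an argument are assumptions; the demo tree is constructed.

```shell
#!/bin/sh
# Added example (not the installer's code); function names are hypothetical.

# Comment out each active NOPASSWD rule as a whole line. Lines that already
# start with '#' are skipped, so a second run changes nothing.
comment_nopasswd() {
    file=$1
    tmp=$(mktemp) || return 1
    sed '/^[[:space:]]*#/!{/NOPASSWD[[:space:]]*:/s/^/#/;}' "$file" > "$tmp" ||
        { rm -f "$tmp"; return 1; }
    # Syntax-check before touching the original, when visudo is available.
    if command -v visudo >/dev/null 2>&1 && ! visudo -cf "$tmp" >/dev/null 2>&1
    then
        rm -f "$tmp"; return 1
    fi
    cat "$tmp" > "$file"   # overwrite in place: owner and mode are kept
    rm -f "$tmp"
}

# Apply to an installed system rooted at $1: fix sudoers and drop the
# live-only file that live-config's 0040-sudo script creates.
disable_live_sudo() {
    root=$1
    comment_nopasswd "$root/etc/sudoers" || return 1
    rm -f "$root/etc/sudoers.d/live"
}

# Constructed demo tree so the example runs without touching /etc.
demo() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/etc/sudoers.d"
    printf '%s\n' '%sudo ALL=(ALL:ALL) ALL' 'user   ALL=(ALL) NOPASSWD: ALL' \
        '#old  ALL=(ALL) NOPASSWD: ALL' > "$d/etc/sudoers"
    echo 'user ALL=(ALL) NOPASSWD: ALL' > "$d/etc/sudoers.d/live"
    disable_live_sudo "$d" && disable_live_sudo "$d"   # second run: no-op
    cat "$d/etc/sudoers"
    rm -rf "$d"
}

demo
```

The `%sudo` group rule is left untouched, so membership in the sudo group still decides whether the installed user can use sudo with a password.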

Re: some feedback on refracta2usb/installer

Tue Feb 11, 2014 2:53 pm

I'll move the NOPASSWD line into sudoers.d/live, and add that file to the installer excludes list. It might be good to either re-create the file when making a snapshot or at least give the user instructions, in case they want sudo with no password in their live iso.

Does 0040-sudo need 'config=sudo' in the boot cmdline, or does it run with just 'config'? Looks like it would be nice to use that, since it deals with some of the user's config files, but it also looks like it might not work with a pre-configured user.

Re: some feedback on refracta2usb/installer

Tue Feb 11, 2014 4:41 pm

If you have a preconfigured user (and/or other stuff) 'config' can cause unpredictable problems (all scripts run, e.g. user-setup), you need "config=script1,script2,script3" OR "config noconfig=script1,script2,script3"

BTW if you're running sid with live-* from experimental (you probably should be, it's in quite good shape at the moment) "config" has changed to "components"

I can test later that "components=sudo" (config=sudo) works ok as I got a sid test box set up.

Today I'm testing a patch which sets sudo in one dialog box with no manual visudo. So far, it works. If anyone is interested I can put it to a pastebin (not here because of a censored directory!) Snip:

Code:
TITLE="Refracta Installer"

TEXT="\n\nLive images normally use 'sudo' for root access.\n\nIt is recommended to disable sudo in the installation and use 'su' with a root password \n\nOptionally you may keep sudo if preferred. The installer will configure the root password later. \n\nDisable default sudo in the installed system?"

# yad exits with the code of the chosen button: 0 = "Disable sudo", 1 = "Use sudo"
yad --image=gtk-dialog-question --width=460 --height=240 --title="$TITLE" --button="Disable sudo":0 --button="Use sudo":1 --text="$TEXT"

(using 9.0.9-beta7) the graphical locales setup works. Every locale on the live system is automatically checked, it's tedious to deselect them manually. Would like to find how to change that.

Re: some feedback on refracta2usb/installer

Tue Feb 11, 2014 10:44 pm

@dzz: When I run loc-timezn.sh, only the locales I have configured are checked. I tried it on my sid and on my refracta/wheezy (main install).

@orbspider: The only time I get the terminal version of the locales setup after the graphical version is if I cancel the graphical version. I can change the script so it doesn't do that. If I let the graphical version complete, then that's the end - I don't get the terminal version.

And regarding the windows that are too small to show all the choices - it looks like you're using zenity, not yad. Unfortunately, I don't do as much testing with zenity, but I'll take a look at that.

Re: some feedback on refracta2usb/installer

Wed Feb 12, 2014 12:06 am

Here's the current wording for changing the root password in the installer:
Would you like to change the root password? (Recommended)
You'll need to go to the terminal again...

Note: If your system has no root user, and you want
to keep it that way, say No.
"


I think I'll change that to
Note: If your system has no root user, and
uses sudo for all administrative tasks, and you
want to keep it that way, say No.

Re: some feedback on refracta2usb/installer

Wed Feb 12, 2014 1:58 am

Here is a diff for the installer mod I just tested on a sid image: http://paste.debian.net/81588/ It's only a suggestion and a rough draft (but it works and avoids manual visudo). It checks automatically if root password is unset and allows to keep it that way.

The locales which are configured in the live system are all checked, that's quite a few. A live image needs as many as possible to be international but an installation only needs the one(s) it will actually use.

I meant, it is tedious to go through the whole list and uncheck them. The easy way is just leave them in (but they take a little time to generate, with a busy cpu and no status output of what is happening). There must be a cache file somewhere because it remembers what you did last but I haven't found it yet. It's not a major problem but (like visudo) slows you down.

Re: some feedback on refracta2usb/installer

Wed Feb 12, 2014 9:26 pm

bookmarked refs:
http://people.debian.org/~schultmc/locales.html
https://wiki.archlinux.org/index.php/locale