I run a few scripts as a normal user with commands which normally require root privileges. To avoid having to enter the root password in the scripts I use the sudo command with an entry in the /etc/sudoers file like this (here in bold):
## User privilege specification
##
root ALL=(ALL) ALL
**uli ALL=(ALL) NOPASSWD: /bin/mount, /bin/umount, /usr/local/bin/protonvpn**
## Uncomment to allow members of group wheel to execute any command
Up to now this always worked without any problems but now I always get asked for the root password. Has anything changed?
```
uli@linux-4skc:~/bin> sudo protonvpn c --cc DE
[sudo] password for root:
uli@linux-4skc:~/bin> ^C
```
It still works for me … I suspect a problem within the sudoers file config. Do you have any other permissions given to a group uli would be a member of, or to the uli user, in the sudoers file?
Can you show the full sudoers file and any file in the /etc/sudoers.d directory?
Thank you, PerfMonk, the rest of the sudoers file was never touched and there is no other file in /etc/sudoers.d:
```
linux-4skc:~ # cd /etc/sudoers.d/
linux-4skc:/etc/sudoers.d # ls
linux-4skc:/etc/sudoers.d # cat ../sudoers
## sudoers file.
##
## This file MUST be edited with the 'visudo' command as root.
## Failure to use 'visudo' may result in syntax or file permission errors
## that prevent sudo from running.
##
## See the sudoers man page for the details on how to write a sudoers file.
##
##
## Host alias specification
##
## Groups of machines. These may include host names (optionally with wildcards),
## IP addresses, network numbers or netgroups.
# Host_Alias WEBSERVERS = www1, www2, www3
##
## User alias specification
##
## Groups of users. These may consist of user names, uids, Unix groups,
## or netgroups.
# User_Alias ADMINS = millert, dowdy, mikef
##
## Cmnd alias specification
##
## Groups of commands. Often used to group related commands together.
# Cmnd_Alias PROCESSES = /usr/bin/nice, /bin/kill, /usr/bin/renice, \
# /usr/bin/pkill, /usr/bin/top
# Cmnd_Alias REBOOT = /sbin/halt, /sbin/reboot, /sbin/poweroff
##
## Defaults specification
##
## Prevent environment variables from influencing programs in an
## unexpected or harmful way (CVE-2005-2959, CVE-2005-4158, CVE-2006-0151)
Defaults always_set_home
## Path that will be used for every command run from sudo
Defaults secure_path="/usr/sbin:/usr/bin:/sbin:/bin"
Defaults env_reset
## Change env_reset to !env_reset in previous line to keep all environment variables
## Following list will no longer be nevessary after this change
Defaults env_keep = "LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_ATIME LC_ALL LANGUAGE LINGUAS XDG_SESSION_COOKIE"
## Comment out the preceding line and uncomment the following one if you need
## to use special input methods. This may allow users to compromise the root
## account if they are allowed to run commands without authentication.
#Defaults env_keep = "LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_ATIME LC_ALL LANGUAGE LINGUAS XDG_SESSION_COOKIE"
## Do not insult users when they enter an incorrect password.
Defaults !insults
## Uncomment to use a hard-coded PATH instead of the user's to find commands
# Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
##
## Uncomment to send mail if the user does not enter the correct password.
# Defaults mail_badpass
##
## Uncomment to enable logging of a command's output, except for
## sudoreplay and reboot. Use sudoreplay to play back logged sessions.
# Defaults log_output
# Defaults!/usr/bin/sudoreplay !log_output
# Defaults!REBOOT !log_output
## In the default (unconfigured) configuration, sudo asks for the root password.
## This allows use of an ordinary user account for administration of a freshly
## installed system. When configuring sudo, delete the two
## following lines:
Defaults targetpw # ask for the password of the target user i.e. root
ALL ALL=(ALL) ALL # WARNING! Only use this together with 'Defaults targetpw'!
##
## Runas alias specification
##
##
## User privilege specification
##
root ALL=(ALL) ALL
#uli ALL=(ALL) NOPASSWD:/bin/mount,/bin/umount,/usr/local/bin/protonvpn
uli linux-4skc=NOPASSWD:/bin/mount,/bin/umount,/usr/local/bin/protonvpn
## Uncomment to allow members of group wheel to execute any command
# %wheel ALL=(ALL) ALL
## Same thing without a password
# %wheel ALL=(ALL) NOPASSWD: ALL
## Read drop-in files from /etc/sudoers.d
## (the '#' here does not indicate a comment)
#includedir /etc/sudoers.d
linux-4skc:/etc/sudoers.d #
```
As you can see I have played around a bit with different options, so far no success. The mount/umount is to mount the NAS for backups (not very regularly). I have the same line in the sudoers file on my Leap computers (with mount/unmount - not protonvpn). Have to check whether it still works there.
OK, the normal mount command works with sudo - the problem is the openvpn command:
```
uli@linux-4skc:~/bin> sudo mount -t nfs 192.168.2.2:/mnt/md1/ulimnt /home/uli/ulimnt
Created symlink /run/systemd/system/remote-fs.target.wants/rpc-statd.service → /usr/lib/systemd/system/rpc-statd.service.
uli@linux-4skc:~/bin> sudo protonvpn c --cc DE
[sudo] password for root:
uli@linux-4skc:~/bin>
```
So as root the openvpn command is no problem:
```
uli@linux-4skc:~/bin> su -
Password:
linux-4skc:~ # protonvpn c --cc DE
Connecting to DE#33 via UDP...
Connected!
linux-4skc:~ # protonvpn d
Disconnected.
linux-4skc:~ #
```
Sorry, arvidjaar, I meant protonvpn (which is based on openvpn). My mistake. So now I have to find out why protonvpn works without problem when I use it as root but not with the sudo command before.
Thanks for the link, malcolmlewis, but then I would need to have a sudo NOPASSWD set-up for systemd. What I want to do is have an icon on the desktop which activates protonVPN so that people without knowledge of the command line (like my wife) can activate the VPN. The root password should not be anywhere in the command (or script) behind the icon - hence the setup with sudo and NOPASSWD. I have seen the sudoers line “user ALL = (root) NOPASSWD: /usr/local/bin/protonvpn” (which has (root) instead of (ALL)) in https://github.com/ProtonVPN/linux-cli/blob/master/USAGE.md#disable-sudo-password-query and I will try this later.
Hi
I don’t use vpn, but would imagine a policy kit rule, run the systemd service as your user (which, as far as I can tell, is what the user suggests), activate it at boot (which the service does).
I see no reason why it needs to be run as root, seems it should run as a user process…
That does not work either - still asks for root password. I must admit I expected this result since the line “root ALL=(ALL) ALL” in the sudoers file indicates that there is no difference between (ALL) and (root).
In the link you sent me there is the following:
Enable and start the service
```
sudo systemctl enable protonvpn.service
sudo systemctl start protonvpn.service
```
The VPN should not start at boot but only when required. So far from the command line as root it is no problem and I used it for quite some time. The attempt to make it easy to use is the problem…
I must admit that I don’t quite understand what this script does (or how the systemd services are set up and work). I presume if I follow the instructions the protonvpn service would start at boot (at least when they are enabled). That would mean if I don’t want it to start at boot every time this service needs to be disabled. Then I would need the first line in the sudoers file to enable the service, a second line to start the service and a third line to stop the service. The alternative would be to allow all systemctl commands with sudo and without password and I don’t want to allow that. The second question is whether your line works at all with the command, the option and the service in one line in the sudoers file (maybe with quotation marks because of the spaces, etc.). You know much more about all of these things but to me it looks as if it would be easier to try to find the solution to the single line to enable “sudo protonvpn” with NOPASSWD.
So I installed the protonVPN GUI and there I first have to log into my protonVPN account and afterwards it asks for the root password. I added the following line in /etc/sudoers:
but I am still asked for the root password. Then I came across the following:
```
uli@linux-4skc:~> sudo which protonvpn
[sudo] password for root:
which: no protonvpn in (/usr/sbin:/usr/bin:/sbin:/bin)
uli@linux-4skc:~> su -
Password:
linux-4skc:~ # which protonvpn
/usr/local/bin/protonvpn
linux-4skc:~ #
```
Here it looks as if the sudo command looks only in the path /usr/sbin:/usr/bin:/sbin:/bin and nowhere else. How come? That explains why I am asked for the root password and why the mounting/unmounting command works with sudo. Is that what you want to tell me, arvidjaar, that I have to set “secure_path” to include /usr/local/bin/?
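
A simplified model of the lookup discussed in the last post, as an added example that is not part of the original thread and is not sudo's own code: a bare command name is resolved through the `secure_path` directories, and only the resulting full path is compared with the NOPASSWD list. The function names and the temporary directory tree are constructed for the illustration; anything that does not match is assumed to fall through to the `ALL ALL=(ALL) ALL` rule with `targetpw` from the posted file, and host and run-as matching are ignored.

```shell
#!/bin/sh
# Simplified model (not sudo's code): resolve a command name through a
# secure_path-style search list, then compare the full path with a NOPASSWD list.

# resolve_cmd NAME SEARCH_PATH: print the first executable match, or fail.
resolve_cmd() (
    case $1 in
        */*) [ -x "$1" ] || exit 1; printf '%s\n' "$1"; exit 0 ;;
    esac
    IFS=:
    for dir in $2; do
        if [ -x "$dir/$1" ]; then printf '%s\n' "$dir/$1"; exit 0; fi
    done
    exit 1
)

# sudo_decision NAME SEARCH_PATH NOPASSWD_LIST (comma-separated full paths)
sudo_decision() (
    resolved=$(resolve_cmd "$1" "$2") || resolved=$1   # unresolved: keep bare name
    IFS=,
    for entry in $3; do
        if [ "$entry" = "$resolved" ]; then echo nopasswd; exit 0; fi
    done
    echo password   # modelled fall-through to 'ALL ALL=(ALL) ALL' + targetpw
)

# make_fixture: build a constructed directory tree with empty stand-in binaries.
make_fixture() (
    root=$(mktemp -d)
    mkdir -p "$root/usr/sbin" "$root/usr/bin" "$root/sbin" "$root/bin" "$root/usr/local/bin"
    for f in bin/mount bin/umount usr/bin/which usr/local/bin/protonvpn; do
        printf '#!/bin/sh\n' > "$root/$f"
        chmod +x "$root/$f"
    done
    printf '%s\n' "$root"
)

# Demo with the same layout as the thread, rooted in the temporary tree.
root=$(make_fixture)
allowed="$root/bin/mount,$root/bin/umount,$root/usr/local/bin/protonvpn"
secure="$root/usr/sbin:$root/usr/bin:$root/sbin:$root/bin"
for cmd in mount protonvpn "$root/usr/local/bin/protonvpn"; do
    printf '%-50s %s\n' "$cmd" "$(sudo_decision "$cmd" "$secure" "$allowed")"
done
rm -rf "$root"
```

In this model both the full path and a search list extended with `usr/local/bin` reach the NOPASSWD entry; the full path does so without widening the search list.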