Bug 11513

Summary: Editing the "sudoers" file to use Truecrypt as normal User with no need for root rights to mount the unencrypted volume fails
Product: Mageia Reporter: Uli Selle <uli.effer>
Component: RPM PackagesAssignee: Mageia Bug Squad <bugsquad>
Status: RESOLVED FIXED QA Contact:
Severity: normal    
Priority: Normal    
Version: Cauldron   
Target Milestone: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Source RPM: sudo-1.8.8-2.mga4 CVE:
Status comment:

Description Uli Selle 2013-10-23 08:55:33 CEST 
Description of problem:

I want to use Truecrypt as normal user without the need to use root- password for mounting the unencrypted volume.
To reach this I used "visudo" as described in the wiki (https://wiki.mageia.org/en/Truecrypt) and as I did in Mageia3 (sucsessful).

Here the subsection of the resulting "sudoers"

----------

#
# Defaults    requiretty

Defaults    env_reset
Defaults    env_keep =  "COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS"
Defaults    env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
Defaults    env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
Defaults    env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
Defaults    env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"

Defaults    secure_path = /sbin:/bin:/usr/sbin:/usr/bin

## Next comes the main part: which users can run what software on 
## which machines (the sudoers file can be shared between multiple
## systems).
## Syntax:
##
##      user    MACHINE=COMMANDS
##
## The COMMANDS section may have other options added to it.
username     machinename=(root) NOPASSWD:/usr/bin/truecrypt
## Allow root to run any commands anywhere

----------

After editing I restarted Mageia, then started Truecrypt as user choosed the encyption- file and tried to mount it. First I gave in the encryption passphrase, this is accepted, but then Mageia asks for the password of the user or root to mount the decrypted volume.
No matter what of the two I use, this request comes again and again, so I cant mount the volume.

Deinstalling sudo-1.8.8-2.mga4 and installing sudo-1.8.6p7-1.mga3 solves this problem, the behaviour of the system is as I expect...


Version-Release number of selected component (if applicable):
"sudo-1.8.8-2.mga4"

How reproducible:
Removing "sudo-1.8.8-2.mga4", installing "sudo-1.8.6p7-1.mga3" - it works ok.
Then: removing "sudo-1.8.6p7-1.mga3" and installing "sudo-1.8.8-2.mga4" again I behaves like described above.

Steps to Reproduce:
1. Try mountig tc- volume results in pw-requests for mounting
2. Deinstallation of "sudo-1.8.8-2.mga4" and installation of "sudo-1.8.6p7-1.mga3" results in mounting the tc- volume without mount- password as I whish.
3. Dinstallation of "sudo-1.8.6p7-1.mga3" and installation of "sudo-1.8.8-2.mga4" results again in requests for mount- pw


Reproducible: 

Steps to Reproduce:
Comment 1 David Walser 2013-10-23 15:27:05 CEST 
I'm not a sudo expert, but maybe there were some upstream changes that need some syntax adjustments for what you're trying to do:
http://www.sudo.ws/sudo/stable.html#1.8.8

Also, note that it's better to not use visudo or edit the sudoers file, but to add new sudoers information into a new file in /etc/sudoers.d
Comment 2 Uli Selle 2013-10-25 06:02:14 CEST 
Hello,

now I did the following:

- read Major Changes of Sudo from your link from 1.8.6p8 to 1.8.8
  - could not find any reason why the first proceeding did'nt work, ist not pretty to edit the " sudoers " file directly but it should work, if I do.

- installed " sudo-1.8.8-2.mga4 "
- took a look in the " sudoers " - it is default - no changes
- last line is " #includedir /etc/sudoers.d " so it should look at this directory and file.

Then created the file:

su
touch /etc/sudoers.d/ergaenzungen
chmod 0440 /etc/sudoers.d/ergaenzungen
nano /etc/sudoers.d/ergaenzungen

# Defaults    requiretty
# Truecrypt Volumes mounten
%truecrypt ALL=(root) NOPASSWD:/usr/bin/truecrypt

Saved and exited it, then reboot the machine.

Next entered Truecrypt again and tried to mount the volume - same behaviour as described in my first post.

After this I reinstalled "sudo-1.8.6p7-1.mga3" to see if this version uses the " /etc/sudoers.d/ergaenzungen " but it does'nt.

The only way to let Truecrypt work like I expect, is to use "sudo-1.8.6p7-1.mga3" and edit the " sudoers " file directly.

Do You have an idea what I did wrong?
Comment 3 David Walser 2013-10-25 17:29:43 CEST 
The sudo from Mageia 3 certain does read the files in /etc/sudoers.d, so it should still work with that version.  Looking more closely at this, I'm not sure that there's a way to override the Defaults requiretty line in /etc/sudoers with another entry in another file, so maybe at least for that, the visudo was still needed.  Also, make sure really have commented that line out, and not just added another commented copy about it, I think sudo 1.8.8 enforces requiretty more strictly (although I think if sudo fails because of that it gives an error message rather than still asking for a password).

BTW, does "which truecrypt" return /usr/bin/truecrypt?  I was just thinking maybe if /bin was in your PATH first and it was resolving to /bin/truecrypt, that wouldn't match what you put in sudoers.

Looking at your %truecrypt syntax, is your user a member of a group called truecrypt?

If you still can't get it to work, you might want to see with sudo upstream if they can help.
Comment 4 Uli Selle 2013-11-08 18:17:34 CET 
After Update of sudo from "sudo-1.8.8-2.mga4" to "sudo-1.8.8-3.mga4" all is working well.
Tested it on two different machines with two kernels, I think it is the sudo package which makes the difference.
I didn't change the "sudoers" configuration...

Status: NEW => RESOLVED
Resolution: (none) => FIXED