fedora-26-minimal sudo not working -- workaround and possible fix #3833

Closed
trueriver opened this Issue Apr 19, 2018 · 7 comments

trueriver commented Apr 19, 2018

Qubes OS version:

R 4.0

Affected component(s):

template fedora-26-minimal sudo


Steps to reproduce the behavior:

Install template fedora-26-minimal
Open user xterm from gui or from dom0 command line

sudo -i

Check you have a dollar prompt

Expected behavior:

Get a root prompt: root

NB: the documentation suggests sudo is not installed: if this were true then the expected behaviour would be

bash: sudo command not found

Actual behavior:

sudo prompts for a password.

General notes:

sudo is an important part of many people's workflow. If it is a security risk it should not be installed; if it is not a significant risk then it should be properly configured, IMO

Workaround for Qubes users

I am assuming you are working with a cloned minimal template called fedora-26-mini

Open a root terminal on both Fedora-26-mini and on Fedora-26 using the following command in Dom0 terminal

for t in Fedora-26{,-mini}; do qvm-run -u root "$t" xterm & echo "$t"; done

(NB you do need that single & and it must be followed by a command so echo is as good as any)

In each terminal

ls -l /etc/sudoers.d

Note that two more files are included in the full template as compared to the minimal. The one that seems to matter for passwordless sudo is qubes. Copy this from the full template to the minimal one.

In the full template root user:

qvm-copy /etc/sudoers.d/qubes

In the minimal template root user

mv /home/QubesIncoming/fedora26/qubes /etc/sudoers.d/
chown root:root /etc/sudoers.d/qubes

Stop the minimal template domain. Open the xterm in the template from the GUI. At the user prompt type

sudo -i

and you should now get a root prompt.

Request to template devs:

[this section deleted by author -- see next post]

Related issues:

This is a known issue cited in the online docs, but I could not find a relevant open issue - apols if I missed it. I could not find any searching back to mid 2017. There are too many posts that reference sudo in command lines to look at them all the way back to the big bang

My reason for posting is to alert other users to a workaround, and to suggest how the devs could fix this when they have the time. Is this forum the right place to post user workarounds?
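
A check to run in the template after placing a rule file in /etc/sudoers.d, as the workaround above does. This is an added example, not part of the original issue or of Qubes code; the function names, the optional owner argument and the sample files are constructed for illustration.

```bash
#!/usr/bin/env bash
# Audit a sudoers drop-in directory after copying a rule file into it.
# Usage: audit_sudoers_dir DIR [OWNER_UID]   (OWNER_UID defaults to 0, root)
audit_sudoers_dir() {
    local dir=$1 owner=${2:-0} f name line
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=${f##*/}
        # sudo's includedir skips names that end in '~' or contain a '.'
        case $name in
            *~|*.*) echo "SKIPPED $name"; continue ;;
        esac
        # The workaround runs chown root:root; confirm the owner took effect
        [ -n "$(find "$f" -prune -user "$owner")" ] || echo "OWNER $name"
        # visudo writes sudoers files as 0440; flag any other mode for review
        [ -n "$(find "$f" -prune -perm 0440)" ] || echo "MODE $name"
        # Active (uncommented) rules that grant sudo without a password
        grep -E '^[^#]*NOPASSWD' "$f" | while IFS= read -r line; do
            echo "NOPASSWD $name: $line"
        done
    done
    return 0
}

# Constructed sample directory (not taken from a real template)
demo_audit() {
    local d
    d=$(mktemp -d) || return 1
    printf 'user ALL=(ALL) NOPASSWD: ALL\n' > "$d/qubes"
    printf 'user ALL=(ALL) NOPASSWD: ALL\n' > "$d/qubes.rpmsave"
    printf '# user ALL=(ALL) NOPASSWD: ALL\n' > "$d/local"
    chmod 0440 "$d/qubes" "$d/qubes.rpmsave"
    chmod 0644 "$d/local"
    # Files here belong to the caller, so pass the caller's uid as the owner
    audit_sudoers_dir "$d" "$(id -u)"
    rm -rf "$d"
}

demo_audit
```

In a template, run `audit_sudoers_dir /etc/sudoers.d` as root; `visudo -c` additionally checks the syntax of the included files.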

trueriver Apr 19, 2018

I now realise #3157 applies.

That issue said the current behaviour is intended, and the issue closed; followed by an offer to reconsider. I am now asking you to consider a slightly different way of achieving the effect to enable the normal qubes behaviour.

Please include a version of the qubes file that has the relevant line commented out. Add above that line a comment saying that uncommenting the following line will activate passwordless root.

The advantage would be to make it a lot easier for a user unfamiliar with both sudo and qubes to get sudo working.

I also suggest the same for qubes-input-trigger, for the same reasons.

I suggest this sets a better balance between the intent (to not have features enabled if possible) and making it reasonably easy to add the feature. The cost is two short config files and I feel that fedora-26-minimal is not so minimal that another two disk blocks really matters. Omitting a package is one thing, including the package without the (commented out) normal qubes config is too miserly, in my opinion.

The current doc advice that sudo is "not installed" is misleading (inciting futile attempts to dnf install sudo). This should be changed to say that sudo is installed but deliberately not configured for passwordless root, followed by brief instructions about how to enable it for those wishing to.

Same for enabling the qubes-input-trigger file.

marmarek Apr 19, 2018

Member

Actually, making passwordless sudo work in the minimal template is as easy as installing the qubes-core-agent-passwordless-root package.

See https://www.qubes-os.org/doc/templates/fedora-minimal/

@andrewdavidwong andrewdavidwong added this to the Documentation/website milestone Apr 20, 2018

andrewdavidwong Apr 20, 2018

Member

The current doc advice that sudo is "not installed" is misleading (inciting futile attempts to dnf install sudo). This should be changed to say that sudo is installed but deliberately not configured for passwordless root, followed by brief instructions about how to enable it for those wishing to.

Please consider submitting a PR for this.

@trueriver trueriver closed this Apr 20, 2018

andrewdavidwong Apr 21, 2018

Member

Reopening this issue so that it can be closed by your PR. 😃

trueriver Apr 24, 2018

Reopening this issue so that it can be closed by your PR.

Thanks Andrew, and I notice you closed it again afterwards.

Next time I submit a PR I will include the "Fixes" info to trigger auto-close.
