/etc/sudoers modification with visudo does not persist after reboot

Status
Not open for further replies.

jucestain

Cadet
Joined
Apr 22, 2017
Messages
9
If I modify /etc/sudoers with visudo, for instance if I add:

Editor1 ALL = NOPASSWD: /usr/bin/tar

to the sudoers file so that Editor1 user can use tar as sudo without being prompted for a password, after a reboot it goes away.

So, is there a way to set this through the GUI? If not, is there a best practice to allow system changes to persist after reboot for settings not set through the GUI?
 

Ericloewe

Server Wrangler
Moderator
Joined
Feb 15, 2014
Messages
20,194

jucestain

Cadet
Joined
Apr 22, 2017
Messages
9
They don't.


Yes, there's a "permit sudo" checkbox in edit user.

I'd like to be able to run the command without prompting for a password, so I specifically need to use:

Editor1 ALL = NOPASSWD: /usr/bin/tar

This user already has sudo enabled through the GUI. Am I just sol?
 

Ericloewe

Server Wrangler
Moderator
Joined
Feb 15, 2014
Messages
20,194
Yeah, I don't think that's supported... Good practices and all.

What are you trying to accomplish? There might be a better way.
 

jucestain

Cadet
Joined
Apr 22, 2017
Messages
9
I am writing a backup script run on a client. It basically tar balls some files over to the storinator, which untars the files with sudo so it maintains permissions. Since this is a backup script run as a cron I don't want to store the password or provide it. Since I have tar configured to run with NOPASSWD, it runs fine for now.

Is there a better way to go about this?
 

jucestain

Cadet
Joined
Apr 22, 2017
Messages
9
I think you just want to tell tar to retain ownership and permissions: https://superuser.com/questions/838...erving-not-only-permissions-but-ownership-too
Let me explain a little more:

So how our system is set up is that the client will tar the files and then send them through ssh over to the storinator. This is done by adding an ssh key from our client to the storinator. I also want to "tell" the storinator to untar the files while preserving permissions. In order to do this you have to run tar as sudo on the storinator. But the problem is that sudo requires a password and this is set up as a nightly cron. So I've gone around this by allowing the user to run tar without a password on the storinator. The command I use on the client looks something like:

tar czpf - $FILE | ssh Editor1@storinator "cd $DIRECTORY && sudo tar xvzpf -"

Is this a bad way to set things up? It's worked perfectly so far. Basically all files are mirrored to the storinator with everything preserved. The only issue right now is if there's a reboot the /etc/sudoers gets reset, so if this happens it will cause our backup scripts to start failing.
 

fracai

Guru
Joined
Aug 22, 2012
Messages
1,212
Ah, I see. I thought you could run the 'tar x' command on the NAS as root, but everything is initiated by the client.

As I see it, one alternative would be to have the NAS pull files from each client. You would place an SSH key for each client user on the NAS. The script to tar, transfer, and extract would be run on the NAS as root.

Or, you could have each client transfer the tar file to the server and a separate task run on the NAS would extract.

Or, why are you bothering to use tar? Just use rsync which can be configured to retain permissions and use compression (which may or may not improve speed depending on your connection speed and CPU performance).
 

beamish04

Cadet
Joined
Apr 8, 2017
Messages
5
Hi jucestain,

I am having the same issue. I want to enable a single command to be executed with sudo. So far I did not manage to add a line persistently. If I add it with visudo it works until the next reboot. After that the sudoers file gets re-generated from the FreeNAS database and does not contain my config. Also I did not find a tunable to add it to the database ... I would be very thankful if you share your experience once you have found a solution.

thanks & cheers, Daniel
 

jucestain

Cadet
Joined
Apr 22, 2017
Messages
9
I think I will switch to having the NAS do the backups. I like the idea of having everything centralized on the NAS.

I also think rsync needs to be run with sudo to retain permissions? I have also set:

Editor1 ALL = NOPASSWD: /usr/bin/rsync

as well but just didn't post it in the OP. Is it typical to just run these types of backup scripts on root's crontab?

My main issue here is I want to keep the files non-compressed (i.e. no tar.gz or .zip) on the NAS and I also want to retain all permissions.

Thanks!
 

fracai

Guru
Joined
Aug 22, 2012
Messages
1,212
Ah, it's very likely that rsync would need root as well.

In general you should run commands with the lowest permissions possible (i.e. not root), but if you need to be setting ownership you will need root.
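
The NAS-side pull suggested earlier in the thread, as an added example (not code from any poster or from FreeNAS): run from root's crontab on the NAS, it needs no sudoers edit, and rsync leaves the files uncompressed with ownership and permissions preserved. The client names, key path and dataset path are hypothetical, and the remote account is assumed to be able to read the files being backed up.

```shell
#!/bin/sh
# Added example: pull backups from the NAS side, run as root on the NAS.
# Hypothetical values: BACKUP_ROOT, SSH_KEY and the client entries below.
BACKUP_ROOT="${BACKUP_ROOT:-/mnt/tank/backups}"
SSH_KEY="${SSH_KEY:-/root/.ssh/backup_pull_key}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = only print the rsync command, 0 = run it

# Constructed sample entries, one per line: host:remote_user:absolute_path
CLIENTS="client1:backup:/home/projects
client2:backup:/srv/data"

# Split an entry into host/user/path and reject anything that is not a plain
# name or a plain absolute path, so a bad entry cannot be read as an option
# or reach the remote shell as metacharacters.
valid_entry() {
    host=${1%%:*}; rest=${1#*:}; user=${rest%%:*}; path=${rest#*:}
    case "$host" in ""|-*|*[!A-Za-z0-9._-]*) return 1 ;; esac
    case "$user" in ""|-*|*[!A-Za-z0-9._-]*) return 1 ;; esac
    case "$path" in /*) ;; *) return 1 ;; esac
    case "$path" in *[!A-Za-z0-9._/-]*|*..*) return 1 ;; esac
}

# Pull one client into its own directory under BACKUP_ROOT.
pull_one() {
    valid_entry "$1" || { echo "skip invalid entry: $1" >&2; return 1; }
    dest="$BACKUP_ROOT/$host"
    # -a keeps permissions, times, owner and group; setting the owner is what
    # requires root on the receiving side (here: the NAS, not the client).
    # --numeric-ids keeps uid/gid numbers instead of mapping them by name.
    set -- rsync -a --numeric-ids \
        -e "ssh -i $SSH_KEY -o BatchMode=yes" \
        "$user@$host:$path/" "$dest/"
    # Dry run prints the arguments space-joined (the -e value is one argument).
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; return 0; fi
    mkdir -p "$dest" && "$@"
}

# Pull every client; keep going after a failure but report it in the exit code.
pull_all() {
    rc=0
    for entry in $CLIENTS; do
        pull_one "$entry" || rc=1
    done
    return $rc
}

pull_all
```

With `DRY_RUN=0` set in the cron entry the same script performs the transfers; `BatchMode=yes` makes ssh fail instead of waiting for a password prompt when the key is not accepted.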
 