How to set up Linux sudo hosts file editing

In this article we go over how to set up your Linux machine so that editing the hosts file and clearing the DNS cache work without a password. This lets the WizardAssistant app spawn these processes without a sudo password prompt each time, which suits power users and anyone annoyed that flushing the resolver cache requires sudo.

To give you an idea of how the app works for Linux:

By default it tries to open the file as admin via xed/gedit, which is the Ubuntu/Mint Linux default.

xed admin:///etc/hosts

This relies on the gvfsd-admin binary. To get the full path to it:

whereis gvfsd-admin
gvfsd-admin: /usr/libexec/gvfsd-admin

You can then safely set up a sudoers include for all users or just your username, like the below:

sudo visudo -f /etc/sudoers.d/wizardassistant

All users:

ALL ALL=NOPASSWD: /usr/bin/xed, /usr/libexec/gvfsd-admin, /bin/systemctl, /usr/bin/systemd-resolve

A specific username “mike”:

mike ALL=NOPASSWD: /usr/bin/xed, /usr/libexec/gvfsd-admin, /bin/systemctl, /usr/bin/systemd-resolve

It tries to flush the DNS resolvers of the popular types via one of these methods:

sudo systemctl is-active systemd-resolved.service && sudo systemd-resolve --flush-caches
sudo systemctl is-active dnsmasq.service && sudo systemctl restart dnsmasq.service
sudo systemctl is-active nscd.service && sudo systemctl restart nscd.service

The above covers the systemctl and admin prompts for sudo access to flush DNS and edit the hosts file via sudo /usr/bin/xed /etc/hosts.
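How broad the sudoers rules above are can be checked mechanically. The following is an added example, not part of the original article or the WizardAssistant app: a shell function `audit_nopasswd` (a hypothetical helper name) lists the NOPASSWD entries that sudo will accept with any arguments. It is run over the article's all-users rule and over a constructed variant pinned to the flush commands listed above.

```shell
#!/bin/sh
# Added example: report NOPASSWD commands in a sudoers drop-in that have no
# argument list. sudo matches such an entry with ANY arguments, so a bare
# /bin/systemctl entry covers every systemctl subcommand, not just the flush.
# Simplification: one rule per line; no line continuations or Cmnd_Alias.

# Prints "<user> <command>" for each unrestricted entry; prints nothing when
# every NOPASSWD command is pinned to exact arguments.
audit_nopasswd() {
    awk '
        /^[ \t]*#/ || !/NOPASSWD:/ { next }        # skip comments, other rules
        {
            who = $1
            rest = $0
            sub(/^.*NOPASSWD:[ \t]*/, "", rest)     # keep only the command list
            n = split(rest, cmds, /[ \t]*,[ \t]*/)
            for (i = 1; i <= n; i++) {
                cmd = cmds[i]
                gsub(/^[ \t]+|[ \t]+$/, "", cmd)
                if (cmd != "" && cmd !~ /[ \t]/)    # path only, no arguments
                    print who, cmd
            }
        }
    ' "$1"
}

workdir=$(mktemp -d)

# The all-users rule from the article, verbatim.
cat > "$workdir/broad" <<'EOF'
ALL ALL=NOPASSWD: /usr/bin/xed, /usr/libexec/gvfsd-admin, /bin/systemctl, /usr/bin/systemd-resolve
EOF

# Constructed variant: only the DNS flush commands the article lists, pinned
# to their exact arguments for the example user "mike".
cat > "$workdir/pinned" <<'EOF'
mike ALL=NOPASSWD: /usr/bin/systemd-resolve --flush-caches
mike ALL=NOPASSWD: /bin/systemctl is-active systemd-resolved.service
mike ALL=NOPASSWD: /bin/systemctl is-active dnsmasq.service, /bin/systemctl is-active nscd.service
mike ALL=NOPASSWD: /bin/systemctl restart dnsmasq.service, /bin/systemctl restart nscd.service
EOF

echo "broad rule, unrestricted entries:";  audit_nopasswd "$workdir/broad"
echo "pinned rule, unrestricted entries:"; audit_nopasswd "$workdir/pinned"
```

A drop-in edited this way can be syntax-checked before use with `visudo -cf <file>`.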


Polkit sudo access

On Ubuntu/Debian/Mint Linux there is one other thing I recommend to avoid the polkit-related prompts for admin:// prefixed editing.

If we take a look at the log entry below, from tailing auth.log with `tail -f /var/log/auth.log`, we see that the action “org.gtk.vfs.file-operations” is controlled by polkitd.

polkitd(authority=local): Operator of unix-session:c2 successfully authenticated as unix-user:mike to gain TEMPORARY authorization for action org.gtk.vfs.file-operations for unix-process:6718:33430 [xed] (owned by unix-user:mike)

So to allow those in the “sudo” group (or “wheel” on some OSes) we just need to set up a policy rule. After browsing the internet I stumbled on the below link, which was very helpful but not immediately usable for my needs.
https://gitlab.gnome.org/GNOME/gvfs/blob/master/daemon/org.gtk.vfs.file-operations.rules

// Allows users belonging to wheel group to start gvfsd-admin without
// authorization. This prevents redundant password prompt when starting
// gvfsd-admin. The gvfsd-admin causes another password prompts to be shown
// for each client process using the different action id and for the subject
// based on the client process.
polkit.addRule(function(action, subject) {
        if ((action.id == "org.gtk.vfs.file-operations-helper") &&
            subject.local &&
            subject.active &&
            subject.isInGroup ("wheel")) {
            return polkit.Result.YES;
        }
});

So what I did was consult the Debian wiki and adapt their example for systemd unit management to the gvfsd-admin editing.

To allow users of group somegroup to manage systemd services, create /etc/polkit-1/localauthority/50-local.d/manage-units.pkla with the following content:

[Allow users to manage services]
Identity=unix-group:somegroup
Action=org.freedesktop.systemd1.manage-units
ResultActive=yes

The below rule is the one I’m using which solves the issue.

[Allows users belonging to sudo group to start gvfsd-admin]
Identity=unix-group:sudo
Action=org.gtk.vfs.file-operations-helper;org.gtk.vfs.file-operations
ResultActive=yes

I created the file via the below commands at: /etc/polkit-1/localauthority/50-local.d/gvfsd-admin.pkla

sudo -s;
nano /etc/polkit-1/localauthority/50-local.d/gvfsd-admin.pkla

Alternatively, you could wget it to the proper location as root if this is an Ubuntu/Debian/Mint Linux OS:

wget -O /etc/polkit-1/localauthority/50-local.d/gvfsd-admin.pkla https://gitlab.com/wizardassistantscripts/wizardassistant-desktop-helper

Now when opening the file via `xed admin:///etc/hosts` there is no prompt and it opens with write permissions, which is amazingly helpful as a sysadmin and developer who frequently needs to flush the DNS cache and edit hosts files.

When paired with the WizardAssistant app, which initiates these actions from the Tools menu, you can edit, save, flush the cache and switch between a live and dev site with ease.

Resource and reference links with more detailed information on these topics are below for your convenience.

https://askubuntu.com/questions/159007/how-do-i-run-specific-sudo-commands-without-a-password
https://unix.stackexchange.com/questions/356113/how-to-properly-edit-system-files-as-root-in-gui-and-cli-in-gnu-linux
https://itsfoss.com/gksu-replacement-ubuntu/
