On 11/09/2006 16:39, backyard wrote:
> 
> --- Karol Kwiatkowski <[EMAIL PROTECTED]> wrote:
> 
>> Good day everyone,
>>
>> I'm trying to make it possible to restart (as in 'shutdown -r now') a
>> FreeBSD based router from the LAN network as easily as possible so it
>> can be used by non-technical people.
>>
>> I'm sure some will ask why I would need that - it's a USB modem
>> connecting to an ADSL line that locks up sometimes and all my attempts
>> to make it restart itself have failed.
>>
>> I came up with this idea:
>>
>> - add another user to the system, let it be 'restart'
>> - add 'restart' to group operator
>> - let 'restart' log in through SSH from the LAN with a key (passwords
>>   forbidden)
>> - put a restart command as its shell (so it automagically restarts
>>   the router)
>>
>> Does that sound reasonable? Security is not an issue, it's "secure
>> enough" for me.
>>
>>
>> OK, now for the technical question. I realise I cannot put arguments to
>> the command in the "shell area" in the passwd file, so I wrote a short
>> script:
>>
>> $ cat /home/restart/restart.sh
>> #!/bin/sh
>> /sbin/shutdown -r now
>> $ ls -l /home/restart/restart.sh
>> -rwx------  1 restart  restart  33 Sep 11 15:24
>>
>>
>> put that as restart's user shell:
>>
>> # grep restart /etc/master.passwd
>> restart:*:1017:1017::0:0:restart:/home/restart:/home/restart/restart.sh
>>
>> and tried locally but it's not working:
>>
>> # su - restart
>> su: /home/restart/restart.sh: Permission denied
>>
>>
>> I'm not sure where 'Permission denied' comes from. The setup looks to be
>> OK, here's what I get with /usr/bin/id as a shell:
>>
>> # su - restart
>> uid=1017(restart) gid=1017(restart) groups=1017(restart), 5(operator)
>>
>>
>> I'm sure I'm missing something here. Anyone have some pointers?
>>
> 
> make the shell script group executable and make it group operator,
> maybe try making it owned by root. I think what is happening is it is
> running under the privileges of restart not operator because the
> operator group cannot execute the command, only the restart user can
> due to the privileges. And when the restart.sh passes its group
> privileges to the script callout to shutdown it fails because shutdown
> can only run as operator. That would be my guess
> 
> 
> -brian

Hi brian,

I tried to test it further together with Alex's suggestion to use "-x"
in the script's first line, only to discover I don't know why it won't
work :) If anyone has some (possible) explanations I'll be glad to
hear them.

Meanwhile I moved to a much cleaner and more elegant solution based on
what Kirk Strauser proposed in another email.


For the record here's what I additionally tested:

# chmod 4550 /home/restart/restart.sh
# chown root:operator /home/restart/restart.sh
# ls -l /home/restart/restart.sh
-r-sr-x---  1 root  operator  36 Sep 11 16:46 /home/restart/restart.sh

result from the same machine:
# su - restart
su: /home/restart/restart.sh: Permission denied

and from other:
# ssh -l restart -i restart_rsa router
Last login: Tue Sep 12 12:47:02 2006 from blablabla
[...]
/home/restart/restart.sh: Permission denied
Connection to orchid closed.


Interestingly (or not ;) execution of the script (with default
permissions) works if I log in as a user 'restart' (after giving him
/bin/sh as shell).


A suid binary seems to work:

# cp -p /usr/bin/id /sbin/
# chown root:operator /sbin/id
# chmod 4550 /sbin/id
# vipw
[ restart:*:1017:1017::0:0:restart:/home/restart:/sbin/id ]

# su - restart
uid=1017(restart) euid=0(root) gid=1017(restart) groups=1017(restart),
5(operator)

# ssh -l restart -i restart_rsa router
Last login: Tue Sep 12 13:11:10 2006 from blablabla
[...]
uid=1017(restart) euid=0(root) gid=1017(restart) groups=1017(restart),
5(operator)
Connection to orchid closed.


Looks like some suid issue which I don't really understand.

Thanks for suggestions though!

Karol

-- 
Karol Kwiatkowski  <freebsd at orchid dot homeunix dot org>
OpenPGP: http://www.orchid.homeunix.org/carlos/gpg/0x06E09309.asc
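
Added example, not code from this thread: a POSIX sh function that checks a
file before it is installed as a user's login shell and reports the usual
reasons execve() answers "Permission denied" (missing file, no execute bit
for the invoking user, no #! line, interpreter not executable). The function
name check_login_shell and its return-code scheme are my own invention; the
script does not try to decide which of these, if any, applies to the case above.

```shell
#!/bin/sh
# Added example (not the original poster's code): sanity-check a file that is
# about to become a user's login shell, reporting the common reasons execve()
# answers "Permission denied" or the login otherwise fails.
#
# Return codes (my own scheme):
#   0  looks runnable for the current user
#   1  file missing
#   2  no execute permission for the invoking user
#   3  no #! line (the kernel cannot choose an interpreter)
#   4  interpreter named in #! is missing or not executable
# Non-fatal warnings (setuid bit on a script, shell not in /etc/shells) are
# printed but do not change the return code.

check_login_shell() {
    f=$1
    if [ ! -e "$f" ]; then
        echo "ERROR: $f does not exist"
        return 1
    fi
    # Run this as the user who will log in: -x answers for the caller, not root.
    if [ ! -x "$f" ]; then
        echo "ERROR: $f is not executable by $(id -un)"
        return 2
    fi
    # Extract the interpreter path from the first line, e.g. "#!/bin/sh -x".
    interp=$(head -n 1 "$f" | sed -n 's/^#![[:space:]]*\([^[:space:]]*\).*/\1/p')
    if [ -z "$interp" ]; then
        echo "ERROR: $f has no #! line"
        return 3
    fi
    if [ ! -x "$interp" ]; then
        echo "ERROR: interpreter $interp is missing or not executable"
        return 4
    fi
    # A setuid bit on an interpreter script is ignored by many kernels (Linux
    # always), so it must not be relied on to raise privileges for the body.
    if [ -u "$f" ]; then
        echo "WARN: setuid bit set on a script; many kernels ignore it for #! files"
    fi
    # su(1) and sshd do not consult /etc/shells, but chsh(1) and ftpd(8) do.
    if [ -r /etc/shells ] && ! grep -qx "$f" /etc/shells; then
        echo "WARN: $f is not listed in /etc/shells"
    fi
    echo "OK: $f -> $interp"
    return 0
}

# Usage: run as the account in question, e.g.
#   su -m restart -c 'sh -c ". ./check.sh; check_login_shell /home/restart/restart.sh"'
```

Run it as the account that will log in rather than as root, otherwise the
-x test reports root's view of the permissions instead of the user's; a
noexec mount of the home filesystem would also produce EACCES and is worth
checking separately with mount(8).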
