On Tue 10 May 2022 at 08:21:00 (-0600), Charles Curley wrote:
> On Tue, 10 May 2022 07:50:18 -0400 rhkra...@gmail.com wrote:
>
> > Background: 8 years ago I wrote a set of scripts to help me mount and
> > unmount LUKS encrypted partitions as needed and as myself
> > (<myuserid>) rather than as root.
>
> Why the aversion to doing things as root? Why not just run your scripts
> as root? This is exactly the sort of thing that is reserved to root for
> reasons of security.
That complicates unlocking partitions remotely because, even if you can
log in as root, you normally can't log in remotely as root. I use a
special user called unlock, whose home directory is on /var/local/, to
unlock my /home partitions:

$ cat /var/local/home/unlock/.profile
[[ $- = *i* ]] && printf '%s\n' "(This is $HOME/.profile 2022 March 02 on $HOSTNAME, $(sed -e 's/.* \([^ ]\+\) *$/\1/;q' /etc/apt/sources.list) on $(findmnt -n -o SOURCE,LABEL -M /))"
[ ! -f /home/0 ] && printf '\n%s\n\n' "/home is mounted already" && sleep 1 && exit 9
for j in /dev/disk/by-partlabel/*-Home; do
    printf 'Unlocking %s\n' "$j"
    sudo udisksctl unlock --block-device "$j"
done
printf 'Checking partition\n'
# in case there's a pause
mount /home
sleep 1
if [ ! -f /home/0 ]; then
    printf '%s\n' "/home is now mounted" && exit 0
else
    printf '\n%s\n\n' "/home is NOT mounted" && sleep 1 && exit 99
fi
#
$

So after introducing itself (note: my sources.list is doctored), it
checks that /home is not already mounted (note: there's an empty file
called 0 in the /home directory on the rootfs), and then unlocks any
partition whose PARTLABEL ends with -Home. It then mounts the one that
matches the entry in fstab.

Here's how I call it remotely:

$ type unlock-acer
unlock-acer is a function
unlock-acer ()
{
    ping -c 1 -W 1 acer | grep 'bytes from';
    date && ssh -X acer -l unlock
}
$

And, of course, that would normally follow a call to wake-acer
(assuming it's not a laptop):

$ type wake-acer
wake-acer is a function
wake-acer ()
{
    wakeonlan 22:44:66:88:aa:cc
}
$

If you're not in group sudo (I have a root password), you'd require
lines like these in /etc/sudoers.d/foo:

User_Alias LOCKER = unlock
Host_Alias MYHOSTS = …, acer, …
Cmnd_Alias UNLOCKING = /usr/bin/udisksctl unlock --block-device /dev/disk/*/*
Cmnd_Alias LOCKING = /usr/bin/udisksctl lock --block-device /dev/disk/*/*
Defaults:LOCKER !authenticate
LOCKER MYHOSTS = UNLOCKING, LOCKING

Note that all this is running on a home LAN. I would do things
differently in a more open environment.

As for setuid scripts, they haven't been allowed since I started using
Debian in Sept 1996, which was on Debian's first release, buzz, running
2.0 kernels. Allegedly there was a Perl method of doing it that I never
tried out. It was meant to create a Chinese wall between anything that
originated from outside and the rest of the program.

Cheers,
David.
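Added example, not from this thread or from David's setup: a variant of the unlock loop above that a sudoers rule can reference with no arguments at all (sudoers accepts "" after a command to mean "no arguments"), so the device path never comes from the caller and the wildcard in the Cmnd_Alias is not needed. It keeps the /dev/disk/by-partlabel and -Home conventions from the post; the script path, the function names and the label rule are assumptions.

```shell
#!/bin/sh
# Hypothetical wrapper, e.g. installed as /usr/local/sbin/unlock-home and
# allowed in sudoers as:  LOCKER MYHOSTS = NOPASSWD: /usr/local/sbin/unlock-home ""
# The "" means sudo refuses the command if any argument is supplied.
set -eu

# Accept a bare partition label such as "acer-Home": letters, digits, '-'
# and '_' only, ending in -Home, with at least one character before it.
# Anything with '/', ' ' or '.' (so also "..") is refused.
valid_home_label() {
    case "$1" in
        *-Home) ;;                      # required suffix
        *) return 1 ;;
    esac
    case "$1" in
        *[!A-Za-z0-9_-]*) return 1 ;;   # any other character is refused
    esac
    [ "${#1}" -gt 5 ]                   # "-Home" alone is 5 characters
}

# Path under the fixed by-partlabel directory, or failure if the label is bad.
home_device_path() {
    valid_home_label "$1" || return 1
    printf '%s\n' "/dev/disk/by-partlabel/$1"
}

# Unlock every *-Home partition. Returns non-zero if none was found, which
# also covers the case where the glob matched nothing and stayed literal.
unlock_all_home() {
    found=0
    for dev in /dev/disk/by-partlabel/*-Home; do
        [ -b "$dev" ] || continue                   # unmatched glob or not a device
        label=${dev##*/}
        valid_home_label "$label" || { printf 'skipping odd label: %s\n' "$dev" >&2; continue; }
        printf 'Unlocking %s\n' "$dev"
        udisksctl unlock --block-device "$(home_device_path "$label")"
        found=$((found + 1))
    done
    [ "$found" -gt 0 ]
}
```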