Re: Putting a command/script as a user's shell
On 11/09/2006 16:39, backyard wrote: --- Karol Kwiatkowski [EMAIL PROTECTED] wrote: Good day everyone, I'm trying to make it possible to restart (as in 'shutdown -r now') a FreeBSD based router from LAN network as easy as possible so it can be used by non-technical people. I'm sure some will ask why would I need that - it's an USB modem connecting to ADSL line that locks up sometimes and all my attempts to make it restart itself have failed. I came up with this idea: - add another user to the system, let it be 'restart' - add 'restart' to group operator - let 'restart' to login through SSH from LAN with a key (passwords forbidden) - put a restart command as it's shell (so it automagically restarts the router) Does that sound reasonably? Security is not an issue, it's secure enough for me. OK, now for technical question. I realise I cannot put arguments to the command in the shell area in passwd file, so I wrote a short script: $ cat /home/restart/restart.sh #!/bin/sh /sbin/shutdown -r now $ ls -l /home/restart/restart.sh -rwx-- 1 restart restart 33 Sep 11 15:24 put that as restart's user shell: # grep restart /etc/master.passwd restart:*:1017:1017::0:0:restart:/home/restart:/home/restart/restart.sh and tried locally but it's not working: # su - restart su: /home/restart/restart.sh: Permission denied I'm not sure where 'Permission denied' come from. Setup looks to be OK, here's what I get with /usr/bin/id as a shell: # su - restart uid=1017(restart) gid=1017(restart) groups=1017(restart), 5(operator) I'm sure I'm missing something here. Anyone have some pointers? make the shell script group executable and make it group operator maybe try making it owned by root. I think what is happening is it is running under the priveledges of restart not operator because operators groups cannot execute the command only the restart user can due to the priveledges. And when the restart.sh passes its group priveledges to the sript callout to shutdown it fails because shutdown can only run as operator. That would be my guess -brian Hi brian, I tried to test it further together with Alex's suggestion to use -x in the script first line, only to discover I don't know why it won't work :) If anyone has some (possible) explanations I'll be glad to hear them. Meanwhile I moved to much cleaner and elegant solution based on what Kirk Strauser proposed in other email. For the record here's what I additionally tested: # chmod 4550 /home/restart/restart.sh # chown root:operator /home/restart/restart.sh # ls -l /home/restart/restart.sh -r-sr-x--- 1 root operator 36 Sep 11 16:46 /home/restart/restart.sh result from the same machine: # su - restart su: /home/restart/restart.sh: Permission denied and from other: # ssh -l restart -i restart_rsa router Last login: Tue Sep 12 12:47:02 2006 from blablabla [...] /home/restart/restart.sh: Permission denied Connection to orchid closed. Interestingly (or not ;) execution of the script (with default permissions) works if I log in as a user 'restart' (after giving him /bin/sh as shell). A suid binary seems to work: # cp -p /usr/bin/id /sbin/ # chown root:operator /sbin/id # chmod 4550 /sbin/id # vipw [ restart:*:1017:1017::0:0:restart:/home/restart:/sbin/id ] # su - restart uid=1017(restart) euid=0(root) gid=1017(restart) groups=1017(restart), 5(operator) # ssh -l restart -i restart_rsa router Last login: Tue Sep 12 13:11:10 2006 from blablabla [...] uid=1017(restart) euid=0(root) gid=1017(restart) groups=1017(restart), 5(operator) Connection to orchid closed. Looks like some suid issue which I don't really understand. Thanks for suggestions though! Karol -- Karol Kwiatkowski freebsd at orchid dot homeunix dot org OpenPGP: http://www.orchid.homeunix.org/carlos/gpg/0x06E09309.asc signature.asc Description: OpenPGP digital signature
Re: Putting a command/script as a user's shell
On 11/09/2006 16:56, Kirk Strauser wrote: On Monday 11 September 2006 09:20, Karol Kwiatkowski wrote: Good day everyone, I'm trying to make it possible to restart (as in 'shutdown -r now') a FreeBSD based router from LAN network as easy as possible so it can be used by non-technical people. First of all, it's easy enough to do this securely that you might as well do it. Install sudo, and use visudo to create a sudoers file with entries like: User_AliasREBOOTERS = username1,username2,username3 REBOOTERS ALL = (root) NOPASSWD: /sbin/reboot Next, create a reboot script for them: # cat /usr/local/sbin/reboot.sh sudo /sbin/reboot Finally, use OpenSSH's built-in options to run the script at login. From sshd(8): AUTHORIZED_KEYS FILE FORMAT [] command=command Specifies that the command is executed whenever this key is used for authentication. So, make each user's authorized_keys file look something like: ssh-rsa [long base64 string] [EMAIL PROTECTED] command=/usr/local/sbin/reboot.sh Alternatively, do all the above for one single account: your restart user. Use authorized_keys to limit which of your real users has access to reboot the machine, and use ssh -l restart balkyrouter.example.com to trigger it. You could even go so far as to add a clause to /etc/ssh/ssh_config (or ~/.ssh/config for each individual user) like: Host rebootrouter Hostname balkyrouter.example.com User restart so that your users just run ssh rebootrouter. So, to recap, when a user logs in, the reboot.sh script will be executed. It will use sudo to run the reboot command as root, without prompting the user to enter any password. It's easy, it works, and it doesn't require any setuid trickery or special accounts or anything else. Hi Kirk, I wasn't aware of 'command' option in authorized_keys file and that's exactly what I need :) The rest is more or less what I was thinking of with the exception I tried to avoid installing sudo just to do this. So here's what I ended up with: - user 'restart' in group 'operator' (I need another user because there are no 'normal' users on the router except me) - public/private key par for authorization - command=/sbin/shutdown -r now in /home/restart/.ssh/authorized_keys Works as expected even with windows/putty clients :) Thanks for your reply. Karol -- Karol Kwiatkowski freebsd at orchid dot homeunix dot org OpenPGP: http://www.orchid.homeunix.org/carlos/gpg/0x06E09309.asc signature.asc Description: OpenPGP digital signature
Putting a command/script as a user's shell
Good day everyone, I'm trying to make it possible to restart (as in 'shutdown -r now') a FreeBSD based router from LAN network as easy as possible so it can be used by non-technical people. I'm sure some will ask why would I need that - it's an USB modem connecting to ADSL line that locks up sometimes and all my attempts to make it restart itself have failed. I came up with this idea: - add another user to the system, let it be 'restart' - add 'restart' to group operator - let 'restart' to login through SSH from LAN with a key (passwords forbidden) - put a restart command as it's shell (so it automagically restarts the router) Does that sound reasonably? Security is not an issue, it's secure enough for me. OK, now for technical question. I realise I cannot put arguments to the command in the shell area in passwd file, so I wrote a short script: $ cat /home/restart/restart.sh #!/bin/sh /sbin/shutdown -r now $ ls -l /home/restart/restart.sh -rwx-- 1 restart restart 33 Sep 11 15:24 put that as restart's user shell: # grep restart /etc/master.passwd restart:*:1017:1017::0:0:restart:/home/restart:/home/restart/restart.sh and tried locally but it's not working: # su - restart su: /home/restart/restart.sh: Permission denied I'm not sure where 'Permission denied' come from. Setup looks to be OK, here's what I get with /usr/bin/id as a shell: # su - restart uid=1017(restart) gid=1017(restart) groups=1017(restart), 5(operator) I'm sure I'm missing something here. Anyone have some pointers? Cheers, Karol -- Karol Kwiatkowski freebsd at orchid dot homeunix dot org OpenPGP: http://www.orchid.homeunix.org/carlos/gpg/0x06E09309.asc signature.asc Description: OpenPGP digital signature
Re: Putting a command/script as a user's shell
--- Karol Kwiatkowski [EMAIL PROTECTED] wrote: Good day everyone, I'm trying to make it possible to restart (as in 'shutdown -r now') a FreeBSD based router from LAN network as easy as possible so it can be used by non-technical people. I'm sure some will ask why would I need that - it's an USB modem connecting to ADSL line that locks up sometimes and all my attempts to make it restart itself have failed. I came up with this idea: - add another user to the system, let it be 'restart' - add 'restart' to group operator - let 'restart' to login through SSH from LAN with a key (passwords forbidden) - put a restart command as it's shell (so it automagically restarts the router) Does that sound reasonably? Security is not an issue, it's secure enough for me. OK, now for technical question. I realise I cannot put arguments to the command in the shell area in passwd file, so I wrote a short script: $ cat /home/restart/restart.sh #!/bin/sh /sbin/shutdown -r now $ ls -l /home/restart/restart.sh -rwx-- 1 restart restart 33 Sep 11 15:24 put that as restart's user shell: # grep restart /etc/master.passwd restart:*:1017:1017::0:0:restart:/home/restart:/home/restart/restart.sh and tried locally but it's not working: # su - restart su: /home/restart/restart.sh: Permission denied I'm not sure where 'Permission denied' come from. Setup looks to be OK, here's what I get with /usr/bin/id as a shell: # su - restart uid=1017(restart) gid=1017(restart) groups=1017(restart), 5(operator) I'm sure I'm missing something here. Anyone have some pointers? Cheers, Karol -- Karol Kwiatkowski freebsd at orchid dot homeunix dot org OpenPGP: http://www.orchid.homeunix.org/carlos/gpg/0x06E09309.asc make the shell script group executable and make it group operator maybe try making it owned by root. I think what is happening is it is running under the priveledges of restart not operator because operators groups cannot execute the command only the restart user can due to the priveledges. And when the restart.sh passes its group priveledges to the sript callout to shutdown it fails because shutdown can only run as operator. That would be my guess -brian ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: Putting a command/script as a user's shell
On Monday 11 September 2006 09:20, Karol Kwiatkowski wrote: Good day everyone, I'm trying to make it possible to restart (as in 'shutdown -r now') a FreeBSD based router from LAN network as easy as possible so it can be used by non-technical people. First of all, it's easy enough to do this securely that you might as well do it. Install sudo, and use visudo to create a sudoers file with entries like: User_AliasREBOOTERS = username1,username2,username3 REBOOTERS ALL = (root) NOPASSWD: /sbin/reboot Next, create a reboot script for them: # cat /usr/local/sbin/reboot.sh sudo /sbin/reboot Finally, use OpenSSH's built-in options to run the script at login. From sshd(8): AUTHORIZED_KEYS FILE FORMAT [] command=command Specifies that the command is executed whenever this key is used for authentication. So, make each user's authorized_keys file look something like: ssh-rsa [long base64 string] [EMAIL PROTECTED] command=/usr/local/sbin/reboot.sh Alternatively, do all the above for one single account: your restart user. Use authorized_keys to limit which of your real users has access to reboot the machine, and use ssh -l restart balkyrouter.example.com to trigger it. You could even go so far as to add a clause to /etc/ssh/ssh_config (or ~/.ssh/config for each individual user) like: Host rebootrouter Hostname balkyrouter.example.com User restart so that your users just run ssh rebootrouter. So, to recap, when a user logs in, the reboot.sh script will be executed. It will use sudo to run the reboot command as root, without prompting the user to enter any password. It's easy, it works, and it doesn't require any setuid trickery or special accounts or anything else. -- Kirk Strauser pgp6bWTuEAWYV.pgp Description: PGP signature
