On Mon, 20 Jul 2015 10:23:30 -0400,
"Walter Dnes" <waltdnes@××××××××.org> wrote:

> On Mon, Jul 20, 2015 at 01:21:56PM +0200, Marc Joliet wrote
>
> > This choice came about because I switched from fcron to systemd-cron,
> > which runs its mail_on_failure script as user "nobody", which caused
> > my current "passwordeval" command ("cat somefile", somefile having
> > a mode mask of 0600)
>
> That is the wrong, wrong, wrong way to do it.

I know, it somewhat defeats the purpose. In my defense, it was supposed to be
temporary so that I could get msmtp working quickly until I was sure that I
wanted to keep it.

> > to fail due to insufficient access rights. I really didn't want to
> > deal with how to properly solve that, and I don't think it's possible
> > (at least not with msmtp). I mean, the problem statement is
> > basically "How do I securely give every user access to the password?".
> > Once stated that way, I think the difficulty with the problem becomes
> > fairly obvious.
>
> The correct question is "how do I allow user 'nobody' to execute a
> one-off command as another user."

My thought was admittedly somewhat academic: I didn't want to assume that only
root and nobody wanted to send emails. However, I notice that the only
software I have installed that needs to be able to send email is (insofar that
there aren't any packages missing a dependency on virtual/mta or virtual/mailx):

- portage (though only if you configure it appropriately)
- smartd (via the "mail" program instead of sendmail)
- *cron
- sudo (though I don't know under what circumstances and as what user, though I
  expect it to send emails as root)

All run as root except for *cron, which in the case of systemd-cron sends mails
as "nobody" (I don't remember how fcron or any of the other implementations do
it).

So from a practical point of view, you are right that the problem was limited
to dealing with user "nobody". Though who knows what will happen after an
upgrade or package migration? Despite being a Gentoo user, I'm not interested
in micromanaging *every* aspect of my system (only the fun parts).

> The solution is sudoers. Emerge sudo
> and set up a file in /etc/sudoers.d. I use /etc/sudoers.d/001 because
> I'm not creative with filenames. Here is an example entry...
>
> waltdnes d531 = (root) NOPASSWD: /usr/sbin/hibernate
>
> The explanation...
>
> waltdnes (the user being allowed to run the command)
> d531 (the machine name in /etc/hosts)
> (root) (the user privilege to run as)
> NOPASSWD: (password is not required; no ugly "cat somefile" hack)
> /usr/sbin/hibernate (the command to run)
>
> As regular user "waltdnes", I execute the command...
>
> sudo /usr/sbin/hibernate
>
> ...and I get the system to hibernate, which normally requires root level
> privileges. I'm lazy, so I set up a script ~/bin/hb that runs the above
> command. I only have to execute "hb" to hibernate. This approach is
> very granular, because it can be set up to allow one user to execute one
> specific command. If you wish, you can use wildcards, and the special
> "ALL" word to open up privileges more widely.

I actually know about this and have a wildcard rule for cpupower. I agree with
Mick's point, though, which partially ties into *my* point: I want to limit
access to the password (file) to as few users as possible, and "nobody" is used
as a catch-all, so I wouldn't fully know *what* exactly I'm giving access to my
email account password.

I just didn't see any sane way to handle this with msmtp, which to me seems
more and more like it's primarily designed for use by regular users as
opposed to system services (various hints point to this, such as that the
system-wide example [0] only defines a default account without a password, or
the Gentoo package description I mentioned before).

Anyway, I'm happy with nullmailer right now.

[0] http://msmtp.sourceforge.net/doc/msmtp.html#A-system-wide-configuration-file
--
Marc Joliet
--
"People who think they know everything really annoy those of us who know we
don't" - Bjarne Stroustrup
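The thread settles on "let user 'nobody' run one command as another user" as the right question, and on keeping the password file readable by as few accounts as possible. The script below is an added example of that arrangement, not code from either poster: cron's sendmail path is pointed at a small wrapper, the wrapper uses a sudoers rule that lets only "nobody" run only /usr/bin/msmtp as a dedicated unprivileged relay account, and that relay account is the sole owner of the 0600 password file that msmtp's passwordeval reads. The relay account name "mailrelay", the wrapper path /usr/local/bin/sendmail-relay, the sudoers file name 10-mailrelay and the password path /etc/msmtp/password are assumptions; the PREFIX argument exists so the functions can be exercised against a scratch directory instead of the live root.

```shell
#!/bin/sh
# Added example: a narrow sudo path from "nobody" to a dedicated relay account
# that alone can read the msmtp password. All names below are assumptions.

RELAY_USER="${RELAY_USER:-mailrelay}"

# The sudoers rule: only "nobody", only /usr/bin/msmtp, only as $RELAY_USER,
# no password prompt (cron has no terminal to type one into).
sudoers_rule() {
    printf 'nobody ALL = (%s) NOPASSWD: /usr/bin/msmtp\n' "$RELAY_USER"
}

# Install the rule under PREFIX/etc/sudoers.d with the 0440 mode sudo expects.
write_sudoers_rule() {
    prefix="$1"
    mkdir -p "$prefix/etc/sudoers.d"
    sudoers_rule > "$prefix/etc/sudoers.d/10-mailrelay"
    chmod 0440 "$prefix/etc/sudoers.d/10-mailrelay"
}

# The wrapper cron calls in place of sendmail. It runs as "nobody" and never
# sees the password; it only asks sudo to run msmtp as the relay account.
# "-n" keeps sudo non-interactive, "-t" makes msmtp read recipients from the
# message headers the way sendmail would.
write_wrapper() {
    prefix="$1"
    mkdir -p "$prefix/usr/local/bin"
    printf '#!/bin/sh\nexec sudo -n -u %s /usr/bin/msmtp -t "$@"\n' "$RELAY_USER" \
        > "$prefix/usr/local/bin/sendmail-relay"
    chmod 0755 "$prefix/usr/local/bin/sendmail-relay"
}

# The password file: created with umask 077 so it is never world-readable even
# for an instant, then fixed at 0600. In /etc/msmtprc the account then uses:
#   passwordeval cat /etc/msmtp/password
# On the real system it must also be chown'ed to $RELAY_USER (needs root), e.g.
#   chown "$RELAY_USER": /etc/msmtp/password
write_password_file() {
    prefix="$1"
    secret="$2"
    mkdir -p "$prefix/etc/msmtp"
    ( umask 077; printf '%s\n' "$secret" > "$prefix/etc/msmtp/password" )
    chmod 0600 "$prefix/etc/msmtp/password"
}

# Returns 0 when the given file is exactly mode 0600, the property the
# "cat somefile" hack in the thread had to give up on. Uses GNU stat and
# falls back to BSD stat.
password_file_is_private() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    [ "$mode" = "600" ]
}

# Stand-alone run: lay the three pieces out under a scratch prefix and check
# the password file ended up private. Run against "/" as root for a real install.
if [ "${SENDMAIL_RELAY_DEMO:-1}" = "1" ]; then
    demo=$(mktemp -d)
    write_sudoers_rule "$demo"
    write_wrapper "$demo"
    write_password_file "$demo" "constructed-example-secret"
    password_file_is_private "$demo/etc/msmtp/password" \
        && echo "password file under $demo is mode 0600"
    rm -rf "$demo"
fi
```

After installing the sudoers file for real, check it with `visudo -c -f /etc/sudoers.d/10-mailrelay` before relying on it; visudo also complains if the file is not owned by root, which is why the scratch run above skips that step. Any other account on the box, including "nobody" itself, can then only reach the password by way of msmtp, which is the granularity Walter's hibernate rule illustrates, without handing the file to every user.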