| 1 |
On Mon, Jul 20, 2015 at 01:21:56PM +0200, Marc Joliet wrote |
| 2 |
|
| 3 |
> This choice came about because I switched from fcron to systemd-cron, |
| 4 |
> which runs its mail_on_failure script as user "nobody", which caused |
| 5 |
> my current "passwordeval" command ("cat somefile", somefile having |
| 6 |
> a mode mask of 0600) |
| 7 |
|
| 8 |
That is the wrong, wrong, wrong way to do it. |
| 9 |
|
| 10 |
> to fail due to insufficient access rights. I really didn't want to |
| 11 |
> deal with how to properly solve that, and I don't think it's possible |
| 12 |
> (at least not with msmtp). I mean, the problem statement is |
| 13 |
> basically "How do I securely give every user access to the password?". |
| 14 |
> Once stated that way, I think the difficulty with the problem becomes |
| 15 |
> fairly obvious. |
| 16 |
|
| 17 |
The correct question is "how do I allow user 'nobody' to execute a |
| 18 |
one-off command as another user. The solution is sudoers. Emerge sudo |
| 19 |
and set up a file in /etc/sudoers.d. I use /etc/sudoers.d/001 because |
| 20 |
I'm not creative with filenames. Here is an example entry... |
| 21 |
|
| 22 |
waltdnes d531 = (root) NOPASSWD: /usr/sbin/hibernate |
| 23 |
|
| 24 |
The explanation... |
| 25 |
|
| 26 |
waltdnes (the user being allowed to run the command) |
| 27 |
d531 (the machine name in /etc/hosts) |
| 28 |
(root) (the user privilege to run as) |
| 29 |
NOPASSWD: (password is not required; no ugly "cat somefile" hack) |
| 30 |
/usr/sbin/hibernate (the command to run) |
| 31 |
|
| 32 |
As regular user "waltdnes", I execute the command... |
| 33 |
|
| 34 |
sudo /usr/sbin/hibernate |
| 35 |
|
| 36 |
...and I get the system to hibernate, which normally requires root level |
| 37 |
privileges. I'm lazy, so I set up a script ~/bin/hb that runs the above |
| 38 |
command. I only have to execute "hb" to hibernate. This approach is |
| 39 |
very granular, because it can be set up to allow one user to execute one |
| 40 |
specifc command. If you wish, you can use wildcards, and the special |
| 41 |
"ALL" word to open up privileges more widely. |
| 42 |
|
| 43 |
-- |
| 44 |
Walter Dnes <waltdnes@××××××××.org> |
| 45 |
I don't run "desktop environments"; I run useful applications |
Archives