From: Aryeh Friedman
To: Łukasz Wąsikowski
Cc: "freebsd-virtualization@freebsd.org"
Date: Wed, 29 Jan 2014 17:05:58 -0500
Subject: Re: best way to add www to wheel
In-Reply-To: <52E9757F.4050506@wasikowski.net>
References: <52E9713F.9040508@callfortesting.org> <52E9757F.4050506@wasikowski.net>
List-Id: "Discussion of various virtualization techniques FreeBSD supports."

Only issue with that is when I asked a few months ago on -ports@ how to make the port edit sudoers, the idea was universally shot down (then it was to add it to do it for the default %WHEEL NOPASSWD entry, and it was before petitecloud was password protected [it is this criticism that led to the password protection in the first place]).

On Wed, Jan 29, 2014 at 4:41 PM, Łukasz Wąsikowski wrote:

> On 2014-01-29 22:26, Aryeh Friedman wrote:
>
> > Cross post on purpose because people on -virtualization@ are likely more
> > familiar with bhyve and its requirements as well as knowing what petitecloud
> > is and what it needs to do (the whole issue is without adding www to wheel
> > start/stop do not work from the webui)
>
> Use security/sudo, maybe with config similar to this:
>
> Cmnd_Alias PETITECLOUD = /usr/sbin/service petitecloud stop, /usr/sbin/service petitecloud start, /usr/sbin/service petitecloud restart
> www ALL=(ALL) NOPASSWD: PETITECLOUD
>
> This way user www can run sudo /usr/sbin/service petitecloud
> (stop|start|restart) as root (and only those exact commands with those
> exact parameters). It's a "little" bit safer than your approach which is a
> huge security hole.
>
> --
> best regards,
> Lukasz Wasikowski

-- 
Aryeh M. Friedman, Lead Developer, http://www.PetiteCloud.org
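
The difference between the Cmnd_Alias rule quoted above and a passwordless wheel entry can be checked mechanically. The following is an added example, not part of the thread or of PetiteCloud: a small auditor that flags NOPASSWD commands broader than an exact command line. It assumes a simplified subset of sudoers syntax (single-line user specs, Cmnd_Alias only); the function names and the sample rules after the first two lines are constructed for illustration.

```python
import re

# Constructed sample: the two lines proposed in the thread, followed by two
# broader rules (passwordless wheel, and a command with no argument list).
SAMPLE = """\
Cmnd_Alias PETITECLOUD = /usr/sbin/service petitecloud stop, /usr/sbin/service petitecloud start, /usr/sbin/service petitecloud restart
www ALL=(ALL) NOPASSWD: PETITECLOUD
%wheel ALL=(ALL) NOPASSWD: ALL
www ALL=(ALL) NOPASSWD: /usr/sbin/service
"""

ALIAS_RE = re.compile(r"^Cmnd_Alias\s+([A-Z][A-Z0-9_]*)\s*=\s*(.+)$")
RULE_RE = re.compile(r"^(\S+)\s+[^\s=]+\s*=\s*(?:\([^)]*\)\s*)?NOPASSWD:\s*(.+)$")

def split_cmds(spec):
    # Commands are comma separated; a literal comma in an argument is escaped.
    return [c.strip() for c in re.split(r"(?<!\\),", spec) if c.strip()]

def classify(cmd):
    """Return why a command spec is broad, or None if it is an exact command line."""
    if cmd == "ALL":
        return "any command"
    if "*" in cmd or "?" in cmd:
        return "wildcard"
    if len(cmd.split()) == 1:
        # sudoers: a path with no argument list matches any arguments
        return "any arguments"
    return None

def audit(text):
    """Return (who, command, problem) for every over-broad NOPASSWD command."""
    lines = [l.strip() for l in text.replace("\\\n", " ").splitlines()]
    lines = [l for l in lines if l and not l.startswith("#")]
    # First pass: collect aliases so rules can be expanded regardless of order.
    aliases = {}
    for l in lines:
        m = ALIAS_RE.match(l)
        if m:
            aliases[m.group(1)] = split_cmds(m.group(2))
    findings = []
    for l in lines:
        m = RULE_RE.match(l)
        if not m:
            continue
        who, spec = m.groups()
        for item in split_cmds(spec):
            for cmd in aliases.get(item, [item]):
                problem = classify(cmd)
                if problem:
                    findings.append((who, cmd, problem))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Any real change to sudoers should still be validated with `visudo -c` before it is installed.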