Date: Wed, 29 Jan 2014 17:08:12 -0500
From: Aryeh Friedman <aryeh.friedman@gmail.com>
To: Łukasz Wąsikowski <lukasz@wasikowski.net>
Cc: "freebsd-virtualization@freebsd.org" <freebsd-virtualization@freebsd.org>
Subject: Re: best way to add www to wheel
Message-ID: <CAGBxaXno5Qg=6p5jA%2BAkGJ3S9Cm=%2BYOov=3hUim0h03p0iioLA@mail.gmail.com>
In-Reply-To: <CAGBxaXnhh4uTbEUYFwCDdsoqdBBHc%2B6w8-dC9Emfbk_D%2BwHJHw@mail.gmail.com>
References: <CAGBxaX=ks3kAfDT6rvzgJcDj8Bs7DPvSRcjJWMoa%2BF9U1qx7tw@mail.gmail.com> <52E9713F.9040508@callfortesting.org> <CAGBxaX=-bh22QfT5ww-Z%2BQ7rkisjiG60H%2BBu64Oh50uQ1DqNTQ@mail.gmail.com> <52E9757F.4050506@wasikowski.net> <CAGBxaXnhh4uTbEUYFwCDdsoqdBBHc%2B6w8-dC9Emfbk_D%2BwHJHw@mail.gmail.com>
Forgot to mention there are more than just those commands but the idea is still valid (about 6 commands currently need to be setuid but the list may grow)

On Wed, Jan 29, 2014 at 5:05 PM, Aryeh Friedman <aryeh.friedman@gmail.com> wrote:

> Only issue with that is when I asked a few months ago how to -ports@ how
> to make the port edit sudoers the idea was universally shot down (then it
> was to add it to do it for the default %WHEEL NOPASSWD entry and it was
> before petitecloud was password protected [it is this criticism that led
> to the password protection in the first place])
>
> On Wed, Jan 29, 2014 at 4:41 PM, Łukasz Wąsikowski <lukasz@wasikowski.net> wrote:
>
>> On 2014-01-29 22:26, Aryeh Friedman wrote:
>>
>> > Cross post on purpose because people on -virtualization@ are likely more
>> > familiar with bhyve and its requirements as well knowing what petitecloud
>> > is and what it needs to do (the whole issue is without adding www to wheel
>> > start/stop do not work from the webui)
>>
>> Use security/sudo, maybe with config similar to this:
>>
>> Cmnd_Alias PETITECLOUD = /usr/sbin/service petitecloud stop, \
>>     /usr/sbin/service petitecloud start, \
>>     /usr/sbin/service petitecloud restart
>> www ALL=(ALL) NOPASSWD: PETITECLOUD
>>
>> This way user www can run sudo /usr/sbin/service petitecloud
>> (stop|start|restart) as root (and only those exact commands with those
>> exact parameters). It's a "little" bit safer than your approach which is
>> a huge security hole.
>>
>> --
>> best regards,
>> Lukasz Wasikowski
>
> --
> Aryeh M. Friedman, Lead Developer, http://www.PetiteCloud.org

-- 
Aryeh M. Friedman, Lead Developer, http://www.PetiteCloud.org
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAGBxaXno5Qg=6p5jA%2BAkGJ3S9Cm=%2BYOov=3hUim0h03p0iioLA>
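
The "only those exact commands with those exact parameters" point from the quoted reply, as an added example (not part of the original messages or of PetiteCloud): a simplified Python model of how sudo matches a command line against a sudoers rule. The parser covers only the small subset shown, and the BROAD rule is a constructed contrast with no arguments pinned.

```python
import fnmatch
import re
import shlex

# Constructed fragment modelled on the rule quoted in the thread.
EXACT = r"""
Cmnd_Alias PETITECLOUD = /usr/sbin/service petitecloud stop, \
    /usr/sbin/service petitecloud start, \
    /usr/sbin/service petitecloud restart
www ALL=(ALL) NOPASSWD: PETITECLOUD
"""
# Constructed contrast: same binary, but no arguments pinned in the rule.
BROAD = "www ALL=(ALL) NOPASSWD: /usr/sbin/service\n"

def parse(text):
    """Parse a small sudoers subset (assumption: only Cmnd_Alias lines and
    'user host=(runas) [NOPASSWD:] cmd, ...' lines) into aliases and grants."""
    aliases, grants = {}, {}
    for line in text.replace("\\\n", " ").splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("Cmnd_Alias"):
            name, cmds = line[len("Cmnd_Alias"):].split("=", 1)
            aliases[name.strip()] = [c.strip() for c in cmds.split(",")]
        else:
            user, rest = line.split(None, 1)
            cmds = re.sub(r"\([^)]*\)|NOPASSWD:", "", rest.split("=", 1)[1])
            grants.setdefault(user, []).extend(c.strip() for c in cmds.split(","))
    return aliases, grants

def allowed(user, argv, text):
    """Model sudo's rule matching for one user and one command line."""
    aliases, grants = parse(text)
    for entry in grants.get(user, []):
        for spec in aliases.get(entry, [entry]):
            if spec == "ALL":
                return True
            path, *args = shlex.split(spec)
            if not fnmatch.fnmatchcase(argv[0], path):
                continue
            if not args:        # no arguments in rule: any arguments accepted
                return True
            if args == [""]:    # '""' in rule: only the bare command accepted
                if len(argv) == 1:
                    return True
                continue
            if fnmatch.fnmatchcase(" ".join(argv[1:]), " ".join(args)):
                return True
    return False
```

Under EXACT, user www can restart petitecloud but cannot touch any other service; under BROAD the same user can drive every service on the host, which is the difference an audit of such a fragment should look for.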