Date: Tue, 12 Sep 2006 13:31:26 +0200
From: Karol Kwiatkowski <freebsd@orchid.homeunix.org>
To: backyard1454-bsd@yahoo.com
Cc: FreeBSD Questions <freebsd-questions@freebsd.org>
Subject: Re: Putting a command/script as a user's shell
Message-ID: <45069A8E.6020900@orchid.homeunix.org>
In-Reply-To: <20060911143953.93027.qmail@web83101.mail.mud.yahoo.com>
References: <20060911143953.93027.qmail@web83101.mail.mud.yahoo.com>
On 11/09/2006 16:39, backyard wrote:
>
> --- Karol Kwiatkowski <freebsd@orchid.homeunix.org> wrote:
>
>> Good day everyone,
>>
>> I'm trying to make it possible to restart (as in 'shutdown -r now') a
>> FreeBSD based router from LAN network as easy as possible so it can be
>> used by non-technical people.
>>
>> I'm sure some will ask why would I need that - it's a USB modem
>> connecting to ADSL line that locks up sometimes and all my attempts to
>> make it restart itself have failed.
>>
>> I came up with this idea:
>>
>> - add another user to the system, let it be 'restart'
>> - add 'restart' to group operator
>> - let 'restart' login through SSH from LAN with a key (passwords
>>   forbidden)
>> - put a restart command as its shell (so it automagically restarts
>>   the router)
>>
>> Does that sound reasonable? Security is not an issue, it's "secure
>> enough" for me.
>>
>>
>> OK, now for the technical question. I realise I cannot put arguments to
>> the command in the "shell area" in the passwd file, so I wrote a short
>> script:
>>
>> $ cat /home/restart/restart.sh
>> #!/bin/sh
>> /sbin/shutdown -r now
>> $ ls -l /home/restart/restart.sh
>> -rwx------  1 restart  restart  33 Sep 11 15:24 /home/restart/restart.sh
>>
>>
>> put that as restart's user shell:
>>
>> # grep restart /etc/master.passwd
>> restart:*:1017:1017::0:0:restart:/home/restart:/home/restart/restart.sh
>>
>> and tried locally but it's not working:
>>
>> # su - restart
>> su: /home/restart/restart.sh: Permission denied
>>
>>
>> I'm not sure where 'Permission denied' comes from. Setup looks to be
>> OK, here's what I get with /usr/bin/id as a shell:
>>
>> # su - restart
>> uid=1017(restart) gid=1017(restart) groups=1017(restart), 5(operator)
>>
>>
>> I'm sure I'm missing something here. Anyone have some pointers?
>>
>
> make the shell script group executable and make it group operator maybe
> try making it owned by root. I think what is happening is it is running
> under the privileges of restart not operator because operators groups
> cannot execute the command only the restart user can due to the
> privileges. And when the restart.sh passes its group privileges to the
> script callout to shutdown it fails because shutdown can only run as
> operator. That would be my guess
>
>
> -brian

Hi brian,

I tried to test it further together with Alex's suggestion to use "-x" in
the script's first line, only to discover I don't know why it won't work :)
If anyone has some (possible) explanations I'll be glad to hear them.

Meanwhile I moved to a much cleaner and more elegant solution based on
what Kirk Strauser proposed in another email.

For the record, here's what I additionally tested:

# chmod 4550 /home/restart/restart.sh
# chown root:operator /home/restart/restart.sh
# ls -l /home/restart/restart.sh
-r-sr-x---  1 root  operator  36 Sep 11 16:46 /home/restart/restart.sh

result from the same machine:

# su - restart
su: /home/restart/restart.sh: Permission denied

and from another:

# ssh -l restart -i restart_rsa router
Last login: Tue Sep 12 12:47:02 2006 from blablabla
[...]
/home/restart/restart.sh: Permission denied
Connection to orchid closed.

Interestingly (or not ;) execution of the script (with default
permissions) works if I log in as user 'restart' (after giving him
/bin/sh as shell).

A suid binary seems to work:

# cp -p /usr/bin/id /sbin/
# chown root:operator /sbin/id
# chmod 4550 /sbin/id
# vipw
[ restart:*:1017:1017::0:0:restart:/home/restart:/sbin/id ]
# su - restart
uid=1017(restart) euid=0(root) gid=1017(restart) groups=1017(restart), 5(operator)
# ssh -l restart -i restart_rsa router
Last login: Tue Sep 12 13:11:10 2006 from blablabla
[...]
uid=1017(restart) euid=0(root) gid=1017(restart) groups=1017(restart), 5(operator)
Connection to orchid closed.

Looks like some suid issue which I don't really understand.

Thanks for the suggestions though!

Karol

--
Karol Kwiatkowski <freebsd at orchid dot homeunix dot org>
OpenPGP: http://www.orchid.homeunix.org/carlos/gpg/0x06E09309.asc
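The permission experiments in the message above (execute bits, owner and group, set-uid on the script versus set-uid on a copied binary) can be gathered into one check. What follows is an added example, not code from the thread, from Karol, or from FreeBSD: a POSIX sh function that, run as the user whose login shell is being set, reports the conditions under which execve(2) of that shell returns EACCES for that user, and prints a note about the one thing in the thread that is not an EACCES cause at all, namely that a set-id bit on a #! script does not change the effective uid (only a native set-uid binary does, which is what the /sbin/id test showed). It assumes df -P and mount(8) output in the usual "device on mountpoint ..." form; the noexec check is best-effort, and the example makes no claim about which of these conditions applied on Karol's router, since the message does not say.

```shell
#!/bin/sh
# Added diagnostic (example code, not from the thread). Usage, as the
# account whose shell is being configured:
#   su -m restart -c 'sh diag.sh /home/restart/restart.sh'
# Assumptions: POSIX sh; df -P prints the mount point in column 6; mount(8)
# prints "<dev> on <mountpoint> ..." lines. All checks use the caller's uid.

# diag_login_shell PATH -> prints findings, or "ok" if none; returns 1 on findings
diag_login_shell() {
    path=$1
    found=0
    case $path in /*) abs=$path ;; *) abs=$PWD/$path ;; esac

    if [ ! -e "$abs" ]; then
        echo "missing: $abs does not exist"
        return 1
    fi

    # 1. Execute bit for the invoking user. test -x uses access(2), so it
    #    applies owner/group/other bits the same way execve(2) will.
    if [ ! -x "$abs" ]; then
        echo "noexec-bit: $abs is not executable by uid $(id -u)"
        found=1
    fi

    # 2. Every directory on the way must be searchable (x) by the user; a
    #    home directory owned by someone else with mode 0700 is enough for EACCES.
    dir=$(dirname "$abs")
    while [ "$dir" != "/" ]; do
        if [ ! -x "$dir" ]; then
            echo "nosearch: directory $dir is not searchable by uid $(id -u)"
            found=1
        fi
        dir=$(dirname "$dir")
    done

    # 3. For a #! script the kernel executes the interpreter and hands it the
    #    script path, so the script must be readable and the interpreter
    #    executable. A binary, by contrast, only needs the execute bit.
    if [ -r "$abs" ]; then
        first=$(head -n 1 "$abs")
        case $first in
        '#!'*)
            interp=$(printf '%s\n' "$first" | sed 's/^#![[:space:]]*//; s/[[:space:]].*$//')
            if [ ! -x "$interp" ]; then
                echo "bad-interpreter: $interp (from the #! line) is not executable"
                found=1
            fi
            # Caveat rather than an EACCES cause: FreeBSD and Linux ignore
            # set-uid/set-gid bits on #! scripts; only a native binary with the
            # bit set changes the effective uid (the /sbin/id observation).
            if [ -u "$abs" ] || [ -g "$abs" ]; then
                echo "note: set-id bit on a #! script does not change the effective uid"
            fi
            ;;
        esac
    else
        echo "note: $abs is not readable by uid $(id -u); fine for a binary, fatal for a #! script"
    fi

    # 4. A filesystem mounted noexec refuses execve() of anything on it while
    #    "sh /path/script" keeps working: the same asymmetry as a login shell
    #    failing where running the script from an interactive shell works.
    mnt=$(df -P "$abs" 2>/dev/null | awk 'NR == 2 { print $6 }')
    if [ -n "$mnt" ] && command -v mount >/dev/null 2>&1; then
        case $(mount 2>/dev/null | grep " on $mnt " || true) in
        *noexec*)
            echo "noexec-mount: $mnt is mounted noexec; nothing on it can be exec'd directly"
            found=1
            ;;
        esac
    fi

    [ "$found" -eq 0 ] && echo ok
    return "$found"
}

# Stand-alone use: diagnose the path given on the command line.
if [ $# -eq 1 ]; then
    diag_login_shell "$1"
fi
```

Run it as the target account rather than as root: root passes every access(2) check, so a diagnosis taken as root says nothing about what the login user will see. The same applies to the experiment in the thread, where su(1) and sshd(8) both exec the shell only after switching to the user.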
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?45069A8E.6020900>