[gentoo-user] non-sudo way for user to run shutdown -h now? (or any equivalent)
Hi,

I'm trying to get my mythfrontend box to allow a user to shut the machine down without the use of a keyboard. We are only using remote controls. sudo doesn't seem to be an option because it requires a password. (AFAICT) Is there some other way that I could make this work?

I took a look at the permissions on /sbin/shutdown itself. It seems to be executable by everyone and still doesn't allow anyone other than to run it. Is there a way to make that program executable by everyone so that sudo is not required? Or maybe there's some similar program to shutdown that I could emerge?

There's only two accounts on this machine - root mythtv - and it's within the mythtv account that I want to be able to shut the machine down using a remote control only.

Thanks for any and all ideas.

Cheers,
Mark
--
gentoo-user@gentoo.org mailing list

Re: [gentoo-user] non-sudo way for user to run shutdown -h now? (or any equivalent)
Mark Knecht wrote:
> Hi, I'm trying to get my mythfrontend box to allow a user to shut the machine down without the use of a keyboard. We are only using remote controls. sudo doesn't seem to be an option because it requires a password. (AFAICT) Is there some other way that I could make this work?

2 options:

1. Sudo can be set up to allow some commands to be run without a password. I think this entry in /etc/sudoers should work:

    mythtv ALL = NOPASSWD: /sbin/shutdown

I have not tested this, so if something goes wrong, you'll have to try and figure out man sudoers.

2. Create a setuid (chmod 4711 /sbin/shutdown_by_anyone.sh) shell script that runs shutdown. Be sure to export the PATH, and unset LD_PRELOAD and LD_LIBRARY_PATH variables at the very beginning of the script. Also make sure the interpreter line is /bin/bash --. This doesn't fix all of the security holes with setuid shell scripts, just the most common and easiest to fix...

-Richard

Re: [gentoo-user] non-sudo way for user to run shutdown -h now? (or any equivalent)
On 7/20/05, Richard Fish [EMAIL PROTECTED] wrote:
> Mark Knecht wrote:
>> Hi, I'm trying to get my mythfrontend box to allow a user to shut the machine down without the use of a keyboard. We are only using remote controls. sudo doesn't seem to be an option because it requires a password. (AFAICT) Is there some other way that I could make this work?
>
> 2 options:
>
> 1. Sudo can be set up to allow some commands to be run without a password. I think this entry in /etc/sudoers should work:
>
>     mythtv ALL = NOPASSWD: /sbin/shutdown

Yes, I have this working. My problem with this solution was slightly deeper. To get MythTV to execute this command I have to put 'sudo shutdown -h now' in a setup screen within the setup portion of mythfrontend. In a general sense I don't know how to do that without a keyboard being attached to the machine. So far I haven't found where MythTV stores this information so that I could edit it from an ssh login. Granted I can attach a keyboard for a few minutes when the machine is here at my house, but I'm hesitant to use a solution that I cannot fix via ssh when the machine is remote at my folks' house.

> I have not tested this, so if something goes wrong, you'll have to try and figure out man sudoers.
>
> 2. Create a setuid (chmod 4711 /sbin/shutdown_by_anyone.sh) shell script that runs shutdown. Be sure to export the PATH, and unset LD_PRELOAD and LD_LIBRARY_PATH variables at the very beginning of the script. Also make sure the interpreter line is /bin/bash --. This doesn't fix all of the security holes with setuid shell scripts, just the most common and easiest to fix...

I don't know how this is much of a security issue for me, but then again I don't know much about security, and I suppose it could be if someone plugs a keyboard in and wants to cause some harm. Shame on them, but good of you to consider it.

Thanks,
Mark

Re: [gentoo-user] non-sudo way for user to run shutdown -h now? (or any equivalent)
I thought Linux wouldn't allow suid shell scripts to work as suid. The reasoning is a shell script doesn't quite execute, it gets interpreted by the command on the first line. Just as a test I made a simple script modded root.root 4755 that consists of the /bin/bash line, and cat /etc/shadow. Root can run just fine obviously, but permissions don't exist for other users to do that.

What may work a little better is either chmod s+x `which shutdown`, or writing a C wrapper and modding that s+x.

On 7/20/05, Mark Knecht [EMAIL PROTECTED] wrote:
> On 7/20/05, Richard Fish [EMAIL PROTECTED] wrote:
>> Mark Knecht wrote:
>>> Hi, I'm trying to get my mythfrontend box to allow a user to shut the machine down without the use of a keyboard. We are only using remote controls. sudo doesn't seem to be an option because it requires a password. (AFAICT) Is there some other way that I could make this work?
>>
>> 2 options:
>>
>> 1. Sudo can be set up to allow some commands to be run without a password. I think this entry in /etc/sudoers should work:
>>
>>     mythtv ALL = NOPASSWD: /sbin/shutdown
>
> Yes, I have this working. My problem with this solution was slightly deeper. To get MythTV to execute this command I have to put 'sudo shutdown -h now' in a setup screen within the setup portion of mythfrontend. In a general sense I don't know how to do that without a keyboard being attached to the machine. So far I haven't found where MythTV stores this information so that I could edit it from an ssh login. Granted I can attach a keyboard for a few minutes when the machine is here at my house, but I'm hesitant to use a solution that I cannot fix via ssh when the machine is remote at my folks' house.
>
>> I have not tested this, so if something goes wrong, you'll have to try and figure out man sudoers.
>>
>> 2. Create a setuid (chmod 4711 /sbin/shutdown_by_anyone.sh) shell script that runs shutdown. Be sure to export the PATH, and unset LD_PRELOAD and LD_LIBRARY_PATH variables at the very beginning of the script. Also make sure the interpreter line is /bin/bash --. This doesn't fix all of the security holes with setuid shell scripts, just the most common and easiest to fix...
>
> I don't know how this is much of a security issue for me, but then again I don't know much about security, and I suppose it could be if someone plugs a keyboard in and wants to cause some harm. Shame on them, but good of you to consider it.
>
> Thanks,
> Mark

Re: [gentoo-user] non-sudo way for user to run shutdown -h now? (or any equivalent)
On Wednesday 20 July 2005 19:29, Mark Knecht wrote:
> Hi, I'm trying to get my mythfrontend box to allow a user to shut the machine down without the use of a keyboard. We are only using remote controls. sudo doesn't seem to be an option because it requires a password. (AFAICT) Is there some other way that I could make this work?
>
> I took a look at the permissions on /sbin/shutdown itself. It seems to be executable by everyone and still doesn't allow anyone other than to run it. Is there a way to make that program executable by everyone so that sudo is not required? Or maybe there's some similar program to shutdown that I could emerge?
>
> There's only two accounts on this machine - root mythtv - and it's within the mythtv account that I want to be able to shut the machine down using a remote control only.
>
> Thanks for any and all ideas.
>
> Cheers,
> Mark

Maybe with Console Aliases? Like this: http://gentoo-wiki.com/TIP_Powerdown_on_shutdown_-h

Re: [gentoo-user] non-sudo way for user to run shutdown -h now? (or any equivalent)
Wade Brown wrote:
> I thought Linux wouldn't allow suid shell scripts to work as suid. The reasoning is a shell script doesn't quite execute, it gets interpreted by the command on the first line. Just as a test I made a simple script modded root.root 4755 that consists of the /bin/bash line, and cat /etc/shadow. Root can run just fine obviously, but permissions don't exist for other users to do that.

Works fine on my machine. /opt/vmware/lib/vmware/bin/vmware-vmx is a setuid shell script that I wrote to start up vmware with the wrapper library to get vmware to work with arts. Also my permissions on that file are 4711, so maybe there is something special about the global read bit? Or possibly dependent upon what LSM modules you have loaded/enabled?

> What may work a little better is either chmod s+x `which shutdown`, or writing a C wrapper and modding that s+x.

I agree that the C wrapper is definitely the most secure option.

-Richard

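The C wrapper suggested in this thread could look like the following; it is an added example, not code posted by anyone on the list. The install path in the comment, the PATH value and the check on the caller's real uid are assumptions of the example.

```c
/* Setuid-root wrapper that can only run "/sbin/shutdown -h now".
 * Added example. Hypothetical install path:
 *   chown root:root /usr/local/sbin/mythshutdown
 *   chmod 4711      /usr/local/sbin/mythshutdown */
#include <pwd.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

#define ALLOWED_USER "mythtv"   /* the unprivileged account named in the thread */

/* Fixed command line: nothing from the caller's argv is passed on. */
static char *const SHUTDOWN_ARGV[] = { "/sbin/shutdown", "-h", "now", NULL };

/* Fixed environment (PATH value is an assumption). The caller's PATH,
 * LD_PRELOAD and LD_LIBRARY_PATH are replaced wholesale, not unset one by one.
 * This matters because after setuid(0) the real and effective uid are equal,
 * so the dynamic loader no longer treats the next exec as a setuid execution
 * and would honour an inherited LD_PRELOAD. */
static char *const CLEAN_ENV[] = { "PATH=/sbin:/bin:/usr/sbin:/usr/bin", NULL };

/* Return 1 only if `ruid` (the caller's real uid) is the uid of `user`. */
int caller_permitted(uid_t ruid, const char *user)
{
    struct passwd *pw = getpwnam(user);
    return pw != NULL && pw->pw_uid == ruid;
}

int main(void)
{
    if (!caller_permitted(getuid(), ALLOWED_USER)) {
        fprintf(stderr, "only %s may use this wrapper\n", ALLOWED_USER);
        return 1;
    }
    /* Make the real uid 0 as well; fail closed if the setuid bit is missing. */
    if (setuid(0) != 0) {
        perror("setuid");
        return 1;
    }
    /* Absolute path, fixed argv, fixed environment. */
    execve(SHUTDOWN_ARGV[0], SHUTDOWN_ARGV, CLEAN_ENV);
    perror("execve");           /* reached only if the exec failed */
    return 1;
}
```

Unlike a setuid shell script, the kernel honours the setuid bit on this compiled binary directly, and no interpreter parses caller-controlled input before the exec.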
Re: [gentoo-user] non-sudo way for user to run shutdown -h now? (or any equivalent)
Mark Knecht wrote:
> I don't know how this is much of a security issue for me, but then again I don't know much about security, and I suppose it could be if someone plugs a keyboard in and wants to cause some harm. Shame on them, but good of you to consider it.

It isn't. I mostly included the info so people wouldn't flame me for suggesting a setuid shell script in the first place... ;-)

Cheers,
-Richard

Re: [gentoo-user] non-sudo way for user to run shutdown -h now? (or any equivalent)
On Wed, 2005-07-20 at 11:06 -0700, Mark Knecht wrote:
> On 7/20/05, Richard Fish [EMAIL PROTECTED] wrote:
>> Mark Knecht wrote:
>>> Hi, I'm trying to get my mythfrontend box to allow a user to shut the machine down without the use of a keyboard. We are only using remote controls. sudo doesn't seem to be an option because it requires a password. (AFAICT) Is there some other way that I could make this work?
>>
>> 2 options:
>>
>> 1. Sudo can be set up to allow some commands to be run without a password. I think this entry in /etc/sudoers should work:
>>
>>     mythtv ALL = NOPASSWD: /sbin/shutdown
>
> Yes, I have this working. My problem with this solution was slightly deeper. To get MythTV to execute this command I have to put 'sudo shutdown -h now' in a setup screen within the setup portion of mythfrontend. In a general sense I don't know how to do that without a keyboard being attached to the machine. So far I haven't found where MythTV stores this information so that I could edit it from an ssh login.

Even so, I think this is your best path to follow. Surely you can find out where mythfrontend stores these files. I don't have mythtv installed, but I would try, in order, the mythtv website / google; and then grep -ri (brute force approach!) starting from /etc.

HTH,
--
Iain Buchanan [EMAIL PROTECTED]