Re: Zpool scrub and not-root users
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On 05/24/2010 15:04, Jeremy Chadwick wrote:
On Mon, May 24, 2010 at 05:00:03PM +0200, Mikkel Skaerris wrote:
Im wondering if there is a way of allowing non-root users to perform a disk
scrub using zpool scrub pool. I've been messing around with permissions,
but no luck so far. Anyone got a clue?
One question: why? Followed by one answer: sudo. :-)
He does not need to add another layer of insecurity to his system such
as sudo. Not saying that this is bad but it feels like a little overkill
for something as simple as this.
This can be done old-school.
pw groupadd _zfsadm
pw groupmod _zfsadm -m {username}
chmod u+s,o-rx /sbin/zpool
chown :_zfsadm /sbin/zpool
Repeat command line 2 for every user you want to have root type access
to /sbin/zpool.
Of course you do not need the zfsadm group to do this. You could just
use the wheel group which in turn gives any member of that group su(1)
access to the root user, so you commands would turn into...
pw groupmod wheel -m {username}
chmod u+s,o-rx /sbin/zpool
Because this binary is already installed group wheel there is no need to
chown it. And this is a little more implicit that you trust anyone with
access to the zpool command will also be having access to su(1)
Pick one, and Ill leave the how to keep these permissions through
upgrades/updates of world up to you.
Good luck regards,
- --
jhell
-BEGIN PGP SIGNATURE-
Version: GnuPG v2.0.14 (FreeBSD)
iQEcBAEBAgAGBQJL/CNUAAoJEJBXh4mJ2FR+HwcH/0vuGlIP8mU1p6FI0XiEl9K/
tpDLxED+4cd8htBTQyh0mDWrRz8dOagjggaENC2JvNpUO8Vhxx0mJNZY6pvzmAys
5VHevdYKvY6doEjoQD9muktECXruCOXgQtxeI34r+ZLJz9fUhVJIlcNDBBrhOAG5
/P6XYy5LIKEuxBBRNqosW+JVTcU4sOJhGU1YZUlUpn0z41ObM87vjD77XP6sWfhZ
Sw5dDPhNBHmmOuCEeuTnpItu1ykHUrr5jDkrtFWyIFP7ijPl7Fbd3VIRaP5nlWDU
yNd06479yKS1uqOwFeEXt3DOr8nws+uY/6WtXzlsmLdhsqwy2FQN35r7PlXaY0k=
=c/NP
-END PGP SIGNATURE-
___
freebsd-stable@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to freebsd-stable-unsubscr...@freebsd.org
Re: Zpool scrub and not-root users
On May 25, 2010, at 12:21 PM, jhell wrote:
He does not need to add another layer of insecurity to his system such
as sudo. Not saying that this is bad but it feels like a little overkill
for something as simple as this.
This can be done old-school.
pw groupadd _zfsadm
pw groupmod _zfsadm -m {username}
chmod u+s,o-rx /sbin/zpool
chown :_zfsadm /sbin/zpool
Repeat command line 2 for every user you want to have root type access to
/sbin/zpool.
This is providing them with the ability to run any zpool command, not
restricted to zpool scrub only. zpool offline or zpool destroy could
wreak havoc upon the system if misused
Regards,
--
-Chuck
___
freebsd-stable@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to freebsd-stable-unsubscr...@freebsd.org
Re: Zpool scrub and not-root users
On Tue, May 25, 2010 at 03:21:56PM -0400, jhell wrote:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On 05/24/2010 15:04, Jeremy Chadwick wrote:
On Mon, May 24, 2010 at 05:00:03PM +0200, Mikkel Skaerris wrote:
Im wondering if there is a way of allowing non-root users to perform a disk
scrub using zpool scrub pool. I've been messing around with permissions,
but no luck so far. Anyone got a clue?
One question: why? Followed by one answer: sudo. :-)
He does not need to add another layer of insecurity to his system such
as sudo. Not saying that this is bad but it feels like a little overkill
for something as simple as this.
This can be done old-school.
pw groupadd _zfsadm
pw groupmod _zfsadm -m {username}
chmod u+s,o-rx /sbin/zpool
chown :_zfsadm /sbin/zpool
Repeat command line 2 for every user you want to have root type access
to /sbin/zpool.
Of course you do not need the zfsadm group to do this. You could just
use the wheel group which in turn gives any member of that group su(1)
access to the root user, so you commands would turn into...
pw groupmod wheel -m {username}
chmod u+s,o-rx /sbin/zpool
Because this binary is already installed group wheel there is no need to
chown it. And this is a little more implicit that you trust anyone with
access to the zpool command will also be having access to su(1)
Pick one, and Ill leave the how to keep these permissions through
upgrades/updates of world up to you.
If I'm misunderstanding what the OP wants, then I welcome correction. I
read the Op to want users to be able to run zpool scrub, so I took
that literally -- /sbin/zpool scrub pool and nothing more.
sudo offers the ability for the OP to provide root-level access to
defined users and ONLY the ability to run /sbin/zpool scrub {pool} and
nothing more (e.g. not /sbin/zpool remove or similar). It could also
be used to define certain users to scrub only certain pools.
Your first and second solutions allow any user added to _zfsadm and
group wheel, respectively, the ability to use /sbin/zpool. I hear
zpool destroy -f is a fun command to run while the system
administrator isn't looking. :-)
--
| Jeremy Chadwick j...@parodius.com |
| Parodius Networking http://www.parodius.com/ |
| UNIX Systems Administrator Mountain View, CA, USA |
| Making life hard for others since 1977. PGP: 4BD6C0CB |
___
freebsd-stable@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to freebsd-stable-unsubscr...@freebsd.org
Re: Zpool scrub and not-root users
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On 25/05/2010 20:37:34, Chuck Swiger wrote:
On May 25, 2010, at 12:21 PM, jhell wrote:
He does not need to add another layer of insecurity to his system such
as sudo. Not saying that this is bad but it feels like a little overkill
for something as simple as this.
This can be done old-school.
pw groupadd _zfsadm
pw groupmod _zfsadm -m {username}
chmod u+s,o-rx /sbin/zpool
chown :_zfsadm /sbin/zpool
Repeat command line 2 for every user you want to have root type
access to /sbin/zpool.
This is providing them with the ability to run any zpool command, not
restricted to zpool scrub only. zpool offline or zpool destroy
could wreak havoc upon the system if misused
Turning on the SUID bit on a program which wasn't designed from the
ground up to be run like that is pretty much asking for trouble too.
For instance SUID programs generally know they have enhanced privs. and
give them up right after they've done whatever they need the privileges
for. Without that level of attention to detail, SUID programs are a
root compromise waiting to happen.
sudo(8) would be my choice solution for this.
Cheers,
Matthew
- --
Dr Matthew J Seaman MA, D.Phil. 7 Priory Courtyard
Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate
JID: matt...@infracaninophile.co.uk Kent, CT11 9PW
-BEGIN PGP SIGNATURE-
Version: GnuPG/MacGPG2 v2.0.14 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iEYEARECAAYFAkv8MlsACgkQ8Mjk52CukIwNYgCcCAIghZlNICwwooE5R8z/3SfQ
AGwAnRcwBWkeKNBSHz4sgmm9rLZZWaKf
=g6be
-END PGP SIGNATURE-
___
freebsd-stable@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to freebsd-stable-unsubscr...@freebsd.org
Re: Zpool scrub and not-root users
On Tue, 25 May 2010 16:13, Jeremy Chadwick wrote:
In Message-Id: 20100525201315.ga20...@icarus.home.lan
On Tue, May 25, 2010 at 03:21:56PM -0400, jhell wrote:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On 05/24/2010 15:04, Jeremy Chadwick wrote:
On Mon, May 24, 2010 at 05:00:03PM +0200, Mikkel Skaerris wrote:
Im wondering if there is a way of allowing non-root users to perform a disk
scrub using zpool scrub pool. I've been messing around with permissions,
but no luck so far. Anyone got a clue?
One question: why? Followed by one answer: sudo. :-)
Don't get me wrong I'm not shooting down sudo below.
: He does not need to add another layer of insecurity to his system such
: as sudo. Not saying that this is bad but it feels like a little overkill
: for something as simple as this.
This can be done old-school.
pw groupadd _zfsadm
pw groupmod _zfsadm -m {username}
chmod u+s,o-rx /sbin/zpool
chown :_zfsadm /sbin/zpool
: Repeat command line 2 for every user you want to have root type access
: to /sbin/zpool.
I thought I said root type access to /sbin/zpool.
Of course you do not need the zfsadm group to do this. You could just
use the wheel group which in turn gives any member of that group su(1)
access to the root user, so you commands would turn into...
pw groupmod wheel -m {username}
chmod u+s,o-rx /sbin/zpool
Because this binary is already installed group wheel there is no need to
chown it. And this is a little more implicit that you trust anyone with
access to the zpool command will also be having access to su(1)
Pick one, and Ill leave the how to keep these permissions through
upgrades/updates of world up to you.
If I'm misunderstanding what the OP wants, then I welcome correction. I
read the Op to want users to be able to run zpool scrub, so I took
that literally -- /sbin/zpool scrub pool and nothing more.
No you are not misunderstanding but I am also taking into account that the
admin said I've been messing around with permissions most notably I
thought that he has tried the access control methods that are administered
through the use of zfs allow which also might be a possibility if the
admin has world/base on a zfsroot. Second thought that came to mind while
leaving the possibility open to him was your standard Unix file perms.
While thinking about the scenario in a quick sense, If this is disk
activity that the admin wants to grant to a user in the form of scrub on a
pool then the admin already must trust whoever he is planning to give
these rights and has taken into account the possibility of misuse which
has lead him here asking for advice.
sudo offers the ability for the OP to provide root-level access to
defined users and ONLY the ability to run /sbin/zpool scrub {pool} and
nothing more (e.g. not /sbin/zpool remove or similar). It could also
be used to define certain users to scrub only certain pools.
I hope so at least that's what it was designed for. Yes very well noted
just leaving the possibility open to the admin to use something other than
a third party package in case it is his policy to not have something like
that installed. It happens.
Your first and second solutions allow any user added to _zfsadm and
group wheel, respectively, the ability to use /sbin/zpool. I hear
zpool destroy -f is a fun command to run while the system
administrator isn't looking. :-)
Good thing in most cases you can recover a destroyed pool or at least
that's the way it was designed the last time I accidentally did that (-D).
Backups are also a good thing in the case of a angry over driven highly
motivated administrator or staff.
;)
--
jhell
___
freebsd-stable@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to freebsd-stable-unsubscr...@freebsd.org
Zpool scrub and not-root users
Hello everyone Im wondering if there is a way of allowing non-root users to perform a disk scrub using zpool scrub pool. I've been messing around with permissions, but no luck so far. Anyone got a clue? Skaerris ___ freebsd-stable@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-stable To unsubscribe, send any mail to freebsd-stable-unsubscr...@freebsd.org
Re: Zpool scrub and not-root users
Hi-- On May 24, 2010, at 8:00 AM, Mikkel Skaerris wrote: Im wondering if there is a way of allowing non-root users to perform a disk scrub using zpool scrub pool. I've been messing around with permissions, but no luck so far. Anyone got a clue? You can use the security/sudo port to allow non-root users to run specific commands. I'd imagine that running zpool scrub as root once a week via cron at some quiet time around Sat or Sun midnight would be a better idea then letting arbitrary users run this anytime... Regards, -- -Chuck ___ freebsd-stable@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-stable To unsubscribe, send any mail to freebsd-stable-unsubscr...@freebsd.org
Re: Zpool scrub and not-root users
On 05/24/2010 06:00 PM, Mikkel Skaerris wrote: Hello everyone Im wondering if there is a way of allowing non-root users to perform a disk scrub using zpool scrub pool. I've been messing around with permissions, but no luck so far. Anyone got a clue? Skaerris i'm not sure, but my guess is that there isn't. scrubbing a pool can put a stress to your system. Especially if there is resilvering to be done. So even if there is a way, I'd suggest against it as a security measure. just my .02$ ___ freebsd-stable@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-stable To unsubscribe, send any mail to freebsd-stable-unsubscr...@freebsd.org
Re: Zpool scrub and not-root users
On Mon, May 24, 2010 at 05:00:03PM +0200, Mikkel Skaerris wrote: Im wondering if there is a way of allowing non-root users to perform a disk scrub using zpool scrub pool. I've been messing around with permissions, but no luck so far. Anyone got a clue? One question: why? Followed by one answer: sudo. :-) -- | Jeremy Chadwick j...@parodius.com | | Parodius Networking http://www.parodius.com/ | | UNIX Systems Administrator Mountain View, CA, USA | | Making life hard for others since 1977. PGP: 4BD6C0CB | ___ freebsd-stable@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-stable To unsubscribe, send any mail to freebsd-stable-unsubscr...@freebsd.org
