Re: best way to add www to wheel
So something like this in pkg-install?

cat - <<EOF >/usr/local/etc/sudoers.d/petitecloud
Cmnd_Alias PETITECLOUD = /usr/sbin/service petitecloud stop, \
    /usr/sbin/service petitecloud start, \
    /usr/sbin/service petitecloud restart
www ALL=(ALL) NOPASSWD: PETITECLOUD
EOF

Note this will be 0.2.4, which I am planning some other changes for also, like making the petitecloud account and /usr/local/etc/rc.d optional, and will need to ask (on the right list this time ;-)) how to do that best.

On Thu, Jan 30, 2014 at 5:00 AM, Lars Engels lars.eng...@0x20.net wrote:

> On 2014-01-29 23:05, Aryeh Friedman wrote:
>
>> Only issue with that is when I asked -ports@ a few months ago how to
>> make the port edit sudoers, the idea was universally shot down (then it
>> was to add it for the default %WHEEL NOPASSWD entry, and it was before
>> petitecloud was password protected [it is this criticism that led to
>> the password protection in the first place]).
>
> You can add a new file in /usr/local/etc/sudoers.d/
> No need to edit sudoers itself.

--
Aryeh M. Friedman, Lead Developer, http://www.PetiteCloud.org
___
freebsd-virtualization@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-virtualization
To unsubscribe, send any mail to freebsd-virtualization-unsubscr...@freebsd.org
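The heredoc approach proposed in the message above, as an added example that is not part of the original thread: it writes the same rule under a temporary name that sudo ignores, checks it with visudo when that is installed, and only then renames it into place. The function name `install_sudoers_dropin` and its directory argument are assumptions made for illustration.

```sh
#!/bin/sh
# Added example, not code from the thread or from the PetiteCloud port.
# install_sudoers_dropin is a hypothetical helper; its argument is the
# drop-in directory (/usr/local/etc/sudoers.d on a real FreeBSD host).

install_sudoers_dropin() (
    # The body runs in a subshell so the umask change stays local.
    dir=$1
    final="$dir/petitecloud"
    # sudo's #includedir skips file names that contain a '.', so this
    # temporary file is never parsed even if the script dies halfway.
    tmp="$dir/.petitecloud.tmp.$$"

    umask 337        # new files are created with mode 0440 (r--r-----)
    cat >"$tmp" <<'EOF' || exit 1
Cmnd_Alias PETITECLOUD = /usr/sbin/service petitecloud stop, \
    /usr/sbin/service petitecloud start, \
    /usr/sbin/service petitecloud restart
www ALL=(ALL) NOPASSWD: PETITECLOUD
EOF

    # Syntax-check before sudo can see the file: a syntax error in a
    # drop-in can stop sudo from working for everyone on the host.
    if command -v visudo >/dev/null 2>&1; then
        visudo -cf "$tmp" >/dev/null 2>&1 || { rm -f "$tmp"; exit 1; }
    fi

    # A rename inside one directory is atomic, so sudo sees either the
    # old file or the complete new one, never a partial write.
    mv -f "$tmp" "$final"
)

# Demo against a scratch directory (constructed path, not a live system).
scratch=$(mktemp -d)
install_sudoers_dropin "$scratch" && ls -l "$scratch/petitecloud"
```

The final name `petitecloud` has no dot in it on purpose, since a name such as `petitecloud.conf` would be skipped by `#includedir` in the same way the temporary file is.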
Re: best way to add www to wheel
On 2014-01-30 11:21, Aryeh Friedman wrote:

> So something like this in pkg-install?
>
> cat - <<EOF >/usr/local/etc/sudoers.d/petitecloud
> Cmnd_Alias PETITECLOUD = /usr/sbin/service petitecloud stop, \
>     /usr/sbin/service petitecloud start, \
>     /usr/sbin/service petitecloud restart
> www ALL=(ALL) NOPASSWD: PETITECLOUD
> EOF
>
> Note this will be 0.2.4, which I am planning some other changes for
> also, like making the petitecloud account and /usr/local/etc/rc.d
> optional, and will need to ask (on the right list this time ;-)) how to
> do that best.

I'd rather create the file as files/petitecloud.in and manually install it with the post-install: target.
Re: best way to add www to wheel
It was my understanding with staging that doing stuff like that was officially discouraged.

On Thu, Jan 30, 2014 at 5:40 AM, Lars Engels lars.eng...@0x20.net wrote:

> On 2014-01-30 11:21, Aryeh Friedman wrote:
>
>> So something like this in pkg-install?
>>
>> cat - <<EOF >/usr/local/etc/sudoers.d/petitecloud
>> Cmnd_Alias PETITECLOUD = /usr/sbin/service petitecloud stop, \
>>     /usr/sbin/service petitecloud start, \
>>     /usr/sbin/service petitecloud restart
>> www ALL=(ALL) NOPASSWD: PETITECLOUD
>> EOF
>>
>> Note this will be 0.2.4, which I am planning some other changes for
>> also, like making the petitecloud account and /usr/local/etc/rc.d
>> optional, and will need to ask (on the right list this time ;-)) how
>> to do that best.
>
> I'd rather create the file as files/petitecloud.in and manually install
> it with the post-install: target.

--
Aryeh M. Friedman, Lead Developer, http://www.PetiteCloud.org
Re: best way to add www to wheel
Speaking of stuff being officially discouraged, I want to move most of what's in pkg-install back to where it should belong (pkg-plist) but don't know enough plist syntax to do it.

On Thu, Jan 30, 2014 at 6:04 AM, Aryeh Friedman aryeh.fried...@gmail.com wrote:

> It was my understanding with staging that doing stuff like that was
> officially discouraged.
>
> On Thu, Jan 30, 2014 at 5:40 AM, Lars Engels lars.eng...@0x20.net wrote:
>
>> On 2014-01-30 11:21, Aryeh Friedman wrote:
>>
>>> So something like this in pkg-install?
>>>
>>> cat - <<EOF >/usr/local/etc/sudoers.d/petitecloud
>>> Cmnd_Alias PETITECLOUD = /usr/sbin/service petitecloud stop, \
>>>     /usr/sbin/service petitecloud start, \
>>>     /usr/sbin/service petitecloud restart
>>> www ALL=(ALL) NOPASSWD: PETITECLOUD
>>> EOF
>>>
>>> Note this will be 0.2.4, which I am planning some other changes for
>>> also, like making the petitecloud account and /usr/local/etc/rc.d
>>> optional, and will need to ask (on the right list this time ;-)) how
>>> to do that best.
>>
>> I'd rather create the file as files/petitecloud.in and manually
>> install it with the post-install: target.

--
Aryeh M. Friedman, Lead Developer, http://www.PetiteCloud.org
best way to add www to wheel
I have the following line in my pkg-install:

pw groupmod wheel -m www

The reason is I have files that are created by a user account that also gets made but are modified using it or tomcat... these particular files are shell scripts that must run as root (they are for controlling bhyve and other hyperv's as well as other rootly things like setting up and tearing down nic's). Keep in mind also that almost all user level commands (including those that trigger rootly actions) are run via the web and that the data (except actual web content) should not be owned by www.

My gut says that the above, while it works, is almost certainly not the right way to do it.

--
Aryeh M. Friedman, Lead Developer, http://www.PetiteCloud.org
Re: best way to add www to wheel
Wrong mailing list?

Michael

On 1/29/14 1:20 PM, Aryeh Friedman wrote:

> I have the following line in my pkg-install:
>
> pw groupmod wheel -m www
>
> The reason is I have files that are created by a user account that also
> gets made but are modified using it or tomcat... these particular files
> are shell scripts that must run as root (they are for controlling bhyve
> and other hyperv's as well as other rootly things like setting up and
> tearing down nic's). Keep in mind also that almost all user level
> commands (including those that trigger rootly actions) are run via the
> web and that the data (except actual web content) should not be owned
> by www.
>
> My gut says that the above, while it works, is almost certainly not the
> right way to do it.
Re: best way to add www to wheel
Cross post on purpose because people on -virtualization@ are likely more familiar with bhyve and its requirements as well as knowing what petitecloud is and what it needs to do (the whole issue is without adding www to wheel start/stop do not work from the webui).

On Wed, Jan 29, 2014 at 4:23 PM, Michael Dexter edi...@callfortesting.org wrote:

> Wrong mailing list?
>
> Michael
>
> On 1/29/14 1:20 PM, Aryeh Friedman wrote:
>
>> I have the following line in my pkg-install:
>>
>> pw groupmod wheel -m www
>>
>> The reason is I have files that are created by a user account that
>> also gets made but are modified using it or tomcat... these particular
>> files are shell scripts that must run as root (they are for
>> controlling bhyve and other hyperv's as well as other rootly things
>> like setting up and tearing down nic's). Keep in mind also that almost
>> all user level commands (including those that trigger rootly actions)
>> are run via the web and that the data (except actual web content)
>> should not be owned by www.
>>
>> My gut says that the above, while it works, is almost certainly not
>> the right way to do it.

--
Aryeh M. Friedman, Lead Developer, http://www.PetiteCloud.org
Re: best way to add www to wheel
Only issue with that is when I asked -ports@ a few months ago how to make the port edit sudoers, the idea was universally shot down (then it was to add it for the default %WHEEL NOPASSWD entry, and it was before petitecloud was password protected [it is this criticism that led to the password protection in the first place]).

On Wed, Jan 29, 2014 at 4:41 PM, Łukasz Wąsikowski luk...@wasikowski.net wrote:

> On 2014-01-29 22:26, Aryeh Friedman wrote:
>
>> Cross post on purpose because people on -virtualization@ are likely
>> more familiar with bhyve and its requirements as well as knowing what
>> petitecloud is and what it needs to do (the whole issue is without
>> adding www to wheel start/stop do not work from the webui).
>
> Use security/sudo, maybe with config similar to this:
>
> Cmnd_Alias PETITECLOUD = /usr/sbin/service petitecloud stop, \
>     /usr/sbin/service petitecloud start, \
>     /usr/sbin/service petitecloud restart
> www ALL=(ALL) NOPASSWD: PETITECLOUD
>
> This way user www can run sudo /usr/sbin/service petitecloud
> (stop|start|restart) as root (and only those exact commands with those
> exact parameters). It's a little bit safer than your approach, which is
> a huge security hole.
>
> --
> best regards,
> Lukasz Wasikowski

--
Aryeh M. Friedman, Lead Developer, http://www.PetiteCloud.org
Re: best way to add www to wheel
Forgot to mention there are more than just those commands, but the idea is still valid (about 6 commands currently need to be setuid but the list may grow).

On Wed, Jan 29, 2014 at 5:05 PM, Aryeh Friedman aryeh.fried...@gmail.com wrote:

> Only issue with that is when I asked -ports@ a few months ago how to
> make the port edit sudoers, the idea was universally shot down (then it
> was to add it for the default %WHEEL NOPASSWD entry, and it was before
> petitecloud was password protected [it is this criticism that led to
> the password protection in the first place]).
>
> On Wed, Jan 29, 2014 at 4:41 PM, Łukasz Wąsikowski luk...@wasikowski.net wrote:
>
>> On 2014-01-29 22:26, Aryeh Friedman wrote:
>>
>>> Cross post on purpose because people on -virtualization@ are likely
>>> more familiar with bhyve and its requirements as well as knowing what
>>> petitecloud is and what it needs to do (the whole issue is without
>>> adding www to wheel start/stop do not work from the webui).
>>
>> Use security/sudo, maybe with config similar to this:
>>
>> Cmnd_Alias PETITECLOUD = /usr/sbin/service petitecloud stop, \
>>     /usr/sbin/service petitecloud start, \
>>     /usr/sbin/service petitecloud restart
>> www ALL=(ALL) NOPASSWD: PETITECLOUD
>>
>> This way user www can run sudo /usr/sbin/service petitecloud
>> (stop|start|restart) as root (and only those exact commands with those
>> exact parameters). It's a little bit safer than your approach, which
>> is a huge security hole.
>>
>> --
>> best regards,
>> Lukasz Wasikowski

--
Aryeh M. Friedman, Lead Developer, http://www.PetiteCloud.org