Bug#804382: Please allow non-root usage

2015-11-25 Thread Pascal Volk 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 2015-11-07 22:03, martin f krafft wrote:
> ambassador:/var/mail% /usr/sbin/vmm ld
> Error: You are not root.
> Good bye!
> 
> I see no reason for this. Anyone with access to the vmm
> configuration with the database data should be able to use vmm.
> 
> Even better would be if socket authentication was possible and
> I could control using pg_hba and pg_ident who can connect to the
> database.

The vmm package creates the group `vmm'. So you can add system users to
the vmm group.
Create a file, e.g. `vmm_sudoers'

,--[ vmm_sudoers ]--
| # vim: ft=sudoers
| Cmnd_AliasVMM_CMD = /usr/sbin/vmm
| %vmm  ALL = NOPASSWD: VMM_CMD
`--

Admins who want to allow the usage of vmm for members of the vmm group
can execute:

install -m 440 vmm_sudoers /etc/sudoers.d

Members of the group vmm will be able to execute vmm commands, e.g.:

sudo vmm ld

Lazy users can create an alias:

alias vmm='sudo /usr/sbin/vmm'

The vmm package then should suggest the sudo package.


Regards,
Pascal
- -- 
Ubuntu is an ancient African word meaning “I can’t install Debian.”
 -- unknown
-BEGIN PGP SIGNATURE-
Version: GnuPG v2

iQGcBAEBCgAGBQJWVj5xAAoJEIgLCU7FETn+exkL/3Tuj9XlYuKtnfFLAF4SnRHz
M9yc+5L7vN06bYne5/M38aNaKIypvhwQuIJd6Fv+eEPWugAQoiNr+dtJRrinE8mn
vGW8OT/oQtwsPQzcDkJ65LinV3NJwA30C2vMghBbUMkZ37TR3c0z6+1g9XDF8jZ/
Zx/ss/i5DUeSurrtyuKI1iiUX5d7HQwKRuFd03oj1XqmsYbLIRoDB84E8QYufHre
xhMF8jk8+/12F8sa09t3M6Z9A3TTMgJl6BcHeab0GG3EwsgKyI7AJst8Fp7X203l
MzuPtObtkFBgt6yiIX+OgrENBwxWZ1rJuxXcmdzM+3jsmGHW2xhLpk5b3hyVWOuQ
AFpcyYEpcz8hFg2zRfbjuW2CpvmC9ArWKL4juUj+cAHDKV8RMjs9yun4NLkou5AR
bJCwkrv118vQ60II8WSAxapwHktNBxciI8BnCM+MyQqRPOFdUpk+1OZHarqsRm0x
BuSMBFYgtpaWyZpC9CjFxRR0L7clsmNOdQVHsx2YdA==
=XCY9
-END PGP SIGNATURE-

Bug#804382: Please allow non-root usage

2015-11-25 Thread martin f krafft 
I know about sudo, but I still wonder about the need for root rights
at all.

Access to the database credentials can be managed through filesystem
permissions.

So the next (and hopefully last) thing where we need root rights
seems to be the creation of domain directories, or even user
directories:

  Nov 26 02:55:21 ambassador dovecot: lmtp(20221): Error: user
  t...@pantsfullofunix.net: Initialization failed: Namespace '':
  mkdir(/srv/vmm/6/7/7/Maildir) failed: Permission denied
  (euid=7(test%pantsfullofunix.net)
  egid=7(pantsfullofunix.net) missing +w perm: /srv/vmm/6/7,
  dir owned by 0:7 mode=0750)

I can't seem to find a way to tell lmtp to drop privileges only
after it verified existence of the target directories, and we don't
want to go the pam_session route.

If we can agree that it's best to run as little code as possible as
root, then maybe it would be best to factor out just the domain/user
directory creation to a script and letting vmm invoke that script,
either as setuid or with sudo, while the rest of vmm runs with user
privileges.

-- 
 .''`.   martin f. krafft  @martinkrafft
: :'  :  proud Debian developer
`. `'`   http://people.debian.org/~madduck
  `-  Debian - when you have better things to do than fixing systems
 
"it takes more keystrokes to enter a windows license key
 than it takes to do a complete debian desktop install!"
-- joey hess


digital_signature_gpg.asc
Description: Digital signature (see http://martin-krafft.net/gpg/sig-policy/999bbcc4/current)

Bug#804382: Please allow non-root usage

2015-11-07 Thread martin f krafft 
Package: vmm
Version: 0.6.2-1
Severity: wishlist

ambassador:/var/mail% /usr/sbin/vmm ld
Error: You are not root.
Good bye!

I see no reason for this. Anyone with access to the vmm
configuration with the database data should be able to use vmm.

Even better would be if socket authentication was possible and
I could control using pg_hba and pg_ident who can connect to the
database.

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.2.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_NZ, LC_CTYPE=en_NZ.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

-- 
 .''`.   martin f. krafft  @martinkrafft
: :'  :  proud Debian developer
`. `'`   http://people.debian.org/~madduck
  `-  Debian - when you have better things to do than fixing systems


digital_signature_gpg.asc
Description: Digital signature (see http://martin-krafft.net/gpg/sig-policy/999bbcc4/current)