Bug#804382: Please allow non-root usage
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 On 2015-11-07 22:03, martin f krafft wrote: > ambassador:/var/mail% /usr/sbin/vmm ld > Error: You are not root. > Good bye! > > I see no reason for this. Anyone with access to the vmm > configuration with the database data should be able to use vmm. > > Even better would be if socket authentication was possible and > I could control using pg_hba and pg_ident who can connect to the > database. The vmm package creates the group `vmm'. So you can add system users to the vmm group. Create a file, e.g. `vmm_sudoers' ,--[ vmm_sudoers ]-- | # vim: ft=sudoers | Cmnd_AliasVMM_CMD = /usr/sbin/vmm | %vmm ALL = NOPASSWD: VMM_CMD `-- Admins who want to allow the usage of vmm for members of the vmm group can execute: install -m 440 vmm_sudoers /etc/sudoers.d Members of the group vmm will be able to execute vmm commands, e.g.: sudo vmm ld Lazy users can create an alias: alias vmm='sudo /usr/sbin/vmm' The vmm package then should suggest the sudo package. Regards, Pascal - -- Ubuntu is an ancient African word meaning “I can’t install Debian.” -- unknown -BEGIN PGP SIGNATURE- Version: GnuPG v2 iQGcBAEBCgAGBQJWVj5xAAoJEIgLCU7FETn+exkL/3Tuj9XlYuKtnfFLAF4SnRHz M9yc+5L7vN06bYne5/M38aNaKIypvhwQuIJd6Fv+eEPWugAQoiNr+dtJRrinE8mn vGW8OT/oQtwsPQzcDkJ65LinV3NJwA30C2vMghBbUMkZ37TR3c0z6+1g9XDF8jZ/ Zx/ss/i5DUeSurrtyuKI1iiUX5d7HQwKRuFd03oj1XqmsYbLIRoDB84E8QYufHre xhMF8jk8+/12F8sa09t3M6Z9A3TTMgJl6BcHeab0GG3EwsgKyI7AJst8Fp7X203l MzuPtObtkFBgt6yiIX+OgrENBwxWZ1rJuxXcmdzM+3jsmGHW2xhLpk5b3hyVWOuQ AFpcyYEpcz8hFg2zRfbjuW2CpvmC9ArWKL4juUj+cAHDKV8RMjs9yun4NLkou5AR bJCwkrv118vQ60II8WSAxapwHktNBxciI8BnCM+MyQqRPOFdUpk+1OZHarqsRm0x BuSMBFYgtpaWyZpC9CjFxRR0L7clsmNOdQVHsx2YdA== =XCY9 -END PGP SIGNATURE-
Bug#804382: Please allow non-root usage
I know about sudo, but I still wonder about the need for root rights at all. Access to the database credentials can be managed through filesystem permissions. So the next (and hopefully last) thing where we need root rights seems to be the creation of domain directories, or even user directories: Nov 26 02:55:21 ambassador dovecot: lmtp(20221): Error: user t...@pantsfullofunix.net: Initialization failed: Namespace '': mkdir(/srv/vmm/6/7/7/Maildir) failed: Permission denied (euid=7(test%pantsfullofunix.net) egid=7(pantsfullofunix.net) missing +w perm: /srv/vmm/6/7, dir owned by 0:7 mode=0750) I can't seem to find a way to tell lmtp to drop privileges only after it verified existence of the target directories, and we don't want to go the pam_session route. If we can agree that it's best to run as little code as possible as root, then maybe it would be best to factor out just the domain/user directory creation to a script and letting vmm invoke that script, either as setuid or with sudo, while the rest of vmm runs with user privileges. -- .''`. martin f. krafft@martinkrafft : :' : proud Debian developer `. `'` http://people.debian.org/~madduck `- Debian - when you have better things to do than fixing systems "it takes more keystrokes to enter a windows license key than it takes to do a complete debian desktop install!" -- joey hess digital_signature_gpg.asc Description: Digital signature (see http://martin-krafft.net/gpg/sig-policy/999bbcc4/current)
Bug#804382: Please allow non-root usage
Package: vmm Version: 0.6.2-1 Severity: wishlist ambassador:/var/mail% /usr/sbin/vmm ld Error: You are not root. Good bye! I see no reason for this. Anyone with access to the vmm configuration with the database data should be able to use vmm. Even better would be if socket authentication was possible and I could control using pg_hba and pg_ident who can connect to the database. -- System Information: Debian Release: stretch/sid APT prefers unstable APT policy: (500, 'unstable') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 4.2.0-1-amd64 (SMP w/4 CPU cores) Locale: LANG=en_NZ, LC_CTYPE=en_NZ.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) -- .''`. martin f. krafft@martinkrafft : :' : proud Debian developer `. `'` http://people.debian.org/~madduck `- Debian - when you have better things to do than fixing systems digital_signature_gpg.asc Description: Digital signature (see http://martin-krafft.net/gpg/sig-policy/999bbcc4/current)