Vadim Zhukov wrote:
> But anyway, root-only requirement for listing available syspatches
> seems a bit silly.
As Antoine has replied, this is so the file retrieval occurs as a
privsep user, so that a bug in that tooling is very much more difficult
to exploit. Undoing that privsep feels unhealth
Sat, 14 Dec 2019 at 14:35, Antoine Jacoutot :
>
> On Sat, Dec 14, 2019 at 10:12:36AM +0300, Vadim Zhukov wrote:
> > Hello all (long time no see!)
> >
> > TL;DR: Allow syspatch -c run under non-privileged user.
> >
> > Reasoning: instead of putting syspatch -c in crontab, I've implemented
> > a Z
On Sat, Dec 14, 2019 at 10:12:36AM +0300, Vadim Zhukov wrote:
> Hello all (long time no see!)
>
> TL;DR: Allow syspatch -c run under non-privileged user.
>
> Reasoning: instead of putting syspatch -c in crontab, I've implemented
> a Zabbix trigger. Since the Zabbix agent runs as unprivileged us
Hello all (long time no see!)
TL;DR: Allow syspatch -c run under non-privileged user.
Reasoning: instead of putting syspatch -c in crontab, I've implemented
a Zabbix trigger. Since the Zabbix agent runs as unprivileged user,
I had to add _zabbix line to doas.conf, allowing it to run syspatch -c