On 20 September 2015 at 14:51, Theo Buehler <[email protected]> wrote:
> On Sat, Sep 19, 2015 at 02:19:19PM +0100, Toby Slight wrote:
> > I'm trying to let my user shutdown, reboot and suspend the computer
> without
> > entering a password. This is my doas.conf:
> >
> > permit keepenv { ENV PS1 SSH_AUTH_SOCK } :wheel
> > permit nopass toby as root cmd /sbin/shutdown
> > permit nopass toby as root cmd /sbin/reboot
> > permit nopass toby as root cmd /usr/sbin/zzz
> >
> > I can suspend successfully, but attempting to shutdown or reboot,
> returns:
> >
> > ksh: shutdown: cannot execute - Permission denied
>
> tedu already answered your question. Nevertheless let me add two
> points:
>
Yeah - I replied a couple of times in haste from gmail, and thus the rest
of the conversation accidentally just got send to Tedu and not the list
(gmail defaults to reply to only the author of the last message). Doh!
>
> 1. It looks like your user toby belongs to the group wheel, so you can
> communicate to /var/run/apmdev and hence you don't need further
> special privileges to run apm(8) or zzz(8).
>
> 2. If you add your user to the 'operator' group, you can run
> shutdown(8) without entering a password as well, so
> $ shutdown -r now
> will reboot your box and you can halt with `-ph' instead of `-r'.
>
> Thus, the only `doas nopass' rule that is actually needed is the
> /sbin/reboot one, should you still want it in view of point 2.
>
Many thanks for the extra tips. I've learn so much from this thread :-)
For reference here is the bit that I forgot to cc the list on:
On 19 September 2015 at 15:50, Ted Unangst <[email protected]> wrote:
>
>
> you have to run the doas command. it's not part of the shell.
>
> doas /sbin/shutdown
>
How come for zzz, I can run it as my user without pre-pending doas, and it
executes without asking for my password? Do executable in /sbin require
doas pre-pended but /usr/sbin don't? Also, even when I run doas shutdown,
it still asks for my password....
Toby Slight wrote:
> On 19 September 2015 at 15:50, Ted Unangst <[email protected]> wrote:
> >
> >
> > you have to run the doas command. it's not part of the shell.
> >
> > doas /sbin/shutdown
> >
>
> How come for zzz, I can run it as my user without pre-pending doas, and it
> executes without asking for my password? Do executable in /sbin require
> doas pre-pended but /usr/sbin don't? Also, even when I run doas shutdown,
> it still asks for my password....
anybody can run zzz. most things in /sbin are normal too, but shutdown is
special. if your doas.conf file says only /sbin/shutdown has no password,
then you have to type the path. or change the config to remove the path.
On 19 September 2015 at 17:58, Ted Unangst <[email protected]> wrote:
>
>
> anybody can run zzz. most things in /sbin are normal too, but shutdown is
> special. if your doas.conf file says only /sbin/shutdown has no password,
> then you have to type the path. or change the config to remove the path.
>
Ha - no way! I had no idea! All this time I assumed it required privilege
escalation. Did it used to? Perhaps just a hangover assumption from my
Linux days...
So it's the giving it the full path, or removing it from doas.conf that
does the trick, eh? Nice one - I shall give it whirl when I get home :-)
Thanks for the prompt responses and help.
I'm still somewhat curious though - how and why is shutdown special? What
about reboot? Also, is there a way to specify multiple commands in a single
line, or does every cmd need a separate line?
Toby Slight wrote:
> I'm still somewhat curious though - how and why is shutdown special? What
> about reboot? Also, is there a way to specify multiple commands in a
single
> line, or does every cmd need a separate line?
shutdown is setuid. just look at ls -l /sbin.
it has to be one command per line in doas.conf.
--
0x2b || !0x2b
