* [gentoo-user] non-sudo way for user to run shutdown -h now? (or any equivalent)
From: Mark Knecht @ 2005-07-20 17:29 UTC
To: gentoo-user
Hi,
I'm trying to get my mythfrontend box to allow a user to shut the
machine down without the use of a keyboard. We are only using remote
controls. sudo doesn't seem to be an option because it requires a
password. (AFAICT)
Is there some other way that I could make this work?
I took a look at the permissions on /sbin/shutdown itself. It seems
to be executable by everyone and still doesn't allow anyone other than
to run it. Is there a way to make that program executable by everyone
so that sudo is not required? Or maybe there's some similar program to
shutdown that I could emerge?
There's only two accounts on this machine - root & mythtv - and
it's within the mythtv account that I want to be able to shut the
machine down using a remote control only.
Thanks for any and all ideas.
Cheers,
Mark
--
gentoo-user@gentoo.org mailing list
* Re: [gentoo-user] non-sudo way for user to run shutdown -h now? (or any equivalent)
From: Richard Fish @ 2005-07-20 17:47 UTC
To: gentoo-user
Mark Knecht wrote:
>Hi,
> I'm trying to get my mythfrontend box to allow a user to shut the
>machine down without the use of a keyboard. We are only using remote
>controls. sudo doesn't seem to be an option because it requires a
>password. (AFAICT)
>
> Is there some other way that I could make this work?
>
>
>
2 options:
1. Sudo can be setup to allow some commands to be run without a
password. I think this entry in /etc/sudoers should work:
mythtv ALL = NOPASSWD: /sbin/shutdown
I have not tested this, so if something goes wrong, you'll have to try
and figure out "man sudoers".
2. Create a setuid (chmod 4711 /sbin/shutdown_by_anyone.sh) shell script
that runs shutdown. Be sure to export the PATH, and unset LD_PRELOAD
and LD_LIBRARY_PATH variables at the very beginning of the script. Also
make sure the interpreter line is "/bin/bash --". This doesn't fix all
of the security holes with setuid shell scripts, just the most common
and easiest to fix...
-Richard
* Re: [gentoo-user] non-sudo way for user to run shutdown -h now? (or any equivalent)
From: Mark Knecht @ 2005-07-20 18:06 UTC
To: gentoo-user
On 7/20/05, Richard Fish <bigfish@asmallpond.org> wrote:
> Mark Knecht wrote:
>
> >Hi,
> > I'm trying to get my mythfrontend box to allow a user to shut the
> >machine down without the use of a keyboard. We are only using remote
> >controls. sudo doesn't seem to be an option because it requires a
> >password. (AFAICT)
> >
> > Is there some other way that I could make this work?
> >
> >
> >
>
> 2 options:
>
> 1. Sudo can be setup to allow some commands to be run without a
> password. I think this entry in /etc/sudoers should work:
>
> mythtv ALL = NOPASSWD: /sbin/shutdown
Yes, I have this working. My problem with this solution was slightly
deeper. To get MythTV to execute this command I have to put 'sudo
shutdown -h now' in a setup screen within the setup portion of
mythfrontend. In a general sense I don't know how to do that without a
keyboard being attached to the machine. So far I haven't found where
MythTV stores this information so that I could edit it from an ssh
login.
Granted I can attach a keyboard for a few minutes when the machine is
here at my house, but I'm hesitant to use a solution that I cannot fix
via ssh when the machine is remote at my folks' house.
>
> I have not tested this, so if something goes wrong, you'll have to try
> and figure out "man sudoers".
>
> 2. Create a setuid (chmod 4711 /sbin/shutdown_by_anyone.sh) shell script
> that runs shutdown. Be sure to export the PATH, and unset LD_PRELOAD
> and LD_LIBRARY_PATH variables at the very beginning of the script. Also
> make sure the interpreter line is "/bin/bash --". This doesn't fix all
> of the security holes with setuid shell scripts, just the most common
> and easiest to fix...
I don't know how this is much of a security issue for me, but then
again I don't know much about security, and I suppose it could be if
someone plugs a keyboard in and wants to cause some harm. Shame on
them, but good of you to consider it.
Thanks,
Mark
* Re: [gentoo-user] non-sudo way for user to run shutdown -h now? (or any equivalent)
From: Wade Brown @ 2005-07-20 19:16 UTC
To: gentoo-user
I thought linux wouldn't allow suid shell scripts to work as suid.
The reasoning is a shell script doesn't quite execute, it gets
interpreted by the command on the first line. Just as a test I made a
simple script modded root.root 4755 that consists of the /bin/bash
line, and cat /etc/shadow. Root can run just fine obviously, but
permissions don't exist for other users to do that.
What may work a little better is either chmod s+x `which shutdown`, or
writing a C wrapper and modding that s+x.
On 7/20/05, Mark Knecht <markknecht@gmail.com> wrote:
> On 7/20/05, Richard Fish <bigfish@asmallpond.org> wrote:
> > Mark Knecht wrote:
> >
> > >Hi,
> > > I'm trying to get my mythfrontend box to allow a user to shut the
> > >machine down without the use of a keyboard. We are only using remote
> > >controls. sudo doesn't seem to be an option because it requires a
> > >password. (AFAICT)
> > >
> > > Is there some other way that I could make this work?
> > >
> > >
> > >
> >
> > 2 options:
> >
> > 1. Sudo can be setup to allow some commands to be run without a
> > password. I think this entry in /etc/sudoers should work:
> >
> > mythtv ALL = NOPASSWD: /sbin/shutdown
>
> Yes, I have this working. My problem with this solution was slightly
> deeper. To get MythTV to execute this command I have to put 'sudo
> shutdown -h now' in a setup screen within the setup portion of
> mythfrontend. In a general sense I don't know how to do that without a
> keyboard being attached to the machine. So far I haven't found where
> MythTV stores this information so that I could edit it from an ssh
> login.
>
> Granted I can attach a keyboard for a few minutes when the machine is
> here at my house, but I'm hesitant to use a solution that I cannot fix
> via ssh when the machine is remote at my folks' house.
>
> >
> > I have not tested this, so if something goes wrong, you'll have to try
> > and figure out "man sudoers".
> >
> > 2. Create a setuid (chmod 4711 /sbin/shutdown_by_anyone.sh) shell script
> > that runs shutdown. Be sure to export the PATH, and unset LD_PRELOAD
> > and LD_LIBRARY_PATH variables at the very beginning of the script. Also
> > make sure the interpreter line is "/bin/bash --". This doesn't fix all
> > of the security holes with setuid shell scripts, just the most common
> > and easiest to fix...
>
> I don't know how this is much of a security issue for me, but then
> again I don't know much about security, and I suppose it could be if
> someone plugs a keyboard in and wants to cause some harm. Shame on
> them, but good of you to consider it.
>
> Thanks,
> Mark
>
> --
> gentoo-user@gentoo.org mailing list
>
>
* Re: [gentoo-user] non-sudo way for user to run shutdown -h now? (or any equivalent)
From: Rafer @ 2005-07-20 20:05 UTC
To: gentoo-user
On Wednesday 20 July 2005 19:29, Mark Knecht wrote:
> Hi,
> I'm trying to get my mythfrontend box to allow a user to shut the
> machine down without the use of a keyboard. We are only using remote
> controls. sudo doesn't seem to be an option because it requires a
> password. (AFAICT)
>
> Is there some other way that I could make this work?
>
> I took a look at the permissions on /sbin/shutdown itself. It seems
> to be executable by everyone and still doesn't allow anyone other than
> to run it. Is there a way to make that program executable by everyone
> so that sudo is not required? Or maybe there's some similar program to
> shutdown that I could emerge?
>
> There's only two accounts on this machine - root & mythtv - and
> it's within the mythtv account that I want to be able to shut the
> machine down using a remote control only.
>
> Thanks for any and all ideas.
>
> Cheers,
> Mark
Maybe with Console Aliases ?
Like This ->http://gentoo-wiki.com/TIP_Powerdown_on_shutdown_-h
* Re: [gentoo-user] non-sudo way for user to run shutdown -h now? (or any equivalent)
From: Richard Fish @ 2005-07-20 21:15 UTC
To: gentoo-user
Wade Brown wrote:
>I thought linux wouldn't allow suid shell scripts to work as suid.
>The reasoning is a shell script doesn't quite execute, it gets
>interpreted by the command on the first line. Just as a test I made a
>simple script modded root.root 4755 that consists of the /bin/bash
>line, and cat /etc/shadow. Root can run just fine obviously, but
>permissions don't exist for other users to do that.
>
>
>
Works fine on my machine. /opt/vmware/lib/vmware/bin/vmware-vmx is a
setuid shell script that I wrote to startup vmware with the wrapper
library to get vmware to work with arts. Also my permissions on that
file are 4711, so maybe there is something special about the global read
bit? Or possibly dependent upon what LSM modules you have loaded/enabled?
>What may work a little better is either chmod s+x `which shutdown`, or
>writing a C wrapper and modding that s+x.
>
>
I agree that the C wrapper is definitely the most secure option.
-Richard
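The C wrapper discussed above, as an added example that is not code from the thread: it runs only "/sbin/shutdown -h now" and hands the child a fixed environment, which covers the PATH, LD_PRELOAD and LD_LIBRARY_PATH points raised for the shell-script variant. The ALLOWED_UID value (1000) is an assumed placeholder for the mythtv account's UID, and the policy function name is hypothetical.

```c
/* Added example, not from the thread: setuid-root wrapper that can only
 * run "/sbin/shutdown -h now". Install root-owned with the setuid bit. */
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Assumption: UID of the mythtv account; check with `id -u mythtv`. */
#define ALLOWED_UID ((uid_t)1000)

enum { REQ_OK = 0, REQ_BAD_ARGS = 2, REQ_BAD_USER = 3 };

/* Fixed command line: the caller cannot add or change arguments. */
static char *const SHUTDOWN_ARGV[] = { "/sbin/shutdown", "-h", "now", NULL };

/* Fixed environment: nothing is inherited, so the caller's PATH,
 * LD_PRELOAD and LD_LIBRARY_PATH never reach the root process. */
static char *const CLEAN_ENV[] = { "PATH=/sbin:/bin:/usr/sbin:/usr/bin", NULL };

/* Policy check, kept separate from the exec so it can be tested. */
int check_request(int argc, uid_t real_uid, uid_t allowed_uid)
{
    if (argc != 1)
        return REQ_BAD_ARGS;            /* wrapper takes no arguments */
    if (real_uid != 0 && real_uid != allowed_uid)
        return REQ_BAD_USER;            /* only root or the one account */
    return REQ_OK;
}

int main(int argc, char *argv[])
{
    (void)argv;
    int rc = check_request(argc, getuid(), ALLOWED_UID);
    if (rc != REQ_OK) {
        fprintf(stderr, "shutdown wrapper: request refused (%d)\n", rc);
        return rc;
    }
    /* Set real, effective and saved IDs to root before the exec. */
    if (setgid(0) != 0 || setuid(0) != 0) {
        perror("setgid/setuid");
        return 1;
    }
    execve(SHUTDOWN_ARGV[0], SHUTDOWN_ARGV, CLEAN_ENV);
    perror("execve");                   /* reached only if exec failed */
    return 1;
}
```

Installed root-owned with mode 4711, the binary can be called from MythTV's halt command setting in place of 'sudo shutdown -h now'.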
* Re: [gentoo-user] non-sudo way for user to run shutdown -h now? (or any equivalent)
From: Richard Fish @ 2005-07-20 21:17 UTC
To: gentoo-user
Mark Knecht wrote:
>I don't know how this is much of a security issue for me, but then
>again I don't know much about security, and I suppose it could be if
>someone plugs a keyboard in and wants to cause some harm. Shame on
>them, but good of you to consider it.
>
>
It isn't. I mostly included the info so people wouldn't flame me for
suggesting a setuid shell script in the first place... ;->
Cheers,
-Richard
* Re: [gentoo-user] non-sudo way for user to run shutdown -h now? (or any equivalent)
From: Iain Buchanan @ 2005-07-21 1:49 UTC
To: gentoo-user
On Wed, 2005-07-20 at 11:06 -0700, Mark Knecht wrote:
> On 7/20/05, Richard Fish <bigfish@asmallpond.org> wrote:
> > Mark Knecht wrote:
> >
> > >Hi,
> > > I'm trying to get my mythfrontend box to allow a user to shut the
> > >machine down without the use of a keyboard. We are only using remote
> > >controls. sudo doesn't seem to be an option because it requires a
> > >password. (AFAICT)
> > >
> > > Is there some other way that I could make this work?
> >
> > 2 options:
> >
> > 1. Sudo can be setup to allow some commands to be run without a
> > password. I think this entry in /etc/sudoers should work:
> >
> > mythtv ALL = NOPASSWD: /sbin/shutdown
>
> Yes, I have this working. My problem with this solution was slightly
> deeper. To get MythTV to execute this command I have to put 'sudo
> shutdown -h now' in a setup screen within the setup portion of
> mythfrontend. In a general sense I don't know how to do that without a
> keyboard being attached to the machine. So far I haven't found where
> MythTV stores this information so that I could edit it from an ssh
> login.
Even so, I think this is your best path to follow. Surely you can find
out where mythfrontend stores these files. I don't have mythtv
installed, but I would try, in order, the mythtv website / google; and
then "grep -ri" (brute force approach!) starting from /etc.
HTH,
--
Iain Buchanan <iaindb@netspace.net.au>