* [gentoo-user] non-sudo way for user to run shutdown -h now? (or any equivalent)
From: Mark Knecht @ 2005-07-20 17:29 UTC
To: gentoo-user

Hi,
   I'm trying to get my mythfrontend box to allow a user to shut the
machine down without the use of a keyboard. We are only using remote
controls. sudo doesn't seem to be an option because it requires a
password. (AFAICT)

   Is there some other way that I could make this work?

   I took a look at the permissions on /sbin/shutdown itself. It seems
to be executable by everyone and still doesn't allow anyone other than
to run it. Is there a way to make that program executable by everyone
so that sudo is not required? Or maybe there's some similar program to
shutdown that I could emerge?

   There's only two accounts on this machine - root & mythtv - and
it's within the mythtv account that I want to be able to shut the
machine down using a remote control only.

   Thanks for any and all ideas.

Cheers,
Mark
-- 
gentoo-user@gentoo.org mailing list

* Re: [gentoo-user] non-sudo way for user to run shutdown -h now? (or any equivalent)
From: Richard Fish @ 2005-07-20 17:47 UTC
To: gentoo-user

Mark Knecht wrote:

>Hi,
>   I'm trying to get my mythfrontend box to allow a user to shut the
>machine down without the use of a keyboard. We are only using remote
>controls. sudo doesn't seem to be an option because it requires a
>password. (AFAICT)
>
>   Is there some other way that I could make this work?
>

2 options:

1. Sudo can be set up to allow some commands to be run without a
password. I think this entry in /etc/sudoers should work:

    mythtv ALL = NOPASSWD: /sbin/shutdown

I have not tested this, so if something goes wrong, you'll have to try
and figure out "man sudoers".

2. Create a setuid (chmod 4711 /sbin/shutdown_by_anyone.sh) shell script
that runs shutdown. Be sure to export the PATH, and unset LD_PRELOAD
and LD_LIBRARY_PATH variables at the very beginning of the script. Also
make sure the interpreter line is "/bin/bash --". This doesn't fix all
of the security holes with setuid shell scripts, just the most common
and easiest to fix...

-Richard

* Re: [gentoo-user] non-sudo way for user to run shutdown -h now? (or any equivalent)
From: Mark Knecht @ 2005-07-20 18:06 UTC
To: gentoo-user

On 7/20/05, Richard Fish <bigfish@asmallpond.org> wrote:
> Mark Knecht wrote:
>
> >Hi,
> >   I'm trying to get my mythfrontend box to allow a user to shut the
> >machine down without the use of a keyboard. We are only using remote
> >controls. sudo doesn't seem to be an option because it requires a
> >password. (AFAICT)
> >
> >   Is there some other way that I could make this work?
> >
>
> 2 options:
>
> 1. Sudo can be set up to allow some commands to be run without a
> password. I think this entry in /etc/sudoers should work:
>
>     mythtv ALL = NOPASSWD: /sbin/shutdown

Yes, I have this working. My problem with this solution was slightly
deeper. To get MythTV to execute this command I have to put 'sudo
shutdown -h now' in a setup screen within the setup portion of
mythfrontend. In a general sense I don't know how to do that without a
keyboard being attached to the machine. So far I haven't found where
MythTV stores this information so that I could edit it from an ssh
login.

Granted I can attach a keyboard for a few minutes when the machine is
here at my house, but I'm hesitant to use a solution that I cannot fix
via ssh when the machine is remote at my folks' house.

>
> I have not tested this, so if something goes wrong, you'll have to try
> and figure out "man sudoers".
>
> 2. Create a setuid (chmod 4711 /sbin/shutdown_by_anyone.sh) shell script
> that runs shutdown. Be sure to export the PATH, and unset LD_PRELOAD
> and LD_LIBRARY_PATH variables at the very beginning of the script. Also
> make sure the interpreter line is "/bin/bash --". This doesn't fix all
> of the security holes with setuid shell scripts, just the most common
> and easiest to fix...

I don't know how this is much of a security issue for me, but then
again I don't know much about security, and I suppose it could be if
someone plugs a keyboard in and wants to cause some harm. Shame on
them, but good of you to consider it.

Thanks,
Mark

* Re: [gentoo-user] non-sudo way for user to run shutdown -h now? (or any equivalent)
From: Wade Brown @ 2005-07-20 19:16 UTC
To: gentoo-user

I thought linux wouldn't allow suid shell scripts to work as suid.
The reasoning is a shell script doesn't quite execute, it gets
interpreted by the command on the first line. Just as a test I made a
simple script modded root.root 4755 that consists of the /bin/bash
line, and cat /etc/shadow. Root can run just fine obviously, but
permissions don't exist for other users to do that.

What may work a little better is either chmod s+x `which shutdown`, or
writing a C wrapper and modding that s+x.

On 7/20/05, Mark Knecht <markknecht@gmail.com> wrote:
> On 7/20/05, Richard Fish <bigfish@asmallpond.org> wrote:
> > Mark Knecht wrote:
> >
> > >Hi,
> > >   I'm trying to get my mythfrontend box to allow a user to shut the
> > >machine down without the use of a keyboard. We are only using remote
> > >controls. sudo doesn't seem to be an option because it requires a
> > >password. (AFAICT)
> > >
> > >   Is there some other way that I could make this work?
> > >
> >
> > 2 options:
> >
> > 1. Sudo can be set up to allow some commands to be run without a
> > password. I think this entry in /etc/sudoers should work:
> >
> >     mythtv ALL = NOPASSWD: /sbin/shutdown
>
> Yes, I have this working. My problem with this solution was slightly
> deeper. To get MythTV to execute this command I have to put 'sudo
> shutdown -h now' in a setup screen within the setup portion of
> mythfrontend. In a general sense I don't know how to do that without a
> keyboard being attached to the machine. So far I haven't found where
> MythTV stores this information so that I could edit it from an ssh
> login.
>
> Granted I can attach a keyboard for a few minutes when the machine is
> here at my house, but I'm hesitant to use a solution that I cannot fix
> via ssh when the machine is remote at my folks' house.
>
> >
> > I have not tested this, so if something goes wrong, you'll have to try
> > and figure out "man sudoers".
> >
> > 2. Create a setuid (chmod 4711 /sbin/shutdown_by_anyone.sh) shell script
> > that runs shutdown. Be sure to export the PATH, and unset LD_PRELOAD
> > and LD_LIBRARY_PATH variables at the very beginning of the script. Also
> > make sure the interpreter line is "/bin/bash --". This doesn't fix all
> > of the security holes with setuid shell scripts, just the most common
> > and easiest to fix...
>
> I don't know how this is much of a security issue for me, but then
> again I don't know much about security, and I suppose it could be if
> someone plugs a keyboard in and wants to cause some harm. Shame on
> them, but good of you to consider it.
>
> Thanks,
> Mark

* Re: [gentoo-user] non-sudo way for user to run shutdown -h now? (or any equivalent)
From: Richard Fish @ 2005-07-20 21:15 UTC
To: gentoo-user

Wade Brown wrote:

>I thought linux wouldn't allow suid shell scripts to work as suid.
>The reasoning is a shell script doesn't quite execute, it gets
>interpreted by the command on the first line. Just as a test I made a
>simple script modded root.root 4755 that consists of the /bin/bash
>line, and cat /etc/shadow. Root can run just fine obviously, but
>permissions don't exist for other users to do that.
>

Works fine on my machine. /opt/vmware/lib/vmware/bin/vmware-vmx is a
setuid shell script that I wrote to start up vmware with the wrapper
library to get vmware to work with arts.

Also my permissions on that file are 4711, so maybe there is something
special about the global read bit? Or possibly dependent upon what LSM
modules you have loaded/enabled?

>What may work a little better is either chmod s+x `which shutdown`, or
>writing a C wrapper and modding that s+x.
>

I agree that the C wrapper is definitely the most secure option.

-Richard

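Added example (not part of the thread, and not any poster's code): a minimal C wrapper of the kind discussed above, which accepts only a keyword and supplies the arguments and environment for /sbin/shutdown itself. The keywords halt and reboot, the reboot mapping and the PATH value are assumptions made for illustration; the mythtv account and /sbin/shutdown come from the thread.

```c
/* Added example: setuid-root wrapper that runs shutdown with fixed arguments. */
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

#define ALLOWED_USER "mythtv"   /* the only non-root account allowed to call this */
static const char TARGET[] = "/sbin/shutdown";

/* The caller picks a keyword (assumed names); the wrapper supplies the real
 * arguments. Nothing from the caller's argv or environment reaches shutdown,
 * so PATH, LD_PRELOAD and LD_LIBRARY_PATH cannot influence the child. */
static char *const HALT_ARGV[]   = { "shutdown", "-h", "now", NULL };
static char *const REBOOT_ARGV[] = { "shutdown", "-r", "now", NULL };
static char *const CLEAN_ENV[]   = { "PATH=/sbin:/bin:/usr/sbin:/usr/bin", NULL };

/* Map a keyword to a fixed argv; NULL means "refuse". */
char *const *argv_for_action(const char *action)
{
    if (action == NULL)                 return NULL;
    if (strcmp(action, "halt") == 0)    return HALT_ARGV;
    if (strcmp(action, "reboot") == 0)  return REBOOT_ARGV;
    return NULL;
}

/* Decide on the real uid (who ran us), never the effective uid. */
int caller_allowed(uid_t real_uid, uid_t allowed_uid)
{
    return real_uid == 0 || real_uid == allowed_uid;
}

int main(int argc, char *argv[])
{
    struct passwd *pw = getpwnam(ALLOWED_USER);
    char *const *fixed = argv_for_action(argc == 2 ? argv[1] : NULL);

    if (pw == NULL || fixed == NULL || !caller_allowed(getuid(), pw->pw_uid)) {
        fputs("usage: shutdown_wrapper halt|reboot (mythtv only)\n", stderr);
        return 1;
    }
    if (setuid(0) != 0) {       /* set real uid too; fails unless setuid root */
        perror("setuid");
        return 1;
    }
    execve(TARGET, fixed, CLEAN_ENV);   /* absolute path, no shell involved */
    perror("execve");                   /* only reached if execve failed */
    return 1;
}
```

The binary only gains root when it is owned by root and has the setuid bit set; run without that, setuid(0) fails and nothing is executed.
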
* Re: [gentoo-user] non-sudo way for user to run shutdown -h now? (or any equivalent)
From: Richard Fish @ 2005-07-20 21:17 UTC
To: gentoo-user

Mark Knecht wrote:

>I don't know how this is much of a security issue for me, but then
>again I don't know much about security, and I suppose it could be if
>someone plugs a keyboard in and wants to cause some harm. Shame on
>them, but good of you to consider it.
>

It isn't. I mostly included the info so people wouldn't flame me for
suggesting a setuid shell script in the first place... ;->

Cheers,
-Richard

* Re: [gentoo-user] non-sudo way for user to run shutdown -h now? (or any equivalent)
From: Iain Buchanan @ 2005-07-21 1:49 UTC
To: gentoo-user

On Wed, 2005-07-20 at 11:06 -0700, Mark Knecht wrote:
> On 7/20/05, Richard Fish <bigfish@asmallpond.org> wrote:
> > Mark Knecht wrote:
> >
> > >Hi,
> > >   I'm trying to get my mythfrontend box to allow a user to shut the
> > >machine down without the use of a keyboard. We are only using remote
> > >controls. sudo doesn't seem to be an option because it requires a
> > >password. (AFAICT)
> > >
> > >   Is there some other way that I could make this work?
> >
> > 2 options:
> >
> > 1. Sudo can be set up to allow some commands to be run without a
> > password. I think this entry in /etc/sudoers should work:
> >
> >     mythtv ALL = NOPASSWD: /sbin/shutdown
>
> Yes, I have this working. My problem with this solution was slightly
> deeper. To get MythTV to execute this command I have to put 'sudo
> shutdown -h now' in a setup screen within the setup portion of
> mythfrontend. In a general sense I don't know how to do that without a
> keyboard being attached to the machine. So far I haven't found where
> MythTV stores this information so that I could edit it from an ssh
> login.

Even so, I think this is your best path to follow. Surely you can find
out where mythfrontend stores these files. I don't have mythtv
installed, but I would try, in order, the mythtv website / google; and
then "grep -ri" (brute force approach!) starting from /etc.

HTH,
-- 
Iain Buchanan <iaindb@netspace.net.au>

* Re: [gentoo-user] non-sudo way for user to run shutdown -h now? (or any equivalent)
From: Rafer @ 2005-07-20 20:05 UTC
To: gentoo-user

On Wednesday 20 July 2005 19:29, Mark Knecht wrote:
> Hi,
>    I'm trying to get my mythfrontend box to allow a user to shut the
> machine down without the use of a keyboard. We are only using remote
> controls. sudo doesn't seem to be an option because it requires a
> password. (AFAICT)
>
>    Is there some other way that I could make this work?
>
>    I took a look at the permissions on /sbin/shutdown itself. It seems
> to be executable by everyone and still doesn't allow anyone other than
> to run it. Is there a way to make that program executable by everyone
> so that sudo is not required? Or maybe there's some similar program to
> shutdown that I could emerge?
>
>    There's only two accounts on this machine - root & mythtv - and
> it's within the mythtv account that I want to be able to shut the
> machine down using a remote control only.
>
>    Thanks for any and all ideas.
>
> Cheers,
> Mark

Maybe with Console Aliases? Like this ->
http://gentoo-wiki.com/TIP_Powerdown_on_shutdown_-h