From owner-freebsd-virtualization@FreeBSD.ORG Wed Jan 29 22:08:13 2014
Date: Wed, 29 Jan 2014 17:08:12 -0500
From: Aryeh Friedman
To: Łukasz Wąsikowski
Cc: freebsd-virtualization@freebsd.org
Subject: Re: best way to add www to wheel
References: <52E9713F.9040508@callfortesting.org> <52E9757F.4050506@wasikowski.net>
List-Id: "Discussion of various virtualization techniques FreeBSD supports."

Forgot to mention there are more than just those commands but the idea is
still valid (about 6 commands currently need to be setuid but the list may
grow).

On Wed, Jan 29, 2014 at 5:05 PM, Aryeh Friedman wrote:
> Only issue with that is when I asked -ports@ a few months ago how to
> make the port edit sudoers the idea was universally shot down (then it
> was to add it to do it for the default %WHEEL NOPASSWD entry and it was
> before petitecloud was password protected [it is this criticism that led
> to the password protection in the first place]).
>
>
> On Wed, Jan 29, 2014 at 4:41 PM, Łukasz Wąsikowski wrote:
>
>> W dniu 2014-01-29 22:26, Aryeh Friedman pisze:
>>
>> > Cross post on purpose because people on -virtualization@ are likely
>> > more familiar with bhyve and its requirements as well as knowing what
>> > petitecloud is and what it needs to do (the whole issue is without
>> > adding www to wheel start/stop do not work from the webui).
>>
>> Use security/sudo, maybe with config similar to this:
>>
>> Cmnd_Alias PETITECLOUD = /usr/sbin/service petitecloud stop, \
>>     /usr/sbin/service petitecloud start, \
>>     /usr/sbin/service petitecloud restart
>> www ALL=(ALL) NOPASSWD: PETITECLOUD
>>
>> This way user www can run sudo /usr/sbin/service petitecloud
>> (stop|start|restart) as root (and only those exact commands with those
>> exact parameters). It's a "little" bit safer than your approach, which is
>> a huge security hole.
>>
>> --
>> best regards,
>> Lukasz Wasikowski
>>
>
>
>
> --
> Aryeh M. Friedman, Lead Developer, http://www.PetiteCloud.org
>

--
Aryeh M. Friedman, Lead Developer, http://www.PetiteCloud.org
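Added example, not part of the thread: a small Python model of how sudo matches a Cmnd_Alias whose entries carry explicit arguments, showing why Lukasz's rule permits only the three exact command lines while an "ALL" grant (what putting www in a wheel group with "ALL=(ALL) ALL" amounts to) permits anything. The parser handles only the sudoers subset used here and is a simplified emulation of sudo's matching, not sudo's own code; both sudoers texts are constructed for the example.

```python
import shlex

# Constructed sudoers fragments. The first is the rule from the thread;
# the second models the effect of a wheel-style "ALL" grant (assumption:
# written for user www directly rather than via %wheel, for simplicity).
SUDOERS_SCOPED = """
Cmnd_Alias PETITECLOUD = /usr/sbin/service petitecloud stop, \\
    /usr/sbin/service petitecloud start, /usr/sbin/service petitecloud restart
www ALL=(ALL) NOPASSWD: PETITECLOUD
"""
SUDOERS_WHEEL = "www ALL=(ALL) NOPASSWD: ALL\n"


def parse_sudoers(text):
    """Return (aliases, grants) for a tiny sudoers subset.

    aliases: {alias_name: [argv, ...]}; grants: {user: [argv, ...]}.
    Only Cmnd_Alias lines and "user ALL=(ALL) TAG: spec" lines are understood.
    """
    joined = text.replace("\\\n", " ")          # fold backslash continuations
    aliases, grants = {}, {}
    for line in joined.splitlines():
        line = line.split("#", 1)[0].strip()     # drop comments and blanks
        if not line:
            continue
        if line.startswith("Cmnd_Alias"):
            name, _, cmds = line[len("Cmnd_Alias"):].partition("=")
            aliases[name.strip()] = [shlex.split(c) for c in cmds.split(",")]
        else:
            user, _, rest = line.partition(" ")
            spec = rest.split(":", 1)[-1]        # text after "NOPASSWD:"
            for item in spec.split(","):
                item = item.strip()
                # an alias expands to its list; anything else is one literal command
                grants.setdefault(user, []).extend(
                    aliases.get(item, [shlex.split(item)]))
    return aliases, grants


def is_permitted(grants, user, argv):
    """True if sudo would run argv for user under these grants.

    "ALL" permits every command; otherwise the path and every argument
    must match one permitted command line exactly (no extra or missing args).
    """
    for allowed in grants.get(user, []):
        if allowed == ["ALL"] or allowed == argv:
            return True
    return False
```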