From: Kirk Strauser
To: freebsd-questions@freebsd.org
Date: Mon, 11 Sep 2006 09:56:42 -0500
Subject: Re: Putting a command/script as a user's shell
In-Reply-To: <450570AA.6050505@orchid.homeunix.org>

On Monday 11 September 2006 09:20, Karol Kwiatkowski wrote:
> Good day everyone,
>
> I'm trying to make it possible to restart (as in 'shutdown -r now') a
> FreeBSD based router from LAN network as easy as possible so it can be
> used by non-technical people.

First of all, it's easy enough to do this securely that you might as well do
it. Install sudo, and use "visudo" to create a sudoers file with entries
like:

User_Alias REBOOTERS = username1,username2,username3
REBOOTERS ALL = (root) NOPASSWD: /sbin/reboot

Next, create a reboot script for them:

# cat /usr/local/sbin/reboot.sh
#!/bin/sh
# Forced-command target: the sudoers entry above lets REBOOTERS run
# /sbin/reboot as root without a password.
sudo /sbin/reboot

Finally, use OpenSSH's built-in options to run the script at login. From
sshd(8):

AUTHORIZED_KEYS FILE FORMAT
[....]
command="command"
Specifies that the command is executed whenever this key is used
for authentication.

So, make each user's authorized_keys file look something like (the options
field goes in front of the key type):

command="/usr/local/sbin/reboot.sh" ssh-rsa [long base64 string] username1@example.com

Alternatively, do all the above for one single account: your "restart" user.
Use authorized_keys to limit which of your real users has access to reboot
the machine, and use "ssh -l restart balkyrouter.example.com" to trigger it.
You could even go so far as to add a clause to /etc/ssh/ssh_config (or
~/.ssh/config for each individual user) like:

Host rebootrouter
    Hostname balkyrouter.example.com
    User restart

so that your users just run "ssh rebootrouter".

So, to recap, when a user logs in, the reboot.sh script will be executed. It
will use sudo to run the reboot command as root, without prompting the user
to enter any password. It's easy, it works, and it doesn't require any
setuid trickery or special accounts or anything else.
-- 
Kirk Strauser
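The authorized_keys step above is the part worth getting exactly right: a forced command on its own still lets the key holder request a pty and port forwarding, so the usual companion options (no-pty, no-port-forwarding, no-agent-forwarding, no-X11-forwarding, or the "restrict" shorthand in OpenSSH 7.2 and later) belong on the same line. The following POSIX sh helpers are an added example, not code from the message or from the FreeBSD or OpenSSH projects; the file paths, user names and key material are placeholders. restricted_key_line builds a correctly ordered entry from a public-key line, and audit_authorized_keys reads an existing file and reports forced-command entries that lack those restrictions.

```shell
#!/bin/sh
# Added example (not from the original message): helpers for the
# authorized_keys forced-command step, plus a check for entries that
# force a command but still allow a pty and forwarding.
# Paths, user names and key material are placeholders.

# Build a locked-down authorized_keys entry for a forced-command account.
#   $1 = public key line as found in id_*.pub ("type base64 comment")
#   $2 = absolute path of the command to force
# Options must precede the key type, so the line is assembled in that order.
restricted_key_line() {
    key="$1"
    cmd="$2"
    case "$key" in
        ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-*|sk-*) ;;
        *) echo "restricted_key_line: not a public key line: $key" >&2; return 1 ;;
    esac
    printf 'command="%s",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty %s\n' \
        "$cmd" "$key"
}

# Report forced-command entries in an authorized_keys file ($1) that lack the
# usual restrictions (either the individual no-* options or the OpenSSH 7.2+
# "restrict" shorthand). Prints one line per weak entry; returns 1 if any.
audit_authorized_keys() {
    rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*) continue ;;            # blank line or comment
        esac
        case "$line" in
            *command=*) ;;                  # only forced-command keys matter here
            *) continue ;;
        esac
        case "$line" in
            restrict,*|restrict\ *|*,restrict,*|*,restrict\ *) continue ;;
        esac
        missing=""
        for opt in no-pty no-port-forwarding no-agent-forwarding no-X11-forwarding; do
            case "$line" in
                *"$opt"*) ;;
                *) missing="$missing $opt" ;;
            esac
        done
        if [ -n "$missing" ]; then
            # identify the entry by its trailing comment (user@host)
            printf 'missing:%s :: %s\n' "$missing" "${line##* }"
            rc=1
        fi
    done < "$1"
    return "$rc"
}

# Write a small constructed authorized_keys file to $1 for demonstration.
# The base64 fields are placeholders, not real keys.
write_sample_keys() {
    cat > "$1" <<'EOF'
# fine: forced command plus the usual restrictions
command="/usr/local/sbin/reboot.sh",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-ed25519 AAAAC3PLACEHOLDER username1@example.com
# fine: same effect via the "restrict" shorthand
restrict,command="/usr/local/sbin/reboot.sh" ssh-ed25519 AAAAC3PLACEHOLDER username2@example.com
# weak: command is forced, but a pty and port forwarding are still allowed
command="/usr/local/sbin/reboot.sh" ssh-rsa AAAAB3PLACEHOLDER username3@example.com
EOF
}

demo() {
    tmp=$(mktemp) || exit 1
    write_sample_keys "$tmp"
    echo "generated entry:"
    restricted_key_line 'ssh-ed25519 AAAAC3PLACEHOLDER username1@example.com' /usr/local/sbin/reboot.sh
    echo "audit of sample file:"
    if audit_authorized_keys "$tmp"; then
        echo "all forced-command entries are restricted"
    fi
    rm -f "$tmp"
}

# Usage (assumed file name): sh audit_keys.sh --demo
if [ "${1:-}" = "--demo" ]; then
    demo
fi
```

Run with --demo to see the generated line and the audit flag only the third sample entry. The audit matches option names by substring on the whole line, which is adequate for a file you control; on a file where key comments might contain those words, split off the options field first.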