From: Matthew Seaman
Date: Tue, 25 May 2010 21:26:03 +0100
To: Chuck Swiger
Cc: jhell, freebsd-stable@freebsd.org
Subject: Re: Zpool scrub and not-root users
Message-ID: <4BFC325B.8020704@infracaninophile.co.uk>

On 25/05/2010 20:37:34, Chuck Swiger wrote:
> On May 25, 2010, at 12:21 PM, jhell wrote:
>> He does not need to add another layer of insecurity to his system such
>> as sudo. Not saying that this is bad but it feels like a little overkill
>> for something as simple as this.
>>
>> This can be done old-school.
>>
>> pw groupadd _zfsadm
>> pw groupmod _zfsadm -m {username}
>> chmod u+s,o-rx /sbin/zpool
>> chown :_zfsadm /sbin/zpool
>>
>> Repeat command line 2 for every user you want to have root type
>> access to /sbin/zpool.

> This is providing them with the ability to run any zpool command, not
> restricted to "zpool scrub" only. "zpool offline" or "zpool destroy"
> could wreak havoc upon the system if misused....
>

Turning on the SUID bit on a program which wasn't designed from the
ground up to be run like that is pretty much asking for trouble too.
For instance SUID programs generally know they have enhanced privs. and
give them up right after they've done whatever they need the privileges
for. Without that level of attention to detail, SUID programs are a
root compromise waiting to happen.

sudo(8) would be my choice solution for this.

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
JID: matthew@infracaninophile.co.uk               Kent, CT11 9PW
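
The privilege-dropping pattern the message describes for programs written to run SUID, as an added example that is not part of the original thread and is not code from zpool or FreeBSD. The names drop_privileges and open_then_drop are hypothetical, and /dev/null in main() is a constructed stand-in for whatever resource actually needs root.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Permanently give up set-user-ID / set-group-ID privileges.
 * Returns 0 on success, -1 on any failure (the caller must then exit). */
int drop_privileges(void)
{
    uid_t ruid = getuid();   /* real IDs identify the invoking user */
    gid_t rgid = getgid();

    /* Group first: once the effective UID is no longer root, the
     * process may lack the right to reset its group IDs. */
    if (setgid(rgid) != 0)
        return -1;
    if (setuid(ruid) != 0)   /* as root this also resets the saved UID */
        return -1;
    /* Never trust the calls alone: confirm the effective IDs changed. */
    if (geteuid() != ruid || getegid() != rgid)
        return -1;
    /* Confirm the drop is irreversible. Skipped when the invoker is
     * root, since root keeps the right to call setuid(0). */
    if (ruid != 0 && setuid(0) == 0)
        return -1;
    return 0;
}

/* Do the one thing that needs privilege (open a resource), then drop
 * before touching anything else. Returns the descriptor or -1. */
int open_then_drop(const char *path)
{
    int fd = open(path, O_RDONLY);    /* the only privileged step */
    if (drop_privileges() != 0) {     /* drop even if open() failed */
        if (fd >= 0)
            close(fd);
        return -1;
    }
    return fd;                        /* used from here on without privilege */
}

int main(void)
{
    int fd = open_then_drop("/dev/null");   /* constructed stand-in path */
    if (fd < 0) {
        fprintf(stderr, "open or privilege drop failed\n");
        return 1;
    }
    printf("uid=%d euid=%d fd=%d\n", (int)getuid(), (int)geteuid(), fd);
    close(fd);
    return 0;
}
```

A binary that was simply given the SUID bit, as in the quoted chmod, contains none of these steps and keeps effective UID 0 for its entire run.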