From: Mark Peek
Date: Mon, 17 Jun 2024 10:52:53 -0700
Subject: Re: How to launch a bhyve vm as normal user,without being root
To: Mario Marietto
Cc: Dave Cottlehuber, Odhiambo Washington, freebsd-virtualization
List-Archive: https://lists.freebsd.org/archives/freebsd-virtualization

Likely need to add this as it is what you are passing to doas as the command to execute:

permit nopass :wheel as root cmd /usr/sbin/12-Win-11-vm12

Mark

On Mon, Jun 17, 2024 at 10:40 AM Mario Marietto wrote:
>
> [marietto@marietto /bhyve]==> sudo cp 12-Win-11-vm12 /usr/sbin
>
> [marietto@marietto /bhyve]==> nano /usr/sbin/12-Win-11-vm12
>
> #!/bin/sh
>
> bhyve-win -S -c sockets=4,cores=2,threads=1 -m 8G -w -H \
> -S -c sockets=4,cores=2,threads=1 -m 8G -w -H \
> -s 0,hostbridge \
> -s 1,ahci-hd,/mnt/da4p2/bhyve/img/Windows/Windows11.img,bootindex=1 \
> -s 2,ahci-hd,/dev/$vmdisk5 \
> -s 8:0,passthru,2/0/0 \
> -s 8:1,passthru,2/0/1 \
> -s 8:2,passthru,2/0/2 \
> -s 8:3,passthru,2/0/3 \
> -s 13,virtio-net,tap12 \
> -s 29,fbuf,tcp=0.0.0.0:5912,w=1600,h=950,wait \
> -s 30,xhci,tablet \
> -s 31,lpc \
> -l bootrom,/usr/local/share/uefi-firmware/BHYVE_UEFI_CODE.fd \
> vm0:12 < /dev/null & sleep 2 && vncviewer 0:12
>
> [marietto@marietto /bhyve]==> sudo chmod 0755 /usr/sbin/12-Win-11-vm12
>
> [marietto@marietto /bhyve]==> sudo nano /usr/local/etc/doas.conf
>
> permit nopass :wheel as root cmd /usr/sbin/bhyve-win
> permit nopass :wheel as root cmd /usr/sbin/bhyve-lin
>
> [marietto@marietto /bhyve]==> doas /usr/sbin/12-Win-11-vm12
> doas: Operation not permitted
>
> BUT :
>
> [marietto@marietto /bhyve]==> sudo nano /usr/sbin/hallo
>
> #!/bin/sh
> echo hallo $USER
>
> [marietto@marietto /bhyve]==> sudo chmod 0755 /usr/sbin/hallo
>
> [marietto@marietto /bhyve]==> sudo nano /usr/local/etc/doas.conf
>
> permit nopass :wheel as root cmd hallo
>
> [marietto@marietto /bhyve]==> doas hallo
>
> BOOM ! it works :
>
> hallo root
>
> On Mon, Jun 17, 2024 at 6:54 PM Dave Cottlehuber wrote:
>>
>> On Mon, 17 Jun 2024, at 14:12, Mario Marietto wrote:
>> > Nice idea,but it does not work :
>> >
>> > nano /home/marietto/.zshrc
>> >
>> > # ~/.zshrc
>>
>> Hi Mario, I think your zsh stuff is getting in the way
>> here. Your zshrc function is not visible to the root user,
>> as doas cleans up all the env and so your function is unknown.
>>
>> So start off with something without bhyve, make sure you are in
>> wheel group, and add a shell script called
>> /usr/local/bin/hallo:
>>
>> ```
>> #!/bin/sh
>> echo hallo $USER
>> ```
>>
>> chmod 0755 /usr/local/bin/hallo
>>
>> ```
>> # /usr/local/etc/doas.conf (per doas.conf manpage)
>> permit nopass :wheel as root cmd /usr/local/bin/hallo
>> ```
>>
>> $ doas /usr/local/bin/hallo
>> hallo root
>>
>> then replace your bhyve commands in the hallo script.
>>
>> Off the top of my head there's no reason for bhyve to need
>> anything different to hallo script.
>> A+
>> Dave
>
>
>
> --
> Mario.
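
Why the first `doas` call in this thread was refused and why the extra rule changes the outcome, as an added example (not code from the thread or from doas itself): a simplified shell model of `doas.conf` rule matching. It assumes `cmd` is compared as a literal string with the command as typed and that the last matching rule wins; `doas_match`, `CONF_BEFORE` and `CONF_AFTER` are names made up here.

```shell
#!/bin/sh
# Added example: a simplified model of doas.conf rule matching, not doas source.
# Handles only: permit|deny [nopass] <user|:group> [as target] [cmd command]
# Assumption: "cmd" is compared as a literal string with the command as typed.

# doas_match CONF USER "GROUPS" TARGET COMMAND -> permit | permit nopass | deny
doas_match() {
    conf=$1 user=$2 groups=$3 target=$4 typed=$5
    result=deny                          # no matching rule means deny
    while read -r action rest; do
        case $action in permit|deny) ;; *) continue ;; esac
        set -f; set -- $rest; set +f     # split the rule into words, no globbing
        opts=""
        if [ "${1:-}" = nopass ]; then opts=" nopass"; shift; fi
        [ $# -ge 1 ] || continue         # malformed rule: no identity
        ident=$1; shift
        rule_target="" rule_cmd=""
        while [ $# -ge 2 ]; do
            case $1 in
                as)  rule_target=$2; shift 2 ;;
                cmd) rule_cmd=$2; shift 2 ;;
                *)   shift ;;
            esac
        done
        case $ident in                   # ":name" is a group, anything else a user
            :*) case " $groups " in *" ${ident#:} "*) ;; *) continue ;; esac ;;
            *)  [ "$ident" = "$user" ] || continue ;;
        esac
        [ -z "$rule_target" ] || [ "$rule_target" = "$target" ] || continue
        [ -z "$rule_cmd" ] || [ "$rule_cmd" = "$typed" ] || continue
        result="$action$opts"            # the last matching rule wins
    done <<EOF
$conf
EOF
    echo "$result"
}

# Rules quoted in the thread, placed in variables for this example.
CONF_BEFORE='permit nopass :wheel as root cmd /usr/sbin/bhyve-win
permit nopass :wheel as root cmd /usr/sbin/bhyve-lin'
CONF_AFTER="$CONF_BEFORE
permit nopass :wheel as root cmd /usr/sbin/12-Win-11-vm12"

for c in "$CONF_BEFORE" "$CONF_AFTER"; do
    doas_match "$c" marietto "marietto wheel" root /usr/sbin/12-Win-11-vm12
done
```

On a host with doas installed, `doas -C /usr/local/etc/doas.conf /usr/sbin/12-Win-11-vm12` performs the same check against the real configuration without running the command.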