From: perryh@pluto.rain.com (Perry Hutchison)
Date: Thu, 05 Sep 2013 23:59:35 -0700
To: aryeh.friedman@gmail.com
Cc: freebsd-ports@freebsd.org
Subject: Re: setting the password of a automatically created account

Aryeh Friedman wrote:

> 1. How do I add the user to wheel (has its own group but needs
>    to be in wheel for reason number #2)?
> 2. How do I modify (in the safest possible way) another port's
>    installed config file(s) (namely I need to in the case of this
>    port modify /usr/local/etc/sudoers to allow the no password
>    option for wheel members)?

Others may disagree, but I would be very hesitant to make this a
requirement for the port. Whether all wheel-group members (not
just this port) should have no-password access to sudo is very
much a policy decision, and a port -- like the rest of the system --
should provide mechanism rather than dictating policy.

What are you trying to accomplish? Could you, for example, provide
no-password sudo privilege to this port's unique user or group,
instead of changing a global policy?

As far as how to go about modifying sudoers, perhaps the sudo port
docs have some suggestions?

> Since the account's shell that is created is a custom shell for
> the port there are no security holes we know about.. even so what
> kind of (if any) security warnings should we put on the port?

For it to require no-password sudo privilege is a huge red flag.
If that's truly necessary, it should be noted very prominently.
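
Added example (not part of the original message, the port, or the sudo port): a small Python check that tells a wheel-wide NOPASSWD rule, as asked about in the quoted question, from one limited to the port's own account, as the reply suggests. The account name `myport`, the helper path and both sample rules are constructed assumptions; only single-line user specifications are parsed, not aliases, `#uid` entries or line continuations.

```python
import re

# Constructed samples; "myport" and the helper path are hypothetical names.
WHEEL_WIDE = "%wheel ALL=(ALL) NOPASSWD: ALL\n"
PORT_SCOPED = (
    "# drop-in for one port account\n"
    "myport ALL=(root) NOPASSWD: /usr/local/libexec/myport/helper\n"
)

# Simplified user specification: who host = [(runas)] [TAG:] commands
SPEC = re.compile(r"^(\S+)\s+\S+\s*=\s*(?:\([^)]*\)\s*)?(.*)$")
NOT_A_SPEC = ("Defaults", "User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias")


def audit_nopasswd(text):
    """Return (lineno, who, scope) for every rule that grants NOPASSWD.

    scope is "policy-wide" for a group or ALL, "one-account-any-command"
    for a single user allowed to run ALL, and "scoped" otherwise.
    """
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        # Skip blanks, comments/directives and non-rule statements.
        if not line or line.startswith("#") or line.startswith(NOT_A_SPEC):
            continue
        m = SPEC.match(line)
        if not m or "NOPASSWD:" not in m.group(2):
            continue
        who, rest = m.groups()
        cmds = [c.strip() for c in rest.split("NOPASSWD:", 1)[1].split(",")]
        if who == "ALL" or who.startswith("%"):
            scope = "policy-wide"
        elif "ALL" in cmds:
            scope = "one-account-any-command"
        else:
            scope = "scoped"
        findings.append((lineno, who, scope))
    return findings


if __name__ == "__main__":
    for name, sample in (("wheel-wide", WHEEL_WIDE), ("port-scoped", PORT_SCOPED)):
        print(name, audit_nopasswd(sample))
```

A "policy-wide" finding is the case the reply objects to: the rule changes what every member of the group may do, not just the port's account.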