Date: Tue, 25 May 2010 21:26:03 +0100
From: Matthew Seaman <m.seaman@infracaninophile.co.uk>
To: Chuck Swiger <cswiger@mac.com>
Cc: jhell <jhell@DataIX.net>, freebsd-stable@freebsd.org
Subject: Re: Zpool scrub and not-root users
Message-ID: <4BFC325B.8020704@infracaninophile.co.uk>
In-Reply-To: <148119B8-AE3E-471E-A9A2-D93B70843305@mac.com>
References: <AANLkTik61-R3JXS3uSurZo6dqEBNkfL_WDh0TzSzLcTn@mail.gmail.com> <20100524190433.GA36301@icarus.home.lan> <4BFC2354.5040104@dataix.net> <148119B8-AE3E-471E-A9A2-D93B70843305@mac.com>
On 25/05/2010 20:37:34, Chuck Swiger wrote:
> On May 25, 2010, at 12:21 PM, jhell wrote:
>> He does not need to add another layer of insecurity to his system such
>> as sudo. Not saying that this is bad but it feels like a little overkill
>> for something as simple as this.
>>
>> This can be done old-school.
>>
>> pw groupadd _zfsadm
>> pw groupmod _zfsadm -m {username}
>> chmod u+s,o-rx /sbin/zpool
>> chown :_zfsadm /sbin/zpool
>>
>> Repeat command line 2 for every user you want to have root type
>> access to /sbin/zpool.
> This is providing them with the ability to run any zpool command, not
> restricted to "zpool scrub" only. "zpool offline" or "zpool destroy"
> could wreak havoc upon the system if misused....

Turning on the SUID bit on a program which wasn't designed from the ground
up to be run like that is pretty much asking for trouble too. For instance
SUID programs generally know they have enhanced privs. and give them up
right after they've done whatever they need the privileges for. Without
that level of attention to detail, SUID programs are a root compromise
waiting to happen.

sudo(8) would be my choice solution for this.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
JID: matthew@infracaninophile.co.uk               Kent, CT11 9PW
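The two objections in the thread (any zpool subcommand becomes reachable; an unmodified binary gets a SUID bit) can both be addressed with sudo(8) pointed at a small wrapper that accepts nothing but "scrub <pool>". The script below is an added example written for this archive page, not code posted by any participant; the _zfsadm group name, the pool names in ALLOWED_POOLS, the /usr/local/sbin install path and the sudoers line in the comments are assumptions.

```shell
#!/bin/sh
# zpool-scrub: the only command a sudoers rule grants to the _zfsadm group,
# so members can start a scrub and nothing else. Added example; group name,
# pool names and install path are assumptions, not from the original thread.
#
# Suggested sudoers fragment (edit with visudo), also an assumption:
#   %_zfsadm ALL = (root) NOPASSWD: /usr/local/sbin/zpool-scrub
#
# Pools this wrapper is willing to scrub (assumed names).
ALLOWED_POOLS="tank zroot"

# check_scrub_args SUBCOMMAND POOL
# Returns 0 only for exactly two arguments, "scrub" and a pool listed in
# ALLOWED_POOLS; returns 1 for anything else. Because matching is exact,
# "scrub -s tank" (stop a scrub), "destroy tank" and "scrub tank/ds" are
# all refused before zpool is ever executed.
check_scrub_args() {
    [ "$#" -eq 2 ] || return 1
    [ "$1" = "scrub" ] || return 1
    # Reject anything that is not a plain pool-name character, and any
    # leading dash, before consulting the allowlist.
    case "$2" in
        ''|-*|*[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    for p in $ALLOWED_POOLS; do
        [ "$2" = "$p" ] && return 0
    done
    return 1
}

# safe_env: sudo already resets the environment, but the wrapper does the
# same so it behaves the same way if it is ever invoked by other means.
safe_env() {
    PATH=/sbin:/bin:/usr/sbin:/usr/bin
    export PATH
    unset IFS ENV BASH_ENV CDPATH
}

main() {
    safe_env
    if check_scrub_args "$@"; then
        # exec rather than a subshell: no privileged parent lingers around.
        exec /sbin/zpool scrub "$2"
    fi
    echo "usage: $0 scrub <pool>   (pool in: $ALLOWED_POOLS)" >&2
    exit 1
}

# With no arguments this file only defines the functions above (so it can
# be sourced and tested); with arguments it acts as the wrapper.
[ "$#" -eq 0 ] || main "$@"
```

Install it root-owned and mode 0755 (not SUID: sudo supplies the privilege), then users run `sudo /usr/local/sbin/zpool-scrub scrub tank`. A sudoers rule naming the binary and its arguments directly, e.g. `%_zfsadm ALL = (root) /sbin/zpool scrub tank`, also works because sudoers matches command arguments literally, so `zpool scrub -s tank` would be refused; but a wildcard such as `/sbin/zpool scrub *` admits `scrub -s tank` and any future scrub flag, which is why the wrapper keeps the allowlist in one auditable place.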
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4BFC325B.8020704>