19 Nov
2022
19 Nov
'22
4:32 p.m.
Hi Folks,
This should be easy ... And I'm sure I've done it before. But either Fedora has
changed or I have, and I'm not committing either way. (-:
I have a script to bounce the web-server and php-fpm with systemd and I'd like to be
able to do this without "sudo" or a terminal tab permanently logged on as root.
Seems like I should be able to set the script "setuid" and anybody should be
able to run it. I can't seem to make it work.
In the alternative, it seems like I should be able to delegate certain services to user
control with systemd, like "systemctrl restart httpd", but the discussions
I've found on that are hideously complex, and I'm not really interested in going
down any of those rabbit holes. It can't be this difficult ... I mean, wasn't this
one of the original justification for systemd?
Thanks for the help,
--
Chris.
V:916.799.9461
F:916.974.0428
20 Nov
20 Nov
6:50 p.m.
On 11/19/22 08:32, Chris Miller wrote:
Hi Folks,
This should be easy ... And I'm sure I've done it before. But either
Fedora has changed or I have, and I'm not committing either way. (-:
I have a script to bounce the web-server and php-fpm with systemd and
I'd like to be able to do this without "sudo" or a terminal tab
permanently logged on as root. Seems like I should be able to set the
script "setuid" and anybody should be able to run it. I can't seem to
make it work.
In the alternative, it seems like I should be able to delegate certain
services to user control with systemd, like "systemctrl restart
httpd", but the discussions I've found on that are hideously complex,
and I'm not really interested in going down any of those rabbit holes.
It can't be this difficult ... I mean, wasn't this one of the original
justification for systemd?
Why can't bash scripts be SUID?
https://www.vidarholen.net/contents/blog/?p=30
Why is SUID disabled for shell scripts but not for binaries?
https://security.stackexchange.com/questions/194166/why-is-suid-disabled-fo…
9:40 p.m.
Help, bash is defending itself somehow!!
Try the python os object? Don't think it cares, completely avoiding sudo is
rather suicidal though but you can setup a group for NOPASSWD.
import os
os.system("sudo systemctl restart php-fm")
On Sun, Nov 20, 2022 at 11:51 AM Charles Polisher <chas(a)chasmo.org> wrote:
On 11/19/22 08:32, Chris Miller wrote:
Hi Folks,
This should be easy ... And I'm sure I've done it before. But either
Fedora has changed or I have, and I'm not committing either way. (-:
I have a script to bounce the web-server and php-fpm with systemd and I'd
like to be able to do this without "sudo" or a terminal tab permanently
logged on as root. Seems like I should be able to set the script "setuid"
and anybody should be able to run it. I can't seem to make it work.
In the alternative, it seems like I should be able to delegate certain
services to user control with systemd, like "systemctrl restart httpd", but
the discussions I've found on that are hideously complex, and I'm not
really interested in going down any of those rabbit holes. It can't be this
difficult ... I mean, wasn't this one of the original justification for
systemd?
Why can't bash scripts be SUID?https://www.vidarholen.net/contents/blog/?p=30
Why is SUID disabled for shell scripts but not for
binaries?https://security.stackexchange.com/questions/194166/why-is-suid-di…
_______________________________________________
Lug-nuts mailing list -- lug-nuts(a)bigbrie.com
To unsubscribe send an email to lug-nuts-leave(a)bigbrie.com
21 Nov
21 Nov
2:43 a.m.
OK. I'm lazy, I'm tired, I run shell scripts all the time without a shebang
line.
Why do we need SUID? I think it is a conspiracy :)
-Gary
On Sun, Nov 20, 2022 at 10:50:43AM -0800, Charles Polisher wrote:
On 11/19/22 08:32, Chris Miller wrote:
Hi Folks,
This should be easy ... And I'm sure I've done it before. But either
Fedora has changed or I have, and I'm not committing either way. (-:
I have a script to bounce the web-server and php-fpm with systemd and
I'd like to be able to do this without "sudo" or a terminal tab
permanently logged on as root. Seems like I should be able to set the
script "setuid" and anybody should be able to run it. I can't seem to
make it work.
In the alternative, it seems like I should be able to delegate certain
services to user control with systemd, like "systemctrl restart httpd",
but the discussions I've found on that are hideously complex, and I'm
not really interested in going down any of those rabbit holes. It can't
be this difficult ... I mean, wasn't this one of the original
justification for systemd?
Why can't bash scripts be SUID?
https://www.vidarholen.net/contents/blog/?p=30
Why is SUID disabled for shell scripts but not for binaries?
https://security.stackexchange.com/questions/194166/why-is-suid-disabled-fo…
_______________________________________________
Lug-nuts mailing list -- lug-nuts(a)bigbrie.com
To unsubscribe send an email to lug-nuts-leave(a)bigbrie.com
4:11 p.m.
Hi Folks,
I must conclude that I was not as attentive to "publishing dates" as I should
have been and that I was reading old posts, or posts from "helpful" idiots that
will gladly advise you to do the wrong thing -- they know a way, but don't know a good
way. It turns out, as I should have known all along, that there is a very simple way to
delegate various authorities to control various systemd services to non-root users .
Since I'm playing with "apache" owned files, in group "root", and
I can't log in as "apache" (well, I could, but I choose to make as few
"permanent" changes as I can possibly survive.), I develop as "www", a
member of the "apache" group.
Create or modify:
/etc/systemd/system/57-manage-daemon-name.rules
//
// Allow user "www" to restart various web development services
//
polkit.addRule(function(action, subject) {
if (action.id == "org.freedesktop.systemd1.manage-units") {
if (subject.user == "www") {
if ((action.lookup("unit") == "httpd.service") ||
(action.lookup("unit") ==
"php-fpm.service")) {
var verb = action.lookup("verb");
if ((verb == "start") || (verb == "restart") || (verb ==
"stop")) {
return polkit.Result.YES;
}
}
}
}
});
After creation or modification, "systemctl restart polkit" followed by
"systemctl status polkit" you can determine if your new rule has been
"accepted", and if it has, then it magically works! It is not clear to me that
the qualification of "verb" is necessary, but I have it and it works, so
"If it ain't broke, don't fix it."
There are version restrictions on both polkit and systemd. Debian and Debian derivatives
(Ubuntu) are not current. Apparently you must have systemd version 226 or greater and
polkit 1.06 or greater. Fedora works in this regard.
And finally, this is apparently JavaScript, and JavaScript is finicky about format,
meaning continued lines must end with the opening brace, which is in conflict with my
religious preferences, but I am bound by their mandatory practices when I visit their
temple. This is actually not a JavaScript requirement, but a browser requirement, and as
the most prevalent and dominant use of JavaScript has become indistinguishable from
JavaScript requirements. So, I don't fight it ... Well, not in JavaScript.
--
Chris.
V:916.799.9461
F:916.974.0428
A: Because we read from top to bottom, left to right.
Q: > Why should I start my reply below the quoted text?
774
days inactive
776
days old
4 comments
4 participants
participants (4)
-
Charles Polisher -
Chris Miller -
Gary -
Linus Sphinx