On Mon, Jul 20, 2015 at 01:21:56PM +0200, Marc Joliet wrote
> This choice came about because I switched from fcron to systemd-cron,
> which runs its mail_on_failure script as user "nobody", which caused
> my current "passwordeval" command ("cat somefile", somefile having
> a mode mask of 0600)
That is the wrong, wrong, wrong way to do it.
> to fail due to insufficient access rights. I really didn't want to
> deal with how to properly solve that, and I don't think it's possible
> (at least not with msmtp). I mean, the problem statement is
> basically "How do I securely give every user access to the password?".
> Once stated that way, I think the difficulty with the problem becomes
> fairly obvious.
The correct question is "how do I allow user 'nobody' to execute a
one-off command as another user. The solution is sudoers. Emerge sudo
and set up a file in /etc/sudoers.d. I use /etc/sudoers.d/001 because
I'm not creative with filenames. Here is an example entry...
waltdnes d531 = (root) NOPASSWD: /usr/sbin/hibernate
The explanation...
waltdnes (the user being allowed to run the command)
d531 (the machine name in /etc/hosts)
(root) (the user privilege to run as)
NOPASSWD: (password is not required; no ugly "cat somefile" hack)
/usr/sbin/hibernate (the command to run)
As regular user "waltdnes", I execute the command...
sudo /usr/sbin/hibernate
...and I get the system to hibernate, which normally requires root level
privileges. I'm lazy, so I set up a script ~/bin/hb that runs the above
command. I only have to execute "hb" to hibernate. This approach is
very granular, because it can be set up to allow one user to execute one
specifc command. If you wish, you can use wildcards, and the special
"ALL" word to open up privileges more widely.
--
Walter Dnes <waltd...@waltdnes.org>
I don't run "desktop environments"; I run useful applications
