Putting a command/script as a user's shell

Kirk Strauser kirk at strauser.com
Mon Sep 11 07:58:17 PDT 2006


On Monday 11 September 2006 09:20, Karol Kwiatkowski wrote:
> Good day everyone,
>
> I'm trying to make it possible to restart (as in 'shutdown -r now') a
> FreeBSD based router from LAN network as easy as possible so it can be
> used by non-technical people.

First of all, it's easy enough to do this securely that you might as well do 
it.  Install sudo, and use "visudo" to create a sudoers file with entries 
like:

   User_Alias    REBOOTERS = username1,username2,username3
   REBOOTERS     ALL = (root) NOPASSWD: /sbin/reboot

Next, create a reboot script for them:

   # cat /usr/local/sbin/reboot.sh
   #!/bin/sh
   sudo /sbin/reboot

Finally, use OpenSSH's built-in options to run the script at login.  From 
sshd(8):

AUTHORIZED_KEYS FILE FORMAT

     [....]

     command="command"
             Specifies that the command is executed whenever this key is used
             for authentication.

So, make each user's authorized_keys file look something like:

command="/usr/local/sbin/reboot.sh" ssh-rsa [long base64 string] username1@example.com

Alternatively, do all the above for one single account: your "restart" user.  
Use authorized_keys to limit which of your real users has access to reboot 
the machine, and use "ssh -l restart balkyrouter.example.com" to trigger it.  
You could even go so far as to add a clause to /etc/ssh/ssh_config (or 
~/.ssh/config for each individual user) like:

Host rebootrouter
    Hostname balkyrouter.example.com
    User restart

so that your users just run "ssh rebootrouter".

So, to recap, when a user logs in, the reboot.sh script will be executed.  It 
will use sudo to run the reboot command as root, without prompting the user 
to enter any password.  It's easy, it works, and it doesn't require any 
setuid trickery or special accounts or anything else.
-- 
Kirk Strauser
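
Added example, not part of Kirk Strauser's message: a forced command= on its own does not switch off port, agent or X11 forwarding or pty allocation, which sshd(8) controls through separate key options. The script below audits an authorized_keys file for entries that lack the forced command or those restrictions; the function names and sample keys are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): audit forced-command key entries.
# Usage: audit_keys FILE CMD ; prints a verdict per key line, returns 1 on any FAIL.
audit_keys() {
    awk -v cmd="$2" '
    /^[ \t]*#/ || /^[ \t]*$/ { next }            # skip comments and blank lines
    {
        # Options, if any, are whatever precedes the key type. Assumes no
        # option value itself contains " ssh-", " ecdsa-" or " sk-".
        s = " " $0
        if (!match(s, /[ \t](ssh-|ecdsa-|sk-)[^ \t]+[ \t]/)) {
            printf "line %d: FAIL unparsable\n", NR; bad = 1; next
        }
        opts = substr(s, 2, RSTART - 2)
        why = ""
        if (index(opts, "command=\"" cmd "\"") == 0) why = why " no-forced-command"
        gsub(/"[^"]*"/, "", opts)                # drop quoted values before matching
        o = "," tolower(opts) ","
        locked = index(o, ",restrict,") ||
            (index(o, ",no-pty,") && index(o, ",no-port-forwarding,") &&
             index(o, ",no-agent-forwarding,") && index(o, ",no-x11-forwarding,"))
        if (!locked) why = why " forwarding-or-pty-allowed"
        if (why == "") printf "line %d: OK\n", NR
        else { printf "line %d: FAIL%s\n", NR, why; bad = 1 }
    }
    END { exit bad + 0 }' "$1"
}

# Constructed sample file; the base64 bodies are placeholders, not real keys.
make_sample() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
# restart account, constructed entries
command="/usr/local/sbin/reboot.sh",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-rsa AAAAplaceholder1 username1@example.com
command="/usr/local/sbin/reboot.sh" ssh-rsa AAAAplaceholder2 username2@example.com
ssh-rsa AAAAplaceholder3 username3@example.com command="/usr/local/sbin/reboot.sh"
restrict,command="/usr/local/sbin/reboot.sh" ssh-ed25519 AAAAplaceholder4 username1@example.com
EOF
    echo "$f"
}

sample=$(make_sample)
audit_keys "$sample" /usr/local/sbin/reboot.sh || echo "audit found weak entries"
rm -f "$sample"
```

The restrict keyword is only understood by OpenSSH 7.2 and later; on older servers use the four explicit no-* options instead.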