geli not working under non root user (Norberto Meijome)

Norberto Meijome freebsd at meijome.net
Sat Jul 12 01:05:29 UTC 2008


On Fri, 11 Jul 2008 16:42:46 -0000 (GMT)
"DSA - JCR" <juancr at dsa.es> wrote:

> On Fri, 11 Jul 2008 12:44:50 -0000 (GMT)
> "DSA - JCR" <juancr at dsa.es> wrote:
> 
> >> When I try to do
> >>
> >>    cat key1 key2 | geli attach -k - /dev/da0
> >>
> >> I get the error:
> >>
> >>   Can't lock memory: Operation not permitted
> >>
> >>
> >> If I run it as the root user it works without problems.
> >>
> >> Is there a solution for that? Or is it a problem with GELI?
> 
> >give the operators sudo access to geli ?
> >_________________________
> >{Beto|Norberto|Numard} Meijome
> 

Hello Juan,

please keep replying to the list (CC to me is fine too, but not just to me,
otherwise any information provided privately will not be available to others)

> I am making a script because they don't know anything about UNIX (and
> computers ;D )
> 
> In ".profile" i call the script "Disk1" which is like:
> 
> trap CTRL-Keys,
> if (geli attach) then
>   if (fsck) then
>      if (mount USB disk) then
>         OK
> 
> All automatic for the user.
> 
> How can I give the operators sudo access to geli?

install security/sudo from ports

then 
man sudo 

and have a look at /usr/local/etc/sudoers . You edit it with visudo.

with sudo you can tell the system "allow these users, or this group of users,
to execute this command as if they were root, using their own password to
authenticate" . OR without a password.

IOW, you could make those users be able to run geli as root without a password.

> I don't use sudo for the script (must I?),

if you can get away with sudo for geli only, then just do "sudo geli" in your
script. otherwise you can always do "sudo yourscript.sh", but you must ensure the
script is very secure - you wouldn't want someone changing the contents of that
script and running it as root!

also, when using sudo, ALWAYS use full paths, e.g. /sbin/geli - the user could
create a script in their homedir called 'geli', change their PATH settings to
look in ./ first, and then you could be in a lot of trouble.

Good luck,
Beto
PS: My father is Galician, from near Coruña ;)
_________________________
{Beto|Norberto|Numard} Meijome

"Discovery consists of looking at the same thing as everyone else does and
thinking something different." Albert Szent-Gyorgyi

I speak for myself, not my employer. Contents may be hot. Slippery when wet.
Reading disclaimers makes you go blind. Writing them is worse. You have been
Warned.
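
As an added example (not part of the original message, and not FreeBSD project code), a small POSIX sh lint for the two warnings in the reply above: sudo calls that do not use a full path, and a wrapper script that someone other than its owner could modify. The function names are made up for this example, and it assumes sudo options are single tokens beginning with `-`.

```shell
#!/bin/sh
# Added example, not from the thread: lint a wrapper script that is run with
# sudo, or that calls sudo itself, against the two warnings in the reply.

# Print "LINE: text" for each sudo call whose command is not an absolute path.
# Assumption: sudo options are single tokens starting with "-" (e.g. -n).
relative_sudo_calls() {
    awk '
        /^[[:space:]]*#/ { next }                     # ignore comment lines
        {
            for (i = 1; i < NF; i++) {
                if ($i != "sudo") continue
                j = i + 1
                while (j <= NF && $j ~ /^-/) j++      # skip option flags
                if (j <= NF && $j !~ /^\//) { print NR ": " $0; bad = 1 }
            }
        }
        END { exit bad + 0 }
    ' "$1"
}

# Succeed (status 0) if the script or its directory could be changed by someone
# other than the expected owner (numeric uid in $2, default 0 = root).
tamperable() {
    want_uid=${2:-0}
    for p in "$1" "$(dirname "$1")"; do
        perms=$(ls -ldn "$p" | awk '{print $1}' | cut -c1-10)
        uid=$(ls -ldn "$p" | awk '{print $3}')
        [ "$uid" = "$want_uid" ] || return 0
        case "$perms" in
            ?????w????|????????w?) return 0 ;;        # group or other write bit
        esac
    done
    return 1
}

# Status 0 only if every sudo call uses a full path and the script is not
# tamperable; findings go to stdout (bad lines) and stderr (permissions).
audit_wrapper() {
    status=0
    relative_sudo_calls "$1" || status=1
    if tamperable "$1" "${2:-0}"; then
        echo "$1: script or its directory is writable by a non-owner" >&2
        status=1
    fi
    return $status
}
```

Call it as `audit_wrapper /path/to/script` to check against root ownership, or pass a numeric uid as the second argument.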

