minimize use of root account

Polytropon freebsd at edvax.de
Fri Feb 19 11:14:41 UTC 2016


On Fri, 19 Feb 2016 16:29:43 +1100, Yudi V wrote:
> Hi all,
> 
> currently I use the below script to load geli devices and import zpool. It
> needs to be run as root.
> how to run this script as normal user, is there a group that the user needs
> to be part of?

No, not for this task.

There are different ways to do it.

1. You can set the script itself to "run as root" (chmod +s) when
   the script is owned by root:root. Regular users may then execute it.

2. Temporarily become root by using "su -" or ("su -m" if preferred)
   and execute the script. See "man su" for details.

3. Use a tool like "sudo" or "super". This is probably the better
   approach: "sudo <scriptname>". You need to install the program
   from ports / packages, it's not part of the OS.

You could include the "sudo <something>" parts into the script as well,
but that's probably not good practice.

In order to "su root", your user needs to be part of the "wheel" group.
Regular users are not permitted this increase of power. :-)



> also when I have to shutdown/reboot, I need to run the command as root but
> instead would like for the normal user to be able to shutdown and reboot.

Make your user part of the "operator" group to be able to execute
the "shutdown -p" and "shutdown -r" commands. Note that the "reboot"
command may only be executed by root.



> I posted this first on the forums but did not receive any relevant  ans
> yet. https://forums.freebsd.org/threads/55166/
> 
> appreciate if someone can answer my questions.
> Code:
> 
> ###############
> #!/bin/csh -f

Why?!

There's a relevant article: "Csh Programming Considered Harmful" written
by Tom Christiansen.

https://www-uxsup.csx.cam.ac.uk/misc/csh.html

I have written one (!) csh script and I still regret it, maybe because
it still works. :-)

On FreeBSD, the default shell script interpreter is /bin/sh.



How about this?

#!/bin/sh

# attach geli containers
geli attach /dev/label/dataE0
if [ $? -eq 0 ]; then
	geli attach /dev/label/dataE1
	if [ $? -eq 0 ]; then
		# import zpool tank3 (on a 2-way mirror)
		zpool import tank3
		# mount zfs datasets from tank3
		zfs mount -a
		# start samba
		service samba_server restart
	else
		geli detach /dev/label/dataE0.eli
		echo "detached dataE0.eli"
		echo "failed to attach dataE1.eli, check your password."
	fi
else
	echo "failed to attach dataE0.eli, check your password."
fi

There are probably more pleasant ways for the "error checking cascade".
Indentation helps a lot. The "else" and "fi" appear in the same column
as the "if" they belong to; the "conditioned commands" are
indented. Quotes around strings. Empty lines also increase readability.
Just in case you might want to debug the script at some time, maybe
10 years in the future... ;-)




-- 
Polytropon
Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...
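
Added example, not part of Polytropon's message: one way to flatten the error-checking cascade above and run it through the sudo approach with the arguments pinned. The install path, the user name "yudi" and the sudoers entry are assumptions; the providers, pool and samba_server service are the ones from the thread.

```sh
#!/bin/sh
# Added example. Hypothetical install path: /usr/local/sbin/unlock-pool,
# owned by root:wheel, mode 0755, so the calling user cannot edit it.
# Hypothetical sudoers entry (edit with visudo); the pinned arguments mean
# sudo refuses any other pool or provider:
#   yudi ALL=(root) /usr/local/sbin/unlock-pool tank3 /dev/label/dataE0 /dev/label/dataE1

# Fixed PATH: do not resolve geli/zpool through the caller's environment.
PATH=/sbin:/bin:/usr/sbin:/usr/bin
export PATH

# Detach every provider named in $1 (space-separated list, no spaces in names).
detach_all() {
	for d in $1; do
		geli detach "${d}.eli" && echo "detached ${d}.eli"
	done
}

# unlock_pool POOL PROVIDER...
# Returns 0 on success, 1 if a provider failed to attach, 2 if the import failed.
unlock_pool() {
	pool=$1
	shift
	attached=""
	for dev in "$@"; do
		if ! geli attach "$dev"; then
			echo "failed to attach ${dev}.eli, check your password." >&2
			# roll back the providers that were already attached
			detach_all "$attached"
			return 1
		fi
		attached="$attached $dev"
	done
	if ! zpool import "$pool"; then
		echo "failed to import $pool" >&2
		detach_all "$attached"
		return 2
	fi
	# mount zfs datasets, then start samba
	zfs mount -a && service samba_server restart
}

# Run only when called with arguments, as the sudoers entry above does.
if [ "$#" -gt 0 ]; then
	unlock_pool "$@"
fi
```
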

