cmh
Explorer
- Joined
- Jan 7, 2013
- Messages
- 75
Have done a bunch of searching but most of the hits I've found seem to pertain to older versions of FreeNAS, prior to the ZFS root volume of 9.3, many posts talking about the old "mount -rw /" commands you had to use to muck around with the filesystem. Searched the bugs, found a couple which were closed. Searched here, not much luck, searched the documentation, not much there either.
I know how to grant sudo access to a user via the GUI, that's easy. What I want to do is grant a much finer-grained level of control to a user. Specific use case is a monitoring user. I have it configured where the user is running a restricted shell and only has one directory of scripts that can be run, with command options and such hardcoded into these scripts that the user cannot modify. These are called via SSH from the monitoring server, and this works fine.
What I want to do is set up an event handler so the restricted monitoring user can issue a command to restart a service if necessary, but this opens up the ability of the user to run commands via sudo. I could grant the user unrestricted sudo via the GUI, but this is not the best approach because I know exactly the commands needed, and sudo supports this. I also need the commands to be run without prompting for a password and without the requirement for an active TTY. Therefore, the sudoers entry would look like this:
Defaults:monitor !requiretty
monitor ALL=(root) NOPASSWD: /path/to/event-handler-script
All of this is pretty basic stuff, but after my searching, I see no way to enable this level of sudo access. I see that there is a sudoers.d directory in /conf/base/etc/local/ - but the sudoers file does not call the necessary #include statement to make it look there. Can I just add the include line to the sudoers file, or will it get removed on the next rebuild of the sudoers file? Any persistent way to get this config to take - and stay put?
Thanks!
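A check worth running before installing a rule like the one in the post, as an added example that is not part of the original post: a NOPASSWD root rule for one script is only as narrow as the write permissions on that script and every directory above it. The function names and the simplified rule parser are assumptions made for this example, and the sample text is the two sudoers lines quoted above.

```python
import os
import re
import stat
from pathlib import PurePosixPath

# Constructed sample: the two sudoers lines quoted in the post.
SAMPLE = """\
Defaults:monitor !requiretty
monitor ALL=(root) NOPASSWD: /path/to/event-handler-script
"""

# Simple one-line rules only: user host=(runas) NOPASSWD: cmd[, cmd].
# Aliases, line continuations and per-command tags are not handled.
RULE = re.compile(
    r"^(?P<user>[^\s#]+)\s+\S+\s*=\s*(?:\([^)]*\))?\s*NOPASSWD:\s*(?P<cmds>.+)$")

def nopasswd_commands(sudoers_text, user):
    """Return the command paths `user` may run without a password."""
    cmds = []
    for line in sudoers_text.splitlines():
        m = RULE.match(line.strip())
        if m and m.group("user") == user:
            # Keep the path only; any arguments after it are ignored here.
            cmds += [c.split()[0] for c in m.group("cmds").split(",") if c.strip()]
    return cmds

def audit(path, trusted_uids=(0,), stat_fn=os.stat):
    """List ways a non-root account could change what sudo runs as root."""
    p = PurePosixPath(path)
    if not p.is_absolute():
        return [f"{path}: not an absolute path"]
    findings = []
    for node in [p, *p.parents]:  # the script, then each directory up to /
        try:
            st = stat_fn(str(node))
        except FileNotFoundError:
            findings.append(f"{node}: does not exist")
            continue
        if st.st_uid not in trusted_uids:
            findings.append(f"{node}: owned by uid {st.st_uid}")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append(f"{node}: group/world writable")
    return findings

if __name__ == "__main__":
    for cmd in nopasswd_commands(SAMPLE, "monitor"):
        print(cmd, audit(cmd) or "ok")
```

An empty findings list means the script and all of its parent directories are owned by a trusted uid and are not group or world writable.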