Unlocking (remote/local), was Re: Help with suid (bash)
On Tue 10 May 2022 at 08:21:00 (-0600), Charles Curley wrote:
> On Tue, 10 May 2022 07:50:18 -0400 rhkramer@gmail.com wrote:
>
> > Background: 8 years ago I wrote a set of scripts to help me mount and
> > unmount LUKS encrypted partitions as needed and as myself
> > (<myuserid>) rather than as root.
>
> Why the aversion to doing things as root? Why not just run your scripts
> as root? This is exactly the sort of thing that is reserved to root for
> reasons of security.
That complicates unlocking partitions remotely because, even if you
can log in as root, you normally can't log in remotely as root.
I use a special user called unlock, whose home directory is on
/var/local/, to unlock my /home partitions:
$ cat /var/local/home/unlock/.profile
# interactive shells only: announce host, release and rootfs device
[[ $- = *i* ]] && printf '%s\n' "(This is $HOME/.profile 2022 March 02 on $HOSTNAME, $(sed -e 's/.* \([^ ]\+\) *$/\1/;q' /etc/apt/sources.list) on $(findmnt -n -o SOURCE,LABEL -M /))"
# /home/0 exists only on the rootfs's empty /home, so its absence means the real /home is already mounted
[ ! -f /home/0 ] && printf '\n%s\n\n' "/home is mounted already" && sleep 1 && exit 9
# unlock every partition whose PARTLABEL ends in -Home
for j in /dev/disk/by-partlabel/*-Home; do
printf 'Unlocking %s\n' "$j"
sudo udisksctl unlock --block-device "$j"
done
printf 'Checking partition\n' # in case there's a pause
# mount whichever one matches the fstab entry, then re-check the marker file
mount /home
sleep 1
if [ ! -f /home/0 ]; then
printf '%s\n' "/home is now mounted" && exit 0
else
printf '\n%s\n\n' "/home is NOT mounted" && sleep 1 && exit 99
fi
#
$
So after introducing itself (note: my sources.list is doctored),
it checks that /home is not already mounted (note: there's an
empty file called 0 in the /home directory on the rootfs), and
then unlocks any partition whose PARTLABEL ends with -Home.
It then mounts the one that matches the entry in fstab.
Here's how I call it remotely:
$ type unlock-acer
unlock-acer is a function
unlock-acer ()
{
ping -c 1 -W 1 acer | grep 'bytes from';
date && ssh -X acer -l unlock
}
$
And, of course, that would normally follow a call to wake-acer
(assuming it's not a laptop):
$ type wake-acer
wake-acer is a function
wake-acer ()
{
wakeonlan 22:44:66:88:aa:cc
}
$
If you're not in group sudo (I have a root password), you'd
require lines like these in /etc/sudoers.d/foo:
User_Alias LOCKER = unlock
Host_Alias MYHOSTS = …, acer, …
Cmnd_Alias UNLOCKING = /usr/bin/udisksctl unlock --block-device /dev/disk/*/*
Cmnd_Alias LOCKING = /usr/bin/udisksctl lock --block-device /dev/disk/*/*
Defaults:LOCKER !authenticate
LOCKER MYHOSTS = UNLOCKING, LOCKING
Note that all this is running on a home LAN. I would do things
differently in a more open environment.
As for setuid scripts, they haven't been allowed since I started using
Debian in Sept 1996, which was on Debian's first release, buzz, running
2.0 kernels. Allegedly there was a Perl method of doing it that I never
tried out. It was meant to create a Chinese wall between anything that
originated from outside and the rest of the program.
Cheers,
David.
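The unlock sequence from the .profile above, factored into functions that can be exercised without root or real block devices. This is an added example, not code from David's message: the function names (home_is_mounted, valid_device_name, unlock_all), the UNLOCK_RUN guard and the constructed test directory are assumptions; the partlabel directory, the /home/0 marker convention and the udisksctl command are the ones the message describes.

```shell
#!/bin/sh
# Added example, not part of the original post. Assumed names:
#   home_is_mounted MARKER   - true once the marker file has been hidden by the real /home
#   valid_device_name NAME   - accept only names of the shape the sudoers glob expects
#   unlock_all DIR CMD...    - run CMD on every DIR/*-Home entry, return the failure count

# The post's convention: an empty /home/0 lives on the rootfs's /home, so it
# disappears as soon as the real /home partition is mounted over it.
home_is_mounted() {
    [ ! -f "$1" ]
}

# Only plain partlabel names ending in -Home are handed to the privileged
# command; anything with a slash, space or other unexpected character is
# refused rather than passed through sudo.
valid_device_name() {
    case $1 in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
        *-Home) return 0 ;;
        *) return 1 ;;
    esac
}

# Iterate over DIR/*-Home (symlinks in /dev/disk/by-partlabel in the post),
# validate each name, run the unlock command on it and count failures so the
# caller knows whether attempting "mount /home" makes sense.
unlock_all() {
    dir=$1; shift
    failures=0
    for link in "$dir"/*-Home; do
        [ -e "$link" ] || [ -L "$link" ] || continue   # unmatched glob stays literal
        name=${link##*/}
        if ! valid_device_name "$name"; then
            printf 'Skipping %s: unexpected characters in name\n' "$name" >&2
            continue
        fi
        printf 'Unlocking %s\n' "$link"
        "$@" "$link" || failures=$((failures + 1))
    done
    return "$failures"
}

# Real run (only when UNLOCK_RUN=1, so sourcing this file for tests is harmless):
# sudo -n refuses to prompt, so a missing or mistyped sudoers grant fails at once
# instead of hanging an ssh session on a password prompt.
if [ "${UNLOCK_RUN:-0}" = 1 ]; then
    if home_is_mounted /home/0; then
        printf '%s\n' "/home is mounted already"
        exit 9
    fi
    unlock_all /dev/disk/by-partlabel sudo -n udisksctl unlock --block-device
    mount /home
    if home_is_mounted /home/0; then
        printf '%s\n' "/home is now mounted"
        exit 0
    fi
    printf '%s\n' "/home is NOT mounted"
    exit 99
fi
```

The `sudo -n` form relies on the `Defaults:LOCKER !authenticate` line from the sudoers fragment above; without it the non-interactive call simply fails, which is the behaviour you want from an unattended unlock rather than a stalled prompt. The name check keeps the argument inside the `/dev/disk/*/*` shape the Cmnd_Alias is written for, so a stray entry in the partlabel directory cannot widen what the rule ends up matching.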