# Command as user



## mururoa (Dec 24, 2016)

Hello,

How can I execute this pkg command as a user ?

`/usr/local/sbin/pkg check -da`

Because this is part of a zabbix probe it must run with user zabbix.
But all I get is 'pkg: Insufficient privileges'.
This is for `pkg check`. If I try `pkg info` or `pkg stats -l` it's ok.
So it's no pkg but some privileged pkg options.


----------



## mururoa (Dec 24, 2016)

Well, I played with sudo NOPASSD and the probe is ok.
But that's not very clean.


----------



## IPTRACE (Dec 25, 2016)

If you try to run a command as a particular user, please edit and update sudo file using command `visudo` as a superuser.
Entry can be something like this.

myuser ALL=(root) NOPASSWD: /usr/local/sbin/pkg - allow *myuser* to run command */usr/local/sbin/pkg *as *root* without typing password
`sudo /usr/local/sbin/pkg`

%mygroup ALL=(root) NOPASSWD: /usr/local/sbin/pkg - allow *mygroup* to run command */usr/local/sbin/pkg *as *root* without typing password
`sudo /usr/local/sbin/pkg`

You can enter more commands using commas.
/usr/local/sbin/pkg, /usr/bin/find


----------



## tobik@ (Dec 25, 2016)

mururoa said:


> How can I execute this pkg command as a user ?


Running `pkg check -da` fails as a normal user because it doesn't have write access to the local package database. I don't see a way around this. `pkg` also enforces the user:group of the package db to be root:wheel. In short: `pkg check -da` has to be run as root.



IPTRACE said:


> myuser ALL=(root) NOPASSWD: /usr/local/sbin/pkg - allow *myuser* to run command */usr/local/sbin/pkg *as *root* without typing password
> sudo /usr/local/sbin/pkg
> 
> %mygroup ALL=(root) NOPASSWD: /usr/local/sbin/pkg - allow *mygroup* to run command */usr/local/sbin/pkg *as *root* without typing password
> sudo /usr/local/sbin/pkg


These rules don't restrict much. Do not do this. It's very easy to get a root shell as myuser this way by just running `sudo pkg shell` then `.system /bin/csh`. Might as well just use

```
myuser ALL=(ALL) NOPASSWD: ALL
```
 at that point.

I think it would be safer to create a wrapper script (writable by root only) around `pkg check -da` and then use it instead of directly using /usr/local/sbin/pkg in the solution IPTRACE has suggested.


----------



## IPTRACE (Dec 25, 2016)

tobik, what do you prefer to use instead sudo? I mean not only pkg but others apps.
I don't want to add user to wheel group or log in as root.


----------



## tobik@ (Dec 29, 2016)

IPTRACE said:


> tobik, what do you prefer to use instead sudo? I mean not only pkg but others apps.
> I don't want to add user to wheel group or log in as root.


Why? What's your threat model? What other apps do you need sudo for?


----------



## IPTRACE (Dec 29, 2016)

Mainly I work as unprivileged user (no root or wheel group).
Sometime I have to run command with root privilages and don't want to log in as root exactly or add my user to wheel group.
That's my one of the security rule.

So I decided to use sudo with some apps (find, crontab, chmod etc.) which I can run as root.
I locked to log in as root except single user mode.


----------



## SirDice (Dec 29, 2016)

IPTRACE said:


> ```
> myuser ALL=(root) NOPASSWD: /usr/local/sbin/pkg
> ```





tobik said:


> These rules don't restrict much. Do not do this.



This would be much better:

```
myuser ALL=(root) NOPASSWD: /usr/local/sbin/pkg check -da
```

Be very careful with sudo(8). I've seen stupid things like this too:

```
myuser ALL=(root) NOPASSWD: /usr/bin/vi /etc/somefile.conf
```
vi(1) allows running a shell (:!/bin/sh) so you can effectively break out of the restriction. Same goes for commands like less(1) (also allows running a shell). 

If you need to allow editing of a file through sudo(8) use something like this:

```
myuser ALL=(root) NOPASSWD: sudoedit /etc/somefile.conf
```
This would allow you to edit the file safely with `sudo -e /etc/somefile.conf`.


----------



## IPTRACE (Dec 29, 2016)

Thanks.
So the problem is not with sudo but with app which allow to run exp. shell. Am I right?
Every app is potential exploiting of the system?


----------



## SirDice (Dec 29, 2016)

IPTRACE said:


> So the problem is not with sudo but with app which allow to run exp. shell. Am I right?


Yes, if you can break out of the process you're effectively root. 



IPTRACE said:


> Every app is potential exploiting of the system?


Yes, that's why you  need to be careful about what exactly you allow with sudo(8).


----------



## IPTRACE (Dec 29, 2016)

If I understand correctly, I can share the app with the specific options and these options will only work?
https://www.freebsd.org/doc/handbook/security-sudo.html


```
myuser ALL=(root) NOPASSWD: /usr/bin/find /home/user2/ -name *
```
I can allow myuser to search user2 home directory?


----------



## SirDice (Dec 29, 2016)

Careful with the * there. 

```
Wildcards in command line arguments should be used with care.
     Command line arguments are matched as a single, concatenated string.
     This mean a wildcard character such as `?' or `*' will match across word
     boundaries, which may be unexpected.  For example, while a sudoers entry
     like:

         %operator ALL = /bin/cat /var/log/messages*

     will allow command like:

         $ sudo cat /var/log/messages.1

     It will also allow:

         $ sudo cat /var/log/messages /etc/shadow

     which is probably not what was intended.  In most cases it is better to
     do command line processing outside of the sudoers file in a scripting
     language.
```

In this case it would also allow the -exec option of find(1).


----------



## IPTRACE (Dec 29, 2016)

Clear, thanks.


----------

