Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Which commands should iobroker be allowed to execute as `sudo`? #96

Open
AlCalzone opened this Issue Jan 10, 2019 · 17 comments

Comments

Projects
None yet
7 participants
@AlCalzone
Copy link
Collaborator

AlCalzone commented Jan 10, 2019

I want to allow the user iobroker to execute sudo passwordless. This would fix some problems with the current installation (e.g. zwave can be installed over the admin again). But we should limit the commands iobroker is allowed to execute (at least by default). I need your input to find all of them.

And how do we handle javascript exec? We cannot know in advance which commands users want to execute. Maybe add a flag somewhere (should NOT be accessible via the admin for security reasons) to allow all commands.

Commands:

  • apt
  • apt-get
  • arp-scan
  • fping
  • make
  • ping
  • setcap

@AlCalzone AlCalzone self-assigned this Jan 10, 2019

@AlCalzone

This comment has been minimized.

Copy link
Collaborator Author

AlCalzone commented Jan 10, 2019

From zwave:

  • apt-get install -> Or should we start handling this from inside js-controller?
  • make
@Apollon77

This comment has been minimized.

Copy link
Contributor

Apollon77 commented Jan 10, 2019

if you allow make then apt-getinstall is the same :-)
I would add functions like ping, fping, arp-scan and such that needs root to work

@AlCalzone

This comment has been minimized.

Copy link
Collaborator Author

AlCalzone commented Jan 11, 2019

Allow Blutooth access: setcap

@AlCalzone

This comment has been minimized.

Copy link
Collaborator Author

AlCalzone commented Jan 13, 2019

Btw, we need the full executable path

@Apollon77

This comment has been minimized.

Copy link
Contributor

Apollon77 commented Jan 13, 2019

von dem einen Forum Thread: moun umount, vllt noch setfacl

@simatec

This comment has been minimized.

Copy link
Contributor

simatec commented Jan 16, 2019

Für backitup benötige ich folgende Befehle:

  • mount
  • umount
  • iobroker start
  • iobroker stop
  • systemctl start iobroker
  • systemctl stop iobroker
@AlCalzone

This comment has been minimized.

Copy link
Collaborator Author

AlCalzone commented Jan 16, 2019

iobroker sollte nach Update des Installers nicht mehr als Root ausgeführt werden. systemctl ist ok, mount/umount ist schon eingebaut

@simatec

This comment has been minimized.

Copy link
Contributor

simatec commented Jan 16, 2019

Für backitup wäre wie ich gerade festgestellt habe auch noch "touch" und/oder "echo" gut

@AlCalzone

This comment has been minimized.

Copy link
Collaborator Author

AlCalzone commented Jan 16, 2019

Es geht hier nur um die befehle die sudo benötigen. Echo wird definitiv kein sudo benötigen. Was ist mit touch?

@simatec

This comment has been minimized.

Copy link
Contributor

simatec commented Jan 17, 2019

Mit touch schreibt backitup beim stoppen aktuell eine temporäre Datei, die defininiert, wie gestoppt wurde, damit beim Neustart wieder die gleiche Methode verwendet wird. Im Prinzip bräuchte touch dafür kein sudo, da in das Verzeichnis von backitup geschrieben wird und dort der User iobroker ja alle Rechte hat

@ltsalvatore

This comment has been minimized.

Copy link

ltsalvatore commented Jan 18, 2019

regarding amazon-dash installation:
https://forum.iobroker.net/viewtopic.php?p=221120#p221120

@grimneko

This comment has been minimized.

Copy link

grimneko commented Jan 25, 2019

If you work with a unpriviliged user on FreeBSD, add to the list "pkg" (the counterpart to apt/apt-get on linux).

@frankjoke

This comment has been minimized.

Copy link

frankjoke commented Jan 26, 2019

On top of the mentioned ones I use in my adapters the following tools which require root access:
dhcpdump, kill, l2ping, hcitool.

Some npm packages require also root, will find out on testing which ones I may need!
p.s.: Is a flag planned in the admin-instances to or in the config-json to run individual adapter completely in root?

@grimneko

This comment has been minimized.

Copy link

grimneko commented Jan 26, 2019

I think the sudoers list should be updated as needed. Also we need to find a way to deal with the tools required by plugins. Just installing a "default" bunch through installer.sh isn't a proper way, besides there is the issue of them being around on every OS. They might can installed directly by a package manager (apt/pkg), might need to be build from the sources (Homebrew/BSD ports/MacPorts) or installed by setup program (windows).

One way could be to install a dialog at the end of the adapter installation/update that states any tools required, and maybe hint to the user how to obtain them while a postinstall script add them to the suoders list.

I do expect the user to have a rudimentary control of her/his/it os, so he should be able to obtain/update packages. The only case where preinstallation should be considered is when a lightweight container is going to be used like Docker where installing things later on pose trouble due the nature of the construct.

@AlCalzone

This comment has been minimized.

Copy link
Collaborator Author

AlCalzone commented Mar 11, 2019

Is a flag planned in the admin-instances to or in the config-json to run individual adapter completely in root?

We're thinking about it. Also configuring the commands on a per-adapter basis would make sense.

@schniddsel

This comment has been minimized.

Copy link

schniddsel commented Mar 19, 2019

Would it be possible that iobroker is allowed to open port 80? Newer Alexas just listen on port 80 detecting devices. I tried some workarounds on developing my adapter, but nothing seems to work. I switched from OpenHab to iobroker, because I'm not in the mood to learn Java... But sadly not being able to emulate a full compatible hue bridge, just because I have no Access to port 80 let me think about switching back again. I know i can build this up for me using iptables e.g. But i want to make the adapter accessable for everyone. And some endusers may not now how to set up port 80.

Is a flag planned in the admin-instances to or in the config-json to run individual adapter completely in root?

So this would be a solution for that.

@AlCalzone

This comment has been minimized.

Copy link
Collaborator Author

AlCalzone commented Mar 19, 2019

I think it is already allowed (if your installation was made with one of the newer installers and/or fixer scripts).
==> https://github.com/ioBroker/ioBroker/blob/master/installer.sh#L359
cap_net_bind_service allows binding ports < 1024.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.