Solved Running a root command off of Tint2 button.

tmpdmp


I added a button to my Tint2 taskbar where if I left click it, it will disable (change the ethernet to down) it and if I right click, it will change the network to UP.

The command for the button I am using is this:


xterm -title "re0 DOWN" -e su root -c "ifconfig re0 down"

xterm -title "re0 UP" -hold -e su root -c "ifconfig re0 up"


Basically I am launching xterm to run SU and upon successful password then change network to up or down. Is the code above good? So far it works, but is there better code? ifconfig command can only be run as root? (I am using a Realtek ethernet, hence re0).
 

scottro


You could add a sudo or doas entry to allow a particular user to execute the desired command without password. For example, in a doas.conf if your username is tmpdmp
Code:
permit nopass tmpdmp cmd /sbin/ifconfig
 

Menelkir


Also, I think you can use x11/zenity if you want a more graphical-ish thing instead of xterm. Also, x11/zenity has an option to input a password, so you don't need to give a nopasswd option for doas or sudo.
 

Alain De Vos


There are 3 trade-offs.
1. Ease of use
2. Security
3. Do you want explicit password question.
I don't know how to compare doas vs sudo.

PS: zenity is a nice and easy tool.
 

scottro


Re doas and sudo, doas is from OpenBSD and newer. However its persist function doesn't work on FreeBSD, only Open (meaning that when you use it, you have to retype a password every time, unless you do the nopass option).

Doas is smaller, though on most modern machines I doubt it makes a difference. Its syntax seems slightly more logical to me, but that's definitely personal taste. To compare, as I said, the doas version is
Code:
permit nopass tmpdmp cmd /sbin/ifconfig
The sudo version, which can be added to either /usr/local/etc/sudoers or /usr/local/etc/sudoers.d/01tmpdmp (or some similar name for the file inside sudoers.d), would be
Code:
tmpdmp ALL=(ALL) /sbin/ifconfig

So, neither one is terribly complex, I think doas is supposed to be more secure, but I don't remember why.
I have no knowledge of zenity, so can't add anything there.
 

tmpdmp


Thank you everyone for your input. I have one last problem with doas. It now allows me to run ifconfig not as root but I can't set the re0 network to down or up. It says "permission denied". What am I missing?
 

Alain De Vos


ifconfig: ioctl (SIOCDIFADDR): permission denied, means you don't have elevated permissions, that is, you run it as a regular user.
 

tmpdmp


> You could add a sudo or doas entry to allow a particular user to execute the desired command without password. For example, in a doas.conf if your username is tmpdmp
> Code:
> permit nopass tmpdmp cmd /sbin/ifconfig

ifconfig alone works as regular user now but if I do
Code:
ifconfig re0 down
it says permission denied. Is there another line I must add to doas.conf to make it work?
 

scottro


Hrm, don't have time to test tonight, but did you log out and log in? (Not sure if that's necessary with doas, but it is with sudo).
 

tmpdmp


> Hrm, don't have time to test tonight, but did you log out and log in? (Not sure if that's necessary with doas, but it is with sudo).

Not sure I follow? I did doas -C /usr/local/etc/doas.conf first, then ifconfig worked as non root user but setting a network to down or up I don't have permissions.
 

scottro


Ok, I just tested, and doas doesn't work, I'm not sure why.

However creating /usr/local/etc/sudoers.d/01scottro and having that file read
Code:
scottro ALL=(ALL) NOPASSWD: /sbin/ifconfig
logging out and logging back in, did work.

So not sure what I'm missing with doas, it's probably something simple I'm overlooking. Anyway, try sudo and see if that one works. When I made that entry, then logged out and logged in, I was able to run ifconfig commands such as bringing an interface up and down, without a password.
 

bakul


[Separate from the permission issue] IMHO, instead of ifconfig you should use service netif <cmd> re0 where <cmd> is start or stop so that any associated changes such as DHCP will be handled right.
 

T-Daemon


> ifconfig alone works as regular user now ...

There is no permission restriction to execute as user ifconfig(8) alone:
Code:
% ls -l /sbin/ifconfig
-r-xr-xr-x   1  root   wheel   227688 Apr    9 08:19 /sbin/ifconfig

> but if I do
> Code:
> ifconfig re0 down
> it says permission denied.

When using security/doas, it is invoked as doas <options> command <arguments>
Code:
% doas ifconfig em0 down

> Is there another line I must add to doas.conf to make it work?

See post # 14
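
An added example, not part of any post in this thread: the `permit nopass tmpdmp cmd /sbin/ifconfig` rule discussed above lets that user run ifconfig as root with any arguments and no password, and doas.conf's `args` keyword narrows a rule to exact argument lists. The shell function below flags `nopass` rules that lack `cmd` or `args`; the sample configuration (including the `:wheel` rule) is constructed, and the function names `sample_conf` and `audit_nopass` are hypothetical.

```shell
#!/bin/sh
# Added example: flag doas.conf "permit nopass" rules that do not pin
# both the command and its argument list.

# Constructed sample config. Line 2 is the rule posted in the thread;
# the other rules are assumptions made for this example.
sample_conf() {
cat <<'EOF'
# any ifconfig arguments as root, no password
permit nopass tmpdmp cmd /sbin/ifconfig
# only these two exact argument lists
permit nopass tmpdmp as root cmd /sbin/ifconfig args re0 up
permit nopass tmpdmp as root cmd /sbin/ifconfig args re0 down
# password still required, so not reported
permit tmpdmp cmd /sbin/ifconfig
permit nopass keepenv :wheel
EOF
}

# Reads doas.conf text on stdin, prints "LINE: finding: rule".
# Simplification: setenv { ... } blocks and continued lines are not parsed.
audit_nopass() {
    awk '
    { sub(/#.*/, "") }                 # drop comments
    NF == 0 || $1 != "permit" { next } # skip blanks and deny rules
    {
        nopass = 0; cmdpos = 0
        # options and identity come before "cmd"; stop scanning there
        for (i = 2; i <= NF; i++) {
            if ($i == "cmd") { cmdpos = i; break }
            if ($i == "nopass") nopass = 1
        }
        if (!nopass) next
        if (!cmdpos)
            print NR ": nopass with no cmd: " $0
        else if ($(cmdpos + 2) != "args")
            print NR ": nopass cmd without args: " $0
    }'
}

# With the narrowed rules, the Tint2 button would run:
#   doas /sbin/ifconfig re0 down
sample_conf | audit_nopass
```

To check a live configuration, feed the file to the function on stdin, for example `audit_nopass < /usr/local/etc/doas.conf`.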
 