I'm trying to implement a local daemon that can be called via ubus through
rpcd. My goal is to have this daemon run all the tasks needed to be run as
root (e.g. activate new config or reboot or sysupgrade...) but all the rest
should be run as a non-privileged user that doesn't even have shell access (like
curl calls..):
example user:
testuser:x:1000:1000:testuser:/var:/bin/false
This works fine as long as I call ubus with root privs.
/usr/libexec/rpcd/example
#!/bin/sh
# The RPCd interfaces with commands via two methods: list and call.
case "$1" in
list)
# The list method must return the list of methods and parameters that the daemon will accept. Only methods listed here will be available to call.
echo '{ "show": { } }'
;;
call)
# The way rpcd calls the methods is by calling your script like this: <script-name> call <method-name> << <json-input>
# So, in order to retrieve the called method, you need to read $2
case "$2" in
show)
echo -n '{ "content": "hello world" }'
;;
esac
;;
esac
root@97bf8f21ef32:/etc/init.d# sudo -u root /bin/ubus -v list example
'example' @089e4ba9
"show":{}
But for the non-root user testuser this doesn't work. Ubus is silent or fails.
root@97bf8f21ef32:/etc/init.d# sudo -u testuser /bin/ubus -v list example
root@97bf8f21ef32:/etc/init.d# sudo -u testuser /bin/ubus call banner show
Command failed: Not found
Is there a way to locally allow user testuser to make specific calls via ubus?
I don't want a service like uhttpd involved, so the remote ubus method is not
an option for me. I would also like to avoid writing an excessive sudoers file
to allow all kinds of calls for the user. Is there any other good method to
implement this kind of privsep in OpenWrt?
thanks 1000x,
Mischa
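As an added example (not from the post above), here is the same rpcd plugin shape extended to take a JSON argument on stdin and validate it before the root-running script acts on it; the method name `status`, the `name` parameter, the sed fallback used when `jsonfilter` is absent, and the treatment of a non-zero exit as a failed call are assumptions.

```sh
#!/bin/sh
# Added example: an rpcd plugin that accepts one validated argument.
# rpcd invokes it as
#   <script> list            -> print method/parameter signatures
#   <script> call <method>   -> JSON arguments arrive on stdin
# Assumed: jsonfilter (OpenWrt's JSON tool) when present, a plain sed
# fallback otherwise so the script can be exercised on a dev box.

json_get_field() {
    # Print the string value of top-level key $1 from the JSON on stdin.
    if command -v jsonfilter >/dev/null 2>&1; then
        jsonfilter -e "@.$1"
    else
        sed -n 's/.*"'"$1"'"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
    fi
}

valid_name() {
    # Allowlist: letters, digits, '-' and '_' only, so the value can never
    # be more than a plain token when this script (running as root) uses it.
    case "$1" in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

rpcd_dispatch() {
    case "$1" in
    list)
        # Parameter types use rpcd's type names ("str", "int", "bool").
        echo '{ "status": { "name": "str" } }'
        ;;
    call)
        case "$2" in
        status)
            name=$(json_get_field name) || name=""
            if valid_name "$name"; then
                printf '{ "name": "%s", "state": "ok" }\n' "$name"
            else
                # Assumed: a non-zero exit is reported by rpcd as a failed call.
                return 2
            fi
            ;;
        *) return 1 ;;
        esac
        ;;
    esac
}

rpcd_dispatch "$@"
```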