iobroker-community-adapters / ioBroker.synology

ioBroker SYNOLOGY Adapter

Missing admin-user permission for shutdown

dennis-BLN opened this issue · comments

Hello @arteck,

so that the error and its later solution can be found under a fitting title, I am opening a new issue following #153:

Symptom:
Shutting down the DS with the synology adapter does not work

Log excerpt:
2022-07-01 20:38:11.204 - debug: synology.0 (1062269) state synology.0.commands.shutdown changed: true (ack = false)
2022-07-01 20:38:11.304 - debug: synology.0 (1062269) *** ERROR : src: SSH Error: code: undefined message:
2022-07-01 20:38:14.925 - debug: synology.0 (1062269) *** ERROR : src: SSH Error: code: undefined message: Sorry, try again.
2022-07-01 20:38:14.926 - debug: synology.0 (1062269) *** ERROR : src: SSH Error: code: undefined message: sudo: no password was provided
2022-07-01 20:38:14.926 - debug: synology.0 (1062269) *** ERROR : src: SSH Error: code: undefined message: sudo: 1 incorrect password attempt
2022-07-01 20:38:14.928 - warn: synology.0 (1062269) System shutdown

Assumption: the user in use still needs a permission for init or shutdown via sudoers

Users: set up via the UI
syno_admin_iob_01
syno_admin_iob_02

User in the usual files:
$ sudo grep mein-admin-konto-iob /etc/passwd /etc/group /etc/sudoers
/etc/passwd:mein-admin-konto-iob:x:1036:100::/var/services/homes/mein-admin-konto-iob:/bin/sh
/etc/group:administrators:x:101:admin,mein-admin-konto-persönlich,mein-admin-konto-iob
$

Test with the user on the console:
mein-admin-konto-iob@dsdk02:~$ shutdown
Must be root.
mein-admin-konto-iob@dsdk02:~$ init 0
Failed to execute operation: Access denied
Must be root.
mein-admin-konto-iob@dsdk02:~$

@arteck Any idea?

2fa maybe

I'll try to track this down.
@dennis-BLN: Does your password contain any non-alphanumeric characters? Shutdown / reboot does not work for me either. I think it is caused by the $ sign in my password. The adapter code seems to miss escaping bash (shell) special characters (or better use single quotes for the commandline).

I'll try to verify this - but if you are still reading here, please respond whether your password contains any other character than [A-Za-z0-9]

@arteck:
2FA is not used when logging in with ssh, so ssh should not be involved.

should be fixed in fork mcm1957/ioBroker.synology.
PR follows after testing completed

yes, there are non alphanumeric characters in it

should be fixed with release 2.1.11

For later evidence:
Tests have been done with the following Password:

azAZ09!"§$%&/()=?*+#ÄÖÜ;:_,.-@°^'x'

And no - it's NOT my productive Pwd :-)

@dennis-BLN
Hi Denis,
If possible, please evaluate the release 2.1.11 from the latest repository to check if this change fixes your problem.

Hi,

it works... but:
2022-10-26 12:38:07.902 - debug: synology.0 (3756914) SSH:echo 'password-in-pliantext'|sudo -S shutdown -h now

How about using a better authentication method than using the command in plain text and writing it to the log?
https://www.ssh.com/academy/ssh/keygen

best regards, Dennis

When the new method is proven working we should remove the log line

Ok, I'll disable it
But the message should be visible with DEBUG enabled only, which isn't a realistic scenario due to the big amount of data logged.

Anyway, I will change it with the next release

The usage of sudo itself cannot be changed as long as no other way is supported by Synology. But removing the log or masking the pwd will prevent the password from being stored in the logfile without the explicit knowledge of the user.

a) fixed with 2.1.12
Password is now masked and no longer logged in clear text.

b) Using ssh keys might be considered as a feature request. BUT this would only affect the ssh connection itself. The sudo setup still requires the password. Adapting the sudo environment at the Synology is not a method supported by Synology, and as far as I know Synology is known to revert any changes to system setup (i.e. sudo files) with updates. So this would likely cause other problems, especially for users not familiar with root / admin operation.

In summary:
Currently no change from password to keys is planned.
As long as the password is needed for non-ssh operation, changing the ssh connection to keys would (in my opinion) not raise the security at all.

But feel free to raise a feature issue, although I currently do not think that it will be implemented in the near future.

fixed with 2.1.13
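
The two fixes discussed in this thread (single-quoting the password for the shell, and keeping it out of the debug log) shown together as an added example; this is not the adapter's own code. All function names are hypothetical, `printf` replaces the `echo` seen in the log line, and `cat` stands in for `sudo -S` so the round trip can be checked without privileges.

```javascript
const { execFileSync } = require('node:child_process');

// Quote a string as one POSIX shell word: wrap it in single quotes and
// write each embedded ' as '\'' (close quote, escaped quote, reopen).
function shQuote(value) {
  return "'" + String(value).replace(/'/g, "'\\''") + "'";
}

// The half of the pipeline that feeds the password to sudo's stdin.
// printf is used because some shells' echo interprets backslashes.
function quotedStdin(password) {
  return "printf '%s\\n' " + shQuote(password);
}

// Build the command twice: one string to execute, one to log.
// The log form comes from a fixed mask, never from the secret itself.
function buildSudoCommand(password, action) {
  return {
    exec: quotedStdin(password) + '|sudo -S ' + action,
    log: "printf '%s\\n' '****'|sudo -S " + action,
  };
}

// Hypothetical naive builder for contrast: inside double quotes the
// shell still expands $name, `cmd` and backslashes in the password.
function naiveStdin(password) {
  return 'printf \'%s\\n\' "' + password + '"';
}

// Run only the stdin-producing half through sh, with cat standing in
// for `sudo -S`, and return exactly what sudo would read as password.
function whatSudoWouldRead(stdinCommand) {
  const out = execFileSync('sh', ['-c', stdinCommand + ' | cat'], {
    encoding: 'utf8',
  });
  return out.replace(/\n$/, '');
}

// Test password quoted in the thread (stated there to be non-productive).
const THREAD_PW = 'azAZ09!"§$%&/()=?*+#ÄÖÜ;:_,.-@°^\'x\'';
// Constructed sample containing a $; assumes no env variable named x9.
const DOLLAR_PW = 'Syno$x9';

console.log('log line:', buildSudoCommand(THREAD_PW, 'shutdown -h now').log);
console.log('quoted  :', whatSudoWouldRead(quotedStdin(DOLLAR_PW)));
console.log('naive   :', whatSudoWouldRead(naiveStdin(DOLLAR_PW)));
```

The naive form delivers a truncated password to sudo, which matches the "Sorry, try again." symptom in the first log excerpt.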