iobroker-community-adapters / ioBroker.synology

ioBroker SYNOLOGY Adapter
MIT License

Missing permission for admin user for shutdown #180

Closed dennis-BLN closed 1 year ago

dennis-BLN commented 2 years ago

Hello @arteck,

so that the error and the later solution can be found under a fitting title, I am opening a new issue for #153:

Symptom: shutting down the DS with the synology adapter does not work

Log excerpt:

    2022-07-01 20:38:11.204 - debug: synology.0 (1062269) state synology.0.commands.shutdown changed: true (ack = false)
    2022-07-01 20:38:11.304 - debug: synology.0 (1062269) *** ERROR : src: SSH Error: code: undefined message:
    2022-07-01 20:38:14.925 - debug: synology.0 (1062269) *** ERROR : src: SSH Error: code: undefined message: Sorry, try again.
    2022-07-01 20:38:14.926 - debug: synology.0 (1062269) *** ERROR : src: SSH Error: code: undefined message: sudo: no password was provided
    2022-07-01 20:38:14.926 - debug: synology.0 (1062269) *** ERROR : src: SSH Error: code: undefined message: sudo: 1 incorrect password attempt
    2022-07-01 20:38:14.928 - warn: synology.0 (1062269) System shutdown

Assumption: the user in use still needs a permission for init or shutdown via the sudoers file

User: set up via the web interface

syno_admin_iob_01 syno_admin_iob_02

User in the common files:

    $ sudo grep mein-admin-konto-iob /etc/passwd /etc/group /etc/sudoers
    /etc/passwd:mein-admin-konto-iob:x:1036:100::/var/services/homes/mein-admin-konto-iob:/bin/sh
    /etc/group:administrators:x:101:admin,mein-admin-konto-persönlich,mein-admin-konto-iob
    $

Test with the user on the console:

    mein-admin-konto-iob@dsdk02:~$ shutdown
    Must be root.
    mein-admin-konto-iob@dsdk02:~$ init 0
    Failed to execute operation: Access denied
    Must be root.
    mein-admin-konto-iob@dsdk02:~$

Apollon77 commented 2 years ago

@arteck Any idea?

arteck commented 2 years ago

2fa maybe

mcm1957 commented 2 years ago

I'll try to track this down. @dennis-BLN: Does your password contain any non-alphanumeric characters? Shutdown / reboot does not work for me either. I think it is caused by the $ sign in my password. The adapter code seems to miss escaping bash (shell) special characters (or better use single quotes for the command line).

I'll try to verify this - but if you are still reading here, please respond whether your password contains any other character than [A-Za-z0-9]

@arteck: 2FA is not used when logging in with ssh, so ssh should not be involved.

mcm1957 commented 2 years ago

Should be fixed in fork mcm1957/ioBroker.synology. PR follows after testing is completed.

dennis-BLN commented 2 years ago

> I'll try to track this down. @dennis-BLN: Does your password contain any non-alphanumeric characters? Shutdown / reboot does not work for me either. I think it is caused by the $ sign in my password. The adapter code seems to miss escaping bash (shell) special characters (or better use single quotes for the command line).
>
> I'll try to verify this - but if you are still reading here, please respond whether your password contains any other character than [A-Za-z0-9]
>
> @arteck: 2FA is not used when logging in with ssh, so ssh should not be involved.

Yes, there are non-alphanumeric characters in it.

mcm1957 commented 2 years ago

should be fixed with release 2.1.11

mcm1957 commented 2 years ago

For later evidence: Tests have been done with the following Password:

*azAZ09!"§$%&/()=?+#ÄÖÜ;:_,.-@°^'x'**

And no - it's NOT my productive Pwd :-)

mcm1957 commented 2 years ago

@dennis-BLN Hi Dennis, if possible please evaluate the release 2.1.11 for latest repository to check if this change fixes your problem.

dennis-BLN commented 2 years ago

Hi,

it works... but:

    2022-10-26 12:38:07.902 - debug: synology.0 (3756914) SSH:echo 'password-in-pliantext'|sudo -S shutdown -h now

How about using a better authentication method than using the command in plain text and writing it to the log? https://www.ssh.com/academy/ssh/keygen

best regards, Dennis

Apollon77 commented 2 years ago

When the new method is proven working we should remove the log line.

mcm1957 commented 2 years ago

OK, I'll disable it. But the message should be visible with DEBUG enabled only, which isn't a realistic scenario due to the big amount of data logged.

Anyway, I will change it with the next release.

The usage of sudo itself cannot be changed as long as no other way is supported by Synology. But removing the log or masking the pwd will prevent the password from being stored in the logfile without explicit knowledge of the user.

mcm1957 commented 2 years ago

a) Fixed with 2.1.12. Password is now masked and no longer logged in clear text.

b) Using ssh keys might be considered as a feature request. BUT this would only affect the ssh connection itself. The sudo setup still requires the password. Adapting the sudo environment at the Synology is not a method supported by Synology, and as far as I know Synology is known to revert any changes to the system setup (i.e. sudo files) with updates. So this would likely cause other problems, especially for users not familiar with root / admin operation.

In summary: Currently no change from password to keys is planned. As long as the password is needed for non-ssh operation, changing the ssh connection to keys would (in my opinion) not raise the security at all.

But feel free to raise a feature issue, although I currently do not think that it will be implemented in the near future.
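The two fixes discussed in this thread (single-quoting the password for the shell, and masking it in the debug log), sketched as an added example that is not the adapter's own code. The function names, the `'***'` mask and the sample password are assumptions made for illustration.

```javascript
// Added example; names are hypothetical, not taken from ioBroker.synology.

// Quote a value as one POSIX shell word. Inside '...' nothing is special
// ($, ", \, !, ;), so only the single quote itself needs handling:
// close the quote, emit an escaped quote, reopen the quote ('\'').
function shQuote(value) {
    return "'" + String(value).replace(/'/g, "'\\''") + "'";
}

// Minimal model of how a POSIX shell reads such a word, used only to
// check that the quoted form round-trips to the original characters.
function shUnquoteWord(word) {
    let out = '';
    let i = 0;
    while (i < word.length) {
        if (word[i] === "'") {
            const end = word.indexOf("'", i + 1);
            if (end === -1) throw new Error('unterminated single quote');
            out += word.slice(i + 1, end);
            i = end + 1;
        } else if (word[i] === '\\' && i + 1 < word.length) {
            out += word[i + 1];
            i += 2;
        } else {
            throw new Error('unquoted character at index ' + i);
        }
    }
    return out;
}

// Same command shape as in the log line above: password piped to sudo -S.
// Returns the string to execute and a separate string that is safe to log.
function buildSudoCommand(password, command) {
    const tail = `|sudo -S ${command}`;
    return {
        exec: `echo ${shQuote(password)}${tail}`,
        log: `echo '***'${tail}`, // mask format is an assumption
    };
}

// Constructed sample password containing $, quotes, a backslash and non-ASCII.
const SAMPLE_PASSWORD = "pa$$w0rd'x\"y\\z §Ä";
const SAMPLE = buildSudoCommand(SAMPLE_PASSWORD, 'shutdown -h now');
```

Some shells' built-in `echo` interprets backslash sequences, so a password containing `\n` or similar is safer passed with `printf '%s\n'` in place of `echo`.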

mcm1957 commented 1 year ago

fixed with 2.1.13