From: W. Trevor King Date: Sun, 27 Nov 2011 18:54:48 +0000 (-0500) Subject: Add kinit-mpd.sh script, and mention it in the Kerberos post. X-Git-Url: http://git.tremily.us/?a=commitdiff_plain;h=15e943613134ff6a2ecd792d5575ab0b9f0f64a8;p=blog.git Add kinit-mpd.sh script, and mention it in the Kerberos post. --- diff --git a/posts/Kerberos.mdwn b/posts/Kerberos.mdwn index 9cac9a3..a06f294 100644 --- a/posts/Kerberos.mdwn +++ b/posts/Kerberos.mdwn @@ -311,6 +311,10 @@ There's also [suite of Kerberos-aware utilities][apps] in `kftp`). I don't use the non-Kerberized versions, so I haven't tried any of these. +If you're using [[MPD]] on an NFS-mounted music repository, you might +be interested in my [[kinit-mpd.sh]] script for granting the `mpd` +user access to the NFS-mounted music as the `nobody` principal. + [Kerberos]: http://web.mit.edu/kerberos/ [install]: http://web.mit.edu/kerberos/krb5-1.9/krb5-1.9.1/doc/krb5-install.html [DNS]: http://web.mit.edu/kerberos/krb5-1.9/krb5-1.9.1/doc/krb5-admin.html#Using%20DNS diff --git a/posts/Kerberos/kinit-mpd.sh b/posts/Kerberos/kinit-mpd.sh new file mode 100755 index 0000000..1acd2d0 --- /dev/null +++ b/posts/Kerberos/kinit-mpd.sh 
@@ -0,0 +1,32 @@ +#!/bin/bash +# +# Copyright (C) 2011 W. Trevor King +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU Lesser General Public License as +# published by the Free Software Foundation, either version 3 of the +# License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# Lesser General Public License for more details. +# +# You should have received a copy of the GNU Lesser General Public +# License along with this program. If not, see +# . + +# usage: kinit-mpd.sh +# +# Uses root permissions to assume `nobody` credentials from a central +# keytab, and then transfers ownership of the resulting ticket to the +# `mpd` user. + +ROOT_UID=$(id --user root) +MPD_UID=$(id --user mpd) +NOBODY_KEYTAB=/etc/krb5.nobody.keytab +NOBODY_USER=nobody + +sudo kinit -k -t "${NOBODY_KEYTAB}" "${NOBODY_USER}" +sudo mv "/tmp/krb5cc_${ROOT_UID}" "/tmp/krb5cc_${MPD_UID}" +sudo chown mpd.audio "/tmp/krb5cc_${MPD_UID}"
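Review bot: the paragraph added to posts/Kerberos.mdwn does not mention the script's prerequisites. The new kinit-mpd.sh calls `sudo` three times and reads `/etc/krb5.nobody.keytab`, so a reader following the link needs sudo rights and a keytab for the `nobody` principal at that path. One sentence saying so in the post would save them from finding out by reading the script.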
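Review bot: the three `sudo` commands at the end of kinit-mpd.sh run unconditionally, so if `sudo kinit -k -t ...` fails, the `mv` still hands whatever is already in `/tmp/krb5cc_${ROOT_UID}` to the `mpd` user. That file may be an existing root ticket cache for some other principal. Chain the commands with `&&` or add `set -e` near the top. Better still, write the cache directly to its destination with `kinit -c "/tmp/krb5cc_${MPD_UID}"`, which also stops the script from overwriting root's own cache on every run. The same applies to the two `id --user` lookups: if the `mpd` user does not exist, `MPD_UID` is empty and the target becomes `/tmp/krb5cc_`. A smaller style point: `chown mpd.audio` uses the legacy dot separator, and `mpd:audio` is the portable form.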