From 15e943613134ff6a2ecd792d5575ab0b9f0f64a8 Mon Sep 17 00:00:00 2001 From: "W. Trevor King" Date: Sun, 27 Nov 2011 13:54:48 -0500 Subject: [PATCH] Add kinit-mpd.sh script, and mention it in the Kerberos post. --- posts/Kerberos.mdwn | 4 ++++ posts/Kerberos/kinit-mpd.sh | 32 ++++++++++++++++++++++++++++++++ 2 files changed, 36 insertions(+) create mode 100755 posts/Kerberos/kinit-mpd.sh diff --git a/posts/Kerberos.mdwn b/posts/Kerberos.mdwn index 9cac9a3..a06f294 100644 --- a/posts/Kerberos.mdwn +++ b/posts/Kerberos.mdwn @@ -311,6 +311,10 @@ There's also [suite of Kerberos-aware utilities][apps] in `kftp`). I don't use the non-Kerberized versions, so I haven't tried any of these. +If you're using [[MPD]] on an NFS-mounted music repository, you might +be interested in my [[kinit-mpd.sh]] script for granting the `mpd` +user access to the NFS-mounted music as the `nobody` principal. + [Kerberos]: http://web.mit.edu/kerberos/ [install]: http://web.mit.edu/kerberos/krb5-1.9/krb5-1.9.1/doc/krb5-install.html [DNS]: http://web.mit.edu/kerberos/krb5-1.9/krb5-1.9.1/doc/krb5-admin.html#Using%20DNS diff --git a/posts/Kerberos/kinit-mpd.sh b/posts/Kerberos/kinit-mpd.sh new file mode 100755 index 0000000..1acd2d0 --- /dev/null +++ b/posts/Kerberos/kinit-mpd.sh 
@@ -0,0 +1,32 @@
+#!/bin/bash
+#
+# Copyright (C) 2011 W. Trevor King
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Lesser General Public License as
+# published by the Free Software Foundation, either version 3 of the
+# License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public
+# License along with this program. If not, see
+# .
+
+# usage: kinit-mpd.sh
+#
+# Uses root permissions to assume `nobody` credentials from a central
+# keytab, and then transfers ownership of the resulting ticket to the
+# `mpd` user.
+
+ROOT_UID=$(id --user root)
+MPD_UID=$(id --user mpd)
+NOBODY_KEYTAB=/etc/krb5.nobody.keytab
+NOBODY_USER=nobody
+
+sudo kinit -k -t "${NOBODY_KEYTAB}" "${NOBODY_USER}"
+sudo mv "/tmp/krb5cc_${ROOT_UID}" "/tmp/krb5cc_${MPD_UID}"
+sudo chown mpd.audio "/tmp/krb5cc_${MPD_UID}"
-- 2.26.2
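Review bot: The closing `sudo mv` and `sudo chown` in kinit-mpd.sh run even when `sudo kinit` fails, so a stale `/tmp/krb5cc_${ROOT_UID}` holding root's own tickets would be renamed and handed to `mpd`. A successful run also overwrites root's default cache before moving it away. Add `set -e` below the header comments and let kinit write the target cache directly with `sudo kinit -k -t "${NOBODY_KEYTAB}" -c "/tmp/krb5cc_${MPD_UID}" "${NOBODY_USER}"`, which makes the `mv` and `ROOT_UID` unnecessary. The script also assumes the default cache lives at `/tmp/krb5cc_<uid>`, which presumably does not hold where `KRB5CCNAME` or `default_ccache_name` points elsewhere, so a comment stating that assumption would help. `chown mpd:audio` is the current separator form; the `.` form is deprecated.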