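SimplePermissionManager (Permission Manager) is a Synology privilege-authorization tool developed by Jim. The package itself only needs to be started and activated once; other packages can then obtain root privileges permanently by calling it (the earlier SSH-based elevation was valid only for the current installation).
Running a program through spm-exec supports two authorization modes:
1. The program or script to be run is signed, and is elevated to root automatically
2. The program or script is unsigned, and must be ticked manually in the Permission Manager to be elevated to root
Open-source project: SimplePermissionManager. It supports DSM 7.x on x86_64 and armv8.
Install from within the 矿神 Synology SPK package source
The 矿神 Synology SPK package source provides DSM6 and DSM7 packages commonly used in China. DSM7 packages currently available include Aria2, ffmpeg, Jellyfin, qBittorrent, Syncthing, Transmission and more, with ongoing updates.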
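Usage notes
After installation, the package must be ticked and activated before it takes effect. Other packages from the 矿神 Synology SPK package source that need to run as root can then call it to start.
If activation of the package keeps failing, you can connect over SSH and activate it manually: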
sudo rm -f /usr/local/bin/spm-exec
sudo cp /var/packages/SimplePermissionManager/target/bin/spm-exec /usr/local/bin/spm-exec
sudo chown root:root /usr/local/bin/spm-exec
sudo chmod 6755 /usr/local/bin/spm-exec
Developer Guide (reposted from GitHub)
Auto Approve Guide
Generate Middle Public Key Signature
Prepare a GPG key before the following steps.
1. Export the middle public key
gpg --output public.pgp --export 'Hello World <hello@world.com>'
2. Send the public key to Jim to be signed by the root key
gpg --output public.pgp.sig --detach-sign public.pgp
3. Save the middle public key signature
Save public.pgp and public.pgp.sig
Generate Binary Signature
1. Sign with the middle key
gpg --output hello-world.sh.gpg.sig --detach-sign hello-world.sh
2. Save the binary signature
File name: hello-world.sh.sig
{
  "version": 1,
  "signature": "<base64 format read binary signature>",
  "publicKeys": [
    {
      "publicKey": "<base64 format middle public key>",
      "signature": "<base64 format middle public signature>"
    }
  ]
}
Sign Script
file=hello-world.sh
# Base64-encode the middle public key and its signature from the root key
pub_key=$(base64 -w 0 public.pgp)
pub_sig=$(base64 -w 0 public.pgp.sig)
# Digest of the file being signed
sha256=$(sha256sum "$file" | awk '{print $1}')
# Detached signature made with the middle key, embedded as base64
gpg --output "$file".gpg.sig --detach-sign "$file"
sig=$(base64 -w 0 "$file".gpg.sig)
rm -f "$file".gpg.sig
cat << EOF > "$file".sig
{
  "version": 1,
  "sha256": "${sha256}",
  "signature": "${sig}",
  "publicKeys": [
    {
      "publicKey": "${pub_key}",
      "signature": "${pub_sig}"
    }
  ]
}
EOF
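A pre-flight check a package build could run on the output of the sign script, added here as an example and not part of SimplePermissionManager: it catches a .sig file left stale after the script was edited, or one that still holds placeholder values. The function name and return codes are hypothetical, the "sha256" field is assumed to be present as the sign script writes it, and the GPG signatures themselves are not verified.

```shell
#!/bin/sh
# Added example, not part of SimplePermissionManager.
# check_sig_file SCRIPT: sanity-check SCRIPT.sig against the layout written by
# the sign script. It does NOT verify the GPG signatures themselves.
# Return codes (chosen for this example):
#   0 ok, 2 file missing, 3 unexpected version, 4 digest mismatch,
#   5 missing, empty or undecodable signature/publicKey value
check_sig_file() {
    csf_file=$1
    csf_sig="$1.sig"
    [ -f "$csf_file" ] && [ -f "$csf_sig" ] || return 2

    # "version" must be the number 1.
    grep -Eq '"version"[[:space:]]*:[[:space:]]*1[[:space:]]*,?[[:space:]]*$' \
        "$csf_sig" || return 3

    # The recorded digest must match the script as it exists now.
    csf_want=$(sed -n 's/.*"sha256"[[:space:]]*:[[:space:]]*"\([0-9a-fA-F]\{64\}\)".*/\1/p' \
        "$csf_sig" | head -n 1 | tr 'A-F' 'a-f')
    csf_have=$(sha256sum "$csf_file" | awk '{print $1}')
    [ -n "$csf_want" ] && [ "$csf_want" = "$csf_have" ] || return 4

    # Expect the file signature, one middle public key and its signature.
    [ "$(grep -c '"signature"[[:space:]]*:' "$csf_sig")" -ge 2 ] || return 5
    grep -q '"publicKey"[[:space:]]*:' "$csf_sig" || return 5

    # Every such value must be non-empty base64 that decodes cleanly.
    sed -n -E 's/.*"(signature|publicKey)"[[:space:]]*:[[:space:]]*"([^"]*)".*/\2/p' \
        "$csf_sig" | while IFS= read -r csf_val; do
        [ -n "$csf_val" ] && printf '%s' "$csf_val" | base64 -d >/dev/null 2>&1 || exit 5
    done || return 5
    return 0
}
```

Call it as `check_sig_file /path/to/hello-world.sh` in the build step and fail the build on any non-zero status.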
Run Command in Packages
## check permission first
if [ ! -e /usr/local/bin/spm-exec ]; then
    echo "ERROR: /usr/local/bin/spm-exec not found. Please install SimplePermissionManager package and activate it."
    exit 1
fi
st=$(stat -c "%U %G %a" /usr/local/bin/spm-exec)
if [ ! "$st" = "root root 6755" ]; then
    echo "ERROR: /usr/local/bin/spm-exec permission is not ready. Please activate SimplePermissionManager."
    exit 1
fi
## 1. execute target command
/usr/local/bin/spm-exec /path/to/hello-world.sh
## 2. execute target command and store pid
## if the pid is later used to check status, make sure the parent script runs as root,
## or call spm-exec for the status check as well,
## like: spm-exec kill -0 $pid, or proxy the whole script through spm-exec, e.g.
## for start-stop-status, we can call spm-exec like this:
## start-stop-status -> spm-exec real-start-stop-status > real-start-stop-status
/usr/local/bin/spm-exec -pid /path/to/pid /path/to/hello-world.sh
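Example of package handling in the 矿神 Synology SPK package source (initial version, for reference only!)
1. Rename start-stop-status in the package's scripts directory to real-start-stop-status, sign it, and add a privilege notice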
if [[ `id -u` -eq 0 ]]; then
echo -e "⚠️本套件将以root权限运行!This package will run with root privileges!" | tee -a $SYNOPKG_TEMP_LOGFILE
else
echo -e "需要root权限启动:请安装SimplePermissionManager(授权管理器)套件并激活它。<br>Need root:Please install SimplePermissionManager package and activate it.<br><br>或SSH修复权限,仅对本次安装有效(Or SSH repair permission,valid only now):<br>sudo sed -i 's/package/root/g' /var/packages/${SYNOPKG_PKGNAME}/conf/privilege" | tee -a $SYNOPKG_TEMP_LOGFILE
exit 0
fi
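2. Create a new start-stop-status forwarding script
#!/bin/bash
# Path of the script that does the real work
REAL_SCRIPT="/var/packages/${SYNOPKG_PKGNAME}/scripts/real-start-stop-status"
if [ ! -d "/var/packages/SimplePermissionManager" ] || [ ! -e /usr/local/bin/spm-exec ] || [ "$(stat -c "%U %G %a" /usr/local/bin/spm-exec 2>/dev/null)" != "root root 6755" ]; then
    # If the SimplePermissionManager directory does not exist, spm-exec does not exist,
    # or spm-exec has the wrong permissions, run REAL_SCRIPT directly
    "$REAL_SCRIPT" "$@"
    exit $?
fi
# All checks passed: run real-start-stop-status elevated through spm-exec, passing all arguments
/usr/local/bin/spm-exec "$REAL_SCRIPT" "$@"
# Exit with the result of the command
exit $?
The root-launched packages in the 矿神 Synology SPK package source are still being tested and optimized. Testing and feedback are welcome.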