
New Synology package: introduction to the Permission Manager (SimplePermissionManager)


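SimplePermissionManager (Permission Manager) is a Synology privilege-authorization tool developed by Jim. The package itself only needs to be started and activated once; after that, other packages can obtain root privileges permanently by calling it (the earlier SSH-based elevation was valid only for that one installation).

Running a command through spm-exec has two authorization modes:

1. Programs or scripts that are signed are elevated to root automatically.
2. Unsigned programs or scripts must be ticked manually in Permission Manager before they are elevated to root.

Open-source project: SimplePermissionManager. It supports DSM 7.x on x86_64 and armv8.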

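Install from the 矿神 Synology SPK package source

The 矿神 Synology SPK package source is now live! It supports DSM 7.x.

The 矿神 Synology SPK package source provides a range of DSM 6 and DSM 7 packages commonly used in China. DSM 7 packages currently available include Aria2, ffmpeg, Jellyfin, qBittorrent, Syncthing, Transmission and more, with ongoing updates.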

Package screenshot

[Image: 3520476197.png]

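Usage notes

After installation, the package must be ticked and activated before it takes effect. Other packages from the 矿神 Synology SPK package source that need to run as root can then call it to start.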

[Image: 1628529694.png]

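If activation of the package keeps failing, you can activate it manually over an SSH connection. The commands below reinstall spm-exec as a root-owned binary with mode 6755 (setuid and setgid bits set):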

sudo rm -f /usr/local/bin/spm-exec
sudo cp /var/packages/SimplePermissionManager/target/bin/spm-exec /usr/local/bin/spm-exec
sudo chown root:root /usr/local/bin/spm-exec
sudo chmod 6755 /usr/local/bin/spm-exec

Developer Guide (reposted from GitHub)

Auto Approve Guide

Generate Middle Public Key Signature

Prepare gpg key before the following steps

1. Export middle public key

gpg --output public.pgp --export 'Hello World <hello@world.com>'

2. Send public key to Jim to sign by root key

gpg --output public.pgp.sig --detach-sign public.pgp

3. Save middle public key signature

Save public.pgp and public.pgp.sig

Generate Binary Signature

1. Sign by middle key

gpg --output hello-world.sh.gpg.sig --detach-sign hello-world.sh

2. Save binary signature

File name: hello-world.sh.sig

{
    "version": 1,
    "signature": "<base64 format read binary signature>",
    "publicKeys": [
        {
            "publicKey": "<base64 format middle public key>",
            "signature": "<base64 format middle public signature>"
        }
    ]
}

Sign Script

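file=hello-world.sh
# Base64-encode the middle public key and its root-key signature
pub_key=$(base64 -w 0 public.pgp)
pub_sig=$(base64 -w 0 public.pgp.sig)

# SHA-256 digest of the script, plus a detached signature made with the middle key
sha256=$(sha256sum "$file" | awk '{print $1}')
gpg --output "$file".gpg.sig --detach-sign "$file"
sig=$(base64 -w 0 "$file".gpg.sig)
rm -f "$file".gpg.sig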

cat << EOF > "$file".sig
{
    "version": 1,
    "sha256": "${sha256}",
    "signature": "${sig}",
    "publicKeys": [
        {
            "publicKey": "${pub_key}",
            "signature": "${pub_sig}"
        }
    ]
}
EOF
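
An added example, not part of the original post or of the SimplePermissionManager project: a Python pre-release check that the `.sig` file written by the Sign Script above still matches its script. It checks only the JSON layout and the SHA-256 digest, not the GPG signatures or spm-exec's own verification (which this page does not describe); the function names and sample values are constructed for illustration.

```python
import base64
import hashlib
import json
import tempfile
from pathlib import Path


def is_b64(value):
    """True if value is a non-empty, strictly valid base64 string."""
    try:
        return bool(value) and bool(base64.b64decode(value, validate=True))
    except (ValueError, TypeError):  # binascii.Error is a ValueError subclass
        return False


def check_sidecar(script_path):
    """Return the problems found in <script_path>.sig; an empty list means consistent."""
    try:
        doc = json.loads(Path(f"{script_path}.sig").read_text(encoding="utf-8"))
        digest = hashlib.sha256(Path(script_path).read_bytes()).hexdigest()
    except (OSError, ValueError) as exc:
        return [f"cannot read script or sidecar: {exc}"]
    if not isinstance(doc, dict):
        return ["sidecar is not a JSON object"]
    keys = doc.get("publicKeys")
    checks = [
        (doc.get("version") == 1, "version is not 1"),
        (doc.get("sha256") == digest, "sha256 does not match the script"),
        (is_b64(doc.get("signature")), "signature is not valid base64"),
        (isinstance(keys, list) and keys, "publicKeys is empty or missing"),
    ]
    for i, key in enumerate(keys if isinstance(keys, list) else []):
        for field in ("publicKey", "signature"):
            ok = isinstance(key, dict) and is_b64(key.get(field))
            checks.append((ok, f"publicKeys[{i}].{field} is not valid base64"))
    return [message for ok, message in checks if not ok]


def demo():  # constructed sample: placeholder base64 values, not real GPG output
    body = b"#!/bin/sh\necho hello\n"
    fake = base64.b64encode(b"constructed placeholder").decode()
    doc = {"version": 1, "sha256": hashlib.sha256(body).hexdigest(), "signature": fake,
           "publicKeys": [{"publicKey": fake, "signature": fake}]}
    with tempfile.TemporaryDirectory() as tmp:
        script = Path(tmp, "hello-world.sh")
        script.write_bytes(body)
        Path(f"{script}.sig").write_text(json.dumps(doc), encoding="utf-8")
        before = check_sidecar(script)
        script.write_bytes(body + b"echo edited\n")  # script changed after signing
        return before, check_sidecar(script)
```

A non-empty result from `check_sidecar` means the script should be re-signed before the package is built.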

Run Command in Packages

## check permission first
if [ ! -e /usr/local/bin/spm-exec ]; then
    echo "ERROR: /usr/local/bin/spm-exec not found. Please install SimplePermissionManager package and activate it."
    exit 1
fi

st=$(stat -c "%U %G %a" /usr/local/bin/spm-exec)
if [ ! "$st" = "root root 6755" ]; then
    echo "ERROR: /usr/local/bin/spm-exec permission is not ready. Please activate SimplePermissionManager."
    exit 1
fi
## 1. execute target command
/usr/local/bin/spm-exec /path/to/hello-world.sh

## 2. execute target command and store pid
## if need check status with pid, please ensure parent script is root
## or also call spm-exec to check status,
## like: spm-exec kill -0 $pid, or proxy all script to spm-exec, eg:
## for start-stop-status, we can call spm-exec like this:
##     start-stop-status -> spm-exec real-start-stop-status > real-start-stop-status
/usr/local/bin/spm-exec -pid /path/to/pid /path/to/hello-world.sh

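Example of how packages in the 矿神 Synology SPK package source are handled (initial version, for reference only!!!)

1. Rename start-stop-status in the package's scripts directory to real-start-stop-status, sign it, and add a permission notice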

if [[ `id -u` -eq 0 ]]; then
    echo -e "⚠️本套件将以root权限运行!This package will run with root privileges!" | tee -a $SYNOPKG_TEMP_LOGFILE
else
    echo -e "需要root权限启动:请安装SimplePermissionManager(授权管理器)套件并激活它。<br>Need root:Please install SimplePermissionManager package and activate it.<br><br>或SSH修复权限,仅对本次安装有效(Or SSH repair permission,valid only now):<br>sudo sed -i 's/package/root/g' /var/packages/${SYNOPKG_PKGNAME}/conf/privilege" | tee -a $SYNOPKG_TEMP_LOGFILE
    exit 0
fi

2. Create a new start-stop-status forwarding script

#!/bin/bash

# Path of the script that does the real work
REAL_SCRIPT="/var/packages/${SYNOPKG_PKGNAME}/scripts/real-start-stop-status"

if [ ! -d "/var/packages/SimplePermissionManager" ] || [ ! -e /usr/local/bin/spm-exec ] || [ "$(stat -c "%U %G %a" /usr/local/bin/spm-exec 2>/dev/null)" != "root root 6755" ]; then
    # If the SimplePermissionManager directory does not exist, spm-exec does not exist, or the spm-exec permissions are wrong, run REAL_SCRIPT directly
    "$REAL_SCRIPT" "$@"
    exit $?
fi

# All checks passed: run real-start-stop-status elevated through spm-exec, passing all arguments along
/usr/local/bin/spm-exec "$REAL_SCRIPT" "$@"

# Capture the exit status and exit
exit $?

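The packages in the 矿神 Synology SPK package source that start as root are still being tested and optimized. Testing and feedback are welcome.

Original article by ERROR204. Reproduction of this article in any form without written permission is prohibited: https://imnks.com/10514.html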