
Because of some recent bluetooth issues, I need to be able to run sudo pkill bluetoothd quite frequently, so I decided to create a shell script Shortcut to have on my menu bar for quick access. I usually need to run this command in urgent situations, so I hope you can understand typing in my password or waiting for Touch ID to finally recognise my finger can become annoying very quickly.

At first I thought to use blueutil as it doesn't require sudo, but unfortunately it doesn't seem to work the same (it reconnects to my devices slower than terminating bluetoothd), so unless there's a way to make blueutil faster I want to avoid using it.

Then I considered modifying my sudoers file to make pkill runnable without sudo, but it sounds like a huge security risk doing that. Because of this, I thought of creating a .command file and specifying it in my sudoers file, but I'm afraid the file can be edited without privileges, again creating a big security risk.

I'm looking for the best way to do this, but if there's a method to either make bluetoothd killable without sudo, or to make a .command file executable but non-writeable, do let me know.

Thanks in advance! :)


1 Answer


Then I considered modifying my sudoers file to make pkill runnable without sudo, …

You cannot use sudoers to make something runnable without sudo. sudoers is relevant if and only if sudo is involved. You can use sudoers to make something runnable with sudo without password.

… but it sounds like a huge security risk doing that.

It depends on how you do it.

  • If you allow pkill without password then yes, you will allow pkill and pkill anything, and also pkill anything and_more ….

  • If you allow specifically pkill bluetoothd without password then you will allow only pkill with exactly one argument bluetoothd; you won't allow pkill something_else, not even pkill bluetoothd something_more.

A relevant line in sudoers will look like this:

arber ALL=(ALL) NOPASSWD: /full/path/to/pkill bluetoothd

The point is sudo pkill foo or sudo pkill bluetoothd foo will still ask for your password (unless they match another NOPASSWD rule or your credentials are being cached).

When building your sudoers, remember that where there are multiple matches, the last match is used (which is not necessarily the most specific match).


[…] but I'm afraid the file can be edited without privileges, again creating a big security risk.

If you use the above solution then you won't need such file.

In general, if you ever need such file, then create the file as owned by root, writable only by its owner, in a directory owned by root and writable only by its owner. Allow other users to read and enter the directory; allow other users to read and (if you want) execute the file.

Example: the directory and the file in it are owned by root:wheel. The mode for the directory is 755, the mode for the file is 755. One can edit or overwrite or remove or replace such file only when acting as root.
