[mythtv-users] Sudoers fix for MythTV builtin commands requiring sudo systemctl

Stephen Worthington stephen_agent at jsw.gen.nz
Sat Jul 13 17:18:25 UTC 2019


In mythtv-setup and mythfrontend, there are commands to halt, power
off and reboot the PC and to start and stop mythbackend.  Since the
arrival of systemd, these commands as installed do not work or do not
work correctly, since they now require the use of the systemctl
command with sudo.  Having mythtv-setup unable to stop and start
mythbackend causes a number of problems for people who think they have
changed a setting but have only changed it in the database as
mythbackend needs to be restarted before it will see the change.  This
causes a lot of confusion.  And you can wind up with multiple copies
of mythbackend running at the same time also.

I have created what I hope is a good workaround for this problem on
Ubuntu 18.04, and it should also work on Ubuntu 16.04.  It uses an
entry in sudoers to allow a helper script to be run with sudo to
execute the correct systemctl commands.

Here is the /etc/sudoers.d/mythtv-systemctl-helper file:

mythtv,%mythtv ALL=NOPASSWD:/home/mythtv/bin/mythtv-systemctl-helper.sh

(all one line - my email client wraps long lines)

And here is the /home/mythtv/bin/mythtv-systemctl-helper.sh file:

#!/bin/bash
# Sudoers helper script for MythTV programs to be able to do necessary systemctl commands.
# Author: J S Worthington
# Version 1.0 2019-07-14

# Warning: For this script to work safely (without any security risks), it
# must be "chown root:mythtv" and "chmod ug=rx,o=".

#set -x

# Refuse to run without an argument.
if [ "$1" == "" ]; then
    exit 1
fi

# Only the fixed set of words below is accepted; anything else falls through and does nothing.
if [ "$1" == "reboot" ] || [ "$1" == "poweroff" ] || [ "$1" == "halt" ]; then

    # Execute the systemctl aliased command.
    "$1"

elif [ "$1" == "start" ] || [ "$1" == "stop" ] || [ "$1" == "restart" ] || [ "$1" == "status" ]; then

    # Execute the command on the mythbackend service.
    systemctl "$1" mythtv-backend.service

fi

To install these two new files, run the following commands to download
them from my web server:

sudo su
cd /home/mythtv/
if [ ! -d bin ]; then
	mkdir bin
	chown mythtv:mythtv bin
fi
cd bin
wget https://www.jsw.gen.nz/mythtv/mythtv-systemctl-helper.sh
chown root:mythtv mythtv-systemctl-helper.sh
chmod ug=rx,o= mythtv-systemctl-helper.sh
cd /etc/sudoers.d
wget https://www.jsw.gen.nz/mythtv/mythtv-systemctl-helper
chown root:root mythtv-systemctl-helper
chmod ug=r,o= mythtv-systemctl-helper
exit

Note that I am unable to test the above install script as it will only
work from outside my network, so please let me know if there are any
problems.

Once the above install is done, you should be able to test it by
running commands like this from your mythfrontend user:

sudo /home/mythtv/bin/mythtv-systemctl-helper.sh stop

That command should stop mythbackend, and it should not ask you for
authentication as sudo normally does.

If that works, then you need to make the following MythTV settings
changes:

mythtv-setup > 1. General > Shutdown/Wakeup Options > Server halt command:
  sudo /home/mythtv/bin/mythtv-systemctl-helper.sh halt

mythtv-setup > 1. General > Backend Control > Backend stop command:
  sudo /home/mythtv/bin/mythtv-systemctl-helper.sh stop

mythtv-setup > 1. General > Backend Control > Backend start command:
  sudo /home/mythtv/bin/mythtv-systemctl-helper.sh start

mythfrontend > Setup > General > Shutdown/Reboot Settings > Halt command:
  sudo /home/mythtv/bin/mythtv-systemctl-helper.sh poweroff

mythfrontend > Setup > General > Shutdown/Reboot Settings > Reboot command:
  sudo /home/mythtv/bin/mythtv-systemctl-helper.sh reboot

The mythfrontend commands are run locally on the frontend PC, so you
have to install the files and do those two setups on each frontend as
well as the backend PC.  I only have a combined frontend/backend box,
so I have not tested with remote frontends.

Please consider this to be beta software - I make no guarantees that
it will work on your system, but it does work on mine and I would like
to have some other people test it too.  And I am no expert on using
sudoers, so it is possible that I have left a security hole.  Again,
please let me know if you think I am doing something the wrong way.
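
Added example, not part of the original post: sudo matches the rule above by path, so the helper and every directory above it should be owned by root and not writable by the accounts the rule covers, whereas the install steps leave /home/mythtv/bin owned by mythtv. The function below audits that chain of ownership and modes. It assumes GNU stat and readlink; the function names, the optional trusted-UID and stop-directory arguments, the file name audit.sh and the constructed demo tree are illustrative.

```shell
#!/bin/bash
# Added example, not from the original post. Assumes GNU stat and readlink (as on Ubuntu).

# audit_sudo_target FILE [TRUSTED_UID] [STOP_DIR]
# Walk from FILE up to STOP_DIR (default /). Print one finding per line for each
# component not owned by TRUSTED_UID (default 0 = root) or writable by group or
# others. Returns 0 if clean, 1 if there are findings, 2 on error.
audit_sudo_target() {
    local p stop trusted uid mode rc=0
    p=$(readlink -f -- "$1") || return 2
    trusted=${2:-0}
    stop=$(readlink -f -- "${3:-/}") || return 2
    while :; do
        uid=$(stat -c %u -- "$p") || return 2
        mode=$(stat -c %a -- "$p") || return 2
        if [ "$uid" != "$trusted" ]; then
            echo "not owned by uid $trusted (owner uid $uid): $p"; rc=1
        fi
        # %a is octal; the leading 0 makes the shell read it as octal too.
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            echo "group/other writable (mode $mode): $p"; rc=1
        fi
        if [ "$p" = "$stop" ] || [ "$p" = "/" ]; then break; fi
        p=$(dirname -- "$p")
    done
    return $rc
}

# make_demo_tree: build a constructed copy of the post's layout under a temporary
# directory with tight modes, and print the temporary root.
make_demo_tree() {
    local t
    t=$(mktemp -d) || return 2
    mkdir -p "$t/home/mythtv/bin" || return 2
    : > "$t/home/mythtv/bin/mythtv-systemctl-helper.sh"
    chmod 755 "$t" "$t/home" "$t/home/mythtv" "$t/home/mythtv/bin"
    chmod 550 "$t/home/mythtv/bin/mythtv-systemctl-helper.sh"
    echo "$t"
}

# With an argument, audit that path against root, e.g. (hypothetical file name):
#   sudo ./audit.sh /home/mythtv/bin/mythtv-systemctl-helper.sh
if [ -n "${1:-}" ]; then
    audit_sudo_target "$1"
fi
```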

