public inbox for gentoo-user@lists.gentoo.org
* [gentoo-user] Allow non root users to edit files owned by root?
@ 2011-12-20 15:04 Tanstaafl
  2011-12-20 15:13 ` Michael Mol
  2011-12-20 17:19 ` [gentoo-user] " Nikos Chantziaras
  0 siblings, 2 replies; 21+ messages in thread
From: Tanstaafl @ 2011-12-20 15:04 UTC (permalink / raw
  To: gentoo-user

Hi all,

I'm guessing this is a sudo question, but I'm unfamiliar with the 
nuances of sudo (never had to use it before).

I have a new hosted VM server that I want to allow a user to be able to 
edit files owned by root, but without giving them the root password.

I already did:

/usr/sbin/visudo

and added the following line:

%sudoroot       ALL=(ALL) ALL

and made sure the user is in this group, but they still get an access 
denied error when trying to mv or cp files that are owned by root.

What is the best way to do this? I'd really prefer to not give them the 
root password so they can su -...

Thanks,

Charles




* Re: [gentoo-user] Allow non root users to edit files owned by root?
  2011-12-20 15:04 [gentoo-user] Allow non root users to edit files owned by root? Tanstaafl
@ 2011-12-20 15:13 ` Michael Mol
  2011-12-20 16:00   ` Florian Philipp
  2011-12-20 16:51   ` Tanstaafl
  2011-12-20 17:19 ` [gentoo-user] " Nikos Chantziaras
  1 sibling, 2 replies; 21+ messages in thread
From: Michael Mol @ 2011-12-20 15:13 UTC (permalink / raw
  To: gentoo-user

On Tue, Dec 20, 2011 at 10:04 AM, Tanstaafl <tanstaafl@libertytrek.org> wrote:
> Hi all,
>
> I'm guessing this is a sudo question, but I'm unfamiliar with the nuances of
> sudo (never had to use it before).
>
> I have a new hosted VM server that I want to allow a user to be able to edit
> files owned by root, but without giving them the root password.
>
> I already did:
>
> /usr/sbin/visudo
>
> and added the following line:
>
> %sudoroot       ALL=(ALL) ALL
>
> and made sure the user is in this group, but they still get an access denied
> error when trying to mv or cp files that are owned by root.
>
> What is the best way to do this? I'd really prefer to not give them the root
> password so they can su -...

The sudo command allows commands to be executed *as though they were root*.

'sudo su -' would work. So would 'sudo mv src dst'.

So, incidentally, would 'sudo passwd root'...

-- 
:wq




* Re: [gentoo-user] Allow non root users to edit files owned by root?
  2011-12-20 15:13 ` Michael Mol
@ 2011-12-20 16:00   ` Florian Philipp
  2011-12-20 17:03     ` Tanstaafl
  2011-12-22 15:41     ` Tanstaafl
  2011-12-20 16:51   ` Tanstaafl
  1 sibling, 2 replies; 21+ messages in thread
From: Florian Philipp @ 2011-12-20 16:00 UTC (permalink / raw
  To: gentoo-user

On 20.12.2011 16:13, Michael Mol wrote:
> On Tue, Dec 20, 2011 at 10:04 AM, Tanstaafl <tanstaafl@libertytrek.org> wrote:
>> Hi all,
>>
>> I'm guessing this is a sudo question, but I'm unfamiliar with the nuances of
>> sudo (never had to use it before).
>>
>> I have a new hosted VM server that I want to allow a user to be able to edit
>> files owned by root, but without giving them the root password.
>>
>> I already did:
>>
>> /usr/sbin/visudo
>>
>> and added the following line:
>>
>> %sudoroot       ALL=(ALL) ALL
>>
>> and made sure the user is in this group, but they still get an access denied
>> error when trying to mv or cp files that are owned by root.
>>
>> What is the best way to do this? I'd really prefer to not give them the root
>> password so they can su -...
> 
> The sudo command allows commands to be executed *as though they were root*.
> 
> 'sudo su -' would work. So would 'sudo mv src dst'.
> 
> So, incidentally, would 'sudo passwd root'...
> 

For file editing alone, you can allow rights to sudoedit, for example:
%sudoroot	sudoedit

This allows sudoroot members to execute `sudoedit $file` which starts an
editor (defined via environment variable EDITOR) with the file in a safe
fashion (similar to visudo). But you also have to restrict the editors
because most of them are able to spawn a shell (which would then have
root rights). Restricted editors like `rnano` or `rvim` circumvent this
issue. To do this, set something like this in your sudoers file:
editor=rnano:rvim

You should probably also restrict which files can be edited (not
/etc/passwd, /etc/shadow or /etc/sudoers, for sure!). You can do this
with globs. For example:
%sudoroot	sudoedit /var/www/*

Hope this helps,
Florian Philipp



* Re: [gentoo-user] Allow non root users to edit files owned by root?
  2011-12-20 15:13 ` Michael Mol
  2011-12-20 16:00   ` Florian Philipp
@ 2011-12-20 16:51   ` Tanstaafl
  2011-12-20 17:06     ` Michael Mol
  2011-12-21  5:55     ` Walter Dnes
  1 sibling, 2 replies; 21+ messages in thread
From: Tanstaafl @ 2011-12-20 16:51 UTC (permalink / raw
  To: gentoo-user

On 2011-12-20 10:13 AM, Michael Mol <mikemol@gmail.com> wrote:
> So, incidentally, would 'sudo passwd root'...

Ouch... any way to avoid that?

I guess the best way would be to simply give them access to the commands 
they need...

I'll look into that...

Thanks...




* Re: [gentoo-user] Allow non root users to edit files owned by root?
  2011-12-20 16:00   ` Florian Philipp
@ 2011-12-20 17:03     ` Tanstaafl
  2011-12-20 17:20       ` Florian Philipp
  2011-12-22 15:41     ` Tanstaafl
  1 sibling, 1 reply; 21+ messages in thread
From: Tanstaafl @ 2011-12-20 17:03 UTC (permalink / raw
  To: gentoo-user

On 2011-12-20 11:00 AM, Florian Philipp <lists@binarywings.net> wrote:
> You should probably also restrict which files can be edited (not
> /etc/passwd, /etc/shadow or /etc/sudoers, for sure!). You can do this
> with globs. For example:
> %sudoroot	sudoedit /var/www/*

Great, that helps... but...

He wants to use nano, so I set this up for nano, but there is one little 
issue...

He sometimes uses different flags with nano (ie, 'nano -wc filename') - 
is there a way to specify the use with or without flags? I know you can use:

/bin/nano -* /etc/apache2/*,

But this fails if no flags are specified.




* Re: [gentoo-user] Allow non root users to edit files owned by root?
  2011-12-20 16:51   ` Tanstaafl
@ 2011-12-20 17:06     ` Michael Mol
  2011-12-21  5:55     ` Walter Dnes
  1 sibling, 0 replies; 21+ messages in thread
From: Michael Mol @ 2011-12-20 17:06 UTC (permalink / raw
  To: gentoo-user

On Tue, Dec 20, 2011 at 11:51 AM, Tanstaafl <tanstaafl@libertytrek.org> wrote:
> On 2011-12-20 10:13 AM, Michael Mol <mikemol@gmail.com> wrote:
>>
>> So, incidentally, would 'sudo passwd root'...
>
>
> Ouch... any way to avoid that?
>
> I guess the best way would be to simply give them access to the commands
> they need...
>
> I'll look into that...

The best way would probably be to work with UNIX privileges or ACLs.
You've got a file you want people other than root to be able to edit.

groupadd $SPECIALGROUP
usermod -a -G $SPECIALGROUP $THEIRUSERNAME
chown :$SPECIALGROUP $FILENAME
chmod g+w $FILENAME

(You might want to chmod g-x $FILENAME, too, just for safety's sake.)

-- 
:wq




* [gentoo-user] Re: Allow non root users to edit files owned by root?
  2011-12-20 15:04 [gentoo-user] Allow non root users to edit files owned by root? Tanstaafl
  2011-12-20 15:13 ` Michael Mol
@ 2011-12-20 17:19 ` Nikos Chantziaras
  2011-12-22 15:44   ` Tanstaafl
  1 sibling, 1 reply; 21+ messages in thread
From: Nikos Chantziaras @ 2011-12-20 17:19 UTC (permalink / raw
  To: gentoo-user

On 12/20/2011 05:04 PM, Tanstaafl wrote:
> I have a new hosted VM server that I want to allow a user to be able to
> edit files owned by root, but without giving them the root password.

If you allow someone to edit root owned files, you're practically giving 
him root access.  So the fact that he doesn't know the root password is 
totally irrelevant; he doesn't even need the password anymore to gain 
root access since he already has that access.

So you might want to rethink the way you want to allow him to edit those 
files.





* Re: [gentoo-user] Allow non root users to edit files owned by root?
  2011-12-20 17:03     ` Tanstaafl
@ 2011-12-20 17:20       ` Florian Philipp
  2011-12-20 18:20         ` Tanstaafl
  0 siblings, 1 reply; 21+ messages in thread
From: Florian Philipp @ 2011-12-20 17:20 UTC (permalink / raw
  To: gentoo-user

On 20.12.2011 18:03, Tanstaafl wrote:
> On 2011-12-20 11:00 AM, Florian Philipp <lists@binarywings.net> wrote:
>> You should probably also restrict which files can be edited (not
>> /etc/passwd, /etc/shadow or /etc/sudoers, for sure!). You can do this
>> with globs. For example:
>> %sudoroot    sudoedit /var/www/*
> 
> Great, that helps... but...
> 
> He wants to use nano, so I set this up for nano, but there is one little
> issue...
> 
> He sometimes uses different flags with nano (ie, 'nano -wc filename') -
> is there a way to specify the use with or without flags? I know you can
> use:
> 
> /bin/nano -* /etc/apache2/*,
> 
> But this fails if no flags are specified.
> 

Well, as I've said, using a /normal/ editor doesn't solve the problem
because you can use nano for opening a shell, thereby escalating your
privileges. You have to use rnano (or nano -R). This solution is not
really meant for the luxury of a full blown editor with arbitrary
arguments and capabilities. rnano doesn't read nanorc files, for
example. If you cannot agree on a common set of safe flags, you
shouldn't use sudo for this purpose.

In that case, I recommend Michael's proposed solution of ACLs or
probably group write access +setgid to the specific directories.
Alternatively, allow editing outside of the directory and something like
%sudoroot	cp * /etc/apache/*
so that they can /commit/ their changes instead of editing directly.

Regards,
Florian Philipp



* Re: [gentoo-user] Allow non root users to edit files owned by root?
  2011-12-20 17:20       ` Florian Philipp
@ 2011-12-20 18:20         ` Tanstaafl
  0 siblings, 0 replies; 21+ messages in thread
From: Tanstaafl @ 2011-12-20 18:20 UTC (permalink / raw
  To: gentoo-user

On 2011-12-20 12:20 PM, Florian Philipp <lists@binarywings.net> wrote:
> Well, as I've said, using a /normal/ editor doesn't solve the problem
> because you can use nano for opening a shell, thereby escalating your
> privileges. You have to use rnano (or nano -R). This solution is not
> really meant for the luxury of a full blown editor with arbitrary
> arguments and capabilities. rnano doesn't read nanorc files, for
> example. If you cannot agree on a common set of safe flags, you
> shouldn't use sudo for this purpose.

Points taken from all, thanks...

I settled on requiring the -R flag for nano, and limited the files that 
he can edit, so he will simply have to live with this.

Thanks all...




* Re: [gentoo-user] Allow non root users to edit files owned by root?
  2011-12-20 16:51   ` Tanstaafl
  2011-12-20 17:06     ` Michael Mol
@ 2011-12-21  5:55     ` Walter Dnes
  2011-12-21 19:07       ` Florian Philipp
  1 sibling, 1 reply; 21+ messages in thread
From: Walter Dnes @ 2011-12-21  5:55 UTC (permalink / raw
  To: gentoo-user

On Tue, Dec 20, 2011 at 11:51:11AM -0500, Tanstaafl wrote
> On 2011-12-20 10:13 AM, Michael Mol <mikemol@gmail.com> wrote:
> > So, incidentally, would 'sudo passwd root'...
> 
> Ouch... any way to avoid that?
> 
> I guess the best way would be to simply give them access to the commands 
> they need...
> 
> I'll look into that...

  Howsabout in sudoers giving them the right to execute 2 commands...

cat /etc/whatever > scratchfile (this one may not be necessary)
cat scratchfile > /etc/whatever

  The first command copies the contents of the file to whatever
directory the user is in.  He can work on the copy using his regular
privileges.  Note that I'm assuming the user does not have read
privileges on the file.  If he does have read privileges, then the first
command does not require sudoers.

  At the last step, he can send the finished copy back to the
original file.  The sequence the user will have to follow is, logged in
as regular user...

1a) If he does *NOT* have read privileges to /etc/whatever
touch scratchfile
sudo cat /etc/whatever > scratchfile

1b) If he *DOES* have read privileges to /etc/whatever
cp /etc/whatever scratchfile


2) edit scratchfile *LOCALLY* with his favourite editor.  No need to
worry about restricting an editor.

3) sudo cat scratchfile > /etc/whatever

Note the use of "cat", rather than "cp", when using sudo.  "cp" will
copy the file attributes, including the fact that it's owned by the user
doing the copying, e.g. sudo (as root) copies the file and it's owned by
root (oops).  Ditto for "cat" when redirected *TO A NEW FILE*.  "touch"
guarantees that the file will exist, and get overwritten by the content
of /etc/whatever, but still retaining the fact that it's owned by the
local user.

If local user has read access to /etc/whatever, that makes things
easier.  When he does "cp" as local user, the resulting file is owned by
him.  Edit at leisure, and send the result back with "cat".

-- 
Walter Dnes <waltdnes@waltdnes.org>




* Re: [gentoo-user] Allow non root users to edit files owned by root?
  2011-12-21  5:55     ` Walter Dnes
@ 2011-12-21 19:07       ` Florian Philipp
  0 siblings, 0 replies; 21+ messages in thread
From: Florian Philipp @ 2011-12-21 19:07 UTC (permalink / raw
  To: gentoo-user

On 21.12.2011 06:55, Walter Dnes wrote:
> On Tue, Dec 20, 2011 at 11:51:11AM -0500, Tanstaafl wrote
>> On 2011-12-20 10:13 AM, Michael Mol <mikemol@gmail.com> wrote:
>>> So, incidentally, would 'sudo passwd root'...
>>
>> Ouch... any way to avoid that?
>>
>> I guess the best way would be to simply give them access to the commands 
>> they need...
>>
>> I'll look into that...
> 
>   Howsabout in sudoers giving them the right to execute 2 commands...
> 
> cat /etc/whatever > scratchfile (this one may not be necessary)
> cat scratchfile > /etc/whatever
> 

That doesn't work because redirection is not done by the sudoed process
but by the calling shell. You need to do something like this:
/bin/sh -c 'cat scratchfile > /etc/whatever'

>   The first command copies the contents of the file to whatever
> directory the user is in.  He can work on the copy using his regular
> privileges.  Note that I'm assuming the user does not have read
> privileges on the file.  If he does have read privileges, then the first
> command does not require sudoers.
> 
>   At the last step, he can send the finished copy back to the
> original file.  The sequence the user will have to follow is, logged in
> as regular user...
> 
> 1a) If he does *NOT* have read privileges to /etc/whatever
> touch scratchfile
> sudo cat /etc/whatever > scratchfile
> 
> 1b) If he *DOES* have read privileges to /etc/whatever
> cp /etc/whatever scratchfile
> 
> 
> 2) edit scratchfile *LOCALLY* with his favourite editor.  No need to
> worry about restricting an editor.
> 
> 3) sudo cat scratchfile > /etc/whatever
> 

I just double checked my assumption that sudoedit uses $EDITOR with root
access. While the man page doesn't state it, it seems that the editor is
called with normal user rights and sudo handles exactly the same
sequence you outlined above (using a temporary file owned by
$user:$user, chmod 0600). Therefore it seems you can safely use a normal
editor with sudoedit. Sorry for the confusion.

> Note the use of "cat", rather than "cp", when using sudo.  "cp" will
> copy the file attributes, including the fact that it's owned by the user
> doing the copying, e.g. sudo (as root) copies the file and it's owned by
> root (oops).  Ditto for "cat" when redirected *TO A NEW FILE*.  "touch"
> guarantees that the file will exist, and get overwritten by the content
> of /etc/whatever, but still retaining the fact that it's owned by the
> local user.
> 

I think you can get the same result with `cp --no-preserve=all` but
probably with higher performance (not that it makes a difference with
config files).

> If local user has read access to /etc/whatever, that makes things
> easier.  When he does "cp" as local user, the resulting file is owned by
> him.  Edit at leisure, and send the result back with "cat".
> 




* Re: [gentoo-user] Allow non root users to edit files owned by root?
  2011-12-20 16:00   ` Florian Philipp
  2011-12-20 17:03     ` Tanstaafl
@ 2011-12-22 15:41     ` Tanstaafl
  2011-12-22 15:46       ` James Broadhead
  1 sibling, 1 reply; 21+ messages in thread
From: Tanstaafl @ 2011-12-22 15:41 UTC (permalink / raw
  To: gentoo-user

On 2011-12-20 11:00 AM, Florian Philipp <lists@binarywings.net> wrote:
> You should probably also restrict which files can be edited (not
> /etc/passwd, /etc/shadow or /etc/sudoers, for sure!). You can do this
> with globs. For example:
> %sudoroot	sudoedit /var/www/*

Ok, just found out that subdirectories are not included when doing it 
this way, and haven't found a way to include them...

Please tell me there is a way, and I won't have to explicitly define 
every subdirectory under /var/www that they will need to be able to work 
in...




* Re: [gentoo-user] Re: Allow non root users to edit files owned by root?
  2011-12-20 17:19 ` [gentoo-user] " Nikos Chantziaras
@ 2011-12-22 15:44   ` Tanstaafl
  2011-12-22 18:00     ` Nikos Chantziaras
  0 siblings, 1 reply; 21+ messages in thread
From: Tanstaafl @ 2011-12-22 15:44 UTC (permalink / raw
  To: gentoo-user

On 2011-12-20 12:19 PM, Nikos Chantziaras <realnc@arcor.de> wrote:
> If you allow someone to edit root owned files, you're practically giving
> him root access.

Well, yeah, but only on those defined files...

I'm not worried about them messing up stuff in /var/www/*, but I am 
worried about them messing up stuff in /etc

> So the fact that he doesn't know the root password is totally
> irrelevant; he doesn't even need the password anymore to gain root
> access since he already has that access.

But he only has root access in explicitly defined, non-system, non 
critical directories...

> So you might want to rethink the way you want to allow him to edit those
> files.

I *want* him to be able to do whatever he wants in /var/www (and a few 
other non critical directories)...




* Re: [gentoo-user] Allow non root users to edit files owned by root?
  2011-12-22 15:41     ` Tanstaafl
@ 2011-12-22 15:46       ` James Broadhead
  0 siblings, 0 replies; 21+ messages in thread
From: James Broadhead @ 2011-12-22 15:46 UTC (permalink / raw
  To: gentoo-user

On 22 December 2011 15:41, Tanstaafl <tanstaafl@libertytrek.org> wrote:
> On 2011-12-20 11:00 AM, Florian Philipp <lists@binarywings.net> wrote:
>>
>> You should probably also restrict which files can be edited (not
>> /etc/passwd, /etc/shadow or /etc/sudoers, for sure!). You can do this
>> with globs. For example:
>> %sudoroot       sudoedit /var/www/*
>
>
> Ok, just found out that subdirectories are not included when doing it this
> way, and haven't found a way to include them...
>
> Please tell me there is a way, and I won't have to explicitly define every
> subdirectory under /var/www that they will need to be able to work in...

Perhaps I missed it, but my approach to this would be to create a
'webadmin' group, and change the group of the directory (and
applicable subdirs).




* [gentoo-user] Re: Allow non root users to edit files owned by root?
  2011-12-22 15:44   ` Tanstaafl
@ 2011-12-22 18:00     ` Nikos Chantziaras
  2011-12-22 18:53       ` Tanstaafl
  0 siblings, 1 reply; 21+ messages in thread
From: Nikos Chantziaras @ 2011-12-22 18:00 UTC (permalink / raw
  To: gentoo-user

On 12/22/2011 05:44 PM, Tanstaafl wrote:
> On 2011-12-20 12:19 PM, Nikos Chantziaras <realnc@arcor.de> wrote:
>> If you allow someone to edit root owned files, you're practically giving
>> him root access.
>
> Well, yeah, but only on those defined files...

root access is global.  You can't limit it.  root is root, the all 
powerful Unix being.  Period :-)


>> So the fact that he doesn't know the root password is totally
>> irrelevant; he doesn't even need the password anymore to gain root
>> access since he already has that access.
>
> But he only has root access in explicitly defined, non-system, non
> critical directories...

Again, root can have no limits.


>> So you might want to rethink the way you want to allow him to edit those
>> files.
>
> I *want* him to be able to do whatever he wants in /var/www (and a few
> other non critical directories)...

Then you put the files in a special group and make them g+w, and add the 
affected users to that group.  Then they will be able to write to those 
files.  If you want to give them write access to a whole directory, you 
put the directory in the group and make it g+w.  This is how it's 
traditionally been done in Unix for ages, and it's extremely easy to set up.
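
Added example (not part of this message or of any post in this thread): the group approach suggested here and earlier by Michael Mol, Florian Philipp and James Broadhead, applied to a whole tree with setgid directories. The function names and the scratch paths in the demo are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: group-writable tree with setgid directories.
# On a real system run share_tree as root with the tree and group you chose;
# the demo at the end only touches a scratch directory.

share_tree() {
    # $1: top of the tree, $2: existing group (name or numeric gid)
    tree=$1 group=$2
    # -h changes a symlink itself instead of whatever it points to.
    chgrp -hR "$group" "$tree" || return 1
    # Directories: group rwx plus setgid, so new entries inherit the group.
    find "$tree" -type d -exec chmod g+rwxs {} + || return 1
    # Regular files: group read/write only, no execute bit added.
    find "$tree" -type f -exec chmod g+rw {} + || return 1
}

check_tree() {
    # Prints every path that breaks the policy; no output means clean.
    tree=$1 group=$2
    find "$tree" ! -group "$group" -print
    find "$tree" -type d ! -perm -2070 -print
    find "$tree" -type f ! -perm -0060 -print
}

# Demo on a constructed scratch tree, using the caller's own primary group.
demo=$(mktemp -d)
mkdir -p "$demo/htdocs/sub"
: > "$demo/htdocs/sub/index.html"
share_tree "$demo/htdocs" "$(id -g)"
check_tree "$demo/htdocs" "$(id -g)"
rm -rf "$demo"
```

New files still follow each user's umask: with `umask 022` they are created without g+w, and `check_tree` will list them.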





* Re: [gentoo-user] Re: Allow non root users to edit files owned by root?
  2011-12-22 18:00     ` Nikos Chantziaras
@ 2011-12-22 18:53       ` Tanstaafl
  2011-12-22 19:21         ` Alan McKinnon
  2011-12-22 19:36         ` Nikos Chantziaras
  0 siblings, 2 replies; 21+ messages in thread
From: Tanstaafl @ 2011-12-22 18:53 UTC (permalink / raw
  To: gentoo-user

On 2011-12-22 1:00 PM, Nikos Chantziaras <realnc@arcor.de> wrote:
> On 12/22/2011 05:44 PM, Tanstaafl wrote:
>> On 2011-12-20 12:19 PM, Nikos Chantziaras <realnc@arcor.de> wrote:
>>> If you allow someone to edit root owned files, you're practically giving
>>> him root access.
>>
>> Well, yeah, but only on those defined files...
>
> root access is global. You can't limit it. root is root, the all
> powerful Unix being. Period :-)

Ummm... then what is the purpose of sudo??

If I add the following line to sudoers:

%sudoroot       ALL=(root)NOPASSWD:/bin/chmod /var/www/localhost/htdocs/*

Are you saying that this does NOT limit anyone in the sudoroot group to 
*only* be able to run the chmod command, and only on files located in 
/var/www/localhost/htdocs?

> Then you put the files in a special group and make them g+w, and add the
> affected users to that group. Then they will be able to write to those
> files. If you want to give them write access to a whole directory, you
> put the directory in the group and make it g+w. This is how it's
> traditionally been done in Unix for ages, and it's extremely easy to set
> up.

Yeah, I think I got a little tunnel vision trying to do this with sudo.




* Re: [gentoo-user] Re: Allow non root users to edit files owned by root?
  2011-12-22 18:53       ` Tanstaafl
@ 2011-12-22 19:21         ` Alan McKinnon
  2011-12-22 19:33           ` Tanstaafl
  2011-12-22 19:42           ` Nikos Chantziaras
  2011-12-22 19:36         ` Nikos Chantziaras
  1 sibling, 2 replies; 21+ messages in thread
From: Alan McKinnon @ 2011-12-22 19:21 UTC (permalink / raw
  To: gentoo-user

On Thu, 22 Dec 2011 13:53:43 -0500
Tanstaafl <tanstaafl@libertytrek.org> wrote:

> On 2011-12-22 1:00 PM, Nikos Chantziaras <realnc@arcor.de> wrote:
> > On 12/22/2011 05:44 PM, Tanstaafl wrote:
> >> On 2011-12-20 12:19 PM, Nikos Chantziaras <realnc@arcor.de> wrote:
> >>> If you allow someone to edit root owned files, you're practically
> >>> giving him root access.
> >>
> >> Well, yeah, but only on those defined files...
> >
> > root access is global. You can't limit it. root is root, the all
> > powerful Unix being. Period :-)
> 
> Ummm... then what is the purpose of sudo??

The purpose of sudo is to provide *fine-grained* control of elevated
privilege to users and groups. Few people seem to realize just how
finely this can be controlled, most assume that sudo lets you become
root and that's it.

As with all things fine-grained, it can get very complex very quick. If
you want to allow 5 commands to operate on 5 files, you have to make 25
allow statements (unless you can use some funky wildcard syntax).


> 
> If I add the following line to sudoers:
> 
> %sudoroot
> ALL=(root)NOPASSWD:/bin/chmod /var/www/localhost/htdocs/*
> 
> Are you saying that this does NOT limit anyone in the sudoroot group
> to *only* be able to run the chmod command, and only on files located
> in /var/www/localhost/htdocs?

Not quite, take out the word "only". When you say only, you exclude
everything else and that is not true - you might have a second set of
permissions somewhere else. The line you quoted does exactly what
you said without the word "only" - it allows the action. Different
commands and different files are outside the scope of that config line

> 
> > Then you put the files in a special group and make them g+w, and
> > add the affected users to that group. Then they will be able to write
> > to those files. If you want to give them write access to a whole
> > directory, you put the directory in the group and make it g+w. This
> > is how it's traditionally been done in Unix for ages, and it's
> > extremely easy to set up.
> 
> Yeah, I think I got a little tunnel vision trying to do this with
> sudo.

Permissions and right of access is hard. Few people know how to do it
right, and you can't consider just sudo in isolation.

sudo is one command in a whole system and you have to take that into
account too. The method you use will depend more on everything else
that machine can do than just on what sudo you can do.

If you need to allow just one single user to access just one single
directory, you are better off with using Posix ACLS (NOT regular
owner, group and perms - that almost never works out right for www data)

If you have many different users needing all sorts of different access
to things, you might even consider SE-Linux. Just be prepared for huge
amounts of customizing. But if it really is what you need, SE Linux is
worth the sweat.

 
-- 
Alan McKinnnon
alan.mckinnon@gmail.com
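
Added example, not written by anyone in this thread: a line-oriented check that flags the rule shapes discussed above (a blanket `ALL` grant, `NOPASSWD`, and wildcards in the arguments of commands other than `sudoedit`). The sample rules are constructed from lines quoted in the thread, with the host and run-as fields filled in as assumptions; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: heuristic lint for sudoers rules. It is not a sudoers
# parser: aliases, line continuations and included files are ignored.

sample_sudoers() {
    # Constructed sample; line 1 is this comment line inside the file.
    cat <<'EOF'
# constructed sample built from rules quoted in this thread
%sudoroot ALL=(ALL) ALL
%sudoroot ALL=(root) sudoedit /var/www/*
%sudoroot ALL=(root) NOPASSWD: /bin/chmod /var/www/localhost/htdocs/*
%sudoroot ALL=(root) /bin/nano -R /etc/apache2/*
EOF
}

lint_sudoers() {
    # $1: sudoers-style file. Prints "<line number>:<finding>" per hit.
    awk '
    /^[ \t]*(#|$)/    { next }      # comments and blank lines
    /^[ \t]*Defaults/ { next }      # option lines are not rules
    {
        eq = index($0, "=")
        if (eq == 0) next
        spec = substr($0, eq + 1)
        sub(/^[ \t]+/, "", spec)
        sub(/^\([^)]*\)[ \t]*/, "", spec)          # drop the (runas) part
        nopass = 0
        while (match(spec, /^[A-Z_]+:[ \t]*/)) {   # strip leading tags
            if (substr(spec, 1, 9) == "NOPASSWD:") nopass = 1
            spec = substr(spec, RLENGTH + 1)
        }
        if (nopass) print NR ":nopasswd"
        n = split(spec, cmds, /[ \t]*,[ \t]*/)
        for (i = 1; i <= n; i++) {
            c = cmds[i]
            sub(/^[ \t]+/, "", c); sub(/[ \t]+$/, "", c)
            split(c, w, /[ \t]+/)
            if (w[1] == "ALL")
                print NR ":any-command"
            # sudoers matches the arguments as one string, so * and ? in
            # them also match spaces and slashes; sudoedit is excluded
            # because its arguments are treated as path names.
            else if (w[1] != "sudoedit" && c ~ /[ \t].*[*?]/)
                print NR ":wildcard-args"
        }
    }' "$1"
}

# Run the lint over the constructed sample.
sample=$(mktemp)
sample_sudoers > "$sample"
lint_sudoers "$sample"
rm -f "$sample"
```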




* Re: [gentoo-user] Re: Allow non root users to edit files owned by root?
  2011-12-22 19:21         ` Alan McKinnon
@ 2011-12-22 19:33           ` Tanstaafl
  2011-12-22 19:49             ` Alan McKinnon
  2011-12-22 19:42           ` Nikos Chantziaras
  1 sibling, 1 reply; 21+ messages in thread
From: Tanstaafl @ 2011-12-22 19:33 UTC (permalink / raw
  To: gentoo-user

Thanks for the explanation Alan... have to do some reading/studying on this.

Any good pointers for best practices for this kind of thing?

Thanks again...

On 2011-12-22 2:21 PM, Alan McKinnon <alan.mckinnon@gmail.com> wrote:
> On Thu, 22 Dec 2011 13:53:43 -0500
> Tanstaafl <tanstaafl@libertytrek.org> wrote:
>
>> On 2011-12-22 1:00 PM, Nikos Chantziaras <realnc@arcor.de> wrote:
>>> On 12/22/2011 05:44 PM, Tanstaafl wrote:
>>>> On 2011-12-20 12:19 PM, Nikos Chantziaras <realnc@arcor.de> wrote:
>>>>> If you allow someone to edit root owned files, you're practically
>>>>> giving him root access.
>>>>
>>>> Well, yeah, but only on those defined files...
>>>
>>> root access is global. You can't limit it. root is root, the all
>>> powerful Unix being. Period :-)
>>
>> Ummm... then what is the purpose of sudo??
>
> The purpose of sudo is to provide *fine-grained* control of elevated
> privilege to users and groups. Few people seem to realize just how
> finely this can be controlled, most assume that sudo lets you become
> root and that's it.
>
> As with all things fine-grained, it can get very complex very quick. If
> you want to allow 5 commands to operate on 5 files, you have to make 25
> allow statements (unless you can use some funky wildcard syntax).
>
>
>>
>> If I add the following line to sudoers:
>>
>> %sudoroot
>> ALL=(root)NOPASSWD:/bin/chmod /var/www/localhost/htdocs/*
>>
>> Are you saying that this does NOT limit anyone in the sudoroot group
>> to *only* be able to run the chmod command, and only on files located
>> in /var/www/localhost/htdocs?
>
> Not quite, take out the word "only". When you say only, you exclude
> everything else and that is not true - you might have a second set of
> permissions somewhere else. The line you quoted does exactly what
> you said without the word "only" - it allows the action. Different
> commands and different files are outside the scope of that config line
>
>>
>>> Then you put the files in a special group and make them g+w, and
>>> add the affected users to that group. Then they will be able to write
>>> to those files. If you want to give them write access to a whole
>>> directory, you put the directory in the group and make it g+w. This
>>> is how it's traditionally been done in Unix for ages, and it's
>>> extremely easy to set up.
>>
>> Yeah, I think I got a little tunnel vision trying to do this with
>> sudo.
>
> Permissions and right of access is hard. Few people know how to do it
> right, and you can't consider just sudo in isolation.
>
> sudo is one command in a whole system and you have to take that into
> account too. The method you use will depend more on everything else
> that machine can do than just on what sudo you can do.
>
> If you need to allow just one single user to access just one single
> directory, you are better off with using Posix ACLS (NOT regular
> owner, group and perms - that almost never works out right for www data)
>
> If you have many different users needing all sorts of different access
> to things, you might even consider SE-Linux. Just be prepared for huge
> amounts of customizing. But if it really is what you need, SE Linux is
> worth the sweat.
>
>





* [gentoo-user] Re: Allow non root users to edit files owned by root?
  2011-12-22 18:53       ` Tanstaafl
  2011-12-22 19:21         ` Alan McKinnon
@ 2011-12-22 19:36         ` Nikos Chantziaras
  1 sibling, 0 replies; 21+ messages in thread
From: Nikos Chantziaras @ 2011-12-22 19:36 UTC (permalink / raw
  To: gentoo-user

On 12/22/2011 08:53 PM, Tanstaafl wrote:
> On 2011-12-22 1:00 PM, Nikos Chantziaras <realnc@arcor.de> wrote:
>> On 12/22/2011 05:44 PM, Tanstaafl wrote:
>>> On 2011-12-20 12:19 PM, Nikos Chantziaras <realnc@arcor.de> wrote:
>>>> If you allow someone to edit root owned files, you're practically
>>>> giving
>>>> him root access.
>>>
>>> Well, yeah, but only on those defined files...
>>
>> root access is global. You can't limit it. root is root, the all
>> powerful Unix being. Period :-)
>
> Ummm... then what is the purpose of sudo??

sudo is for executing programs as another user.  It is not for giving 
file permissions.


> If I add the following line to sudoers:
>
> %sudoroot ALL=(root)NOPASSWD:/bin/chmod /var/www/localhost/htdocs/*
>
> Are you saying that this does NOT limit anyone in the sudoroot group to
> *only* be able to run the chmod command, and only on files located in
> /var/www/localhost/htdocs?

That doesn't seem to work at all here.  But even if it did work, the 
users still gain full root access.  Look at what users can do:

   cd /var/www/localhost/htdocs
   sudo chmod a+w some_directory
   cd some_directory
   ln /etc/passwd .
   sudo chmod a+w passwd

There.  He now has full write access to /etc/passwd.  And with the same 
methodology, to every file in the system.




^ permalink raw reply	[flat|nested] 21+ messages in thread
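
A defender's check for the hard-link condition shown in the message above, as an added example that is not part of the thread: it lists files in a tree that share an inode with another path, which is what makes a root-run chmod inside the tree reach files outside it. The function names are hypothetical, and the `fs.protected_hardlinks` sysctl it reports exists on Linux 3.6 and later, which postdates this thread.

```shell
#!/bin/sh
# Added example (not from the thread): audit a tree that a sudoers rule such as
#   %sudoroot ALL=(root)NOPASSWD:/bin/chmod /var/www/localhost/htdocs/*
# exposes to root-run chmod. Function names are hypothetical.

# Print every regular file under DIR whose inode has more than one name.
# The other name may live outside DIR (the /etc/passwd case above), so a
# chmod through the name inside DIR changes that file too.
multi_linked_files() {
    find "$1" -xdev -type f -links +1 -print
}

# Succeed only if DIR contains no multiply-linked regular files.
tree_is_clean() {
    [ -z "$(multi_linked_files "$1")" ]
}

# Succeed only if FILE is a regular file (not a symlink) with exactly one
# name, i.e. changing its mode cannot affect a path elsewhere.
is_single_linked() {
    [ -n "$(find "$1" -prune -type f -links 1 -print 2>/dev/null)" ]
}

# Report the kernel's hard-link restriction where the sysctl exists
# (Linux 3.6 and later). 1 means users cannot create links to files they
# do not own, unless they already have read and write access to them.
hardlink_protection() {
    cat /proc/sys/fs/protected_hardlinks 2>/dev/null || echo unknown
}

# Stand-alone use: sh audit.sh /var/www/localhost/htdocs
if [ "$#" -gt 0 ]; then
    echo "fs.protected_hardlinks: $(hardlink_protection)"
    if tree_is_clean "$1"; then
        echo "OK: no multiply-linked files under $1"
    else
        echo "WARNING: files under $1 share an inode with another path:"
        multi_linked_files "$1"
        exit 1
    fi
fi
```

A clean result only describes the tree at the moment of the scan; the group-write or ACL setups recommended elsewhere in this thread avoid running chmod as root at all.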

* [gentoo-user] Re: Allow non root users to edit files owned by root?
  2011-12-22 19:21         ` Alan McKinnon
  2011-12-22 19:33           ` Tanstaafl
@ 2011-12-22 19:42           ` Nikos Chantziaras
  1 sibling, 0 replies; 21+ messages in thread
From: Nikos Chantziaras @ 2011-12-22 19:42 UTC (permalink / raw
  To: gentoo-user

> If you need to allow just one single user to access just one single
> directory, you are better off with using Posix ACLS (NOT regular
> owner, group and perms - that almost never works out right for www data)

Depends.  On a multi-user server I maintain, where every user has a 
~/public_html/ directory, I let apache run PHP scripts with suphp 
(www-apache/mod_suphp) so that files are not written with "www-data" or 
"apache" permissions, but fully belong to the users, like every other 
file they own.  This means there's no need for ACLs or any other kind of 
permission setup.




^ permalink raw reply	[flat|nested] 21+ messages in thread

* Re: [gentoo-user] Re: Allow non root users to edit files owned by root?
  2011-12-22 19:33           ` Tanstaafl
@ 2011-12-22 19:49             ` Alan McKinnon
  0 siblings, 0 replies; 21+ messages in thread
From: Alan McKinnon @ 2011-12-22 19:49 UTC (permalink / raw
  To: gentoo-user

On Thu, 22 Dec 2011 14:33:47 -0500
Tanstaafl <tanstaafl@libertytrek.org> wrote:

> Thanks for the explanation Alan... have to do some reading/studying
> on this.
> 
> Any good pointers for best practices for this kind of thing?


"Best practice" - the two most useless words in all of IT.

By definition best practice is always optimized for someone else (or
for nothing), never for you. Yes, there are guidelines about security
that are very helpful, but step 1 is always to know exactly what YOU
are trying to accomplish and what is going to work best for YOU. Your
opinion in this is everything, mine is almost irrelevant.

Best advice I can give is to read up on the various technologies
mentioned in this thread so that you have a good grasp of what they
achieve (never mind the detail, think big picture). Usually, what you
should do next then becomes quite obvious.


> 
> Thanks again...
> 
> On 2011-12-22 2:21 PM, Alan McKinnon <alan.mckinnon@gmail.com> wrote:
> > On Thu, 22 Dec 2011 13:53:43 -0500
> > Tanstaafl<tanstaafl@libertytrek.org>  wrote:
> >
> >> On 2011-12-22 1:00 PM, Nikos Chantziaras<realnc@arcor.de>  wrote:
> >>> On 12/22/2011 05:44 PM, Tanstaafl wrote:
> >>>> On 2011-12-20 12:19 PM, Nikos Chantziaras<realnc@arcor.de>
> >>>> wrote:
> >>>>> If you allow someone to edit root owned files, you're
> >>>>> practically giving him root access.
> >>>>
> >>>> Well, yeah, but only on those defined files...
> >>>
> >>> root access is global. You can't limit it. root is root, the all
> >>> powerful Unix being. Period :-)
> >>
> >> Ummm... then what is the purpose of sudo??
> >
> > The purpose of sudo is to provide *fine-grained* control of elevated
> > privilege to users and groups. Few people seem to realize just how
> > finely this can be controlled, most assume that sudo lets you become
> > root and that's it.
> >
> > As with all things fine-grained, it can get very complex very
> > quick. If you want to allow 5 commands to operate on 5 files, you
> > have to make 25 allow statements (unless you can use some funky
> > wildcard syntax).
> >
> >
> >>
> >> If I add the following line to sudoers:
> >>
> > >> %sudoroot ALL=(root)NOPASSWD:/bin/chmod /var/www/localhost/htdocs/*
> >>
> >> Are you saying that this does NOT limit anyone in the sudoroot
> >> group to *only* be able to run the chmod command, and only on
> >> files located in /var/www/localhost/htdocs?
> >
> > Not quite, take out the word "only". When you say only, you exclude
> > everything else and that is not true - you might have a second set
> > of permissions somewhere else. The line you quoted does exactly what
> > you said without the word "only" - it allows the action. Different
> > commands and different files are outside the scope of that config
> > line
> >
> >>
> >>> Then you put the files in a special group and make them g+w, and
> >>> add the affected users to that group. Then they will able to write
> >>> to those files. If you want to give them write access to a whole
> >>> directory, you put the directory in the group and make it g+w.
> >>> This is how it's traditionally been done in Unix for ages, and
> >>> it's extremely easy to set up.
> >>
> >> Yeah, I think I got a little tunnel vision trying to do this with
> >> sudo.
> >
> > Permissions and right of access is hard. Few people know how to do
> > it right, and you can't consider just sudo in isolation.
> >
> > sudo is one command in a whole system and you have to take that into
> > account too. The method you use will depend more on everything else
> > that machine can do than just on what sudo you can do.
> >
> > If you need to allow just one single user to access just one single
> > directory, you are better off with using Posix ACLS (NOT regular
> > owner, group and perms - that almost never works out right for www
> > data)
> >
> > If you have many different users needing all sorts of different
> > access to things, you might even consider SE-Linux. Just be
> > prepared for huge amounts of customizing. But if it really is what
> > you need, SE Linux is worth the sweat.
> >
> >
> 
> 



-- 
Alan McKinnnon
alan.mckinnon@gmail.com



^ permalink raw reply	[flat|nested] 21+ messages in thread
