user with special privileges ... !

Taking care of your Linux box.
mrkkhattak
Site Admin
Posts: 285
Joined: Wed Aug 07, 2002 8:00 pm
Location: Karachi

user with special privileges ... !

Post by mrkkhattak »

Assalamualaikum,

How could I create a user with some special privileges
(i.e. only by defining its group as root will he
have access to certain areas, or not)?

I want to create a user who could edit/remove changes
to apache...

Besides that, can anybody explain to me, or give me a link
or a book name, which could give me in-depth info
regarding user administration?
mahin
Major
Posts: 605
Joined: Wed Aug 07, 2002 8:00 pm
Location: Karachi

user with special privileges ... !

Post by mahin »

If you want, you can borrow Linux System Administration by M. Carling / Stephen Degler / James Dennis; not the best, but good.
mrkkhattak
Site Admin
Posts: 285
Joined: Wed Aug 07, 2002 8:00 pm
Location: Karachi

Post by mrkkhattak »

Thank You ... !
Guest

..

Post by Guest »

Mr. Khattak,

you have 2 options :

Either you use "sudo", a package available online. sudo is software which can be configured to allow specific users certain or all root privileges.

Secondly, you may simply add UID 0 to the guy's username in /etc/passwd, a rather lame hack, which simply drops him to root.

Ali Saifullah Khan.
admin@connprobe.cjb.net
Guest

Post by Guest »

here's the link to the site where you can download SUDO from.

http://www.courtesan.com/sudo/

examples are given in the default /etc/sudoers file.
i usually use :

username NOPASSWD:ALL

for a highly trusted user, or another admin.
newbie
Company Havaldaar Major
Posts: 156
Joined: Thu Aug 08, 2002 4:18 am
Location: lahore

Post by newbie »

sudo can even change root password.
beware :twisted:
AsadR
Lance Naik
Posts: 36
Joined: Sat Sep 14, 2002 11:27 am
Location: Khi.pk

non-root admin.

Post by AsadR »

Another way would be for you to create a new user (new uid and gid) and configure the Apache configuration file to be writable by the new user/group. A small SUID script (executable only by the new user/group) could be used to send the Apache daemon SIGHUP, or to call "apachectl" to restart Apache so that it reloads the configuration file.

Basically all you have to do is make sure the permissions on the Apache configuration files are such that they are readable by Apache itself, writable by the user/group you've created, and by no one else. To make the Apache daemon reload its configuration file, you need to run something like "apachectl restart" as root.
I strongly feel that you shouldn't make apachectl directly SUID, but instead use a small intermediary script that has the SUID flag set. This is more secure, as it will be small and simple, and can be configured to be run only by the specified user/group.

hope that wasn't too complicated :)

Asad

"...sudo is just plain stupid..."
fawad
Site Admin
Posts: 918
Joined: Wed Aug 07, 2002 8:00 pm
Location: Addison, IL

Post by fawad »

I agree with asad's suggestion. That'll probably be the most straightforward, and will probably be the most secure. However, if the operator manages to screw up the httpd.conf and apache dies, he won't be able to start it up without root privileges. Putting /etc/init.d/httpd into the sudo permissions for that group will probably take care of that. It might be a good idea to look into running apache on a port >1024 and using port forwarding into that port. That way, you can run the server as a non-root user and delegate privileges as you see fit.
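The two sudo approaches in this thread side by side, as an added example that is not part of any post here: the Guest's "NOPASSWD:ALL" line (which, written out in full sudoers syntax, also needs the host and run-as fields) and fawad's suggestion of putting /etc/init.d/httpd into the sudo permissions. The user name khattak is taken from AsadR's chown example, /usr/local/sbin/apachectl from his C program and /etc/init.d/httpd from fawad's post; the alias name APACHE and the exact set of subcommands are assumptions. Edit the file with visudo so a syntax error cannot lock everyone out.

```sudoers
# Weak (the line quoted earlier in the thread, in full form): every command as
# root, no password. This is exactly why "sudo can even change root password".
# khattak ALL = (root) NOPASSWD: ALL

# Tighter: list the handful of commands the Apache operator actually needs,
# with their arguments, so "sudo apachectl" cannot be fed anything else.
Cmnd_Alias APACHE = /usr/local/sbin/apachectl start,   \
                    /usr/local/sbin/apachectl stop,    \
                    /usr/local/sbin/apachectl restart, \
                    /etc/init.d/httpd start,           \
                    /etc/init.d/httpd stop,            \
                    /etc/init.d/httpd restart

# Runs only the aliased commands as root; add the password prompt back by
# dropping NOPASSWD: if the operator's session is shared or left unlocked.
khattak ALL = (root) NOPASSWD: APACHE
```

Because the alias spells out the arguments, "sudo /usr/local/sbin/apachectl configtest" is refused just like "sudo passwd", and the log line sudo writes for each run records which of the allowed commands was used.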
mrkkhattak
Site Admin
Posts: 285
Joined: Wed Aug 07, 2002 8:00 pm
Location: Karachi

Post by mrkkhattak »

Thanks for all your help ... I posted this message on 2 September; the problem I had has been solved :-) but these tips did increase my knowledge ... !
AsadR
Lance Naik
Posts: 36
Joined: Sat Sep 14, 2002 11:27 am
Location: Khi.pk

Post by AsadR »

fawad wrote:
I agree with asad's suggestion. That'll probably be the most straightforward, and will probably be most secure. However, if the operator manages to screw up the httpd.conf and apache dies, he won't be able to start it up without root privileges. Putting /etc/init.d/httpd into the sudo permissions for that group will probably take care of that. It might be a good idea to look into running apache on port >1024 and using port forwarding into that port. That way, you can run the server as a non root user and delegate privileges as you see fit.

Running scripts that aren't written to be SUID is always a bad idea. Many authors don't bother writing secure code if they know the script will not be running as SUID which is why I show my distaste for SUDO and the like.

A better option would be to just create another tiny SUID script which executes "apachectl start" with the necessary options. Any sort of user-interaction with SUIDs should also be minimal, which is why I didn't suggest creating a direct wrapper for apachectl.

In this way, even if the operator "screws up", he can start/stop/restart apache using the pre-made streamlined SUID scripts without ever having to see root privileges directly.

Other than this, running Apache as a completely non-root user sounds like a pretty good idea :)

OK, I guess I've said enough, even though the problem's been solved :P

Asad
mrkkhattak
Site Admin
Posts: 285
Joined: Wed Aug 07, 2002 8:00 pm
Location: Karachi

Post by mrkkhattak »

Oh... NO, it is okay! I keep checking this thread, it DOES increase my knowledge ... as I don't know that much about administration!

I will surely try writing this script, but nowadays a lot of stuff is in the pipeline, so I won't be able to give it a try ... !

InshAllah once i try this, i know i would have problems & i would come again to this thread ... :lol:
fawad
Site Admin
Posts: 918
Joined: Wed Aug 07, 2002 8:00 pm
Location: Addison, IL

Post by fawad »

I think by 'script' asad meant a wrapper C app, because AFAIK shell scripts cannot be SUID on Linux (due to race conditions).
mrkkhattak
Site Admin
Posts: 285
Joined: Wed Aug 07, 2002 8:00 pm
Location: Karachi

Post by mrkkhattak »

:-( I didn't know that; I thought that I would have to write my own shell script. So can you please define "wrapper C app" a little more (with example scripts)? I don't have any idea about that ... !
AsadR
Lance Naik
Posts: 36
Joined: Sat Sep 14, 2002 11:27 am
Location: Khi.pk

Post by AsadR »

It is true that most modern kernels are configured to disallow execution of interpreted scripts. However, since the types of scripts I've mentioned are hardly one-line, you can use the following C program:

#include <stdio.h>
#include <stdlib.h>   /* system() is declared here, not in stdio.h */

int main(void)
{
    /* With the SUID bit set, this runs with the file owner's (root's) effective uid. */
    return system("/usr/local/sbin/apachectl restart");
}

Just replace the text within the quotes of the system() function call with whatever you want to execute.
Then compile with the standard:
gcc my-script-to-start-apache.c -o my-script-to-start-apache

Make it SUID with:
chmod 4750 my-script-to-start-apache

And then make sure whoever you want to use it belongs to the group of the file, i.e.:
chown root.khattak my-script-to-start-apache

Where "khattak" is the group that your Apache controller (the guy who needs to be able to start/stop/restart the Apache daemon without being root) belongs to.

Should work fine... hopefully ;)

Asad
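The wrapper AsadR describes in his two posts above (a tiny SUID binary owned root:khattak, mode 4750, that starts, stops or restarts Apache without giving the operator a root shell), in the form a security reviewer would want to see it. This is an added example written for this thread, not AsadR's program: it keeps his design but replaces system() with execve() of one fixed absolute path, passes a fixed environment instead of the caller's, and accepts only a whitelisted subcommand, so the operator can never inject a shell command, a PATH, or an IFS of his choosing. The path /usr/local/sbin/apachectl and the group name khattak come from the thread; the function names action_allowed and build_argv, the environment string and the list of subcommands are assumptions for this example.

```c
/* apache-wrapper.c: hardened SUID wrapper (added example, not the thread's code).
 * Install exactly as AsadR describes:
 *   gcc apache-wrapper.c -o apache-wrapper
 *   chown root.khattak apache-wrapper && chmod 4750 apache-wrapper
 * Only members of group khattak can execute it; the kernel honours the SUID bit
 * on this binary even though it refuses it on interpreted scripts. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* Assumed path, taken from the thread. No PATH lookup is ever done. */
#define APACHECTL "/usr/local/sbin/apachectl"

/* The only subcommands the wrapper will forward (assumed list). */
static const char *const allowed[] = { "start", "stop", "restart", "graceful", NULL };

/* Return 1 if action is exactly one of the whitelisted words, 0 otherwise.
 * Anything else ("restart;id", "../bin/sh", "", NULL) is rejected. */
int action_allowed(const char *action)
{
    if (action == NULL)
        return 0;
    for (size_t i = 0; allowed[i] != NULL; i++)
        if (strcmp(action, allowed[i]) == 0)
            return 1;
    return 0;
}

/* Build the argv for execve as {APACHECTL, action, NULL}.
 * Returns 0 on success, -1 if the action is not allowed (argv untouched). */
int build_argv(const char *action, char *argv[3])
{
    if (!action_allowed(action))
        return -1;
    argv[0] = (char *)APACHECTL;
    argv[1] = (char *)action;
    argv[2] = NULL;
    return 0;
}

/* A minimal environment we control. The dynamic loader already ignores LD_*
 * for SUID binaries, but PATH and IFS would otherwise reach apachectl, which
 * is itself a shell script. (PATH value is an assumption.) */
static char *const clean_env[] = {
    "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
    NULL
};

int main(int argc, char *argv[])
{
    char *args[3];

    if (argc != 2 || build_argv(argv[1], args) != 0) {
        fprintf(stderr, "usage: %s start|stop|restart|graceful\n", argv[0]);
        return 2;
    }

    /* Make the real uid root as well: bash, when run with euid != uid, drops
     * the effective privileges, so a SUID wrapper that merely inherits euid 0
     * can fail silently when apachectl's #!/bin/sh is bash. */
    if (setuid(0) != 0) {
        perror("setuid");
        return 1;
    }

    /* Replace ourselves with apachectl; no shell is involved at any point. */
    execve(APACHECTL, args, clean_env);
    perror("execve");   /* only reached if the exec itself failed */
    return 1;
}
```

The two helpers are separated from main() so the accept/reject decision can be unit-tested without root: everything the operator controls (argv[1]) passes through action_allowed() first, and everything else (program path, environment, uids) is fixed in the binary. Logging each invocation with syslog(3) would be a sensible addition on a shared box, since the wrapper, unlike sudo, keeps no record of who restarted Apache.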