user with special privileges ... !

Taking care of your Linux box.

Postby mrkkhattak » Mon Sep 02, 2002 2:23 pm

Assalamualaikum,

How could I create a user with some special privileges
(i.e. only by defining his group as root, will he
have access to certain areas or not)?

I want to create a user who could edit/remove changes
to Apache...

Besides that, can anybody explain to me, or give me a link
or a book name, which could give me in-depth info
regarding user administration?
mrkkhattak
Site Admin
 
Posts: 285
Joined: Wed Aug 07, 2002 8:00 pm
ICQ: 173967661
WLM: mrkkhattak
Yahoo Messenger: mrkkhattak
AOL: mrkkhattak
Location: Karachi

user with special privileges ... !

Postby mahin » Mon Sep 02, 2002 5:45 pm

If you want, you can borrow Linux System Administration by M. Carling/Stephen Degler/James Dennis; not the best, but good.
mahin
Major
 
Posts: 605
Joined: Wed Aug 07, 2002 8:00 pm
Website: http://www.linuxpakistan.net/wiki/index.php/LinuxPakistanKarachi
Location: Karachi

Postby mrkkhattak » Tue Sep 03, 2002 10:30 am

Thank You ... !
mrkkhattak

..

Postby Guest » Sat Oct 12, 2002 10:49 pm

Mr. Khattak,

You have 2 options:

Either you use "sudo", a package available online. sudo is software which can be configured to allow specific users certain or all root privileges.

Secondly, you may simply give the guy's username UID 0 in /etc/passwd, a rather lame hack which simply drops him to root.

Ali Saifullah Khan.
admin@connprobe.cjb.net
Guest
 

Postby Guest » Sat Oct 12, 2002 11:18 pm

Here's the link to the site where you can download sudo from.

http://www.courtesan.com/sudo/

Examples are given in the default /etc/sudoers file.
I usually use:

# user  host=(runas)  tag: commands
username ALL=(ALL) NOPASSWD: ALL

for a highly trusted user, or another admin.
Guest
 

Postby newbie » Sat Oct 12, 2002 11:41 pm

sudo can even change the root password.
Beware :twisted:
newbie
Company Havaldaar Major
 
Posts: 156
Joined: Thu Aug 08, 2002 4:18 am
WLM: usman_fool@hotmail.com
Location: lahore
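
An added example (not from any post in this thread) of what the two sudo choices discussed above look like in valid sudoers syntax: the blanket NOPASSWD rule, which hands out root outright (and so, as the warning above says, can change the root password), next to a rule scoped to Apache control only. The group name "apache-ops" and the apachectl path /usr/local/sbin/apachectl are assumptions.

```sudoers
# Added example, not from the thread.  Assumed: an "apache-ops" group for the
# operators and apachectl at /usr/local/sbin/apachectl.  Edit with visudo,
# which refuses to save a file with a syntax error.

# The rule from the post above, in valid syntax.  It is root without a
# password: the operator can run "passwd root", "visudo" or a root shell.
#khattak  ALL=(ALL) NOPASSWD: ALL

# Least-privilege version: Apache control only, exact arguments only,
# still asking for the operator's own password.
Cmnd_Alias APACHE = /usr/local/sbin/apachectl start, \
                    /usr/local/sbin/apachectl stop, \
                    /usr/local/sbin/apachectl restart, \
                    /usr/local/sbin/apachectl graceful, \
                    /usr/local/sbin/apachectl configtest

%apache-ops  ALL=(root) APACHE
```

Because the command alias lists the arguments, "sudo apachectl start" works for a member of apache-ops while "sudo apachectl -f /tmp/evil.conf" is refused. Running "sudo -l" as the operator prints exactly which commands that account may run, which is the quickest way to confirm the rule does what was intended.
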

non-root admin.

Postby AsadR » Sat Oct 12, 2002 11:44 pm

Another way would be for you to create a new user (new uid and gid) and configure the Apache configuration file to be writable by the new user/group. A small SUID script (executable only by the new user/group) could be used to send the Apache daemon SIGHUP, or to call "apachectl" to restart Apache so it reloads the configuration file.

Basically all you have to do is make sure the permissions on the Apache configuration files are such that they are readable by Apache itself, and writable by the user/group you've created, and no one else. To make the Apache daemon reload its configuration file, you need to run something like "apachectl restart" as root.
I strongly feel that you shouldn't make apachectl directly SUID, but instead use a small intermediary script that has the SUID flag set. This is more secure as it will be small and simple, and can be configured to be run by only the specified user/group.

Hope that wasn't too complicated :)

Asad

"...sudo is just plain stupid..."
AsadR
Lance Naik
 
Posts: 36
Joined: Sat Sep 14, 2002 11:27 am
ICQ: 8374759
Location: Khi.pk

Postby fawad » Sun Oct 13, 2002 8:03 am

I agree with Asad's suggestion. That'll probably be the most straightforward, and will probably be the most secure. However, if the operator manages to screw up the httpd.conf and Apache dies, he won't be able to start it up without root privileges. Putting /etc/init.d/httpd into the sudo permissions for that group will probably take care of that. It might be a good idea to look into running Apache on a port >1024 and using port forwarding into that port. That way, you can run the server as a non-root user and delegate privileges as you see fit.
fawad
Site Admin
 
Posts: 918
Joined: Wed Aug 07, 2002 8:00 pm
ICQ: 17672437
Website: http://www.fawad.net
WLM: fawadhalim@hotmail.com
Yahoo Messenger: fawad2048
AOL: fawadhalim
Location: Addison, IL

Postby mrkkhattak » Mon Oct 14, 2002 11:35 am

Thanks for all your help... I posted this message on 2 September; the problem I had has been solved :-) but these tips did increase my knowledge...!
mrkkhattak

Postby AsadR » Tue Oct 15, 2002 4:01 pm

fawad wrote:
I agree with Asad's suggestion. That'll probably be the most straightforward, and will probably be the most secure. However, if the operator manages to screw up the httpd.conf and Apache dies, he won't be able to start it up without root privileges. Putting /etc/init.d/httpd into the sudo permissions for that group will probably take care of that. It might be a good idea to look into running Apache on a port >1024 and using port forwarding into that port. That way, you can run the server as a non-root user and delegate privileges as you see fit.


Running scripts that aren't written to be SUID is always a bad idea. Many authors don't bother writing secure code if they know the script will not be running as SUID, which is why I show my distaste for sudo and the like.

A better option would be to just create another tiny SUID script which executes "apachectl start" with the necessary options. Any sort of user interaction with SUIDs should also be minimal, which is why I didn't suggest creating a direct wrapper for apachectl.

In this way, even if the operator "screws up", he can start/stop/restart Apache using the pre-made, streamlined SUID scripts without ever having to see root privileges directly.

Other than this, running Apache as a completely non-root user sounds like a pretty good idea :)

OK, I guess I've said enough even though the problem's been solved :P

Asad
AsadR

Postby mrkkhattak » Wed Oct 16, 2002 2:55 pm

Oh... NO, it is okay! I keep checking this thread; it DOES increase my knowledge... as I don't know that much about administration!

I will surely try writing this script, but nowadays a lot of stuff is in the pipeline, so I won't be able to give it a try...!

InshAllah once I try this, I know I would have problems & I would come again to this thread... :lol:
mrkkhattak

Postby fawad » Thu Oct 17, 2002 12:26 am

I think by 'script' Asad meant a wrapper C app, because AFAIK shell scripts cannot be SUID on Linux (due to race conditions).
fawad

Postby mrkkhattak » Thu Oct 17, 2002 10:51 am

:-( I didn't know that; I thought that I would have to write my own shell script. So can you please explain a little more about a "wrapper C app" (with examples of scripts)... I don't have any idea about that...!
mrkkhattak

Postby AsadR » Thu Oct 17, 2002 4:23 pm

It is true that most modern kernels are configured to disallow execution of interpreted scripts. However, since the types of scripts I've mentioned are hardly one-line, you can use the following C program:

#include <stdio.h>
#include <stdlib.h>   /* system() */

int main(void)
{
    /* system() runs the command through /bin/sh, with the caller's environment */
    int rc = system("/usr/local/sbin/apachectl restart");
    return rc == 0 ? 0 : 1;
}


Just replace the text within the quotes of the system() function call with whatever you want to execute.
Then compile with the standard:
gcc my-script-to-start-apache.c -o my-script-to-start-apache

Make it SUID with:
chmod 4750 my-script-to-start-apache

And then make sure whoever you want to use it belongs to the group of the file, i.e.:
chown root:khattak my-script-to-start-apache

Where "khattak" is the group that your Apache controller (the guy who needs to be able to start/stop/restart the Apache daemon without being root) belongs to.

Should work fine... hopefully ;)

Asad
AsadR

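The SUID wrapper idea from the posts above, as an added example that is not Asad's code or from any post in this thread: the same wrapper written the way a practitioner would ship a setuid-root program. It whitelists the subcommand instead of taking free text, replaces the inherited environment (apachectl is a shell script, so a caller-controlled PATH or IFS would otherwise be honoured as root), calls setuid(0) so the real and effective uid are both root (with only the effective uid raised, a bash /bin/sh resets itself to the caller's uid, and a bare system() wrapper then silently does nothing), and execs apachectl by absolute path with no shell in between. The group "khattak" and the path /usr/local/sbin/apachectl are taken from the post above; the subcommand list is apachectl's own (start, stop, restart, graceful, configtest). One caveat the thread circles but does not spell out: an operator who can both write httpd.conf and restart Apache as root can add a LoadModule line, and modules are loaded with root privileges before Apache drops to its User, so this still delegates root in practice; fawad's suggestion of running Apache unprivileged on a port above 1024 is what actually takes root out of the picture.

```c
/* Added example (editor's, not from the thread): a whitelist-only SUID-root
 * wrapper around apachectl.  Path and group name follow Asad's post; they are
 * assumptions for any other box.  Build and install as root:
 *   gcc -Wall -O2 -o apache-ctl apache-ctl.c
 *   chown root:khattak apache-ctl && chmod 4750 apache-ctl
 * The 4750 root:khattak mode limits who may run it; the code below limits
 * what running it can do. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>

#define APACHECTL "/usr/local/sbin/apachectl"   /* assumed location */

/* Subcommands the operator may request.  Nothing else is ever passed on. */
static const char *const ACTIONS[] = {
    "start", "stop", "restart", "graceful", "configtest"
};

/* Return the whitelist's own copy of a matching action, or NULL.
 * Exact match only: "restart; sh", "RESTART" and "" are all rejected. */
const char *allowed_action(const char *arg)
{
    size_t i;
    if (arg == NULL)
        return NULL;
    for (i = 0; i < sizeof ACTIONS / sizeof ACTIONS[0]; i++)
        if (strcmp(arg, ACTIONS[i]) == 0)
            return ACTIONS[i];
    return NULL;
}

/* Build a fixed environment for the child.  apachectl is a shell script, so
 * the caller's PATH, IFS, ENV or BASH_ENV must never reach it as root.
 * Returns the number of variables stored, or -1 if envp is too small. */
int fixed_env(char **envp, size_t cap)
{
    static char *const env[] = {
        "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
        "HOME=/root",
        NULL
    };
    size_t i;
    if (cap < sizeof env / sizeof env[0])
        return -1;
    for (i = 0; env[i] != NULL; i++)
        envp[i] = env[i];
    envp[i] = NULL;
    return (int)i;
}

int main(int argc, char **argv)
{
    char *envp[4];
    char *args[3];
    const char *action = (argc == 2) ? allowed_action(argv[1]) : NULL;

    if (action == NULL) {
        fprintf(stderr, "usage: %s start|stop|restart|graceful|configtest\n",
                argv[0]);
        return 2;
    }
    /* Make real, effective and saved uid all root.  With only the effective
     * uid raised, a bash /bin/sh resets itself to the caller's uid, which is
     * why a bare system() wrapper can appear to do nothing. */
    if (setuid(0) != 0) {
        perror("setuid");
        return 1;
    }
    umask(022);
    if (fixed_env(envp, sizeof envp / sizeof envp[0]) < 0)
        return 1;
    args[0] = "apachectl";
    args[1] = (char *)action;        /* points into ACTIONS, not into argv */
    args[2] = NULL;
    execve(APACHECTL, args, envp);   /* no shell: absolute path, fixed env */
    perror(APACHECTL);               /* only reached if execve failed */
    return 1;
}
```

To check the install: a member of group khattak should be able to run "./apache-ctl configtest", an account outside the group should get "Permission denied" before any of this code runs, and "./apache-ctl 'restart; id'" should print the usage line and exit 2 without touching Apache.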
