User with special privileges ... !
- Site Admin
- Posts: 285
- Joined: Wed Aug 07, 2002 8:00 pm
- Location: Karachi
Assalamualaikum,
How could I create a user with some special privileges
(i.e. only by defining its group as root, will he
have access to certain areas or not)?
I want to create a user who could edit/remove changes
to Apache...
Besides that, can anybody explain to me, or give me a link
or a book name, which could give me in-depth info
regarding user administration?
If you want, you can borrow Linux System Administration by M. Carling/Stephen Degler/James Dennis; not the best, but good.
Mr. Khattak,
You have 2 options:
Either you use "sudo", a package available online. sudo is software which can be configured to allow specific users certain or all root privs.
Secondly, you may simply add UID 0 to the guy's username in /etc/passwd, a rather lame hack, which simply drops him to root.
Ali Saifullah Khan.
admin@connprobe.cjb.net
Here's the link to the site where you can download sudo from:
http://www.courtesan.com/sudo/
Examples are given in the default /etc/sudoers file.
I usually use:
Code:
# user spec: who, on which hosts, may run what (as whom), with which tags
username ALL=(ALL) NOPASSWD: ALL
for a highly trusted user, or another admin.
non-root admin.
Another way would be for you to create a new user (new uid and gid) and configure the Apache configuration file to be writable by the new user/group. A small SUID script (executable only by the new user/group) could be used to send the Apache daemon SIGHUP, or to call "apachectl" to restart Apache so it reloads the configuration file.
Basically, all you have to do is make sure the permissions on the Apache configuration files are such that they are readable by Apache itself, and writable by the user/group you've created, and no one else. To make the Apache daemon reload its configuration file, you need to run something like "apachectl restart" as root.
I strongly feel that you shouldn't make apachectl directly SUID, but instead use a small intermediary script that has the SUID flag set. This is more secure, as it will be small and simple, and can be configured to be run by only the specified user/group.
Hope that wasn't too complicated.
Asad
"...sudo is just plain stupid..."
I agree with Asad's suggestion. That'll probably be the most straightforward, and will probably be most secure. However, if the operator manages to screw up the httpd.conf and Apache dies, he won't be able to start it up without root privileges. Putting /etc/init.d/httpd into the sudo permissions for that group will probably take care of that. It might be a good idea to look into running Apache on a port >1024 and using port forwarding into that port. That way, you can run the server as a non-root user and delegate privileges as you see fit.
Running scripts that aren't written to be SUID is always a bad idea. Many authors don't bother writing secure code if they know the script will not be running as SUID, which is why I show my distaste for sudo and the like.
A better option would be to just create another tiny SUID script which executes "apachectl start" with the necessary options. Any sort of user interaction with SUIDs should also be minimal, which is why I didn't suggest creating a direct wrapper for apachectl.
In this way, even if the operator "screws up", he can start/stop/restart Apache using the pre-made streamlined SUID scripts without ever having to see root privileges directly.
Other than this, running Apache as a completely non-root user sounds like a pretty good idea.
OK, I guess I've said enough, even though the problem's been solved.
Asad
Oh... NO, it is okay! I keep checking this thread, it DOES increase my knowledge... as I don't know that much about administration!
I will surely try writing this script, but nowadays a lot of stuff is in the pipeline, so I won't be able to give it a try...!
InshAllah, once I try this, I know I would have problems, and I would come again to this thread...
It is true that most modern kernels are configured to disallow execution of interpreted scripts. However, since the types of scripts I've mentioned are hardly one-line, you can use the following C program:
Code:
#include <stdio.h>
#include <stdlib.h>   /* declares system() */

int main(void)
{
    /* runs the command through /bin/sh, with root as the effective uid */
    return system("/usr/local/sbin/apachectl restart");
}
Just replace the text within the quotes of the system() function call with whatever you want to execute.
Then compile with the standard:
gcc my-script-to-start-apache.c -o my-script-to-start-apache
Make it SUID with:
chmod 4750 my-script-to-start-apache
And then make sure whoever you want to use it belongs to the group of the file, i.e.:
chown root.khattak my-script-to-start-apache
where "khattak" is the group that your Apache controller (the guy who needs to be able to start/stop/restart the Apache daemon without being root) belongs to.
Should work fine... hopefully.
Asad
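A hardened version of the SUID wrapper Asad describes, added here as an example and not code from the thread: it accepts only start, stop or restart as its single argument, rejects everything else, discards the caller's environment, and exec()s apachectl directly instead of going through system() and a shell. It assumes the same /usr/local/sbin/apachectl path and the same chmod 4750 root:khattak install as above.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Path assumed from the thread; adjust for your install. */
#define APACHECTL "/usr/local/sbin/apachectl"

/* Only these subcommands are ever passed through to apachectl. */
static const char *const ALLOWED[] = { "start", "stop", "restart", NULL };

/* Return our own copy of the action if it is permitted, or NULL otherwise.
 * Returning the constant rather than the caller's buffer means nothing the
 * caller typed ever reaches the exec'd command line. */
const char *validate_action(const char *arg)
{
    if (arg == NULL)
        return NULL;
    for (size_t i = 0; ALLOWED[i] != NULL; i++)
        if (strcmp(arg, ALLOWED[i]) == 0)
            return ALLOWED[i];
    return NULL;
}

int main(int argc, char **argv)
{
    const char *action = (argc == 2) ? validate_action(argv[1]) : NULL;
    if (action == NULL) {
        fprintf(stderr, "usage: %s start|stop|restart\n", argv[0]);
        return 2;
    }

    /* Mode 4750 root:khattak means only group members get this far.
     * Make the real uid root as well: apachectl is a shell script, and a
     * shell started with euid != ruid silently drops the SUID privilege. */
    if (setuid(0) != 0) {
        perror("setuid");
        return 1;
    }

    /* Replace the inherited environment (PATH, IFS, LD_*, ...) outright. */
    char *const envp[] = { "PATH=/usr/bin:/bin:/usr/sbin:/sbin", NULL };
    char *const args[] = { "apachectl", (char *)action, NULL };

    /* Absolute path and execve(): no shell is involved at any point. */
    execve(APACHECTL, args, envp);
    perror("execve");   /* only reached if the exec itself failed */
    return 1;
}
```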