Restricting users from certain privileges
Hi:

I could not figure out how to restrict users or other users from certain privileges to execute certain commands in FreeBSD/NanoBSD?

What I meant is I want to create a NanoBSD image in which there will be an additional user, say 'admin'. I need to give this new user (admin) some privileges to run some root-can-only-execute commands, but not all (ACL similar to the firmwares in adsl modems from ISPs).

I read Dru Lavigne's 'BSD Hacks' and Joseph Kong's 'Designing BSD Rootkits' besides FreeBSD handbook, but I simply could not figure out.

Could anyone throw some light on this? Appreciate it! Thanks!

/zenny

---
Support http://thehumanape.org
___
freebsd-stable@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to freebsd-stable-unsubscr...@freebsd.org
Re: Restricting users from certain privileges
> Hi:
>
> I could not figure out how to restrict users or other users from certain privileges to execute certain commands in FreeBSD/NanoBSD?
>
> What I meant is I want to create a NanoBSD image in which there will be an additional user, say 'admin'. I need to give this new user (admin) some privileges to run some root-can-only-execute commands, but not all (ACL similar to the firmwares in adsl modems from ISPs).
>
> I read Dru Lavigne's 'BSD Hacks' and Joseph Kong's 'Designing BSD Rootkits' besides FreeBSD handbook, but I simply could not figure out.
>
> Could anyone throw some light on this? Appreciate it! Thanks!
>
> /zenny

try sudo from ports, security/sudo

cheers,
danny
Re: Restricting users from certain privileges
On Sat, Apr 28, 2012 at 9:38 AM, Daniel Braniss da...@cs.huji.ac.il wrote:
>> Hi:
>>
>> I could not figure out how to restrict users or other users from certain privileges to execute certain commands in FreeBSD/NanoBSD?
>>
>> What I meant is I want to create a NanoBSD image in which there will be an additional user, say 'admin'. I need to give this new user (admin) some privileges to run some root-can-only-execute commands, but not all (ACL similar to the firmwares in adsl modems from ISPs).
>>
>> I read Dru Lavigne's 'BSD Hacks' and Joseph Kong's 'Designing BSD Rootkits' besides FreeBSD handbook, but I simply could not figure out.
>>
>> Could anyone throw some light on this? Appreciate it! Thanks!
>>
>> /zenny
>
> try sudo from ports, security/sudo
>
> cheers,
> danny

Thanks Daniel, but sudo gives all (not selective) root privileges to the user (admin in my case). So this is not what I am trying to achieve in my original post.

/z
Re: Restricting users from certain privileges
On 04/28/2012 09:50 AM, Zenny wrote:
> On Sat, Apr 28, 2012 at 9:38 AM, Daniel Braniss da...@cs.huji.ac.il wrote:
>>> Hi:
>>>
>>> I could not figure out how to restrict users or other users from certain privileges to execute certain commands in FreeBSD/NanoBSD?
>>>
>>> What I meant is I want to create a NanoBSD image in which there will be an additional user, say 'admin'. I need to give this new user (admin) some privileges to run some root-can-only-execute commands, but not all (ACL similar to the firmwares in adsl modems from ISPs).
>>>
>>> I read Dru Lavigne's 'BSD Hacks' and Joseph Kong's 'Designing BSD Rootkits' besides FreeBSD handbook, but I simply could not figure out.
>>>
>>> Could anyone throw some light on this? Appreciate it! Thanks!
>>>
>>> /zenny
>>
>> try sudo from ports, security/sudo
>>
>> cheers,
>> danny
>
> Thanks Daniel, but sudo gives all (not selective) root privileges to the user (admin in my case). So this is not what I am trying to achieve in my original post.

If sudo does not work then what about using ACLs?

    $ chmod og-rwx /bin/dangerous
    $ setfacl -m user:admin:rx /bin/dangerous

--
VZ
Re: Restricting users from certain privileges
On 2012-04-28 09:50, Zenny wrote:
> On Sat, Apr 28, 2012 at 9:38 AM, Daniel Braniss da...@cs.huji.ac.il wrote:
> ...
>> try sudo from ports, security/sudo
>
> Thanks Daniel, but sudo gives all (not selective) root privileges to the user (admin in my case).

This isn't true. With sudo, you can give specific users, or groups of users, restricted lists of commands they can run, and even specify on which particular machines they can be run.

Please take a look at the nicely documented sample sudoers file:

http://www.sudo.ws/sudo/sample.sudoers

For example, these lines may do more or less what you want:

    # users in the secretaries netgroup need to help manage the printers
    # as well as add and remove users
    +secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser

    # fred can run commands as oracle or sybase without a password
    fred ALL = (DB) NOPASSWD: ALL

    # on the alphas, john may su to anyone but root and flags are not allowed
    john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*

    # jen can run anything on all machines except the ones
    # in the SERVERS Host_Alias
    jen ALL, !SERVERS = ALL

    # jill can run any commands in the directory /usr/bin/, except for
    # those in the SU and SHELLS aliases.
    jill SERVERS = /usr/bin/, !SU, !SHELLS

    # steve can run any command in the directory /usr/local/op_commands/
    # as user operator.
    steve CSNETS = (operator) /usr/local/op_commands/

    # matt needs to be able to kill things on his workstation when
    # they get hung.
    matt valkyrie = KILL
Re: Restricting users from certain privileges
28.04.2012 14:50, Zenny wrote:
>> try sudo from ports, security/sudo
>>
>> cheers,
>> danny
>
> Thanks Daniel, but sudo gives all (not selective) root privileges to the user (admin in my case). So this is not what I am trying to achieve in my original post.

Please do study sudo real power :-)
It can give selective privileges per-command, and it can also allow one to run some command with some arguments only and not with others. Or, without any arguments only - as you tune its sudoers configuration file.

Eugene Grosbein
Re: Restricting users from certain privileges
On Sat, Apr 28, 2012 at 11:29:58AM +0200, Dimitry Andric wrote:
> On 2012-04-28 09:50, Zenny wrote:
>> On Sat, Apr 28, 2012 at 9:38 AM, Daniel Braniss da...@cs.huji.ac.il wrote:
>> ...
>>> try sudo from ports, security/sudo
>>
>> Thanks Daniel, but sudo gives all (not selective) root privileges to the user (admin in my case).
>
> This isn't true. With sudo, you can give specific users, or groups of users, restricted lists of commands they can run, and even specify on which particular machines they can be run.

Sure, but if the allowed commands were not specifically designed to be run with elevated privileges, you typically give the user ability to run any command with elevated privileges. Even specially designed commands sometimes give away much more power than intended.
Re: Restricting users from certain privileges
Hi, all,

On 28.04.2012 at 11:39, Eugene Grosbein wrote:
> 28.04.2012 14:50, Zenny wrote:
>>> try sudo from ports, security/sudo
>>>
>>> cheers,
>>> danny
>>
>> Thanks Daniel, but sudo gives all (not selective) root privileges to the user (admin in my case). So this is not what I am trying to achieve in my original post.
>
> Please do study sudo real power :-)
> It can give selective privileges per-command, and it can also allow one to run some command with some arguments only and not with others. Or, without any arguments only - as you tune its sudoers configuration file.

Just make sure none of the permitted commands has got the feature of starting a shell ;-))

Kind regards,
Patrick
--
punkt.de GmbH * Kaiserallee 13a * 76133 Karlsruhe
Tel. 0721 9109 0 * Fax 0721 9109 100
i...@punkt.de http://www.punkt.de
Gf: Jürgen Egeling AG Mannheim 108285
Re: Restricting users from certain privileges
On Sat, Apr 28, 2012 at 11:47:07AM +0200, Patrick M. Hausen wrote:
> Hi, all,
>
> On 28.04.2012 at 11:39, Eugene Grosbein wrote:
>> 28.04.2012 14:50, Zenny wrote:
>>>> try sudo from ports, security/sudo
>>>>
>>>> cheers,
>>>> danny
>>>
>>> Thanks Daniel, but sudo gives all (not selective) root privileges to the user (admin in my case). So this is not what I am trying to achieve in my original post.
>>
>> Please do study sudo real power :-)
>> It can give selective privileges per-command, and it can also allow one to run some command with some arguments only and not with others. Or, without any arguments only - as you tune its sudoers configuration file.
>
> Just make sure none of the permitted commands has got the feature of starting a shell ;-))

Right, think of vi(1), less(1), et al.
Re: Restricting users from certain privileges
On Sat, 28 Apr 2012 09:50:30 +0200 Zenny garbytr...@gmail.com wrote:
> Thanks Daniel, but sudo gives all (not selective) root privileges to the user (admin in my case). So this is not what I am trying to achieve in my original post.

FWIW, sudo can be configured to allow only some commands.

HTH
--
Regards,
Torfinn Ingolfsen
Re: Restricting users from certain privileges
Hi!

>>> Please do study sudo real power :-)
>>> It can give selective privileges per-command,
>>> [...]
>>
>> Just make sure none of the permitted commands has got the feature of starting a shell ;-))
>
> Right, think of vi(1), less(1), et al.

Even this aspect is taken care of with sudo (at least to a certain limit):

NOEXEC and EXEC

    If sudo has been compiled with noexec support and the underlying operating system supports it, the NOEXEC tag can be used to prevent a dynamically-linked executable from running further commands itself.

    In the following example, user aaron may run /usr/bin/more and /usr/bin/vi but shell escapes will be disabled.

        aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi

    See the PREVENTING SHELL ESCAPES section below for more details on how NOEXEC works and whether or not it will work on your system.

--
p...@opsec.eu +49 171 3101372 8 years to go !
Re: Restricting users from certain privileges
On 04/28/2012 02:50 AM, Zenny wrote:
> On Sat, Apr 28, 2012 at 9:38 AM, Daniel Braniss da...@cs.huji.ac.il wrote:
>>> Hi:
>>>
>>> I could not figure out how to restrict users or other users from certain privileges to execute certain commands in FreeBSD/NanoBSD?
>>>
>>> What I meant is I want to create a NanoBSD image in which there will be an additional user, say 'admin'. I need to give this new user (admin) some privileges to run some root-can-only-execute commands, but not all (ACL similar to the firmwares in adsl modems from ISPs).
>>>
>>> I read Dru Lavigne's 'BSD Hacks' and Joseph Kong's 'Designing BSD Rootkits' besides FreeBSD handbook, but I simply could not figure out.
>>>
>>> Could anyone throw some light on this? Appreciate it! Thanks!
>>>
>>> /zenny
>>
>> try sudo from ports, security/sudo
>>
>> cheers,
>> danny
>
> Thanks Daniel, but sudo gives all (not selective) root privileges to the user (admin in my case). So this is not what I am trying to achieve in my original post.

Try the security/super port. It is easy to create very fine grained privileges to selected users. (I am not saying that sudo cannot do this, but with super it is very easy.)
Re: Restricting users from certain privileges
On Apr 28, 2012 12:50 AM, Zenny garbytr...@gmail.com wrote:
> On Sat, Apr 28, 2012 at 9:38 AM, Daniel Braniss da...@cs.huji.ac.il wrote:
>>> Hi:
>>>
>>> I could not figure out how to restrict users or other users from certain privileges to execute certain commands in FreeBSD/NanoBSD?
>>>
>>> What I meant is I want to create a NanoBSD image in which there will be an additional user, say 'admin'. I need to give this new user (admin) some privileges to run some root-can-only-execute commands, but not all (ACL similar to the firmwares in adsl modems from ISPs).
>>>
>>> I read Dru Lavigne's 'BSD Hacks' and Joseph Kong's 'Designing BSD Rootkits' besides FreeBSD handbook, but I simply could not figure out.
>>>
>>> Could anyone throw some light on this? Appreciate it! Thanks!
>>>
>>> /zenny
>>
>> try sudo from ports, security/sudo
>>
>> cheers,
>> danny
>
> Thanks Daniel, but sudo gives all (not selective) root privileges to the user (admin in my case). So this is not what I am trying to achieve in my original post.

Sudo lets you do a lot more than all-or-nothing access. You can specify individual commands that can be run, even down to the options that can be used, and whether or not they need a passwd. And you can even specify which user to run the command as (doesn't have to be root).

Read through the sudoers(5) man page and the comments in the default sudoers file for all the gory details.

Cheers,
Freddie Cash
fjwc...@gmail.com
Re: Restricting users from certain privileges
On Sat, Apr 28, 2012 at 08:04:31PM +0200, Kurt Jaeger wrote:
> Hi!
>
>>>> Please do study sudo real power :-)
>>>> It can give selective privileges per-command,
>>>> [...]
>>>
>>> Just make sure none of the permitted commands has got the feature of starting a shell ;-))
>>
>> Right, think of vi(1), less(1), et al.
>
> Even this aspect is taken care of with sudo (at least to a certain limit):
>
> NOEXEC and EXEC
>
>     If sudo has been compiled with noexec support and the underlying operating system supports it, the NOEXEC tag can be used to prevent a dynamically-linked executable from running further commands itself.
>
>     In the following example, user aaron may run /usr/bin/more and /usr/bin/vi but shell escapes will be disabled.
>
>         aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
>
>     See the PREVENTING SHELL ESCAPES section below for more details on how NOEXEC works and whether or not it will work on your system.

cp /usr/bin/vi ~/ or upload your own...

sudo $HOME/vi

You need to be very careful with this NOEXEC thinking as it will not always get you what you originally intended.

--
 - (2^(N-1))
Re: Restricting users from certain privileges
On Apr 28, 2012 4:03 PM, Jason Hellenthal jhellent...@dataix.net wrote:
> cp /usr/bin/vi ~/ or upload your own...
>
> sudo $HOME/vi

If your Cmnd_Alias includes the full path to vi, then your last command won't work.
Re: Restricting users from certain privileges
On Sat, Apr 28, 2012 at 04:34:34PM -0700, Freddie Cash wrote:
> On Apr 28, 2012 4:03 PM, Jason Hellenthal jhellent...@dataix.net wrote:
>> cp /usr/bin/vi ~/ or upload your own...
>>
>> sudo $HOME/vi
>
> If your Cmnd_Alias includes the full path to vi, then your last command won't work.

I know. Just an example of why you should be careful. I had an admin on a box I supervise add an entry where it enabled a user to run miscellaneous commands. It did not affect anything since the user is well trusted but if it had been the other way around and had not been caught the sheer consequence of such could have been disastrous.

--
 - (2^(N-1))
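
Added example, not part of any message in this thread: a small sh/awk lint for the sudoers hazards the replies raise (editors and pagers permitted without NOEXEC, commands under user-writable paths, blanket ALL). The sample policy, its user names, the list of shell-escape-capable programs and the list of writable directories are constructed assumptions; the parser handles single-line user specs only and does not expand aliases.

```shell
#!/bin/sh
# Added example: flag sudoers user specs that match hazards named in the thread.
# Assumptions: one user spec per line, no continuations, aliases not expanded,
# negated entries and tags other than NOEXEC:/EXEC: are not interpreted.

# Constructed sample policy (illustrative users and commands).
sample_sudoers() {
cat <<'EOF'
# constructed sample, not taken from the thread
admin ALL = /sbin/ifconfig, /usr/sbin/service netif restart
admin ALL = /usr/bin/vi /etc/rc.conf
admin ALL = NOEXEC: /usr/bin/less /var/log/messages
guest ALL = /home/guest/vi
guest ALL = (operator) ALL
EOF
}

# Reads sudoers text on stdin, prints one finding per risky command.
lint_sudoers() {
  awk '
    /^[ \t]*(#|$)/ { next }                        # comments and blank lines
    /^[ \t]*(Defaults|[A-Za-z_]+_Alias)/ { next }  # settings and alias definitions
    {
      eq = index($0, "="); if (!eq) next
      user = $1
      n = split(substr($0, eq + 1), cmds, ",")
      noexec = 0                                   # tag state within this spec
      for (i = 1; i <= n; i++) {
        c = cmds[i]
        gsub(/^[ \t]+|[ \t]+$/, "", c)
        sub(/^\([^)]*\)[ \t]*/, "", c)             # drop a leading Runas spec
        if (c ~ /^NOEXEC:/) noexec = 1             # a tag carries over to the
        if (c ~ /^EXEC:/) noexec = 0               # commands that follow it
        sub(/^(NOEXEC|EXEC):[ \t]*/, "", c)
        split(c, w, /[ \t]+/); path = w[1]
        if (path == "ALL")
          print user ": ALL-COMMANDS"
        else if (path ~ /^\/(home|usr\/home|tmp|var\/tmp)\//)
          print user ": WRITABLE-PATH " path       # user can replace the binary
        else if (path ~ /\/(vi|vim|ex|ed|less|more)$/ && !noexec)
          print user ": SHELL-ESCAPE " path        # can start a shell as root
      }
    }'
}

sample_sudoers | lint_sudoers
```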