[sudo-users] Sudo for groups?
Rogan Dawes
lists at dawes.za.net
Wed Apr 6 15:50:10 EDT 2005
Ladner, Eric (Eric.Ladner) wrote:
> Oh.. I misunderstood. I still think I misunderstand..
>
> So if you just need to change the group membership instead of the user,
> why use sudo at all?
>
> If user fred is in "users" as his main group and "yourapp" as a
> secondary group that owns the application you can do this:
>
> $ newgrp yourapp # they're in this group in the first place, right?
> $ /some/application/command
>
> Ah, but then you have the problem that they are actually IN the group
> and they can modify the files anyway. I see your point.
>
> I don't think sudo can do that (or at least I can't see how it could
> from the sudoers man page). Best bet is probably a sgid executable
> wrapper that forces the group to the application group.
>
> Eric Ladner, Systems Analyst
> RFMS IT Support
>
Hi Eric,
Yes, you hit the nail on the head. If they are in the group, they can
modify the files outside of the application.
We ARE currently using a setgid wrapper, but as I mentioned in the
original email, I'm afraid of falling into the same traps that the sudo
authors have avoided long ago. Things like LD_PRELOAD environment
variables, etc.
Besides, it seems like sudo would be a good place to put something like
this, even if it is not THAT much in demand. It is basically a
controlled sugrp command that I'm looking for . . . .
Regards,
Rogan
> -----Original Message-----
> From: Rogan Dawes [mailto:lists at dawes.za.net]
> Sent: Wednesday, April 06, 2005 12:00 PM
> To: Ladner, Eric (Eric.Ladner)
> Cc: sudo-users at courtesan.com
> Subject: Re: [sudo-users] Sudo for groups?
>
> Ladner, Eric (Eric.Ladner) wrote:
>
>>I think you're in luck.
>>
>>According to the sudoers man page
>>(http://www.courtesan.com/sudo/man/sudoers.html):
>>
>>A User_List is made up of one or more usernames, system groups
>>(prefixed with '%'), netgroups (prefixed with '+') and other aliases.
>>Each list item may be prefixed with one or more '!' operators. An odd
>>number of '!' operators negate the value of the item; an even number
>>just cancel each other out.
>>
>>Eric Ladner, Systems Analyst
>>RFMS IT Support
>
>
> Hi Eric,
>
> Thanks for your response.
>
> But doesn't this simply control WHICH users are allowed to do things?
> i.e. members of the specified group, rather than listing them
> individually?
>
> I am trying to allow users to gain controlled access to a specific group
> rather than to a specific user, which is what sudo normally does.
>
> I think that I am looking for group support in the Runas_Alias /
> Runas_List / Runas_Spec keywords.
>
> Regards,
>
> Rogan
>
>
>
>>-----Original Message-----
>>From: sudo-users-bounces at courtesan.com
>>[mailto:sudo-users-bounces at courtesan.com] On Behalf Of
>>lists at dawes.za.net
>>Sent: Wednesday, April 06, 2005 5:19 AM
>>To: sudo-users at courtesan.com
>>Subject: [sudo-users] Sudo for groups?
>>
>>Hi folks,
>>
>>I have a situation that I am trying to correct as best I can.
>>
>>A company has a legacy application that needs world-writable
>>permissions on its data files to operate. I think this is bad
>>practice, and am trying to limit this to group writable for a specific
>>application group.
>
>>There are then a couple of possibilities:
>>
>>1) Add all application users to the application group
>>
>>2) Use a setuid/setgid wrapper that calls the application.
>>
>>1) has the disadvantage that the user is then still able to modify the
>>data files directly.
>>
>>2) seems to me to be a workable solution.
>>
>>Trying not to reinvent the wheel (and fall into the same security
>>traps that everyone else has already climbed out of), I thought that
>>maybe sudo could let me do this.
>>
>>One thing that I would like to have, though, is that the userid should
>>not be changed, just the group. This is because the application checks
>>the uid when deciding what operations the user should be allowed to
>>perform.
>>
>>Were it not for the "own userid" condition, I could just create an
>>"appuser" user who is a member of the "appgrp" group, and allow members
>>of the "appusers" group to execute /opt/app/bin/app as "appuser".
>>
>>SetGID directories could even control the permissions and ownership of
>>spool files . . .
>>
>>Is such a thing possible with sudo? I have checked the archives, and
>>saw a post last year referring to an application called "hat" that set
>>hardcoded groups. Unfortunately, it seems to be a private app, and
>>there was no further discussion on the list.
>>
>>Ideally, what I would like is something like:
>>
>>%appusers ALL = (%appgrp) NOPASSWD: /opt/app/bin/app
>>
>>Where members of the appusers group would be permitted to run
>>/opt/app/bin/app with the primary group set to be appgrp, but their
>>UID still their own.
>>
>>Any suggestions? Am I out of luck?
>>
>>I should mention that the platform is Tru64 Unix V40.F and V5.1B, so
>>the Linuxish alternative of allowing the users to execute /usr/bin/sg
>>appgrp /opt/app/bin/app is not available. Thinking about it, though, I
>>don't think that would work anyway, due to the uid issue :-(
>>
>>Many thanks for any assistance.
>>
>>Rogan
>>____________________________________________________________
>>sudo-users mailing list <sudo-users at sudo.ws> For list information,
>>options, or to unsubscribe, visit:
>>http://www.sudo.ws/mailman/listinfo/sudo-users
>>
>>
>>
>
>
> --
> Rogan Dawes
>
> *ALL* messages to discard at dawes.za.net will be dropped, and added to my
> blacklist. Please respond to "lists AT dawes DOT za DOT net"
>
>
>
--
Rogan Dawes
*ALL* messages to discard at dawes.za.net will be dropped, and added
to my blacklist. Please respond to "lists AT dawes DOT za DOT net"
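Added example (not from the thread or from the sudo project): one way to write the setgid wrapper the thread settles on so that it avoids the LD_PRELOAD class of trap Rogan is worried about. The wrapper keeps the caller's uid, makes appgrp the real, effective and saved gid, and then execs the fixed path /opt/app/bin/app from the thread with a freshly built environment that contains only a fixed PATH and an allowlist of harmless variables. The scrub matters because once real and effective gid are equal, the kernel no longer marks the exec'd application as a secure (set-id) process, so any LD_PRELOAD or LD_LIBRARY_PATH inherited from the caller would be honoured by the loader when the application starts. The allowlist, the fixed PATH and the decision not to forward user arguments are assumptions of this example; the binary is meant to be installed mode 2755, owned by root:appgrp, and executable only by the appusers group.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

extern char **environ;

/* Fixed target taken from the thread; the path is never taken from the user. */
#define APP_PATH "/opt/app/bin/app"

/* Allowlist of variables that may reach the application (an assumption of
 * this example). Anything not listed, including LD_PRELOAD and
 * LD_LIBRARY_PATH, is dropped. */
static const char *const allowed_vars[] = {
    "HOME", "USER", "LOGNAME", "TERM", "LANG", NULL
};

/* Length of the NAME part of a "NAME=value" entry, or 0 if there is no '='. */
static size_t name_len(const char *entry) {
    const char *eq = strchr(entry, '=');
    return eq ? (size_t)(eq - entry) : 0;
}

/* 1 if the entry's name is on the allowlist, else 0. */
int var_allowed(const char *entry) {
    size_t len = name_len(entry);
    if (len == 0) return 0;
    for (const char *const *p = allowed_vars; *p; p++)
        if (strlen(*p) == len && strncmp(*p, entry, len) == 0) return 1;
    return 0;
}

/* Build a fresh NULL-terminated environment: a fixed PATH first, then only
 * the allowlisted entries copied from src. Returns NULL on allocation failure. */
char **build_safe_env(char *const src[]) {
    size_t n = 0;
    for (size_t i = 0; src[i]; i++)
        if (var_allowed(src[i])) n++;
    char **out = calloc(n + 2, sizeof *out);   /* +1 for PATH, +1 for terminator */
    if (!out) return NULL;
    size_t k = 0;
    if (!(out[k++] = strdup("PATH=/usr/bin:/bin"))) goto fail;
    for (size_t i = 0; src[i]; i++)
        if (var_allowed(src[i]) && !(out[k++] = strdup(src[i]))) goto fail;
    out[k] = NULL;
    return out;
fail:
    for (size_t i = 0; i < k; i++) free(out[i]);
    free(out);
    return NULL;
}

/* Number of entries in a NULL-terminated environment. */
size_t env_len(char *const env[]) {
    size_t n = 0;
    while (env[n]) n++;
    return n;
}

/* 1 if a variable called name is present in env, else 0. */
int env_has(char *const env[], const char *name) {
    size_t len = strlen(name);
    for (size_t i = 0; env[i]; i++)
        if (name_len(env[i]) == len && strncmp(env[i], name, len) == 0) return 1;
    return 0;
}

int main(void) {
    gid_t appgrp = getegid();   /* the group the setgid bit granted us */

    /* Make real, effective and saved gid all appgrp so the application sees a
     * consistent primary group. The uid is deliberately left as the caller's,
     * which is what the thread requires. */
    if (setgid(appgrp) != 0 || getgid() != appgrp || getegid() != appgrp) {
        perror("setgid");
        return 1;
    }

    char **env = build_safe_env(environ);
    if (!env) {
        perror("build_safe_env");
        return 1;
    }

    /* Fixed argument vector: user-supplied arguments are not forwarded. */
    char *const args[] = { APP_PATH, NULL };
    execve(APP_PATH, args, env);
    perror("execve");   /* only reached if the exec failed */
    return 1;
}
```

Supplementary groups stay as the caller's, since changing them needs root, and the uid check inside the application keeps working because the uid is untouched. The same environment scrub is what lets sudo pass a Runas target safely, which is why it is the part of the wrapper most worth getting right.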