[sudo-users] Sudo for groups?

Rogan Dawes lists at dawes.za.net
Wed Apr 6 15:50:10 EDT 2005



Ladner, Eric (Eric.Ladner) wrote:
> Oh..  I misunderstood.  I still think I misunderstand..
> 
> So if you just need to change the group membership instead of the user,
> why use sudo at all?
> 
> If user fred is in "users" as his main group and "yourapp" as a
> secondary group that owns the application you can do this:
> 
> $ newgrp yourapp # they're in this group in the first place, right?
> $ /some/application/command
> 
> Ah, but then you have the problem that they are actually IN the group
> and they can modify the files anyway.  I see your point. 
> 
> I don't think sudo can do that (or at least I can't see how it could
> from the sudoers man page).  Best bet is probably a sgid executable
> wrapper that forces the group to the application group.
> 
> Eric Ladner, Systems Analyst 
> RFMS IT Support
> 

Hi Eric,

Yes, you hit the nail on the head. If they are in the group, they can 
modify the files outside of the application.

We ARE currently using a setgid wrapper, but as I mentioned in the 
original email, I'm afriad of falling into the same traps that the sudo 
authors have avoided long ago. Things like LD_PRELOAD environment 
variables, etc.

Besides, it seems like sudo would be a good place to put something like 
this, even if it is not THAT much in demand. It is basically a 
controlled sugrp command that I'm looking for . . . .

Regards,

Rogan
> -----Original Message-----
> From: Rogan Dawes [mailto:lists at dawes.za.net] 
> Sent: Wednesday, April 06, 2005 12:00 PM
> To: Ladner, Eric (Eric.Ladner)
> Cc: sudo-users at courtesan.com
> Subject: Re: [sudo-users] Sudo for groups?
> 
> Ladner, Eric (Eric.Ladner) wrote:
> 
>>I think you're in luck.
>>
>>According to the sudoers man page
>>(http://www.courtesan.com/sudo/man/sudoers.html):
>>
>>A User_List is made up of one or more usernames, system groups 
>>(prefixed with '%'), netgroups (prefixed with '+') and other aliases. 
>>Each list item may be prefixed with one or more '!' operators. An odd 
>>number of '!' operators negate the value of the item; an even number 
>>just cancel each other out.
>>
>>Eric Ladner, Systems Analyst
>>RFMS IT Support
> 
> 
> Hi Eric,
> 
> Thanks for your response.
> 
> But doesn't this simply control WHICH users are allowed to do things? 
> i.e. members of the specified group, rather than listing them
> individually?
> 
> I am trying to allow users to gain controlled access to a specific group
> rather than to a specific user, which is what sudo normally does.
> 
> I think that I am looking for group support in the Runas_Alias /
> Runas_List / Runas_Spec keywords.
> 
> Regards,
> 
> Rogan
> 
> 
> 
>>-----Original Message-----
>>From: sudo-users-bounces at courtesan.com 
>>[mailto:sudo-users-bounces at courtesan.com] On Behalf Of 
>>lists at dawes.za.net
>>Sent: Wednesday, April 06, 2005 5:19 AM
>>To: sudo-users at courtesan.com
>>Subject: [sudo-users] Sudo for groups?
>>
>>Hi folks,
>>
>>I have a situation that I am trying to correct as best I can.
>>
>>A company has a legacy application that needs world-writable 
>>permissions on its data files to operate. I think this is bad 
>>practice, and am trying to limit this to group writable for a specific
> 
> application group.
> 
>>There are then a couple of possibilities:
>>
>>1) Add all application users to the application group
>>
>>2) Use a setuid/setgid wrapper that calls the application.
>>
>>1) has the disadvantage that the user is then still able to modify the
> 
> 
>>data files directly.
>>
>>2) seems to me to be a workable solution.
>>
>>Trying not to reinvent the wheel (and fall into the same security 
>>traps that everyone else has already climbed out of), I thought that 
>>maybe sudo could let me do this.
>>
>>One thing that I would like to have, though, is that the userid should
> 
> 
>>not be changed, just the group. This is because the application checks
> 
> 
>>the uid when deciding what operations the user should be allowed to 
>>perform.
>>
>>Were it not for the "own userid" condition, I could just create an 
>>"appuser"
>>user who is a member of the "appgrp" group, and allow members of the 
>>"appusers"
>>group to execute /opt/app/bin/app as "appuser".
>>
>>SetGID directories could even control the permissions and ownership of
> 
> 
>>spool files . . .
>>
>>Is such a thing possible with sudo? I have checked the archives, and 
>>saw a post last year referring to an application called "hat" that set
> 
> 
>>hardcoded groups.
>>Unfortunately, it seems to be a private app, and there was no further 
>>discussion on the list.
>>
>>Ideally, what I would like is something like:
>>
>>%appusers    ALL = (%appgrp) NOPASSWD: /opt/app/bin/app
>>
>>Where member of the appusers group would be permitted to run 
>>/opt/app/bin/app with the primary group set to be appgrp, but their 
>>UID still their own.
>>
>>Any suggestions? Am I out of luck?
>>
>>I should mention that the platform is Tru64 Unix V40.F and V5.1B, so 
>>the Linuxish alternative of allowing the users to execute /usr/bin/sg 
>>appgrp /opt/app/bin/app is not available. Thinking about it, though, I
> 
> 
>>don't think that would work anyway, due to the uid issue :-(
>>
>>Many thanks for any assistance.
>>
>>Rogan
>>____________________________________________________________
>>sudo-users mailing list <sudo-users at sudo.ws> For list information, 
>>options, or to unsubscribe, visit:
>>http://www.sudo.ws/mailman/listinfo/sudo-users
>>
>>
>>
> 
> 
> --
> Rogan Dawes
> 
> *ALL* messages to discard at dawes.za.net will be dropped, and added to my
> blacklist. Please respond to "lists AT dawes DOT za DOT net"
> 
> 
> 

-- 
Rogan Dawes

*ALL* messages to discard at dawes.za.net will be dropped, and added
to my blacklist. Please respond to "lists AT dawes DOT za DOT net"



More information about the sudo-users mailing list