[sudo-users] limit editing files to one directory only?

donald.ritchey at exeloncorp.com donald.ritchey at exeloncorp.com
Wed Aug 16 11:40:27 EDT 2006


In the example listed, change the group of any files that should be
protected to another group that would permit web administrators to edit,
but not the ordinary web users.  In my example below, the some_app files
and the index.html and index.php files should go into a 'webadmin'
group, editable by more privileged wiki administrators, but not the
ordinary groups that would use the described sudo script.  Again, this
is more work and more complex, but it still admits to a relatively clean
solution.

This illustrates the need for a good design for the overall environment
to ensure that design goals are met by the developed solution.  The
designer needs to list pieces that should be fixed or restricted, the
parts that can be modified by less restricted/privileged users, and the
sets of tools that enforce the design.

Four groups will moderate this process:

webadmgt - Web Admin Gateway group - Wiki Administrators belong to this
group.  No files belong to this group.
webusrgt - Web User Gateway group - Wiki users that can modify Wiki
files belong to this group.  No files belong to this group.
webadmin - restricted files are owned by this group.
web      - unrestricted files are owned by this group

The sudoers file has two group membership rules:

%webadmgt WIKI_SERVERS=(webadmin) NOPASSWD: WEB_ADMIN_PROGS
%webusrgt WIKI_SERVERS=(web)      NOPASSWD: WEB_USERS_PROGS

This forces the users to go through the sudo programs to access and
change the files and the two groups of programs can enforce membership
and permission rules as files are created, modified, and deleted.  The
editing programs can perform some sort of archiving process to capture
before and after images of the files as users modify them.

Do we have any real issues that have been left out of the discussion?

Thanks,

Don Ritchey
System Administrator
Exelon Corporation
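
The group split described in this message (restricted files in 'webadmin', editable files in 'web') and the note further down the thread to "check to make sure that only the intended set of files are owned by group 'web'" amount to one recurring audit: nothing outside the wiki tree may be in the group the sudo editing script can write to, and everything inside it must be. The script below is an added example, not code from the thread or from sudo. The document root /var/www/html, the sample file names and the GNU `find -printf` invocation are assumptions for illustration; the function itself only reads "group<TAB>path" lines, so any listing in that shape will do.

```shell
#!/bin/sh
# Added example (not from the thread): audit file group ownership against
# the one tree (wiki/) that the sudo editing script is allowed to touch.
#
# audit_groups TREE [EDITABLE_GROUP] [RESTRICTED_GROUP]
#   reads "<group><TAB><path>" lines on stdin, e.g. from GNU find:
#     find /var/www/html -type f -printf '%g\t%p\n' | audit_groups /var/www/html/wiki
#   prints one finding per misfiled path and returns 1 if any were found.
audit_groups() {
    tree=${1%/}                 # allowed editing tree, trailing slash stripped
    editable=${2:-web}          # group the sudo script may write to
    restricted=${3:-webadmin}   # group for files only administrators may edit
    bad=0
    while IFS="$(printf '\t')" read -r group path; do
        case "$path" in
            "$tree"/*)
                # Inside the tree: must be in the editable group, otherwise the
                # restricted editing user cannot write it at all.
                if [ "$group" != "$editable" ]; then
                    printf 'NOT EDITABLE  %s (group %s, expected %s)\n' \
                        "$path" "$group" "$editable"
                    bad=1
                fi
                ;;
            *)
                # Outside the tree: must NOT be in the editable group, or a
                # ":w!" from inside the editor could overwrite it.
                if [ "$group" = "$editable" ]; then
                    printf 'OVER-EXPOSED  %s (group %s, move to %s)\n' \
                        "$path" "$group" "$restricted"
                    bad=1
                fi
                ;;
        esac
    done
    return "$bad"
}

# Constructed sample listing, modelled on the ls -l output quoted in the
# thread (file names under some_app/ and wiki/ are invented).
sample_listing() {
    printf 'web\t/var/www/html/index.html\n'
    printf 'web\t/var/www/html/index.php\n'
    printf 'web\t/var/www/html/some_app/config.php\n'
    printf 'web\t/var/www/html/wiki/LocalSettings.php\n'
    printf 'webadmin\t/var/www/html/wiki/skins/main.css\n'
    printf 'webadmin\t/var/www/html/robots.txt\n'
}

# Run the audit against the constructed listing when executed directly.
sample_listing | audit_groups /var/www/html/wiki \
    || echo "audit: misfiled files found, fix with chgrp before granting sudo access"
```

On the constructed listing this reports index.html, index.php and some_app/config.php as over-exposed (group 'web' outside wiki/) and wiki/skins/main.css as not editable (group 'webadmin' inside wiki/); robots.txt and wiki/LocalSettings.php pass. Running it from cron or a deploy hook catches the case Eric Ladner raises below, where a file outside the tree quietly ends up in the editable group.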

-----Original Message-----
From: Ladner, Eric (Eric.Ladner) [mailto:Eric.Ladner at chevron.com] 
Sent: Wednesday, August 16, 2006 10:22 AM
To: Ritchey, Donald; Eric.Ladner at chevron.com; jmf at zeus.bwh.harvard.edu;
sudo-users at sudo.ws
Subject: RE: [sudo-users] limit editing files to one directory only?


Curious...

In his example below (the directory structure):

  [Bill at webserver html]$ ls -l
  total 11056
  drwxrwsr-x   3 Bill  web    4096 Aug 14 22:40 blah/
  drwxrwxr-x  17 Fred  web    4096 Sep 14  2005 some_app/
  -rw-rw-r--   1 Fred  web     116 Aug 14 22:09 index.html
  -rw-rw-r--   1 Bill  web     116 Aug  8 16:30 index.php
  drwxrwsr-x   3 Bill  web    4096 Feb 13  2006 podcasts/
  -rw-rw-r--   1 Fred  web      16 Aug  9 16:17 robots.txt
  drwxrwsr-x  15 Fred  web    4096 Aug 15 11:01 wiki/

With the requirement of "only allow editing files in the wiki tree or
below", what's to keep the user from opening up the index.php (which is
in the web group), or any file under the "some_app" directory (which is
also presumably in the web group)?

E

-----Original Message-----
From: donald.ritchey at exeloncorp.com
[mailto:donald.ritchey at exeloncorp.com] 
Sent: Wednesday, August 16, 2006 10:04 AM
To: Eric.Ladner at chevron.com; jmf at zeus.bwh.harvard.edu;
sudo-users at sudo.ws
Cc: donald.ritchey at exeloncorp.com
Subject: RE: [sudo-users] limit editing files to one directory only?

I suggest you combine the approaches listed below, but with a twist.

1.  Ensure that all files in the Wiki that need to be edited are group
'web' and are writeable through the group permissions.

2.  In your sudo script, ensure that the files are located in the wiki
directories and do not exec the editor without a successful check.

3.  In your script, sudo via a restricted user (that belongs only to
the 'web' group) to exec the editor (something like:

    'webedit:*:UID:GID for web:Wiki Editing User:/home/restricted/webedit:/bin/rksh'

filling in the appropriate IDs for your system and making sure the user
ID is set to a restricted shell).

This way you use the principle of "least privilege" to get the desired
results.  The restricted user can only write to its own files (if you
are careful, there aren't any) and to files in group 'web'.  Check to
make sure that only the intended set of files are owned by group 'web'
and you should be relatively safe.

Best wishes,

Don Ritchey
System Administrator
Exelon Corporation

-----Original Message-----
From: sudo-users-bounces at courtesan.com
[mailto:sudo-users-bounces at courtesan.com] On Behalf Of Ladner, Eric
(Eric.Ladner)
Sent: Wednesday, August 16, 2006 8:43 AM
To: juan manuel fangio; sudo-users at sudo.ws
Subject: Re: [sudo-users] limit editing files to one directory only?



Giving somebody "vi" through sudo is dangerous due to the shell
integration inside vi.  However, there is a restricted mode in vim (not
vi, but vim - http://www.vim.org) called rvim that won't allow shell
interaction (just straight editing).  But...  Rvim will allow you to
open a file and write the contents out to another file (rvim
/home/wiki/somefile.php, change the file, then :w!/etc/passwd)

Out of curiosity, does the system this is located on support acls?  Acls
are kind of hit and miss sometimes because not all shell commands play
nice with the extra fluff in the inodes to support acls, but if your
system has good acl support, that might be the way to go.

Having said all that, it wouldn't be impossible to write a wrapper
script that checks to see if the files being edited are in that
directory and won't kick off the vi if they are not (checking $PWD and
the passed in file names before calling vi), but without the restricted
vi (rvim) mentioned above, anybody that's worth his salt in vi could
easily edit any file on the system once inside vi.  It looks like with
rvim or straight vi, this would be very dangerous, though.

Like this:

$ sudo vi-wrapper /home/user/wiki/file.php (inside vi) :1,$d
:r/etc/passwd (editing and hacking here) :w!/etc/passwd

Eric
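
The wrapper-script idea in this message (check $PWD and the file names before starting the editor) and Don Ritchey's step 2 above ("do not exec the editor without a successful check") can be combined into one small script. The one below is an added example, not the thread's own script; WIKI_ROOT, the rvim path, the script name wiki-edit and the 'webedit' user in the sudoers comment are assumptions. It canonicalises each argument with `pwd -P` and refuses symlinks, so neither `wiki/../index.php` nor a link planted inside wiki/ can point the editor outside the tree. It deliberately does nothing about ":w!" to another path: as the thread notes, that is what running the editor as a restricted user with only group 'web' membership is for, and rvim alone does not close it.

```shell
#!/bin/sh
# Added example (not the thread's script): a sudo-invoked editor wrapper that
# refuses to start the editor unless every argument names a regular file
# inside one allowed tree.  Intended sudoers use (constructed example):
#
#   john  ALL=(webedit) NOPASSWD: /usr/local/bin/wiki-edit
#
# The editor then runs as the restricted 'webedit' user from the thread, not
# as root; the path check below limits which files may be opened, and the
# restricted user's group membership limits where ":w!" can write.

WIKI_ROOT=${WIKI_ROOT:-/var/www/html/wiki}     # assumed wiki location
EDITOR_BIN=${EDITOR_BIN:-/usr/bin/rvim}         # restricted vim: no shell escapes

# canonical_path FILE -> prints the physical directory of FILE joined with its
# basename; rejects option-looking names, symlinks and non-regular files.
canonical_path() {
    f=$1
    case "$f" in
        -*) return 1 ;;                 # would be parsed as an editor option
    esac
    [ -L "$f" ] && return 1             # the file itself must not be a symlink
    [ -f "$f" ] || return 1             # must exist and be a regular file
    # pwd -P resolves any symlinked directory component (e.g. wiki/dirlink/)
    dir=$(cd -- "$(dirname -- "$f")" 2>/dev/null && pwd -P) || return 1
    base=$(basename -- "$f")
    printf '%s/%s\n' "$dir" "$base"
}

# check_in_tree FILE... -> 0 if every argument canonicalises to a path under
# $WIKI_ROOT, 1 otherwise (first offending argument reported on stderr).
check_in_tree() {
    [ $# -gt 0 ] || return 1
    root=$(cd -- "$WIKI_ROOT" 2>/dev/null && pwd -P) || return 1
    for f in "$@"; do
        real=$(canonical_path "$f") || { echo "refused: $f" >&2; return 1; }
        case "$real" in
            "$root"/*) ;;
            *) echo "refused: $f is outside $root" >&2; return 1 ;;
        esac
    done
    return 0
}

# Entry point: the editor is exec'd only after a successful check, and "--"
# keeps vim from treating any argument as an option.
wiki_edit() {
    check_in_tree "$@" || exit 1
    exec "$EDITOR_BIN" -- "$@"
}

# Only act when installed and invoked under the assumed script name.
case "${0##*/}" in
    wiki-edit) wiki_edit "$@" ;;
esac
```

The check is done on the arguments as given, not on $PWD, so `cd /etc && sudo wiki-edit passwd` is refused just like an absolute path would be; the canonical form is also what you would log if the "before and after images" Don mentions are to be tied to a real file name.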

-----Original Message-----
From: sudo-users-bounces at courtesan.com
[mailto:sudo-users-bounces at courtesan.com] On Behalf Of juan manuel
fangio
Sent: Tuesday, August 15, 2006 10:51 AM
To: sudo-users at sudo.ws
Subject: [sudo-users] limit editing files to one directory only?

I am wondering if it is possible to restrict one user's privileges so
that he can only edit text (PHP) files in one directory tree.

Here's my situation:
- Three users on a webserver; Bill, Fred and John
- Bill and Fred are admins in the wheel group and have full root
capabilities via sudo:
    %wheel  ALL=(ALL) ALL
- Bill and Fred are members of the 'web' group
- Webserver documents are all group-owned by web. E.G.:
    [Bill at webserver html]$ ls -l
    total 11056
    drwxrwsr-x   3 Bill  web    4096 Aug 14 22:40 blah/
    drwxrwxr-x  17 Fred  web    4096 Sep 14  2005 some_app/
    -rw-rw-r--   1 Fred  web     116 Aug 14 22:09 index.html
    -rw-rw-r--   1 Bill  web     116 Aug  8 16:30 index.php
    drwxrwsr-x   3 Bill  web    4096 Feb 13  2006 podcasts/
    -rw-rw-r--   1 Fred  web      16 Aug  9 16:17 robots.txt
    drwxrwsr-x  15 Fred  web    4096 Aug 15 11:01 wiki/

- John wants a wiki
- John wants to modify certain visual elements of the wiki
- John is a great guy but, as a rule, Bill and Fred don't like to give
people enough rope to hang themselves on production servers

I have tried a couple of things but none seem to work. It seems that I
can limit John to ALL commands in the wiki directory, or I can limit him
to /usr/bin/vim as a member of the web group. I can't seem to limit him
to /usr/bin/vim as a member of the web group for only those files in
wiki/ (and its subdirectories).

What is the best way to allow John the ability to edit, and only edit,
just those files located in the directory wiki/ and below?

Thanks!



____________________________________________________________
sudo-users mailing list <sudo-users at sudo.ws> For list information,
options, or to unsubscribe, visit:
http://www.sudo.ws/mailman/listinfo/sudo-users



