[sudo-users] (Hopefully) quick policy question

Jore community at thoughtmaybe.com
Tue Sep 26 12:18:27 MDT 2023


On 27/9/23 2:54 am, Mihai Moldovan wrote:
> * On 9/26/23 16:59, Jore wrote:
>> Okay, to consider that approach, do you have any resources for what
>> might be good start for that? As it stands, I don't really know how to
>> approach calling a bash script inside a bash script as root safely.
> Nothing written down, but the concept is so easy that I hardly expect it to be
> part of any resource.
>
> If you want to call acme.sh and only allow specific parameters passed to it,
> create a script such as acme-wrapper.sh (using any POSIX-compatible shell should
> do), which parses the arguments (either fully manually by iterating over "${@}"
> or using helpers such as "getopts") and either errors out if it sees something
> unexpected or eventually calls acme.sh (preferably with a hardcoded, read-only
> location).
>
> Within sudo, you'll only need to make acme-wrapper.sh executable as a different
> user, since executing something else will retain privileges, unless they are
> explicitly dropped.
>
> The real magic happens in the wrapper, but what it does is completely your
> responsibility and must also be tailored to your needs, which, likewise means
> that there's no "one size fits all" solution.
>
> Mihai


Okay, I've given this a quick shot, but still have questions.

Here's a quick and dirty wrapper in '/home/test/acme-wrapper.sh' to 
exemplify:

    #!/bin/bash

    # quick wrapper for acme.sh to only accept and parse domain names to
    # the root script

    # get arg
    domain="${1}"

    # parse subdomains of known domains allowed only
    # (a backslash inside a bracket expression is literal, so '[\-\.]'
    # would not match a hyphen; '[-.]' matches a hyphen or a dot)
    regex='^[a-z0-9]+([-.][a-z0-9]+)*\.(example)'

    if [[ "${domain}" =~ ${regex} ]]; then
       /usr/bin/bash /root/.acme.sh/acme.sh --force --issue --domain \
           "${domain}" --webroot /var/lib/acmesh/
    else
       echo "Not a valid or known domain."
       exit 1
    fi


that the test user can run as superuser, since we only want to 
process/allow subdomains that contain something like 
foo-bar.example.whatever. This could be tightened up at a later point.

So I added this line to sudoers (and note the use of unwanted * glob 
again?? Is this still unsafe/can something better be here?):

    test ALL = NOPASSWD: /usr/bin/bash /home/test/acme-wrapper.sh *


Regardless, when the test user runs:

$ bash /home/test/acme-wrapper.sh foobar123.example.com
/usr/bin/bash: /root/.acme.sh/acme.sh: Permission denied


So looks like we still need to tell sudoers to allow test user to run 
/root/.acme.sh/acme.sh in some capacity? Back to square one?

Also, this approach seems needlessly complicated?

To my noob mind, it'd be much better to build some rule in to the 
sudoers file directly, no? If possible...
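Since the wrapper is where all the enforcement happens, here is a hardened variant, added as an example; it is not the script from the thread and not part of acme.sh. It keeps the thread's paths for acme.sh and the webroot; everything else is an assumption: the hardcoded parent zone example.com, the ACME_CMD environment override (present only so the argument handling can be exercised without an acme.sh installation), and the hypothetical function names validate_domain and issue_cert. It anchors the pattern at both ends, whitelists characters before the regex runs, refuses names that begin with '-', and insists on exactly one argument.

```shell
#!/bin/sh
# acme-wrapper.sh, hardened variant (added example, not the thread's script).
# Assumptions not taken from the thread: the parent zone example.com, the
# ACME_CMD override (for exercising the wrapper without acme.sh), and the
# expectation that this file is installed root-owned and non-writable.
set -u
export LC_ALL=C   # make [a-z] mean ASCII a-z regardless of the caller's locale

ACME_CMD="${ACME_CMD:-/root/.acme.sh/acme.sh}"   # path from the thread
WEBROOT='/var/lib/acmesh/'                       # path from the thread
# One or more labels of [a-z0-9-], not starting or ending with '-', directly
# under example.com; anchored at both ends so "foo.example.com.attacker.net"
# is rejected.
DOMAIN_RE='^([a-z0-9]([a-z0-9-]*[a-z0-9])?\.)+example\.com$'

# validate_domain NAME: returns 0 only for a well-formed subdomain of the zone
validate_domain() {
    name="$1"
    # character whitelist first: rejects empty input, uppercase, whitespace,
    # embedded newlines, and anything acme.sh could parse as an option
    case "$name" in
        ''|-*|*[!a-z0-9.-]*) return 1 ;;
    esac
    # total length limit for a DNS name (RFC 1035)
    [ "${#name}" -le 253 ] || return 1
    printf '%s\n' "$name" | grep -Eq "$DOMAIN_RE"
}

# issue_cert NAME: NAME is the only caller-controlled value; every other
# argument to acme.sh is fixed here. Exactly one argument is required because
# sudo's '*' wildcard also matches across argument boundaries.
issue_cert() {
    if [ "$#" -ne 1 ]; then
        echo "usage: $0 <subdomain>" >&2
        return 2
    fi
    if ! validate_domain "$1"; then
        echo "Not a valid or known domain: $1" >&2
        return 1
    fi
    "$ACME_CMD" --issue --domain "$1" --webroot "$WEBROOT"
}

# Act as a command when invoked with arguments (e.g. through sudo); with no
# arguments the functions are merely defined so they can be tested.
if [ "$#" -gt 0 ]; then
    issue_cert "$@"
    exit "$?"
fi
```

The "Permission denied" shown above is what happens when the wrapper is started as the test user without sudo: the wrapper itself is denied access to /root, so nothing about acme.sh has to be added to sudoers, as Mihai said. Two things matter on the sudoers side, though. The wrapper must not live somewhere the calling user can write (a user who can edit the script that runs as root can make it run anything), so a root-owned `chmod 755` copy in a system directory is the assumed installation. And the rule should name the wrapper by its own path, in the thread's form `test ALL = NOPASSWD: /usr/local/sbin/acme-wrapper.sh` (assumed location), rather than `/usr/bin/bash <path> *`, so the interpreter and its options are fixed by the shebang; since sudo's `*` cannot limit the number of arguments, the count check stays inside the wrapper.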


