> Sudo Authentication, useradd/passwd/bash/php/apache
petterg
post May 5 2004, 08:20 AM
Post #1





This question is actually short, but I'll include a description of the situation in case someone has a better idea of how to get around this.

The question: By default sudo asks for the user's password to run. Is there any way to make sudo ask for the password of a group admin? What I'm looking for is a way to run a command as root from the web without allowing the apache user to run it with sudo! Say the user bradm is allowed to run the command as root (using sudo). However, he wants to run the command using a web interface, using apache/php. Then it's actually apache who needs to be executing the command. For security reasons I will not allow apache to use sudo. Is there a way for apache to execute the command as root by providing the user 'bradm' and the corresponding password?


Situation
I'm administrating a few servers for a couple of companies. (Serving web/sftp(ssh)/smb/atalk/mail)
Most users have their account limited to a chroot jail. There are a few of these jails.

What I want to do is create a group administrator account for each jail. The groupadmin user should be allowed to create/delete users in his jail. He should also be able to change users' passwords. The group admin should not be able to modify users in other jails (or users who are not jailed at all).

In order to give a group admin access to the useradd/del, passwd and smbpasswd commands he cannot be jailed. I would like this user to not have direct access to files outside his jail, so I was thinking to not provide this user any shell login access at all.
Then the way he will be able to administrate user accounts will be through a website running apache/ssl/php.

Here come the security issues:
Let's say a chroot jail is called 'br'. The jail path is /home/br/./
All users jailed inside br have the group br as their primary group.
The group administrator will be called 'bradm'. He should have access to modify all users jailed in the br jail. But not all users in the br group are jailed in the br jail. (The user I'm using to administrate the system (when I'm not using root) is also a member of the br group. Bradm should not have access to change my password.)
So, to get around this I create a new user group 'bradm', and put all the users bradm should have access to administrate into the bradm group.
Also, bradm should not have access to create a user outside his jail. Therefore bradm should not have direct access to useradd/del, passwd and smbpasswd, but he will have access to a bash script that does the same thing. Example script for useradd in the br jail, 'bruseradd':
CODE
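#!/bin/bash
# syntax:
# bruseradd username password

user=$1
pass=$2
jailname="br"
jailpath="/home/${jailname}/./"

die() { echo "bruseradd: $1" >&2; exit 1; }

# check that ${user} and ${pass} do not contain the letters "root"
[[ ${user} == *root* || ${pass} == *root* ]] && die "'root' is not allowed in username or password"
# check that ${user} is a valid username (assumed rule: lowercase letter, then a-z 0-9 _ -)
[[ ${user} =~ ^[a-z][a-z0-9_-]{0,30}$ ]] || die "invalid username"
# check that the username ${user} does not exist
getent passwd "${user}" >/dev/null && die "user already exists"
# check that ${pass} is a valid password (assumed rule: 8+ printable characters, no whitespace)
[[ ${pass} =~ ^[[:graph:]]{8,}$ ]] || die "invalid password"

# adding user to system
/usr/sbin/useradd -g "${jailname}" -G "${jailname}adm" \
    -d "${jailpath}${user}" -m "${user}" || die "useradd failed"
# setting user password
echo "${user}:${pass}" | /usr/sbin/chpasswd || die "chpasswd failed"
# adding user to samba (-s makes smbpasswd read the password, given twice, from stdin)
printf '%s\n%s\n' "${pass}" "${pass}" | /usr/sbin/smbpasswd -s -a "${user}"

# updating passwd and group in jail
cp -a /etc/passwd "${jailpath}etc"
cp -a /etc/group "${jailpath}etc"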

(The scripts for userdel and passwd are similar, but also check if ${user} is a member of the group bradm.)

So, bradm needs sudo access to run bruseradd as root. However, bradm does not have any access to log in to any shell. He's running this through apache (user=apache). This means that running the script would require apache to have access to sudo and run this script. That does not sound safe to me. I see 2 ways (3 if including a really insecure way) to get around this. Both of them lead me into some code that I don't know how to write.

1: By default sudo asks for the user's password to run. Is there any way to make sudo ask for the group admin password? In this case, where it's actually apache who is running the script, I would like sudo to require apache to provide the user 'bradm' and bradmpassword.

2: Add a user authentication to the start of the script:
CODE
#!/bin/bash
# syntax:
# bruseradd authuser authpass username password

authuser=$1
authpass=$2
user=$3
pass=$4
# (some code to check that ${authpass} is the correct password for user ${authuser})

Anyone got any ideas of how to write the authentication part of the script?

3: (Really insecure) Make 'bradm' a virtual user only (store user/pass in a mysql db); the php script refuses to run if it's not provided with the correct user/passwd. This way does not stop any user from making his own php script to execute the bash script! (Probably none of the users are capable of writing such a php script, but that doesn't make it safe!)

Thank you,
pg
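
For option 2 in the post above, one way to write the authentication step, as an added example that is not part of the original post. It assumes the script already runs as root (so it can read /etc/shadow), OpenSSL 1.1.1 or newer, and SHA-256/SHA-512 crypt hashes without a custom rounds= setting; the names ALLOWED_ADMIN, verify_hash and authenticate are hypothetical.

```shell
#!/bin/bash
# Added example, not from the original post. Function and variable names
# are hypothetical; assumes OpenSSL 1.1.1+ (`openssl passwd -5/-6`).

ALLOWED_ADMIN="bradm"   # the only account allowed to authenticate here

# verify_hash PASSWORD STORED_HASH
# Returns 0 on match, 1 on mismatch, 2 if the hash cannot be checked.
verify_hash() {
    local pass="$1" stored="$2" id rest salt computed
    case "$stored" in
        '$5$'*|'$6$'*) ;;          # SHA-256 / SHA-512 crypt only
        *) return 2 ;;             # locked ("!", "*"), empty or other scheme
    esac
    rest="${stored#?}"             # drop the leading "$"
    id="${rest%%\$*}"              # "5" or "6"
    rest="${rest#*\$}"
    salt="${rest%%\$*}"
    case "$salt" in
        ''|rounds=*) return 2 ;;   # custom round counts are not handled
    esac
    # Recompute the hash with the stored salt; the password goes in on stdin.
    computed=$(printf '%s\n' "$pass" |
        openssl passwd "-$id" -salt "$salt" -stdin 2>/dev/null) || return 2
    [ -n "$computed" ] && [ "$computed" = "$stored" ]
}

# authenticate USER [SHADOW_FILE]
# Reads the password from stdin, not argv: command-line arguments are
# visible to other local users in the process list.
authenticate() {
    local user="$1" shadow="${2:-/etc/shadow}" pass="" stored="" name hash rest
    [ "$user" = "$ALLOWED_ADMIN" ] || return 1
    IFS= read -r pass || [ -n "$pass" ] || return 1
    # Find the user's hash field in the shadow file.
    while IFS=: read -r name hash rest; do
        if [ "$name" = "$user" ]; then stored="$hash"; break; fi
    done < "$shadow"
    verify_hash "$pass" "$stored"
}
```

Called at the top of bruseradd as `authenticate "$authuser" || exit 1`, with the admin password piped in on stdin, it stops the script before any account is touched.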
petterg
post May 7 2004, 07:56 AM
Post #2





There actually was a simple solution to this:

Make apache a member of the wheel group and have apache/php do
echo bradm_password | su bradm -c "sudo bruseradd"