Date: Tue, 14 May 2024 09:17:13 +0200 From: Baptiste Daroussin <bapt@freebsd.org> To: hackers@freebsd.org Subject: mdo(1) run as another user without setuid bit Message-ID: <2y3wjlrzgxocjxtwnx7avo5xuukkee4lvfjlppqpm3kfbqsrvt@nfszfoezpz3d>
next in thread | raw e-mail | index | archive | help
Hello everyone, This is an idea that I have been thinking about for a while (actually since 2015) and that I have been trying to implement a couple of days ago. On server usage of FreeBSD one thing which often happen is we segregate services with their own users (service_user). We also give access to the administrators of those services via their own ssh keys on their own user (foo) account and of course we want to allow "foo" to run some commands as "service_user" or get "service_user" privileges. Usually this is done via some sudo or some doas configuration which both involved first become root via the setuid bit. In many cases doas or sudo are overkill for this sole purpose. To cover this need, I thought we could write a very simple tool which will leverage the mac framework to make sure we could switch credentials without the need of the setuid root. Here comes the idea of mac_do(4) policy. This is a kernel module policy which allows calling setuid and setgroup from a non root user, according to some policy root and if the request comes from the /usr/bin/mdo binary. The policy are set via sysctl(8): security.mac.do.rules which contains a list of rules separated with coma, for example: uid=1001:80,gid=0:1003,uid=1002:* which can be translated as: the user which id is 1001 can become uid 80 the users belonging to the group which id is 0 can become any user 1003 the user which id is 1002 can become any user. This is only intended to allow full access to the target user, this is not intended to provide fine grain accès like sudo, doas or userv can do. Here is an implementation of this idea: https://reviews.freebsd.org/D45145 Best regards, Bapt
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?2y3wjlrzgxocjxtwnx7avo5xuukkee4lvfjlppqpm3kfbqsrvt>