Date: Tue, 14 May 2024 15:04:57 +0200
From: Tomek CEDRO <tomek@cedro.info>
To: Baptiste Daroussin <bapt@freebsd.org>
Cc: hackers@freebsd.org
Subject: Re: mdo(1) run as another user without setuid bit
Message-ID: <CAFYkXj=tRCbK-cKVRxUhSbh_-5e9KO5yOjtrt9sREzweNWE=%2Bg@mail.gmail.com>
In-Reply-To: <2y3wjlrzgxocjxtwnx7avo5xuukkee4lvfjlppqpm3kfbqsrvt@nfszfoezpz3d>
References: <2y3wjlrzgxocjxtwnx7avo5xuukkee4lvfjlppqpm3kfbqsrvt@nfszfoezpz3d>
On Tue, May 14, 2024 at 9:17 AM Baptiste Daroussin wrote:
> Hello everyone,
>
> This is an idea that I have been thinking about for a while (actually since
> 2015) and that I have been trying to implement a couple of days ago.
>
> On server usage of FreeBSD one thing which often happens is we segregate services
> with their own users (service_user).
>
> We also give access to the administrators of those services via their own ssh
> keys on their own user (foo) account and of course we want to allow "foo" to run
> some commands as "service_user" or get "service_user" privileges.
>
> Usually this is done via some sudo or some doas configuration which both
> involve first becoming root via the setuid bit.
>
> In many cases doas or sudo are overkill for this sole purpose. To cover this
> need, I thought we could write a very simple tool which will leverage the mac
> framework to make sure we could switch credentials without the need of the
> setuid root.
>
> Here comes the idea of mac_do(4) policy.
>
> This is a kernel module policy which allows calling setuid and setgroup from a
> non root user, according to some policy root and if the request comes from the
> /usr/bin/mdo binary.
> (..)

So when I have several users / client accounts to manage, I can use my standard non-root user to perform actions on behalf of enabled users, just like su client1 but without providing a password? Will the env also be switched to that target user? :-)

--
CeDeROM, SQ7MHZ, http://www.tomek.cedro.info