List: freebsd-hackers (Technical discussions relating to FreeBSD)
List-Archive: https://lists.freebsd.org/archives/freebsd-hackers
From: Tomek CEDRO
Date: Tue, 14 May 2024 15:04:57 +0200
Subject: Re: mdo(1) run as another user without setuid bit
To: Baptiste Daroussin
Cc: hackers@freebsd.org
In-Reply-To: <2y3wjlrzgxocjxtwnx7avo5xuukkee4lvfjlppqpm3kfbqsrvt@nfszfoezpz3d>
On Tue, May 14, 2024 at 9:17 AM Baptiste Daroussin wrote:

> Hello everyone,
>
> This is an idea that I have been thinking about for a while (actually since
> 2015) and that I have been trying to implement a couple of days ago.
>
> On server usage of FreeBSD one thing which often happens is we segregate services
> with their own users (service_user).
>
> We also give access to the administrators of those services via their own ssh
> keys on their own user (foo) account and of course we want to allow "foo" to run
> some commands as "service_user" or get "service_user" privileges.
>
> Usually this is done via some sudo or some doas configuration which both
> involve first becoming root via the setuid bit.
>
> In many cases doas or sudo are overkill for this sole purpose. To cover this
> need, I thought we could write a very simple tool which will leverage the mac
> framework to make sure we could switch credentials without the need of the
> setuid root.
>
> Here comes the idea of mac_do(4) policy.
>
> This is a kernel module policy which allows calling setuid and setgroup from a
> non root user, according to some policy root and if the request comes from the
> /usr/bin/mdo binary.
>
> (..)

So when I have several users / client accounts to manage I can use my standard
non-root user to perform actions on behalf of enabled users... just like
`su client1` but without providing a password? Will the env also be switched to
that target user? :-)

-- 
CeDeROM, SQ7MHZ, http://www.tomek.cedro.info
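The credential switch that the quoted proposal wants to allow without root, shown as an added example in C. This is not mdo's code and not part of the thread; the program, its `switch_credentials` and `credentials_match` helpers and its command-line shape are assumptions for illustration. The point it makes is the gap mac_do(4) is meant to close: on a stock kernel an unprivileged process gets EPERM from setgroups(2)/setgid(2)/setuid(2) as soon as the target differs from its own ids, so today a tool has to be setuid root to get past that line. The policy syntax that decides which user may switch to which is not shown, because this message does not give it.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Returns 1 when real and effective uid/gid all equal the target, else 0.
 * A switch that leaves the effective id behind is a partial switch and a
 * credential-switching tool must treat it as a failure, not a success. */
int credentials_match(uid_t uid, gid_t gid)
{
    return getuid() == uid && geteuid() == uid &&
           getgid() == gid && getegid() == gid;
}

/* Switch the calling process to uid/gid, with the supplementary group list
 * reduced to just gid. Order matters: groups and gid first, because once
 * setuid() succeeds the process may no longer be allowed to change them.
 * Returns 0 on success, otherwise the errno of the failing call. Without
 * root (or a policy such as the proposed mac_do(4) permitting it), an
 * unprivileged caller gets EPERM here unless the target equals its own ids. */
int switch_credentials(uid_t uid, gid_t gid)
{
    gid_t groups[1] = { gid };

    if (setgroups(1, groups) != 0)
        return errno;
    if (setgid(gid) != 0)
        return errno;
    if (setuid(uid) != 0)
        return errno;
    /* Verify rather than trust: a kernel or wrapper that silently changed
     * only the effective id would otherwise go unnoticed. */
    if (!credentials_match(uid, gid))
        return EPERM;
    return 0;
}

/* Hypothetical driver (not mdo's real CLI): ./a.out <uid> <gid> [command...] */
int main(int argc, char **argv)
{
    if (argc < 3) {
        fprintf(stderr, "usage: %s uid gid [command ...]\n", argv[0]);
        return 2;
    }
    uid_t uid = (uid_t)strtoul(argv[1], NULL, 10);
    gid_t gid = (gid_t)strtoul(argv[2], NULL, 10);

    int rc = switch_credentials(uid, gid);
    if (rc != 0) {
        fprintf(stderr, "credential switch refused: %s\n", strerror(rc));
        return 1;
    }
    printf("now uid=%u euid=%u gid=%u egid=%u\n",
           (unsigned)getuid(), (unsigned)geteuid(),
           (unsigned)getgid(), (unsigned)getegid());
    if (argc > 3) {
        /* Environment is inherited unchanged here; resetting HOME, USER and
         * PATH for the target user is a separate decision the tool must make. */
        execvp(argv[3], &argv[3]);
        perror("execvp");
        return 1;
    }
    return 0;
}
```

Run as an ordinary user with someone else's uid/gid, the switch is refused with "Operation not permitted"; run with your own uid/gid it still fails on setgroups(2) on most kernels, which shows that even a no-op group reset is a privileged call. The decision of who may become whom belongs in the kernel policy, not in the userland tool, so the program above deliberately contains no such check of its own.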