Date: Tue, 14 May 2024 15:09:24 +0200
From: Baptiste Daroussin <bapt@freebsd.org>
To: Tomek CEDRO <tomek@cedro.info>
Cc: hackers@freebsd.org
Subject: Re: mdo(1) run as another user without setuid bit
Message-ID: <m6bkj3ex72ce6fhiexcs5nwispbtuxgmrhftjomuelrbmuv4zh@ploiihokrkuo>
In-Reply-To: <CAFYkXj=tRCbK-cKVRxUhSbh_-5e9KO5yOjtrt9sREzweNWE=+g@mail.gmail.com>
References: <2y3wjlrzgxocjxtwnx7avo5xuukkee4lvfjlppqpm3kfbqsrvt@nfszfoezpz3d> <CAFYkXj=tRCbK-cKVRxUhSbh_-5e9KO5yOjtrt9sREzweNWE=+g@mail.gmail.com>
On Tue 14 May 15:04, Tomek CEDRO wrote:
> On Tue, May 14, 2024 at 9:17 AM Baptiste Daroussin wrote:
> > Hello everyone,
> >
> > This is an idea that I have been thinking about for a while (actually since
> > 2015) and that I have been trying to implement a couple of days ago.
> >
> > On server usage of FreeBSD one thing which often happens is we segregate services
> > with their own users (service_user).
> >
> > We also give access to the administrators of those services via their own ssh
> > keys on their own user (foo) account and of course we want to allow "foo" to run
> > some commands as "service_user" or get "service_user" privileges.
> >
> > Usually this is done via some sudo or some doas configuration which both
> > involve first becoming root via the setuid bit.
> >
> > In many cases doas or sudo are overkill for this sole purpose. To cover this
> > need, I thought we could write a very simple tool which will leverage the MAC
> > framework to make sure we could switch credentials without the need of the
> > setuid root.
> >
> > Here comes the idea of the mac_do(4) policy.
> >
> > This is a kernel module policy which allows calling setuid and setgroups from a
> > non-root user, according to some policy root and if the request comes from the
> > /usr/bin/mdo binary.
> >
> > (..)
>
> So when I have several users / client accounts to manage I can use my
> standard non-root user to perform actions on behalf of enabled users...
> just like su client1 but without providing a password? Will the env also be
> switched to that target user? :-)

Yes, about the "like su client1".

About the env, right now, no, but the set of features provided by mdo(1) can be
discussed here, as long as it remains really simple.

Best regards,
Bapt
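The credential switch the thread describes, as an added example that is not mdo(1)'s or mac_do(4)'s own code: the user-space half of an mdo-style tool, which changes supplementary groups, primary gid and uid in that order and refuses to exec if any step failed. The `switch_to_user` function and the `MDO_*` return codes are assumptions of this example; whether the kernel lets a non-root process make these calls is decided by root or by a policy such as mac_do(4), not by this program.

```c
#define _DEFAULT_SOURCE /* initgroups() prototype on glibc */
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <unistd.h>

/* Hypothetical return codes for this example. */
enum { MDO_OK = 0, MDO_ERR_NO_USER = -1, MDO_ERR_GROUPS = -2,
       MDO_ERR_GID = -3, MDO_ERR_UID = -4, MDO_ERR_VERIFY = -5 };

/* Switch the calling process to `name`: supplementary groups first, then
 * the primary gid, then the uid. The order matters: once the uid has been
 * changed the process can no longer adjust its groups, so a reversed
 * sequence silently keeps the caller's old group memberships. Every step
 * is checked; an unchecked setuid() is the classic bug in tools of this
 * kind. Without root or a policy granting the switch, the kernel refuses
 * these calls with EPERM and the function reports which step failed. */
int switch_to_user(const char *name)
{
    struct passwd *pw = getpwnam(name);
    if (pw == NULL)
        return MDO_ERR_NO_USER;
    if (initgroups(pw->pw_name, pw->pw_gid) != 0)
        return MDO_ERR_GROUPS;
    if (setgid(pw->pw_gid) != 0)
        return MDO_ERR_GID;
    if (setuid(pw->pw_uid) != 0)
        return MDO_ERR_UID;
    /* Confirm that both real and effective ids actually changed. */
    if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid ||
        getgid() != pw->pw_gid || getegid() != pw->pw_gid)
        return MDO_ERR_VERIFY;
    return MDO_OK;
}

int main(int argc, char **argv)
{
    if (argc < 3) {
        fprintf(stderr, "usage: %s user command [args...]\n", argv[0]);
        return 64;
    }
    int rc = switch_to_user(argv[1]);
    if (rc != MDO_OK) {
        fprintf(stderr, "cannot become %s (code %d)\n", argv[1], rc);
        return 1;
    }
    execvp(argv[2], argv + 2);   /* only reached with the new credentials */
    perror("execvp");
    return 127;
}
```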