| 1 |
Instead of all the "sudo su ...." stuff does this make things simpler. |
| 2 |
|
| 3 |
Add the following lines to /etc/sudoers (assuming you also have the |
| 4 |
emerge user) |
| 5 |
|
| 6 |
User_Alais EMERGE_ADMINS = user1, user2, user3 |
| 7 |
Host_Alais EMERGEABLE_HOSTS = host1, host2 |
| 8 |
Cmnd_Alias EMERGE = /usr/bin/emerge |
| 9 |
|
| 10 |
EMERGE_ADMINS EMERGEABLE_HOSTS = (emerge) EMERGE |
| 11 |
|
| 12 |
Are there any security problems with this? If you wanted you could add |
| 13 |
stuff to the Cmnd_Alias to restrict users from being able to unmerge |
| 14 |
packages... I think that would be like this... |
| 15 |
|
| 16 |
Cmnd_Alias EMERGE = /usr/bin/emerge, !/usr/bin/emerge *unmerge*, |
| 17 |
!/usr/bin/emerge *-C* |
| 18 |
|
| 19 |
~Michael |
| 20 |
|
| 21 |
Bart Alewijnse wrote: |
| 22 |
>>Bart Alewijnse wrote: |
| 23 |
>>| Errm. I was referring to the *user* 'emerge' - I wasn't aware you can |
| 24 |
>>| use su to execute binaries. sudo, yes, but su? 'sudo su emerge' would |
| 25 |
>>| cause sudo to run su with the command line parameter 'emerge' which |
| 26 |
>>| can only be a username - rather than hand sudo two executable names, |
| 27 |
>>| right? |
| 28 |
>>| But if you're paranoid, you could likely require the path to emerge in |
| 29 |
>>| sudoers, so that it'd have to be |
| 30 |
>>| 'sudo su /usr/bin/emerge' - or possibly just that it'd only accept |
| 31 |
>>| running emerge if the actual emerge binary being suggested for running |
| 32 |
>>| is the one in /usr/bin. Since you don't have direct accidental access |
| 33 |
>>| to that as either considered user, it's not a risk. |
| 34 |
>>| |
| 35 |
>>Yes, su can run commands with the -c option. So 'su root -c "rm -rf /"' |
| 36 |
>>would blow away your system. However, in your example you don't have |
| 37 |
> |
| 38 |
> |
| 39 |
> Good point, didn't know that. |
| 40 |
> |
| 41 |
> But root? What? I was suggesting only su-ing from selected users to |
| 42 |
> the 'emerge' user. |
| 43 |
> |
| 44 |
> The worst you could do then is probably 'sudo su emerge -c |
| 45 |
> /evil/emergee', which would then be executed as emerge - which I was |
| 46 |
> assuming to be a non-admin account, just as a syntactic command line |
| 47 |
> sugar inbetween step. |
| 48 |
> |
| 49 |
> The point to that was that people that would emerge would both have a |
| 50 |
> common account (possibly good for config files), but just to the |
| 51 |
> point, that that's a nice conceptual location you could run the actual |
| 52 |
> emerge binary from - again, through sudo, because if emerge is an |
| 53 |
> admin acccount, it might as well be root itself. |
| 54 |
> |
| 55 |
> |
| 56 |
> Actually, indeed, just adjusting sudoers to have specific people have |
| 57 |
> the ability to run /usr/bin/emerge would be enough, pretty much |
| 58 |
> period. |
| 59 |
> |
| 60 |
> |
| 61 |
> And if not that, according to taste and as someone just mailed me, you |
| 62 |
> also do what I suggest in one step, indeed with a 'sudu so -c |
| 63 |
> /usr/bin/emerge' with assorted |
| 64 |
> things-you-actually-also-need-in-reality(tm) (again, I've not used |
| 65 |
> sudo much at all) |
| 66 |
> |
| 67 |
> That's indeed simpler systemwise. I was just going for the |
| 68 |
> understandable-for-people-not-on-this-list (and possibly myself next |
| 69 |
> week) angle. Rather pointless, really. There are such things as |
| 70 |
> scripts:) |
| 71 |
> |
| 72 |
> |
| 73 |
> Interesing suggestion, but how exactly would you break out of chroot |
| 74 |
> once you're properly authenticated? I mean, there's very little point |
| 75 |
> to running emerge within a chrooted environment, right? You're doing |
| 76 |
> something cleaner, though, so do please explain. |
| 77 |
> |
| 78 |
> |
| 79 |
> But as I keep saying, security is entirely moot in this matter, as bad |
| 80 |
> intentsions are met with essential root access no matter what you do, |
| 81 |
> because emerge itself needs it. It's better than giving them root |
| 82 |
> access as accidental typo's could be entirely fatal there, but not as |
| 83 |
> the emerge user - unless you did something stupid with emerge, but |
| 84 |
> then you shouldn't be emerging in the first place. |
| 85 |
> |
| 86 |
> --Bart Alewijnse |
| 87 |
> |
| 88 |
> -- |
| 89 |
> gentoo-security@g.o mailing list |
| 90 |
> |
| 91 |
|
| 92 |
|
| 93 |
-- |
| 94 |
gentoo-security@g.o mailing list |
Archives