Marcih Apprentice
Joined: 19 Feb 2018 Posts: 213
|
Posted: Sat Apr 14, 2018 8:29 am Post subject: [SOLVED] Allow only a specified group to execute shutdown |
|
|
I'm looking to give permission to run the shutdown command to a non-superuser using user groups. My idea was to create a group called "power" or "shutdown" (name is yet to be decided, submit your suggestions now!) and have users in that group be able to execute shutdown as root with the help of setuid.
From what I've understood reading the man page, doing chmod u+s /sbin/shutdown allows everybody to be able to run the command as if they were the owner of the file, i.e. root. I want to restrict this to only users in a specific group. Any ideas?
EDIT: Changed thread title from "Set rights flag on a file for a specific group only" to "[SOLVED] Allow only a specified group to execute shutdown" _________________
Bones McCracker wrote: | It wouldn't be so bad, if it didn't suck. |
NeddySeagoon wrote: | The problem with leaving is that you can only do it once and it reduces your influence. |
Last edited by Marcih on Sat Apr 14, 2018 5:54 pm; edited 1 time in total |
bunder Bodhisattva
Joined: 10 Apr 2004 Posts: 5937
|
Posted: Sat Apr 14, 2018 10:27 am Post subject: |
|
|
I would recommend sudo. Back in ye olde unix days, there was an operator user/group who had the ability to do almost-root level stuff, but its usefulness has kind of waned. I'd still go the sudo route though. _________________
Neddyseagoon wrote: | The problem with leaving is that you can only do it once and it reduces your influence. |
banned from #gentoo since sept 2017 |
Mr. T. Guru
Joined: 26 Dec 2016 Posts: 477
|
Posted: Sat Apr 14, 2018 11:58 am Post subject: |
|
|
Someone can find an answer in less than two minutes.
The thread title is ambivalent: someone may search for a particular answer or someone may search for a general answer.
This could lead to a waste of time for contributors and other users who search for a similar but potentially unrelated topic.
The particular issue prevails in your case, so you have to prioritize questions. Therefore, the real question would have been the one asked in the thread title.
Edit: revision to comply with Gentoo Guidelines.
Last edited by Mr. T. on Sat Apr 14, 2018 4:39 pm; edited 1 time in total |
John R. Graham Administrator
Joined: 08 Mar 2005 Posts: 10659 Location: Somewhere over Atlanta, Georgia
|
Posted: Sat Apr 14, 2018 1:11 pm Post subject: |
|
|
Mr. T. wrote: | Someone can find an answer for less than two minutes.
Lazy user!!
Edit: The thread title is ambivalent concerning a search!! |
Mr. T, although your post is technically correct and provides good sources, it's in violation of at least two Forum Guidelines: #8 (No bashing) and #10 (No personal attacks). It's perfectly fine to suggest that someone Read The Fine Manual, or even search before posting (Guideline #3, after all), but let's keep it civil. Also, it would be good if you read the Guidelines again as a refresher.
- John _________________ I can confirm that I have received between 0 and 499 National Security Letters. |
Hu Administrator
Joined: 06 Mar 2007 Posts: 22756
|
Posted: Sat Apr 14, 2018 4:16 pm Post subject: |
|
|
I concur with bunder. For completeness, if you really want to do as originally described, the traditional solution is to make the file mode 4710 and give it a group id matching the approved group. Users in that group will match the group id and be able to execute it because it is g+x. Users not in the group (other than the owner) will match other and be unable to execute it because it is o-x. Since they cannot run it at all, they cannot enjoy the setuid bit on it. Note that this has the minor undesirable aspect that non-privileged users cannot run the program even for "safe" purposes such as running with --help to see what options it accepts or, in the case of multifunction programs, running useful non-root functions. For the specific case, that undesirable aspect is probably acceptable to you. |
Marcih Apprentice
Joined: 19 Feb 2018 Posts: 213
|
Posted: Sat Apr 14, 2018 5:50 pm Post subject: |
|
|
Mr T.,
I have stumbled upon and read both of the topics quoted before posting as well as the man pages (does that count as a manual?) for shutdown, chmod and chown because, after all, I'm still new to the *nix world. Needless to say neither have been much help. I haven't needed sudo up until now and I intended for it to stay that way. The -a option on shutdown seemed to be ineffective, as much as I wish it worked. What I said in the OP was just an idea that I wanted to know whether it would even work since my attempts at it have not been successful.
I don't assume bad faith but there are better ways of putting your point across.
Hu,
I can't believe I didn't think of that before, thanks! So if I understand it correctly, the way suid/sgid works is it sets the user/group ID to the owner/group of the file regardless of who executes it? That would mean what I tried to do cannot be done. I'll mark the thread as solved and change the title to a more fitting one. _________________
Bones McCracker wrote: | It wouldn't be so bad, if it didn't suck. |
NeddySeagoon wrote: | The problem with leaving is that you can only do it once and it reduces your influence. |
Hu Administrator
Joined: 06 Mar 2007 Posts: 22756
|
Posted: Sat Apr 14, 2018 7:59 pm Post subject: |
|
|
That is how it works, and that's why, if I understood your request correctly, what you want is possible and is done in the way I described above. The key is to remove other-execute (o-x), so that only the owner of the file (and, if group execute is maintained, users in the group of the file) can run the program at all. If you leave other-execute enabled, then you let anyone run the program without restriction, and with the elevated rights from suid/sgid. Take a simple program such as sleep, give it various combinations of permissions, and run it with a long enough delay that you can inspect its /proc/PID/status file to see real/effective IDs. I suggest trying these permissions as a start:
Code:
chmod 755 /tmp/sleep
chmod 750 /tmp/sleep
chmod 4755 /tmp/sleep
chmod 4750 /tmp/sleep
chmod 4700 /tmp/sleep
Run all those combinations with ownership of root:root and ownership of root:GROUP, where GROUP is some group your user is a member of. (Also, be sure your shell is not marked with no_new_privs, since that's effectively a per-process nosuid flag and will completely ruin the whole test.)
You may need to use some other place for your temporary sleep, since if you followed good security practice, your /tmp will be noexec and nobody can run anything there. Take care not to change the permissions on the real /bin/sleep, both to avoid breaking anything while you experiment and to make it easier to clean up when you are done.
Regarding Mr. T., he shows up in many threads. If I understand correctly, he uses an English-to-X translator to read posts and an X-to-English translator to prepare his posts (for some language X that I cannot recall). As a result, nuance is often lost. |
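The checks from the post above, collected into a script as an added example that is not part of the original thread: it classifies who can run a file with its setuid bit, reads real/effective UIDs from /proc/PID/status, and reports the shell's no_new_privs flag. It assumes Linux with GNU stat; the function names are made up for this example.

```shell
#!/bin/sh
# Added example: read-only checks for the setuid experiment described above.
# Assumes Linux (/proc) and GNU stat; the function names are made up here.

# suid_scope FILE: print which class of users runs FILE with the owner's uid.
suid_scope() {
    raw=$(stat -c '%a %G' "$1") || return 1
    mode=$(printf '%04d' "${raw%% *}")   # pad to: special, owner, group, other
    group=${raw#* }
    special=${mode%???}
    own=${mode#?};  own=${own%??}
    grp=${mode#??}; grp=${grp%?}
    oth=${mode#???}
    if [ $((special & 4)) -eq 0 ]; then
        echo "no-setuid"                 # runs with the caller's own uid
    elif [ $((oth & 1)) -ne 0 ]; then
        echo "world"                     # o+x: users outside the group get it too
    elif [ $((grp & 1)) -ne 0 ]; then
        echo "group:$group"              # e.g. 4750 or 4710
    elif [ $((own & 1)) -ne 0 ]; then
        echo "owner-only"                # e.g. 4700
    else
        echo "nobody"                    # setuid bit set but no execute bit
    fi
}

# proc_uids PID: print "real effective" uid of a running process.
proc_uids() {
    awk '$1 == "Uid:" { print $2, $3 }' "/proc/$1/status"
}

# no_new_privs: print 1 if this shell has no_new_privs set, else 0.
no_new_privs() {
    awk '$1 == "NoNewPrivs:" { print $2 }' "/proc/$$/status"
}

# Stand-alone use: sh suid_check.sh /path/to/copy/of/sleep [PID]
if [ $# -ge 1 ]; then
    echo "no_new_privs=$(no_new_privs)"
    echo "scope=$(suid_scope "$1")"
    if [ -n "${2:-}" ]; then
        echo "uids(real effective)=$(proc_uids "$2")"
    fi
fi
```

For a root-owned copy with mode 4750, a group member's sleep shows a real UID of the caller and an effective UID of 0 in `proc_uids`; with no_new_privs set, or on a nosuid mount, both stay at the caller's UID.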
Ant P. Watchman
Joined: 18 Apr 2009 Posts: 6920
|
Posted: Sat Apr 14, 2018 8:21 pm Post subject: |
|
|
If you're using sysvinit, there's a dirty secret you ought to be aware of: /sbin/shutdown just writes a few magic bytes to /run/initctl (a FIFO file). You can make initctl writable by whoever you want while leaving /sbin/shutdown untouched, and it'll work. |
krinn Watchman
Joined: 02 May 2003 Posts: 7470
|
Posted: Sun Apr 15, 2018 7:55 am Post subject: |
|
|
Because no one has suggested it, this will also do the wanted job:
- a running script checking for a file's presence; if present, trigger shutdown (better with a delay)
- file presence in a directory restricted to a group, and better to use a volatile one (i.e. /run/myshutdown)
This way, as soon as a user creates the file in /run/shutdown, the script itself detects it and initiates the shutdown process.
No real changes to the system and no sudo. If your users are dumb, create a script that creates the file for them in the correct location and instruct them to use that script to shut down (you can make a /usr/bin/stop that just does touch /run/myshutdown/afile) |
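A sketch of the file-trigger watcher described in the post above, as an added example that is not part of the original thread. The group name "power", the polling interval and the function names are assumptions; the directory permissions are the actual access control, so the watcher refuses to act if the directory grants anything to "other".

```shell
#!/bin/sh
# Added example of the file-trigger approach; run as root, for instance from
# an init script. TRIGGER_DIR, the group "power" and the function names are
# assumptions made for this example. Assumes GNU stat.
TRIGGER_DIR=${TRIGGER_DIR:-/run/myshutdown}

# One-time setup as root, so only root and group members can create files:
#   install -d -o root -g power -m 0770 /run/myshutdown

# dir_is_restricted DIR: succeed only if DIR grants nothing to "other".
dir_is_restricted() {
    mode=$(stat -c '%a' "$1") || return 1
    case $mode in
        *0) return 0 ;;      # last octal digit 0: no rwx for other
        *)  return 1 ;;
    esac
}

# trigger_present DIR: 0 = trigger file found, 1 = none, 2 = DIR is not safe.
trigger_present() {
    dir_is_restricted "$1" || return 2
    for f in "$1"/*; do
        if [ -e "$f" ]; then return 0; fi
    done
    return 1
}

# watch_trigger DIR: poll, consume the trigger, then shut down with a delay.
watch_trigger() {
    while :; do
        rc=0
        trigger_present "$1" || rc=$?
        case $rc in
            0) rm -f "$1"/*
               shutdown -h +1 "requested via $1"
               return 0 ;;
            2) echo "refusing: $1 is missing or accessible to others" >&2
               return 2 ;;
        esac
        sleep 5
    done
}

if [ "${1:-}" = "run" ]; then watch_trigger "$TRIGGER_DIR"; fi
```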
Mr. T. Guru
Joined: 26 Dec 2016 Posts: 477
|
Posted: Sun Apr 15, 2018 8:47 am Post subject: |
|
|
Personally, I would have used sudo because it was developed for that. Otherwise, I would have hacked shutdown or OpenRC.
Otherwise, I would have used an Access Control List. |