Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
Allow rwx (perm) for a single dir without implying parents?
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Networking & Security
View previous topic :: View next topic  
Author Message
kgdrenefort
Guru
Guru


Joined: 19 Sep 2023
Posts: 312
Location: Somewhere in the 77

PostPosted: Tue Jul 30, 2024 9:34 am    Post subject: Allow rwx (perm) for a single dir without implying parents? Reply with quote

Hello,

I face a new problem with how I manage my ownership, groups and permissions on a sub-directory list of files and directories.

This might be me being delusional, but so far I had a working permissions and ownership schemes for my web servers sub-directory list.

The scenario :

My server hold datas inside a mounted disk, this disk contains many directories and one, called " server ".

/mnt/server it is, the permissions are d rwx r-x r-x (755 then), for srvadm:nginx. While srvadm is the user I persona to works inside this /mnt/server/www directory I'm facing problem with.

/mnt/server/www is d rwx r-x --- (750 then), for srvadm:nginx. The idea here was to allow both user srvadm to act when needed and allowing nginx to act as well without allowing anyone else to even be able to read anything, for CMS I only enable nginx:nginx, for simple HTML/CSS site I use srvadm:nginx and for now it works like a charm.

The problem :

A local (LAN) user needs to connect from SSH to this server, connected as (let's say) dumbuser. This dumbuser needs to open one only and single directory (execution, then) and be able to read, write and execute as much as needed only in this directory, and only be able to access it without being able to reach anything else.

So, if the needed path for dumbuser is /mnt/server/www/somedir1/anothersubdir1, this should be executable for this user and only be able to read, write and execute inside. So this user should not be able to access (open) any other dir (brother or parents) that is not a child of his target : /mnt/server/www/somedir2 should be forbidden, as another other brothers, as of course /mnt/server/www/somedir1/anothersubdir2 is also forbidden.

To achieve that, I tried to add dumbuser to nginx group, to test a bit, it can't go inside /mnt/server/www but can access /mnt/server, since this path is for other r-x, which is not the case for /mnt/server/www. I'm a bit out of idea to do that without breaking my home-made law of forbidding everything to this dir to " other " ?

Am I trying to do something impossible ?

How could I open a " magic teleporter " for dumbuser to access (rwx for files as dir) /mnt/server/www/somedir1/anothersubdir1 and not anything else ?

I hope this is clear, if it's not don't hesitate to ask me to reformulate.

PS: To the question « Why simply don't use srvadm ? » I'll simply answer that this user is not made for this, it's a private user and this dumbuser should only be able to execute only this specific dir and rwx in it. For, many reasons, security (at least not allowing this person to do a mistake, it's safer this way I think).

Regards,
GASPARD DE RENEFORT Kévin
_________________
Traduction wiki, pour praticiper.
Custom logos/biz card/website.
Back to top
View user's profile Send private message
pingtoo
Veteran
Veteran


Joined: 10 Sep 2021
Posts: 1236
Location: Richmond Hill, Canada

PostPosted: Tue Jul 30, 2024 11:25 am    Post subject: Reply with quote

I suggest for the given "dumbuser" with restricted login shell with home set to /mnt/server/www/somedir1/anothersubdir1

restricted shell usually design to only allow work in the given directory and its descendant and only execute program that is in defined PATH variable.

Please note, restricted shell is not a security feature, it is mean to support casual user to prevent unwanted mistake.
Back to top
View user's profile Send private message
Hu
Administrator
Administrator


Joined: 06 Mar 2007
Posts: 22619

PostPosted: Tue Jul 30, 2024 12:03 pm    Post subject: Reply with quote

To operate on a directory, a user needs search on every traversed directory, or the capability to bypass the permissions check. If you want dumbuser not to be a member of group nginx, then an ACL could grant to dumbuser the search permission on the required directories. You say dumbuser is a member of nginx, so what you describe seems to me like it should have worked. Per Guidelines item #4, please show us the actual state:
  • As root, the output of namei -l /mnt/server/www/somedir1/anothersubdir1 /mnt/server/www/somedir1/anothersubdir2
  • As dumbuser, that same command, and the output of id.
  • As dumbuser, the output of > /mnt/server/www/somedir1/anothersubdir1/tempfile ; > /mnt/server/www/somedir1/anothersubdir2/tempfile, so that we can see whether the user can really write to those directories.
Back to top
View user's profile Send private message
szatox
Advocate
Advocate


Joined: 27 Aug 2013
Posts: 3420

PostPosted: Tue Jul 30, 2024 1:03 pm    Post subject: Reply with quote

Quote:
So, if the needed path for dumbuser is /mnt/server/www/somedir1/anothersubdir1, this should be executable for this user and only be able to read, write and execute inside. So this user should not be able to access (open) any other dir (brother or parents) that is not a child of his target : /mnt/server/www/somedir2 should be forbidden, as another other brothers, as of course /mnt/server/www/somedir1/anothersubdir2 is also forbidden.


To access a file you must have respective permission on that file + at least enter (--x) on all directories in the path.
x without r does not allow you to list contents of directory, you must already know the exact filename.

Quote:
How could I open a " magic teleporter " for dumbuser to access (rwx for files as dir) /mnt/server/www/somedir1/anothersubdir1 and not anything else ?
mount --bind to a location dumbuser can already access
_________________
Make Computing Fun Again
Back to top
View user's profile Send private message
no101
n00b
n00b


Joined: 10 Oct 2022
Posts: 13
Location: Piney Woods

PostPosted: Tue Jul 30, 2024 2:09 pm    Post subject: Reply with quote

Not a direct solution but you could work around the problem and use a bind mount to (also) mount the directory in dumbuser's home directory. Something like...
Code:
dumbuser$ mkdir ~/anothersubdir1
# mount --bind /mnt/server/www/somedir1/anothersubdir1 ~dumbuser/anothersubdir1

As long as the final directory in /mnt/server/www/somedir1/anothersubdir1 is writable by dumbuser, the permissions on the parent directory don't matter because dumbuser's view of the tree has ~dumbuser as the parent dir.

So dumbuser can write to ~/anothersubdir1 but not /mnt/server/www/somedir1/anothersubdir1. Because of the bind mount, both paths point to the same files. As a bonus, you don't expose parent or sibling directories directly to dumbuser.
Back to top
View user's profile Send private message
kgdrenefort
Guru
Guru


Joined: 19 Sep 2023
Posts: 312
Location: Somewhere in the 77

PostPosted: Thu Aug 01, 2024 7:32 am    Post subject: Reply with quote

Hu wrote:
To operate on a directory, a user needs search on every traversed directory, or the capability to bypass the permissions check. If you want dumbuser not to be a member of group nginx, then an ACL could grant to dumbuser the search permission on the required directories. You say dumbuser is a member of nginx, so what you describe seems to me like it should have worked. Per Guidelines item #4, please show us the actual state:
  • As root, the output of namei -l /mnt/server/www/somedir1/anothersubdir1 /mnt/server/www/somedir1/anothersubdir2
  • As dumbuser, that same command, and the output of id.
  • As dumbuser, the output of > /mnt/server/www/somedir1/anothersubdir1/tempfile ; > /mnt/server/www/somedir1/anothersubdir2/tempfile, so that we can see whether the user can really write to those directories.


I stop to hide the real path and such, I think this will complicate so much the debugs for nothing much, will just hide the domain :

Code:
Mephistopheles ~ # namei -l /mnt/server/www/project/LEA/forum.xxx.org/prod/htdocs/cache/themes/ /mnt/server/www/project/LEA/forum.xxx.org/prod/htdocs/install/
f: /mnt/server/www/project/LEA/forum.xxx.org/prod/htdocs/cache/themes/
drwxr-xr-x root   root   /
drwxr-xr-x root   root   mnt
drwxr-xr-x srvadm nginx  server
drwxr-x--- srvadm nginx  www
drwxr-x--- srvadm nginx  project
drwxr-xr-x srvadm srvadm LEA
drwxr-x--- nginx  nginx  xxx
drwxr-x--- nginx  nginx  prod
drwxr-x--- nginx  nginx  htdocs
drwxrwxrwx nginx  nginx  cache
drwxr-x--- nginx  nginx  themes
f: /mnt/server/www/project/LEA/forum.xxx.org/prod/htdocs/install/
drwxr-xr-x root   root   /
drwxr-xr-x root   root   mnt
drwxr-xr-x srvadm nginx  server
drwxr-x--- srvadm nginx  www
drwxr-x--- srvadm nginx  project
drwxr-xr-x srvadm srvadm LEA
drwxr-x--- nginx  nginx  forum.xxx.org
drwxr-x--- nginx  nginx  htdocs
drwxr-x--- nginx  nginx  install


Code:
justine@Mephistopheles ~ $ namei -l /mnt/server/www/project/LEA/forum.xxx.org/prod/htdocs/cache/themes/ /mnt/server/www/project/LEA/forum.xxx.org/prod/htdocs/install/
f: /mnt/server/www/project/LEA/forum.xxx.org/prod/htdocs/cache/themes/
drwxr-xr-x root   root   /
drwxr-xr-x root   root   mnt
drwxr-xr-x srvadm nginx  server
drwxr-x--- srvadm nginx  www
drwxr-x--- srvadm nginx  project
drwxr-xr-x srvadm srvadm LEA
drwxr-x--- nginx  nginx  forum.xxx.org
drwxr-x--- nginx  nginx  prod
drwxr-x--- nginx  nginx  htdocs
drwxrwxrwx nginx  nginx  cache
drwxr-x--- nginx  nginx  themes
f: /mnt/server/www/project/LEA/forum.xxx.org/prod/htdocs/install/
drwxr-xr-x root   root   /
drwxr-xr-x root   root   mnt
drwxr-xr-x srvadm nginx  server
drwxr-x--- srvadm nginx  www
drwxr-x--- srvadm nginx  project
drwxr-xr-x srvadm srvadm LEA
drwxr-x--- nginx  nginx  forum.xxx.org
drwxr-x--- nginx  nginx  prod
drwxr-x--- nginx  nginx  htdocs
drwxr-x--- nginx  nginx  install


justine being that « dumb user » :
Code:
justine@Mephistopheles ~ $ id
uid=1003(justine) gid=1003(justine) groupes=1003(justine),82(nginx),100(users)


While I add to add «test» at the end of the last both commands otherwise it was just saying these are dir :

Code:
justine@Mephistopheles ~ $ LC_ALL=C > /mnt/server/www/project/LEA/forum.xxx.org/prod/htdocs/cache/themes/test ; > /mnt/server/www/project/LEA/forum.xxx.org/prod/htdocs/install/test
-bash: /mnt/server/www/project/LEA/forum.xxx.org/prod/htdocs/cache/themes/test: Permission denied
-bash: /mnt/server/www/project/LEA/forum.xxx.org/prod/htdocs/install/test: Permission denied


Thanks for your time.

Regards,
GASPARD DE RENEFORT
_________________
Traduction wiki, pour praticiper.
Custom logos/biz card/website.
Back to top
View user's profile Send private message
kgdrenefort
Guru
Guru


Joined: 19 Sep 2023
Posts: 312
Location: Somewhere in the 77

PostPosted: Thu Aug 01, 2024 7:35 am    Post subject: Reply with quote

pingtoo wrote:
I suggest for the given "dumbuser" with restricted login shell with home set to /mnt/server/www/somedir1/anothersubdir1

restricted shell usually design to only allow work in the given directory and its descendant and only execute program that is in defined PATH variable.

Please note, restricted shell is not a security feature, it is mean to support casual user to prevent unwanted mistake.


I used in my previous job something like that. So far as I remember, it was painful until it was sets, then it was really sweet. Can't remember any name right now, will take a look, thanks.

no101 wrote:
Not a direct solution but you could work around the problem and use a bind mount to (also) mount the directory in dumbuser's home directory. Something like...
Code:
dumbuser$ mkdir ~/anothersubdir1
# mount --bind /mnt/server/www/somedir1/anothersubdir1 ~dumbuser/anothersubdir1

As long as the final directory in /mnt/server/www/somedir1/anothersubdir1 is writable by dumbuser, the permissions on the parent directory don't matter because dumbuser's view of the tree has ~dumbuser as the parent dir.

So dumbuser can write to ~/anothersubdir1 but not /mnt/server/www/somedir1/anothersubdir1. Because of the bind mount, both paths point to the same files. As a bonus, you don't expose parent or sibling directories directly to dumbuser.


I also had this idea but I wasn't sure that binding would allow such access, to me it was still needing the full perm path, but I do not do much bind so it's time to take a try, thanks. As for szatox answer as well.

Regards,
GASPARD DE RENEFORT Kévin
_________________
Traduction wiki, pour praticiper.
Custom logos/biz card/website.
Back to top
View user's profile Send private message
kgdrenefort
Guru
Guru


Joined: 19 Sep 2023
Posts: 312
Location: Somewhere in the 77

PostPosted: Fri Aug 02, 2024 1:24 pm    Post subject: Reply with quote

Hello,

I tried to mount a directory within dumbuser /home (aka justine here).

Then once it was mounted, I tried to write, which is sadly not working (and I was expecting this). I used :

Code:
mount --rbind -o rw /target/path/in/documentroot /home/justine/some/dir/to/works/from


I had to change the owner to justine:nginx to allow her the permissions to work inside.

To be honest, I could barely not care since this is needed only for a few weeks, while this site is online but protected by htpasswd file for access, as IP, it's not referenced on any web search engine respecting robots.txt rules and there is only me and 4 others peoples knowing it. So… even if somehow it could be bad, or not, there is no real security problem here I think.

But, at the same time, it would be great to achieve what I want : Giving access to this user to a small parts of a MyBB directory, being /cache/themes, because this one doesn't wants to edit HTML/CSS with the GUI provided by MyBB or plugins. Since I like my users to be in ease…

Anyway, this is not solved per se, but at least for now I have this workaround…

Steps to mount and give read, write and execution to the user:

1/ From the account of this annoying user, create within it's home a path or a single folder, what ever :
Code:
$ mkdir -p ~/DocumentRoot/nameofthesite/themes


2/ From root or super-user account (hi sudo users), mount from the target (inside the DocumentRoot) to the working directory of this annoying user :
Code:
# mount --rbind -o rw /target/path/in/document/root/cache/themes /home/justine/DocumentRoot/nameofthesite/themes


3/ Still from this root or super-user account, give temporary access by changing the user owning the themes directory, while keeping groups for web server :
Code:
# chown -R justine:nginx /home/justine/DocumentRoot/nameofthesite/themes

(it should work the same if you do the last command on the real directory inside the actual document root)

4/ Giving back the goods ownership before unmounting, still with powered user :
Code:
# chown nginx:nginx /home/justine/DocumentRoot/nameofthesite/themes


5/ Once there is no more needs to allow this users to works in this dirty way, from root still (or super-user) :
Code:
# umount /home/justine/DocumentRoot/nameofthesite/themes


It's really bad in my opinion, and I would be glad to have better worksaround that this stuff, still it's working so far. Will have to test it more and report if I did said dog crap :).

Regards,
GASPARD DE RENEFORT Kévin
_________________
Traduction wiki, pour praticiper.
Custom logos/biz card/website.
Back to top
View user's profile Send private message
Hu
Administrator
Administrator


Joined: 06 Mar 2007
Posts: 22619

PostPosted: Fri Aug 02, 2024 2:21 pm    Post subject: Reply with quote

kgdrenefort wrote:
Code:
Mephistopheles ~ # namei -l /mnt/server/www/project/LEA/forum.xxx.org/prod/htdocs/cache/themes/ /mnt/server/www/project/LEA/forum.xxx.org/prod/htdocs/install/
f: /mnt/server/www/project/LEA/forum.xxx.org/prod/htdocs/cache/themes/
drwxr-x--- nginx  nginx  htdocs
drwxrwxrwx nginx  nginx  cache
drwxr-x--- nginx  nginx  themes
justine being that « dumb user » :
Code:
justine@Mephistopheles ~ $ id
uid=1003(justine) gid=1003(justine) groupes=1003(justine),82(nginx),100(users)
Code:
justine@Mephistopheles ~ $ LC_ALL=C > /mnt/server/www/project/LEA/forum.xxx.org/prod/htdocs/cache/themes/test ; > /mnt/server/www/project/LEA/forum.xxx.org/prod/htdocs/install/test
-bash: /mnt/server/www/project/LEA/forum.xxx.org/prod/htdocs/cache/themes/test: Permission denied
This result looks correct to me. The user justine can successfully search every level of the path. The user can write files in cache, since that directory is world writable. The user cannot write files in themes, because that user is not nginx, and only the user nginx has write access to themes. Neither the nginx group (of which justine is a member) nor members of "other" have write permission to themes. Give justine or justine's groups write access to themes.
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Networking & Security All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum