kgdrenefort Guru
Joined: 19 Sep 2023 Posts: 312 Location: Somewhere in the 77
Posted: Tue Jul 30, 2024 9:34 am Post subject: Allow rwx (perm) for a single dir without implying parents?

Hello,
I face a new problem with how I manage ownership, groups and permissions on a sub-directory tree of files and directories.
This might be me being delusional, but so far I had a working permissions and ownership scheme for my web servers' sub-directory tree.
The scenario:
My server holds data inside a mounted disk; this disk contains many directories, and one called "server".
/mnt/server it is, then; the permissions are d rwx r-x r-x (755), for srvadm:nginx. srvadm is the user I work as inside this /mnt/server/www directory I'm facing problems with.
/mnt/server/www is d rwx r-x --- (750), for srvadm:nginx. The idea here was to allow both user srvadm to act when needed and nginx to act as well, without allowing anyone else to even be able to read anything. For a CMS I only enable nginx:nginx, for a simple HTML/CSS site I use srvadm:nginx, and for now it works like a charm.
The problem:
A local (LAN) user needs to connect over SSH to this server, logged in as (let's say) dumbuser. This dumbuser needs to open one single directory (execute, then) and be able to read, write and execute as much as needed only in this directory, and only be able to access it without being able to reach anything else.
So, if the needed path for dumbuser is /mnt/server/www/somedir1/anothersubdir1, this should be executable for this user, who should only be able to read, write and execute inside it. So this user should not be able to access (open) any other dir (sibling or parent) that is not a child of his target: /mnt/server/www/somedir2 should be forbidden, as should any other siblings, and of course /mnt/server/www/somedir1/anothersubdir2 is also forbidden.
To achieve that, I tried to add dumbuser to the nginx group, to test a bit: it can't go inside /mnt/server/www but can access /mnt/server, since this path is r-x for other, which is not the case for /mnt/server/www. I'm a bit out of ideas on how to do that without breaking my home-made law of forbidding everything in this dir to "other"?
Am I trying to do something impossible?
How could I open a "magic teleporter" for dumbuser to access (rwx for files as for dirs) /mnt/server/www/somedir1/anothersubdir1 and nothing else?
I hope this is clear; if it's not, don't hesitate to ask me to reformulate.
PS: To the question « Why don't you simply use srvadm? » I'll simply answer that this user is not made for this; it's a private user, and this dumbuser should only be able to execute only this specific dir and rwx in it. For many reasons, security (at least not allowing this person to make a mistake; it's safer this way I think).
Regards,
GASPARD DE RENEFORT Kévin
_________________
Wiki translation, to practise.
Custom logos/biz card/website.
pingtoo Veteran
Joined: 10 Sep 2021 Posts: 1223 Location: Richmond Hill, Canada
Posted: Tue Jul 30, 2024 11:25 am

I suggest, for the given "dumbuser", a restricted login shell with home set to /mnt/server/www/somedir1/anothersubdir1.
A restricted shell is usually designed to only allow work in the given directory and its descendants, and to only execute programs that are in the defined PATH variable.
Please note, a restricted shell is not a security feature; it is meant to support casual users, to prevent unwanted mistakes.
Hu Administrator
Joined: 06 Mar 2007 Posts: 22598
Posted: Tue Jul 30, 2024 12:03 pm

To operate on a directory, a user needs search on every traversed directory, or the capability to bypass the permissions check. If you want dumbuser not to be a member of group nginx, then an ACL could grant to dumbuser the search permission on the required directories. You say dumbuser is a member of nginx, so what you describe seems to me like it should have worked. Per Guidelines item #4, please show us the actual state:
- As root, the output of namei -l /mnt/server/www/somedir1/anothersubdir1 /mnt/server/www/somedir1/anothersubdir2
- As dumbuser, that same command, and the output of id.
- As dumbuser, the output of > /mnt/server/www/somedir1/anothersubdir1/tempfile ; > /mnt/server/www/somedir1/anothersubdir2/tempfile, so that we can see whether the user can really write to those directories.
szatox Advocate
Joined: 27 Aug 2013 Posts: 3407
Posted: Tue Jul 30, 2024 1:03 pm

Quote:
So, if the needed path for dumbuser is /mnt/server/www/somedir1/anothersubdir1, this should be executable for this user and only be able to read, write and execute inside. So this user should not be able to access (open) any other dir (brother or parents) that is not a child of his target : /mnt/server/www/somedir2 should be forbidden, as another other brothers, as of course /mnt/server/www/somedir1/anothersubdir2 is also forbidden.

To access a file you must have the respective permission on that file + at least enter (--x) on all directories in the path.
x without r does not allow you to list the contents of a directory; you must already know the exact filename.
Quote:
How could I open a " magic teleporter " for dumbuser to access (rwx for files as dir) /mnt/server/www/somedir1/anothersubdir1 and not anything else ?

mount --bind to a location dumbuser can already access
_________________
Make Computing Fun Again
no101 n00b
Joined: 10 Oct 2022 Posts: 13 Location: Piney Woods
Posted: Tue Jul 30, 2024 2:09 pm

Not a direct solution, but you could work around the problem and use a bind mount to (also) mount the directory in dumbuser's home directory. Something like...
Code:
dumbuser$ mkdir ~/anothersubdir1
# mount --bind /mnt/server/www/somedir1/anothersubdir1 ~dumbuser/anothersubdir1

As long as the final directory in /mnt/server/www/somedir1/anothersubdir1 is writable by dumbuser, the permissions on the parent directory don't matter, because dumbuser's view of the tree has ~dumbuser as the parent dir.
So dumbuser can write to ~/anothersubdir1 but not /mnt/server/www/somedir1/anothersubdir1. Because of the bind mount, both paths point to the same files. As a bonus, you don't expose parent or sibling directories directly to dumbuser.
kgdrenefort Guru
Joined: 19 Sep 2023 Posts: 312 Location: Somewhere in the 77
Posted: Thu Aug 01, 2024 7:32 am

Hu wrote:
To operate on a directory, a user needs search on every traversed directory, or the capability to bypass the permissions check. If you want dumbuser not to be a member of group nginx, then an ACL could grant to dumbuser the search permission on the required directories. You say dumbuser is a member of nginx, so what you describe seems to me like it should have worked. Per Guidelines item #4, please show us the actual state:
- As root, the output of namei -l /mnt/server/www/somedir1/anothersubdir1 /mnt/server/www/somedir1/anothersubdir2
- As dumbuser, that same command, and the output of id.
- As dumbuser, the output of > /mnt/server/www/somedir1/anothersubdir1/tempfile ; > /mnt/server/www/somedir1/anothersubdir2/tempfile, so that we can see whether the user can really write to those directories.

I'll stop hiding the real paths and such; I think this would complicate the debugging far too much for nothing. I'll just hide the domain:
Code:
Mephistopheles ~ # namei -l /mnt/server/www/project/LEA/forum.xxx.org/prod/htdocs/cache/themes/ /mnt/server/www/project/LEA/forum.xxx.org/prod/htdocs/install/
f: /mnt/server/www/project/LEA/forum.xxx.org/prod/htdocs/cache/themes/
drwxr-xr-x root root /
drwxr-xr-x root root mnt
drwxr-xr-x srvadm nginx server
drwxr-x--- srvadm nginx www
drwxr-x--- srvadm nginx project
drwxr-xr-x srvadm srvadm LEA
drwxr-x--- nginx nginx xxx
drwxr-x--- nginx nginx prod
drwxr-x--- nginx nginx htdocs
drwxrwxrwx nginx nginx cache
drwxr-x--- nginx nginx themes
f: /mnt/server/www/project/LEA/forum.xxx.org/prod/htdocs/install/
drwxr-xr-x root root /
drwxr-xr-x root root mnt
drwxr-xr-x srvadm nginx server
drwxr-x--- srvadm nginx www
drwxr-x--- srvadm nginx project
drwxr-xr-x srvadm srvadm LEA
drwxr-x--- nginx nginx forum.xxx.org
drwxr-x--- nginx nginx htdocs
drwxr-x--- nginx nginx install

Code:
justine@Mephistopheles ~ $ namei -l /mnt/server/www/project/LEA/forum.xxx.org/prod/htdocs/cache/themes/ /mnt/server/www/project/LEA/forum.xxx.org/prod/htdocs/install/
f: /mnt/server/www/project/LEA/forum.xxx.org/prod/htdocs/cache/themes/
drwxr-xr-x root root /
drwxr-xr-x root root mnt
drwxr-xr-x srvadm nginx server
drwxr-x--- srvadm nginx www
drwxr-x--- srvadm nginx project
drwxr-xr-x srvadm srvadm LEA
drwxr-x--- nginx nginx forum.xxx.org
drwxr-x--- nginx nginx prod
drwxr-x--- nginx nginx htdocs
drwxrwxrwx nginx nginx cache
drwxr-x--- nginx nginx themes
f: /mnt/server/www/project/LEA/forum.xxx.org/prod/htdocs/install/
drwxr-xr-x root root /
drwxr-xr-x root root mnt
drwxr-xr-x srvadm nginx server
drwxr-x--- srvadm nginx www
drwxr-x--- srvadm nginx project
drwxr-xr-x srvadm srvadm LEA
drwxr-x--- nginx nginx forum.xxx.org
drwxr-x--- nginx nginx prod
drwxr-x--- nginx nginx htdocs
drwxr-x--- nginx nginx install

justine being that « dumb user »:
Code:
justine@Mephistopheles ~ $ id
uid=1003(justine) gid=1003(justine) groupes=1003(justine),82(nginx),100(users)

Note that I had to add «test» at the end of both of the last commands, otherwise it was just saying these are directories:
Code:
justine@Mephistopheles ~ $ LC_ALL=C > /mnt/server/www/project/LEA/forum.xxx.org/prod/htdocs/cache/themes/test ; > /mnt/server/www/project/LEA/forum.xxx.org/prod/htdocs/install/test
-bash: /mnt/server/www/project/LEA/forum.xxx.org/prod/htdocs/cache/themes/test: Permission denied
-bash: /mnt/server/www/project/LEA/forum.xxx.org/prod/htdocs/install/test: Permission denied

Thanks for your time.
Regards,
GASPARD DE RENEFORT
_________________
Wiki translation, to practise.
Custom logos/biz card/website.
kgdrenefort Guru
Joined: 19 Sep 2023 Posts: 312 Location: Somewhere in the 77
Posted: Thu Aug 01, 2024 7:35 am

pingtoo wrote:
I suggest for the given "dumbuser" with restricted login shell with home set to /mnt/server/www/somedir1/anothersubdir1
restricted shell usually design to only allow work in the given directory and its descendant and only execute program that is in defined PATH variable.
Please note, restricted shell is not a security feature, it is mean to support casual user to prevent unwanted mistake.

I used something like that in my previous job. As far as I remember, it was painful until it was set up, then it was really sweet. Can't remember any name right now, will take a look, thanks.
no101 wrote:
Not a direct solution but you could work around the problem and use a bind mount to (also) mount the directory in dumbuser's home directory. Something like...
Code:
dumbuser$ mkdir ~/anothersubdir1
# mount --bind /mnt/server/www/somedir1/anothersubdir1 ~dumbuser/anothersubdir1

As long as the final directory in /mnt/server/www/somedir1/anothersubdir1 is writable by dumbuser, the permissions on the parent directory don't matter because dumbuser's view of the tree has ~dumbuser as the parent dir.
So dumbuser can write to ~/anothersubdir1 but not /mnt/server/www/somedir1/anothersubdir1. Because of the bind mount, both paths point to the same files. As a bonus, you don't expose parent or sibling directories directly to dumbuser.

I also had this idea, but I wasn't sure that binding would allow such access; to me it still needed the full permission path, but I don't do much binding, so it's time to give it a try, thanks. The same goes for szatox's answer.
Regards,
GASPARD DE RENEFORT Kévin
_________________
Wiki translation, to practise.
Custom logos/biz card/website.
kgdrenefort Guru
Joined: 19 Sep 2023 Posts: 312 Location: Somewhere in the 77
Posted: Fri Aug 02, 2024 1:24 pm

Hello,
I tried to mount a directory within dumbuser's /home (aka justine here).
Then, once it was mounted, I tried to write, which is sadly not working (and I was expecting this). I used:
Code:
mount --rbind -o rw /target/path/in/documentroot /home/justine/some/dir/to/works/from

I had to change the owner to justine:nginx to give her the permissions to work inside.
To be honest, I could barely care, since this is needed only for a few weeks, while this site is online but protected by an htpasswd file for access, as well as by IP; it's not referenced on any web search engine respecting robots.txt rules, and only me and 4 other people know about it. So… even if somehow it could be bad, or not, there is no real security problem here I think.
But, at the same time, it would be great to achieve what I want: giving this user access to a small part of a MyBB directory, being /cache/themes, because this one doesn't want to edit HTML/CSS with the GUI provided by MyBB or plugins. Since I like my users to be at ease…
Anyway, this is not solved per se, but at least for now I have this workaround…
Steps to mount and give read, write and execute to the user:
1/ From the account of this annoying user, create within its home a path or a single folder, whatever:
Code:
$ mkdir -p ~/DocumentRoot/nameofthesite/themes

2/ From the root or super-user account (hi sudo users), mount from the target (inside the DocumentRoot) to the working directory of this annoying user:
Code:
# mount --rbind -o rw /target/path/in/document/root/cache/themes /home/justine/DocumentRoot/nameofthesite/themes

3/ Still from this root or super-user account, give temporary access by changing the user owning the themes directory, while keeping the group for the web server:
Code:
# chown -R justine:nginx /home/justine/DocumentRoot/nameofthesite/themes

(it should work the same if you run the last command on the real directory inside the actual document root)
4/ Give back the proper ownership before unmounting, still as the powered user:
Code:
# chown nginx:nginx /home/justine/DocumentRoot/nameofthesite/themes

5/ Once there is no more need to allow this user to work in this dirty way, still from root (or super-user):
Code:
# umount /home/justine/DocumentRoot/nameofthesite/themes

It's really bad in my opinion, and I would be glad to have a better workaround than this stuff; still, it's working so far. Will have to test it more and report if what I said was dog crap :).
Regards,
GASPARD DE RENEFORT Kévin
_________________
Wiki translation, to practise.
Custom logos/biz card/website.
Hu Administrator
Joined: 06 Mar 2007 Posts: 22598
Posted: Fri Aug 02, 2024 2:21 pm

kgdrenefort wrote:
Code:
Mephistopheles ~ # namei -l /mnt/server/www/project/LEA/forum.xxx.org/prod/htdocs/cache/themes/ /mnt/server/www/project/LEA/forum.xxx.org/prod/htdocs/install/
f: /mnt/server/www/project/LEA/forum.xxx.org/prod/htdocs/cache/themes/
drwxr-x--- nginx nginx htdocs
drwxrwxrwx nginx nginx cache
drwxr-x--- nginx nginx themes

justine being that « dumb user »:
Code:
justine@Mephistopheles ~ $ id
uid=1003(justine) gid=1003(justine) groupes=1003(justine),82(nginx),100(users)

Code:
justine@Mephistopheles ~ $ LC_ALL=C > /mnt/server/www/project/LEA/forum.xxx.org/prod/htdocs/cache/themes/test ; > /mnt/server/www/project/LEA/forum.xxx.org/prod/htdocs/install/test
-bash: /mnt/server/www/project/LEA/forum.xxx.org/prod/htdocs/cache/themes/test: Permission denied

This result looks correct to me. The user justine can successfully search every level of the path. The user can write files in cache, since that directory is world writable. The user cannot write files in themes, because that user is not nginx, and only the user nginx has write access to themes. Neither the nginx group (of which justine is a member) nor members of "other" have write permission to themes. Give justine or justine's groups write access to themes.