a fail-secure replacement for sudo
Jakob Kaivo 757c0bd92b implement full precedence rules | 3 rokov pred | |
---|---|---|
check | 3 rokov pred | |
doc | 3 rokov pred | |
exec | 3 rokov pred | |
privexec | 3 rokov pred | |
.gitignore | 3 rokov pred | |
LICENSE | 3 rokov pred | |
Makefile | 3 rokov pred | |
README.md | 3 rokov pred |
PrivExec is an attempt to provide administrators with a way to allow privelige
escalation in a manner similar to sudo
, but in a more resilient way by
splitting different stages of the escalation process into separate binaries.
PrivExec consists of three binaries:
privexec
check
exec
The first, privexec
, is the user-facing binary. It should be installed in
a directory that is part of the global $PATH
. In order to function properly,
privexec
must be installed SETGID (NOT SETUID) to a group that contains
not actual users (we suggest _privexec
for this purpose).
The other two binaries should be installed with group ownership set to the
same group, and permissions set to allow user and group execution for both,
with other execution disabled, as well as root
ownership and SETUID for
exec
. In summary, you should have something like:
$ ls -l /usr/local/bin/privexec /usr/local/lib/privexec/check /usr/local/lib/privexec/exec
-rwxr-sr-x 1 root _privexec 19888 Feb 1 10:32 /usr/local/bin/privexec
-r-xr-x--- 1 root _privexec 19888 Feb 1 10:33 /usr/local/lib/privexec/check
-r-sr-x--- 1 root _privexec 19456 Feb 1 10:13 /usr/local/lib/privexec/exec
The front-end binary is responsible for calling the check
binary to verify
whether the user is authorized to execute the given command, and then calling
the exec
binary to execute the command with elevated privileges if and only
if the check
command positively confirms authorization. The exec
command
is obviously SETUID to enable privilege escalation. The privexec
command is
SETGID to restrict the execution of the other two commands. The check
command
is largely unprivileged (though administrators may wish to restrict its
configuration file to be readable only by the _privexec
group to prohibit
casual inspection of which accounts are allowed to elevate privileges), and
is the location of all complexity. It is responsible for parsing
/etc/privexec.conf
and determining whether the given user is authorized to
run the given command.
Configuration is done via /etc/privexec.conf
. The format is intentionally
strict. Each may be blank, a comment (beginning with a '#' character in the
first column), or a directive. Directives are of the form:
<keyword> <principal> [command]
Where <keyword>
is one of authorize
, authenticate
, or deny
;
<principal>
is either a username or a group name prepended with ':', and
[command]
is an optional command. Tokens must be separated by exactly one
space. Additional white space is not allowed.
The entire configuration file is parsed whenever privexec
invokes check
.
Any syntax errors will result in failure. Privilege checking is performed so
as to be most restrictive. In order from least to most:
`authorize` - The user is authorized to execute the associate command
without further interaction.
`authenticate` - The user must authenticate themself before the command
is executed. This is handled by PAM with the service name `privexec`.
`deny` - The user is not permitted to execute the command.
A user name match has higher precedence than a group match, and a match containing a program name has higher precedence than a match without the program name. So the total ordering of precedence (from least to most) is:
authorize :group
authenticate :group
deny :group
authorize :group command
authenticate :group command
deny :group command
authorize user
authenticate user
deny user
authorize user command
authenticate user command
deny user command