Re: mdo(1) run as another user without setuid bit
Date: Tue, 14 May 2024 13:04:57 UTC
On Tue, May 14, 2024 at 9:17 AM Baptiste Daroussin wrote:
> Hello everyone,
>
> This is an idea that I have been thinking about for a while (actually since
> 2015) and that I have been trying to implement a couple of days ago.
>
> On server usage of FreeBSD one thing which often happens is we segregate services
> with their own users (service_user).
>
> We also give access to the administrators of those services via their own ssh
> keys on their own user (foo) account and of course we want to allow "foo" to run
> some commands as "service_user" or get "service_user" privileges.
>
> Usually this is done via some sudo or some doas configuration which both
> involve first becoming root via the setuid bit.
>
> In many cases doas or sudo are overkill for this sole purpose. To cover this
> need, I thought we could write a very simple tool which will leverage the mac
> framework to make sure we could switch credentials without the need of the
> setuid root.
>
> Here comes the idea of mac_do(4) policy.
>
> This is a kernel module policy which allows calling setuid and setgroup from a
> non root user, according to some policy root and if the request comes from the
> /usr/bin/mdo binary.
>
> (..)

So when I have several users / client accounts to manage I can use my
standard non-root user to perform actions on behalf of enabled users..
just like su client1 but without providing password? Env will be also
switched to that target user? :-)

-- 
CeDeROM, SQ7MHZ, http://www.tomek.cedro.info