From nobody Tue May 14 13:09:24 2024 X-Original-To: hackers@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4VdxX64rXkz5K4ck for ; Tue, 14 May 2024 13:09:26 +0000 (UTC) (envelope-from bapt@freebsd.org) Received: from smtp.freebsd.org (smtp.freebsd.org [96.47.72.83]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "smtp.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4VdxX63xxHz4Lxt; Tue, 14 May 2024 13:09:26 +0000 (UTC) (envelope-from bapt@freebsd.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1715692166; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=UfHUIgxCDdUSswBz/Z7Xgx0yaSZg5wBX5xyRld+Qz9w=; b=m99aeYSKC4hCrP3jhlba5t7DOfQlqUdrYW1ETRmJVuk7o81BPMGPMH2FnRtzFcD07cguvl HOHFK0sJjKvsrgqOcZqJxoWomRAtr7/L7AH/O2SByeq6bnAloUUrEJbIwIAzziK0N+EWpa XiiNhWrNQd7XmE3rQMKk6VjW3hvzsdYy5Mq6SLK6+LbPD1y/SzATjvS4DTLniH2PlBa5QN xXqflXRMjWNi4bbllNPe+RO5I9vGd6yzf+yT1Y/gsqMeSnfoH7diTNsnjkJ9ATSNnIyFeO vcQ0+n2nYE5BbRT0LpS72bjFJ6vD2KEYi0s9k41c9/MDCZCrYgRsrZCKGtS/uw== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1715692166; a=rsa-sha256; cv=none; b=nejupAE1S5LA8+WmG2sa5j/xDRMBlBdCJ5s0uSYF0oPK/OY94pZxJS7Q0TvarVjpkzSV1s dcPtrYD+1fInbuq3cDjJ4RQstu12wLhrojTzT1D28MYhz8i6kg/PAoNrgXnP97KxPtOmw0 SxSOlIhWJXZseGIQlPWrCDBANiC6y4hLRxbk2t4bc1mY4iMCzCD3uoCdst4Umqb/fnSz34 AtRmJfm7bU1SDKtTmDakSa1dpdL9HjDdvgpBLPezwc6394c1ByZsfZ4uKEsF7aI2bBwqA1 andsqJcwTUXMvPwBDvDoASQta/ULGsRIpHrBwq1rycZQT1pRP5zqCuM4r0SMgg== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1715692166; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=UfHUIgxCDdUSswBz/Z7Xgx0yaSZg5wBX5xyRld+Qz9w=; b=n6QS486OS3FiJnBmqNZOy4Tdcyc6YoJl8cjhRoVsMdokvS7f3Jo/GuldQO1KbZasFBqnSr y7qO/6OfAXrP4bAzKG9Dvr65IoXRPaXw9C3+kMZtc5Qhr4kn1LOPsNIKtFDpBfCr/d52KE K0zInJ9+iCfQIuFRVFU2ZbHIeJD/T64F7BuXQSlLfevvbiyASynVbgDhV0lAYYQNBfI916 OoE5PjBYZ3n2H2VJZlRtrIrtvvFvOSxw5fgqfo8WqyIb7aL1Dvq27ACdIa1XLsdvlxRNGo Bl30aDicKsqXBY5TD6XPDYfFwzgb4KoVh7aqdnXkMxhBo6rsDxbSLuNU0FvS7A== Received: from aniel.nours.eu (nours.eu [IPv6:2001:41d0:8:3a4d::1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) (Authenticated sender: bapt) by smtp.freebsd.org (Postfix) with ESMTPSA id 4VdxX62fkhzjhF; Tue, 14 May 2024 13:09:26 +0000 (UTC) (envelope-from bapt@freebsd.org) Received: by aniel.nours.eu (Postfix, from userid 1001) id D08E872E8C; Tue, 14 May 2024 15:09:24 +0200 (CEST) Date: Tue, 14 May 2024 15:09:24 +0200 From: Baptiste Daroussin To: Tomek CEDRO Cc: hackers@freebsd.org Subject: Re: mdo(1) run as another user without setuid bit Message-ID: References: <2y3wjlrzgxocjxtwnx7avo5xuukkee4lvfjlppqpm3kfbqsrvt@nfszfoezpz3d> List-Id: Technical discussions relating to FreeBSD List-Archive: https://lists.freebsd.org/archives/freebsd-hackers List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-hackers@FreeBSD.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: On Tue 14 May 15:04, Tomek CEDRO wrote: > On Tue, May 14, 2024 at 9:17 AM Baptiste Daroussin wrote: > > Hello everyone, > > This is an idea that I have been thinking about for a while (actually since > > 2015) and that I have been trying to implement a couple of days ago. > > On server usage of FreeBSD one thing which often happen is we segregate services > > with their own users (service_user). > > We also give access to the administrators of those services via their own ssh > > keys on their own user (foo) account and of course we want to allow "foo" to run > > some commands as "service_user" or get "service_user" privileges. > > Usually this is done via some sudo or some doas configuration which both > > involved first become root via the setuid bit. > > In many cases doas or sudo are overkill for this sole purpose. To cover this > > need, I thought we could write a very simple tool which will leverage the mac > > framework to make sure we could switch credentials without the need of the > > setuid root. > > Here comes the idea of mac_do(4) policy. > > This is a kernel module policy which allows calling setuid and setgroup from a > > non root user, according to some policy root and if the request comes from the > > /usr/bin/mdo binary. > > (..) > > So when I have several users / client accounts to manage I can use my > standard non-root user to perform actions on behalf of enabled users.. > just like su client1 but without providing password? Env will be also > switched to that target user? :-) Yes about the like su client1 About the env, right now, no, but the set of feature provided by the mdo(1) can be discussed here, as long as it remain really simple. Best regards, Bapt