Hi: I could not figure out how to restrict users or other users from certain privileges to execute certain commands in FreeBSD/NanoBSD? What I meant is I want to create a NanoBSD image in which there will be an additional user, say 'admin'. I need to give this new user (admin) some privileges to run some root-can-only-execute commands, but not all (ACL similar to the firmwares in adsl modems from ISPs). I read Dru Lavingne's 'BSD Hacks' and Joseph Kong's 'Designing BSD Rootkits' besides FreeBSD handbook, but I simply could not figure out. Could anyone throw some light on this? Appreciate it! Thanks! /zenny --- Support http://thehumanape.org
> Hi: > > I could not figure out how to restrict users or other users from certain > privileges to execute certain commands in FreeBSD/NanoBSD? > > What I meant is I want to create a NanoBSD image in which there will be an > additional user, say 'admin'. I need to give this new user (admin) some > privileges to run some root-can-only-execute commands, but not all (ACL > similar to the firmwares in adsl modems from ISPs). > > I read Dru Lavingne's 'BSD Hacks' and Joseph Kong's 'Designing BSD > Rootkits' besides FreeBSD handbook, but I simply could not figure out. > Could anyone throw some light on this? Appreciate it! > > Thanks! > > /zennytry sudo from ports, security/sudo cheers, danny
Hi, all, Am 28.04.2012 um 11:39 schrieb Eugene Grosbein:> 28.04.2012 14:50, Zenny ?????: > >>> try sudo from ports, security/sudo >>> >>> cheers, >>> danny >>> >>> >> Thanks Daniel, but sudo gives all (not selective) root privileges to the >> user (admin in my case). So this is not what I am trying to achieve in my >> original post. > > Please do study sudo real power :-) > It can give selective privileges per-command, > an d it can also allow one to run some command with some arguments only > and not with others. Or, without any arguments only - as you tune > its sudoers configuration file.Just make sure none of the permitted commands has got the feature of starting a shell ;-)) Kind regards, Patrick -- punkt.de GmbH * Kaiserallee 13a * 76133 Karlsruhe Tel. 0721 9109 0 * Fax 0721 9109 100 info@punkt.de http://www.punkt.de Gf: J?rgen Egeling AG Mannheim 108285
On Sat, Apr 28, 2012 at 11:47:07AM +0200, Patrick M. Hausen wrote:> Hi, all, > > Am 28.04.2012 um 11:39 schrieb Eugene Grosbein: > > > 28.04.2012 14:50, Zenny ??????????: > > > >>> try sudo from ports, security/sudo > >>> > >>> cheers, > >>> danny > >>> > >>> > >> Thanks Daniel, but sudo gives all (not selective) root privileges to the > >> user (admin in my case). So this is not what I am trying to achieve in my > >> original post. > > > > Please do study sudo real power :-) > > It can give selective privileges per-command, > > an d it can also allow one to run some command with some arguments only > > and not with others. Or, without any arguments only - as you tune > > its sudoers configuration file. > > > Just make sure none of the permitted commands has got the > feature of starting a shell ;-))Right, think of vi(1), less(1), et al. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 196 bytes Desc: not available Url : http://lists.freebsd.org/pipermail/freebsd-stable/attachments/20120428/53535c4f/attachment.pgp
Hi!> > > Please do study sudo real power :-) > > > It can give selective privileges per-command,[...]> > Just make sure none of the permitted commands has got the > > feature of starting a shell ;-)) > > Right, think of vi(1), less(1), et al.Even this aspect is taken care of with sudo (at least to a certain limit): NOEXEC and EXEC If sudo has been compiled with noexec support and the underlying operating system supports it, the NOEXEC tag can be used to prevent a dynamically-linked executable from running further commands itself. In the following example, user aaron may run /usr/bin/more and /usr/bin/vi but shell escapes will be disabled. aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi See the "PREVENTING SHELL ESCAPES" section below for more details on how NOEXEC works and whether or not it will work on your system. -- pi@opsec.eu +49 171 3101372 8 years to go !
On Sat, Apr 28, 2012 at 08:04:31PM +0200, Kurt Jaeger wrote:> Hi! > > > > > Please do study sudo real power :-) > > > > It can give selective privileges per-command, > [...] > > > Just make sure none of the permitted commands has got the > > > feature of starting a shell ;-)) > > > > Right, think of vi(1), less(1), et al. > > Even this aspect is taken care of with sudo (at least to a certain limit): > > NOEXEC and EXEC > > If sudo has been compiled with noexec support and the underlying > operating system supports it, the NOEXEC tag can be used to prevent a > dynamically-linked executable from running further commands itself. > > In the following example, user aaron may run /usr/bin/more and > /usr/bin/vi but shell escapes will be disabled. > > aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi > > See the "PREVENTING SHELL ESCAPES" section below for more details on > how NOEXEC works and whether or not it will work on your system. >cp /usr/bin/vi ~/ or upload your own... sudo $HOME/vi You need to be very careful with this NOEXEC thinking as it will not always get you what you originally intended. -- - (2^(N-1))