binary privilege based on user's execution - linux

I have a tcpdump command. When I run the command as admin, tcpdump should run with root privileges, and when I run the same tcpdump command as user1 it should run with normal privileges.
I mean, the binary should have different privileges based on the user who is executing it. For example, if the binary runs as root, it should have root privilege, and if it runs as user1 then it should have normal privilege.
Example-1: for admin
# tcpdump -x /data/temp/test.cap
#ls -ld tcpdump
-r-sr-xr-x 1 root my 43305 Aug 5 11:48 /data/bin/tcpdump
#
Example-2: user1
# tcpdump -x /data/tmp/test1.cap
#ls -ld tcpdump
-r-sr-xr-x 1 user1 my 43305 Aug 5 11:48 /data/bin/tcpdump
#
Note: tcpdump is a root binary.
-x captures the packets into a file

This is exactly how permissions work when the SUID bit isn't set (which is set for tcpdump). See man chmod and its s permission symbol.
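To make the answer concrete, here is an added example (my own code, not from the thread or from tcpdump): it applies set-user-ID semantics to the two listings above and, from the defender's side, scans a directory tree for setuid files the way `find -perm -4000` does. The uids 0 and 1001 for root and user1 are assumptions; the demo file it creates is owned by whoever runs it, so its setuid bit grants nothing, which is exactly the point of the second listing, where the binary is owned by user1 and therefore runs as user1.

```python
import os
import stat
import tempfile

# Apply plain Unix set-user-ID semantics to an ls -l style mode string such
# as "-r-sr-xr-x". An "s" or "S" in the owner execute slot (index 3) marks
# setuid; with it set, the process runs with the *file owner's* uid no
# matter who invoked it. The uids passed in are assumptions for the demo.
def effective_uid(mode_string, owner_uid, caller_uid):
    if len(mode_string) != 10:
        raise ValueError("expected a 10-character ls -l mode string")
    owner_exec = mode_string[3]
    if owner_exec == "S":
        # setuid without the owner execute bit: nobody can run it at all
        raise PermissionError("setuid set but owner execute bit missing")
    if owner_exec == "s":
        return owner_uid
    return caller_uid

# Same question asked of a live file via stat(2) rather than a printed string.
def is_setuid(path):
    st = os.stat(path)
    return bool(st.st_mode & stat.S_ISUID) and bool(st.st_mode & stat.S_IXUSR)

# Defender's audit: every setuid regular file below root_dir, the same set
# `find root_dir -type f -perm -4000` reports. Symlinks are not followed.
def find_setuid_files(root_dir):
    hits = []
    for dirpath, _dirs, files in os.walk(root_dir):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append(path)
    return sorted(hits)

# Self-contained demonstration: create a throw-away file, give it mode 4755
# (an owner may set setuid on their own file) and confirm the scan finds it.
def demo_setuid_scan():
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "suid-demo")
        with open(target, "w") as fh:
            fh.write("#!/bin/sh\nid\n")
        os.chmod(target, 0o4755)
        return find_setuid_files(d) == [target] and is_setuid(target)

if __name__ == "__main__":
    # The thread's two listings: identical mode, different owner.
    print(effective_uid("-r-sr-xr-x", 0, 1001))     # root-owned: runs as uid 0
    print(effective_uid("-r-sr-xr-x", 1001, 1001))  # user1-owned: runs as uid 1001
    print(demo_setuid_scan())
```

The scan is what you would run periodically on a host: a setuid file appearing outside the package-managed set is worth an alert, because whoever can execute it gets the owner's identity.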

Root doesn't have the permission to change a directory owner

I can't change a directory's owner even if I'm root.
I want to build a NAS using a Raspberry Pi 3B+.
So I have created a user named dorm.
Then I changed sshd_file in order to restrict SFTP users (dorm) to only visit his home directories.
Now the user (dorm) doesn't have the write permission. So after I googled it, I should mkdir a 777 directory at /home/dorm/. So I made it as root.
Then I wanted to change its owner with chown -R dorm:dorm /home/dorm/Documents. I failed.
Maybe it's best to remove the user and try again; this is what I did to make it work.
log into the newly set up raspberry pi as the pi user, only the default logins exist.
pi@raspberrypi:~ $ whoami
pi
pi@raspberrypi:~ $ lslogins -u
UID USER PROC PWD-LOCK PWD-DENY LAST-LOGIN GECOS
0 root 84 root
1000 pi 5 15:31 ,,,
add new user dorm
$ sudo adduser dorm
Adding user `dorm' ...
Adding new group `dorm' (1001) ...
Adding new user `dorm' (1001) with group `dorm' ...
Creating home directory `/home/dorm' ...
Copying files from `/etc/skel' ...
New password:
Retype new password:
passwd: password updated successfully
Changing the user information for dorm
Enter the new value, or press ENTER for the default
Full Name []:
Room Number []:
Work Phone []:
Home Phone []:
Other []:
Is the information correct? [Y/n] y
pi@raspberrypi:~ $ lslogins -u
UID USER PROC PWD-LOCK PWD-DENY LAST-LOGIN GECOS
0 root 87 root
1000 pi 5 15:31 ,,,
1001 dorm 0 ,,,
make a backup and edit your sshd_config file,
pi@raspberrypi:~ $ sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config-bak
pi@raspberrypi:~ $ sudo vim /etc/ssh/sshd_config
pi@raspberrypi:~ $ diff /etc/ssh/sshd_config /etc/ssh/sshd_config-bak
122,128d121
<
< Match User dorm
< X11Forwarding no
< AllowTcpForwarding no
< PermitTTY no
< ForceCommand internal-sftp
< ChrootDirectory /home/dorm
restart ssh service with sudo service sshd restart
change the ownership of the dorm home directory to root.
$ sudo chown root:root /home/dorm
$ sudo chmod 755 /home/dorm
from the dorm user's directory use sudo as the pi user to create the Documents folder and give ownership to the dorm user
pi@raspberrypi:/home/dorm $ ls
pi@raspberrypi:/home/dorm $ mkdir Documents
mkdir: cannot create directory ‘Documents’: Permission denied
pi@raspberrypi:/home/dorm $ sudo mkdir Documents
pi@raspberrypi:/home/dorm $ ls -l
total 4
drwxr-xr-x 2 root root 4096 Feb 8 18:15 Documents
pi@raspberrypi:/home/dorm $ sudo chown -R dorm:dorm Documents
pi@raspberrypi:/home/dorm $ ls -l
total 4
drwxr-xr-x 2 dorm dorm 4096 Feb 8 18:15 Documents
test the connection etc. using your IP address from your host computer (ssh should reply No route to host)
$ sftp dorm@<IP>
dorm@<IP>'s password:
Connected to dorm@<IP>.
sftp>
you can see the created Documents folder and the user number that owns it (dorm's number)
sftp> ls -ltr
drwxr-xr-x 2 1001 1001 4096 Feb 8 18:15 Documents
you can't move out of the base directory
sftp> pwd
Remote working directory: /
sftp> cd ..
sftp> pwd
Remote working directory: /
you can't put files in the base directory as dorm doesn't have permissions. (file path will need to be altered for your system)
sftp> put /Users/<USER>/tmp
Uploading /Users/<USER>/tmp to /tmp
remote open("/tmp"): Permission denied
if you move into Documents then you can then upload files
sftp> cd Documents
sftp> put /Users/<USER>/tmp
Uploading /Users/<USER>/tmp to /Documents/tmp
/Users/<USER>/tmp 100% 0 0.0KB/s 00:00
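The procedure above works because it satisfies the rule sshd applies to `ChrootDirectory` (documented in sshd_config(5)): every component of the path must be a root-owned directory that no group or other user can write to, which is why `/home/dorm` had to be handed to root and why a 777 directory there cannot work. As an added example, not code from the answer or from OpenSSH, here is a checker that tests each path component against that rule, both on constructed stat values (the before and after states of the answer) and against a live filesystem.

```python
import os
import stat

# Added checker for sshd's ChrootDirectory requirement: every component must
# be a directory, owned by uid 0, with no group or other write bit. The
# answer's `chown root:root /home/dorm` + `chmod 755 /home/dorm` is exactly
# the minimal change that makes the path pass.

def path_components(path):
    """'/home/dorm' -> ['/', '/home', '/home/dorm']"""
    path = os.path.normpath(path)
    if not path.startswith("/"):
        raise ValueError("ChrootDirectory must be an absolute path")
    parts = [p for p in path.split("/") if p]
    out = ["/"]
    for i in range(len(parts)):
        out.append("/" + "/".join(parts[: i + 1]))
    return out

def component_problems(component, uid, mode):
    """Pure check of one component given its owner uid and full st_mode."""
    problems = []
    if not stat.S_ISDIR(mode):
        problems.append(f"{component}: not a directory")
    if uid != 0:
        problems.append(f"{component}: owned by uid {uid}, must be root")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append(f"{component}: writable by group or others "
                        f"(mode {stat.S_IMODE(mode):04o})")
    return problems

def chroot_problems(path):
    """Live check: stat every component and collect each violation. An empty
    list means sshd will accept the directory as a chroot."""
    problems = []
    for comp in path_components(path):
        st = os.stat(comp)
        problems.extend(component_problems(comp, st.st_uid, st.st_mode))
    return problems

if __name__ == "__main__":
    # Before the fix: /home/dorm still owned by dorm (uid 1001, as adduser printed).
    print(component_problems("/home/dorm", 1001, stat.S_IFDIR | 0o755))
    # After `sudo chown root:root /home/dorm; sudo chmod 755 /home/dorm`.
    print(component_problems("/home/dorm", 0, stat.S_IFDIR | 0o755))
    # The "777 directory" the asker had been advised to create.
    print(component_problems("/home/dorm", 0, stat.S_IFDIR | 0o777))
    # Live check of a path on this machine (needs the directory to exist).
    print(chroot_problems("/"))
```

Run `chroot_problems("/home/dorm")` on the Pi after the `chown`/`chmod` steps: an empty list is the state in which the `sftp` session above can connect, and the first message it returns otherwise tells you which component sshd would reject.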

Run each Docker container in a specific user namespace configuration

Problem:
I am trying to mount a directory as Docker volume in such a way,
that a user, which is created inside a container could write
into a file in that volume. And at the same time, the file should
be at least readable to my user lape outside the container.
Essentially, I need to remap a user UID from container user namespace to a specific UID on the host user namespace.
How can I do that?
I would prefer answers that:
do not involve changing the way the Docker daemon is run;
and allow the possibility to configure the container user namespace for each container separately;
do not require rebuilding the image;
I would accept an answer that shows a nice solution using Access Control Lists as well.
Setup:
This is how the situation can be replicated.
I have my Linux user lape, assigned to docker group, so I
can run Docker containers without being root.
lape@localhost ~ $ id
uid=1000(lape) gid=1000(lape) groups=1000(lape),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),121(lpadmin),131(sambashare),999(docker)
Dockerfile:
FROM alpine
RUN apk add --update su-exec && rm -rf /var/cache/apk/*
# I create a user inside the image which I want to be mapped to my `lape`
RUN adduser -D -u 800 -g 801 insider
VOLUME /data
COPY ./entrypoint.sh /entrypoint.sh
ENTRYPOINT ["sh", "/entrypoint.sh"]
entrypoint.sh:
#!/bin/sh
chmod 755 /data
chown insider:insider /data
# This will run as `insider`, and will touch a file to the shared volume
# (the name of the file will be current timestamp)
su-exec insider:insider sh -c 'touch /data/$(date +%s)'
# Show permissions of created files
ls -las /data
Once the image is built with:
docker build -t nstest .
I run the container:
docker run --rm -v $(pwd)/data:/data nstest
The output looks like:
total 8
4 drwxr-xr-x 2 insider insider 4096 Aug 26 08:44 .
4 drwxr-xr-x 31 root root 4096 Aug 26 08:44 ..
0 -rw-r--r-- 1 insider insider 0 Aug 26 08:44 1503737079
So the file seems to be created as user insider.
From my host the permissions look like this:
lape@localhost ~ $ ls -las ./data
total 8
4 drwxr-xr-x 2 800 800 4096 Aug 26 09:44 .
4 drwxrwxr-x 3 lape lape 4096 Aug 26 09:43 ..
0 -rw-r--r-- 1 800 800 0 Aug 26 09:44 1503737079
Which indicates that the file belongs to uid=800 (that is the insider user which does not even exist outside the Docker namespace).
Things I tried already:
I tried specifying the --user parameter to docker run, but it seems it can only map which user on the host is mapped to uid=0 (root) inside the Docker namespace; in my case insider is not root, so it did not really work in this case.
The only way I achieved insider (uid=800) from within the container being seen as lape (uid=1000) from the host was by adding --userns-remap="default" to the dockerd startup script and adding dockremap:200:100000 to the files /etc/subuid and /etc/subgid, as suggested in the documentation for --userns-remap. Coincidentally this worked for me, but it is not a sufficient solution, because:
it requires reconfiguring the way the Docker daemon runs;
it requires doing some arithmetic on user ids: '200 = 1000 - 800', where 1000 is the UID of my user on the host and 800 is the UID of the insider user;
that would not even work if the insider user needed a higher UID than my host user;
it can only configure how user namespaces are mapped globally, without a way to have a unique configuration per container;
this solution kind of works, but it is a bit too ugly for practical usage.
If you just need read access for your user, the simplest is to add read permissions for all files and subdirectories in /data with ACLs outside of Docker.
Add a default ACL: setfacl -d -m u:lape:-rx /data.
You will also need to give access to the directory itself: setfacl -m u:lape:-rx /data.
Are there any obstacles to such a solution?
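The `--userns-remap` experiment in the question is worth pinning down, because the "200 = 1000 - 800" arithmetic and its limitation both fall straight out of how a subordinate-id range works. The following is an added example (my own code, not Docker's and not from the thread): it parses `/etc/subuid`-style entries, translates ids in both directions, and computes the range start that would make a given container uid appear as a given host uid, returning `None` in the case the asker notes cannot work. The single entry `dockremap:200:100000` is the one from the question; the multi-range input in the comments is constructed.

```python
# Constructed example of the uid arithmetic behind --userns-remap. An
# /etc/subuid entry "name:start:count" maps container uid c (0 <= c < count)
# to host uid start + c; several entries for one name are concatenated in
# file order. With the thread's "dockremap:200:100000", container uid 800
# appears on the host as uid 1000, which is why lape (1000) ended up owning
# the files that insider (800) wrote.

class SubIdRange:
    def __init__(self, entry):
        name, start, count = entry.strip().split(":")
        self.name, self.start, self.count = name, int(start), int(count)
        if self.start < 0 or self.count <= 0:
            raise ValueError(f"bad subid entry: {entry!r}")

    def to_host(self, container_id):
        if not 0 <= container_id < self.count:
            raise ValueError(f"{container_id} is outside this range")
        return self.start + container_id

    def to_container(self, host_id):
        # Host ids outside the range (real root, other users) have no identity
        # inside the namespace: their files show up as the overflow id there.
        if not self.start <= host_id < self.start + self.count:
            return None
        return host_id - self.start


def parse_subid_file(text, name):
    """All ranges assigned to `name` in /etc/subuid-style text, in file order."""
    ranges = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            rng = SubIdRange(line)
            if rng.name == name:
                ranges.append(rng)
    return ranges


def host_view(container_id, ranges):
    """Host uid that `ls` on the host prints for an owner id seen inside the
    container, walking the concatenated ranges."""
    offset = 0
    for rng in ranges:
        if container_id < offset + rng.count:
            return rng.to_host(container_id - offset)
        offset += rng.count
    raise ValueError(f"container id {container_id} is not mapped")


def range_start_for(container_id, host_id):
    """Start value that makes container_id show up as host_id: the
    '200 = 1000 - 800' from the question. A container uid above the wanted
    host uid would need a negative start, which cannot exist, hence None."""
    start = host_id - container_id
    return start if start >= 0 else None


if __name__ == "__main__":
    ranges = parse_subid_file("dockremap:200:100000\n", "dockremap")
    print(host_view(800, ranges))       # 1000: lape
    print(host_view(0, ranges))         # 200: container root is an ordinary host uid
    print(range_start_for(800, 1000))   # 200
    print(range_start_for(1200, 1000))  # None: the limitation the asker mentions
```

The second line of output is the security benefit that the remap buys even when the file-ownership use case is awkward: a process that is root inside the container is uid 200 on the host, with no rights over host files it did not create.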

Linux permissions issue on sftp server

Good day!
I have a Linux SFTP server located in a VM. This VM has access to GlusterFS storage, where the SFTP directories are located. SFTP works via OpenSSH server and chroots the sftpusers group to the SFTP directories on the GlusterFS storage. All worked well... At one point I got an issue...
Trying to create user:
# useradd -d /mnt/cluster-data/repositories/masters/test-user -G masters,sftpusers -m -s /bin/nologin test-user
Checking:
# cat /etc/passwd | grep test-user
test-user:x:1029:1032::/mnt/cluster-data/repositories/masters/test-user:/bin/nologin
# cat /etc/group | grep test-user
masters:x:1000:test-user
sftpusers:x:1005:test-user
test-user:x:1032:
Doing chown and chmod for home dir by hand:
# chown -R test-user:test-user /mnt/cluster-data/repositories/masters/test-user
# chmod -R 770 /mnt/cluster-data/repositories/masters/test-user
Checking:
# ls -la /mnt/cluster-data/repositories/masters/test-user
итого 16
drwxrwx--- 2 test-user test-user 4096 Окт 27 2013 .
drwxr-xr-x 13 root masters 4096 Окт 27 2013 ..
Adding another user to test-user's group:
# usermod -G test-user -a tarasov-af
# cat /etc/passwd | grep tarasov-af
tarasov-af:x:1028:1006::/mnt/cluster-data/repositories/lecturers/tarasov-af/:/bin/nologin
# cat /etc/group | grep tarasov-af
masters:x:1000:tarasov-af,test-user
sftpusers:x:1005:tarasov-af,test-user
lecturers:x:1006:tarasov-af
specialists:x:1008:tarasov-af
test-user:x:1032:tarasov-af
Login as tarasov-af:
sftp> cd masters/test-user
sftp> ls
remote readdir("/masters/test-user"): Permission denied
sftp> ls -la ..
drwxr-xr-x 13 0 1000 4096 Oct 26 21:30 .
drwxr-xr-x 6 0 0 4096 Oct 2 15:53 ..
drwxrwx--- 2 1029 1032 4096 Oct 26 21:53 test-user
I tried to login as tarasov-af into bash (usermod -s /bin/bash tarasov-af):
$ id
uid=1028 gid=1006
groups=1000,1005,1006,1008,1032
P.S. I guess this issue began after the VM disk failed and I got /etc/passwd and /etc/group broken; I restored them from backups and all previous accounts work well. I have this issue only with new accounts.
I've found the reason for this issue: user tarasov-af has more than 16 secondary groups; the first 15 groups work, the others don't. I've set kernel.ngroups_max = 65535 in sysctl.conf on every computer in the cluster (GlusterFS) and on the SFTP VM, but nothing changed.
This issue lies in the glusterfs client; it can't handle more than 15 secondary groups.
# glusterfs --version
glusterfs 3.2.7 built on Sep 29 2013 03:28:05

Unix files permissions depending on path(?)

I have a directory cyanspring with a nohup.out file.
drwxr-xr-x 12 usr1 usr1 4096 Aug 20 13:59 cyanspring
Owner of the file is able to read it:
[root@lw414 usr1]# sudo -u usr1 ls -l cyanspring/nohup.out
-rw-r--r-- 1 usr1 usr1 30617 Aug 20 14:00 cyanspring/nohup.out
When I try to read it with another user, I get Permission denied.
[root@lw414 usr1]# sudo -u zabbix ls -l cyanspring/nohup.out
ls: cannot access cyanspring/nohup.out: Permission denied
If I go inside the directory, I am able to read the file as the same user who got "Permission denied".
[root@lw414 usr1]# cd cyanspring
[root@lw414 cyanspring]# sudo -u zabbix ls -l nohup.out
-rw-r--r-- 1 usr1 usr1 30617 Aug 20 14:00 nohup.out
Absolute path doesn't work either.
I thought it doesn't matter where you try to access the file from as long as you have the link and permissions. Can anybody give me a hint where I am wrong? Could it be because of the outer folders' permissions?
You got "Permission denied" because user zabbix does not have search permission on the lachesis directory.
This can be fixed by running this command from the lachesis directory:
sudo chmod go+x .
Permissions are checked for each directory beginning from the current directory if you give a relative path, or beginning from the root if you give an absolute path.
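The last sentence of the answer is the whole rule, and it is easy to verify by modelling it. Below is an added example (my own code, not from the thread) that resolves a path the way the kernel does: search (`x`) permission on every directory crossed, starting from the current directory for a relative path or from `/` for an absolute one, and read permission on the file at the end. The tree is constructed to match the listings in the question; the parent directory name `/home/usr1`, its 750 mode and the uids 1001 (usr1) and 1002 (zabbix) are assumptions standing in for what the answer calls the lachesis directory.

```python
import posixpath
import stat

# Constructed model of kernel path resolution: every directory crossed,
# including the starting one, needs search (x) permission for the caller,
# and the final file needs read (r). The tree mirrors the thread's layout;
# the parent directory's name, mode and the uids/gids are assumptions.

# path -> (owner uid, group gid, st_mode)
TREE = {
    "/":                               (0, 0, stat.S_IFDIR | 0o755),
    "/home":                           (0, 0, stat.S_IFDIR | 0o755),
    "/home/usr1":                      (1001, 1001, stat.S_IFDIR | 0o750),
    "/home/usr1/cyanspring":           (1001, 1001, stat.S_IFDIR | 0o755),
    "/home/usr1/cyanspring/nohup.out": (1001, 1001, stat.S_IFREG | 0o644),
}

def permitted(uid, gids, owner, group, mode, bit):
    """Classic Unix class selection: owner, else group, else others; root
    (CAP_DAC_OVERRIDE) passes read and directory-search checks."""
    if uid == 0:
        return True
    shift = 6 if uid == owner else 3 if group in gids else 0
    return bool((mode >> shift) & bit)

def resolve(path, cwd, uid, gids, tree=TREE):
    """None if `uid` may read `path`, else the component that denies it."""
    absolute = path.startswith("/")
    start = "/" if absolute else posixpath.normpath(cwd)
    full = posixpath.normpath(path if absolute else posixpath.join(cwd, path))
    parts = [p for p in full[len(start):].split("/") if p]
    current = start
    for part in parts:
        owner, group, mode = tree[current]
        if not permitted(uid, gids, owner, group, mode, 1):   # x on a directory
            return current
        current = posixpath.join(current, part)
    owner, group, mode = tree[current]
    if not permitted(uid, gids, owner, group, mode, 4):       # r on the file
        return current
    return None

def with_perm(tree, path, perm):
    """Copy of the tree with one entry's permission bits replaced (a chmod)."""
    owner, group, mode = tree[path]
    fixed = dict(tree)
    fixed[path] = (owner, group, stat.S_IFMT(mode) | perm)
    return fixed

if __name__ == "__main__":
    zabbix, usr1 = (1002, {1002}), (1001, {1001})
    print(resolve("cyanspring/nohup.out", "/home/usr1", *usr1))      # None: owner reads it
    print(resolve("cyanspring/nohup.out", "/home/usr1", *zabbix))    # /home/usr1 denies
    print(resolve("nohup.out", "/home/usr1/cyanspring", *zabbix))    # None: already inside
    print(resolve("/home/usr1/cyanspring/nohup.out", "/", *zabbix))  # /home/usr1 denies
    fixed = with_perm(TREE, "/home/usr1", 0o751)   # the answer's chmod go+x
    print(resolve("cyanspring/nohup.out", "/home/usr1", *zabbix, fixed))  # None
```

The third case is the surprising one from the question: once a process is already inside `cyanspring` (the root shell did the `cd`), a relative `nohup.out` never touches the parent, so the missing `x` on it is never consulted. This is also why `chmod go+x` on a parent directory is a real permission grant: it reopens every world-readable file below it to everyone who can name the path.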

why is it not possible to modify a file in a directory where I have read/write group rights?

I am currently messing around on my linux system and now I have the following situation.
The directory /srv/http has the following permissions set:
drwxrwxr-x 2 root httpdev 80 Jun 13 11:48 ./
drwxr-xr-x 6 root root 152 Mar 26 13:56 ../
-rwxrwxr-x 1 root httpdev 8 Jun 13 11:48 index.html*
I have created the group httpdev before with the command:
groupadd httpdev
and added my user sighter with:
gpasswd -a sighter httpdev
Then I have set the permissions as above using the chown and chmod commands.
But now I am not allowed to modify the index.html file or create a new file, as user sighter, with touch like that:
<sighter [bassment] ~http> touch hallo.php
touch: cannot touch `hallo.php': Permission denied
What do I understand wrong? I was expecting that I can do what I want there, since the group has all the rights.
The following output is for your information.
<sighter [bassment] ~http> cat /etc/group | grep sighter
...
httpdev:x:1000:sighter
...
The Linux distro used is Arch Linux.
Adding a user to a group does not affect currently running sessions. So you have to log out and log in again, or use su - sighter to log in.
After this you should be able to do what you want to do.
You're not in the right group. You need to log out and back in again. Also, superuser.
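Both this thread and the GlusterFS one above come down to the same gap: the group list stored in `/etc/group` and the group list a running process actually carries are two different things. As an added example serving both posts (my own code, not from either thread), the block below parses passwd/group text, lists a user's supplementary groups in file order, reports which of them a client that honours only the first N groups would silently drop (the GlusterFS answer says 15), and compares a session's group ids with the database to detect a membership that will only take effect after a new login. The `tarasov-af` lines are the ones printed in the GlusterFS question; the session lists in the demo are constructed.

```python
import grp
import os
import pwd

# Added helpers over /etc/passwd and /etc/group text. They serve two posts:
# the GlusterFS one, whose answer reports that its client honours only the
# first 15 secondary groups, and the Arch one, where a fresh gpasswd
# membership is not yet present in the running session.

def primary_gid(user, passwd_text):
    for line in passwd_text.splitlines():
        f = line.split(":")
        if len(f) >= 4 and f[0] == user:
            return int(f[3])
    raise KeyError(user)

def supplementary_gids(user, group_text):
    """Secondary groups in /etc/group order, the order that matters when a
    client silently drops everything after its limit."""
    gids = []
    for line in group_text.splitlines():
        f = line.split(":")
        if len(f) == 4 and user in [m for m in f[3].split(",") if m]:
            gids.append(int(f[2]))
    return gids

def gids_beyond_limit(user, group_text, limit=15):
    """Groups a limited client (the thread's glusterfs 3.2.7 stops at 15)
    would never present for `user`: membership that exists in the database
    but does not reach the file server, so those directories deny access."""
    return supplementary_gids(user, group_text)[limit:]

def stale_session_groups(db_gids, session_gids):
    """Database groups the session does not carry. A non-empty result means
    the user was added to a group after logging in: the new permissions
    apply only to a new login (or `su - user`), not to the current shell."""
    return sorted(set(db_gids) - set(session_gids))

def live_stale_groups():
    """The same comparison for the running process, via the NSS database."""
    me = pwd.getpwuid(os.getuid()).pw_name
    db = [g.gr_gid for g in grp.getgrall() if me in g.gr_mem]
    db.append(pwd.getpwnam(me).pw_gid)
    return stale_session_groups(db, os.getgroups())

# Data copied from the GlusterFS question (not constructed).
PASSWD = "tarasov-af:x:1028:1006::/mnt/cluster-data/repositories/lecturers/tarasov-af/:/bin/nologin\n"
GROUP = (
    "masters:x:1000:tarasov-af,test-user\n"
    "sftpusers:x:1005:tarasov-af,test-user\n"
    "lecturers:x:1006:tarasov-af\n"
    "specialists:x:1008:tarasov-af\n"
    "test-user:x:1032:tarasov-af\n"
)

if __name__ == "__main__":
    print(primary_gid("tarasov-af", PASSWD))              # 1006
    print(supplementary_gids("tarasov-af", GROUP))        # [1000, 1005, 1006, 1008, 1032]
    # With a client limit of 3 the last two groups (including test-user,
    # the one that owns the directory in the question) would never be sent.
    print(gids_beyond_limit("tarasov-af", GROUP, limit=3))  # [1008, 1032]
    # Constructed session: usermod ran, but the shell predates it.
    print(stale_session_groups(supplementary_gids("tarasov-af", GROUP),
                               [1000, 1005, 1006, 1008]))   # [1032]
    print(live_stale_groups())  # [] unless you were added to a group after login
```

`live_stale_groups()` is the check to run from the shell that gets "Permission denied": if it prints the new group's gid, the database is fine and the session is simply older than the membership, which is exactly what both answers say.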