-bash-3.2$ man chgrp | head -1
CHGRP(1) User Commands CHGRP(1)
-bash-3.2$ man chown | head -1
CHOWN(1) User Commands CHOWN(1)
following content is from 'man 7 man':
1 Commands
Those commands that can be executed by the user from within a shell.
8 System management commands
Commands like mount(8), many of which only root can execute.
Why CHGRP(1)/CHOWN(1) cannot be used by ordinary user? In my understanding, CHGRP(8)/CHOWN(8) cannot be used by ordinary user.
Letting non-root user to use chown or chgrp would have many problems.
If user were able to chown otheruser ownfile, then after that, he would not be able to access his own file anymore - not good.
If some evil user hijacked your account, he would be able to change permissions on your files such that they are now owned by other user: like evil user or www user. Then, it would be trivial to steal your data.
If any user could successfully call the chown(2) syscall (e.g. thru chrgrp and chown commands) on files not belonging to him, the user-based access protection provided by the Linux kernel would be useless. A malicious user would change ownership of every file whose access is limited to him
Of course, the user could execute the chown command (e.g. by typing /usr/bin/chown file) but if called from an ordinary user these commands will fail (and have a non-zero exit code) because the underlying chown(2) syscall would fail.
NB: as documented, an ordinary user may chgrp to some group he belongs to.
All users can use chgrp change the group of a file they own to other groups they are a member of. Try this, replacing the group name lpadmin with any second group that are in:
touch t; ls -l t; chgrp lpadmin t; ls -l t
The before and after calls to ls will show that the group changed.
Related
In Unix, if I run a binary which mucks around with files, does the binary have the same file permissions as myself (the user who ran the binary)?
In most of the cases, the answer is yes!
However this is not true if you have setuid, setgid bits enabled on that binary.
Classic example of binary with the setuid enabled.
ls -ltra `which passwd`
That command would not be able to work, if it could not grant you (the user that execute the command) the same privilege as root during its execution to modify files like /etc/password or /etc/shadow
Have a look at:
https://docs.oracle.com/cd/E19683-01/816-4883/secfile-69/index.html
setuid Permission
When set-user identification (setuid) permission is set on an
executable file, a process that runs this file is granted access based
on the owner of the file (usually root), rather than the user who is
running the executable file. This special permission allows a user to
access files and directories that are normally only available to the
owner.
setgid Permission
The set-group identification (setgid) permission is similar to setuid,
except that the process's effective group ID (GID) is changed to the
group owner of the file, and a user is granted access based on
permissions granted to that group. The /usr/bin/mail command has
setgid permissions
You might also want to have a look at fork and exec if you want to dig a bit further into how does Linux manage processes and subprocesses.
Is it possible avoid sudo word while executing the higher privileged commands to a non-root user via a sudo policy such non-root users should not be able to know that he is executing higher privileged commands and also the usage of sudo might be complex.
Example:
Normal Execution of Sudo Command.
$ sudo -u root /usr/bin/tcpdump
non-root users should execute tcpdump like below.
$ tcpdump
Thanks in advance.
Note: I have defined a Sudo Policy for non-root users. So, when a non-root user executes tcpdump, in the backend it should execute as
sudo -u root tcpdump.
Yes. It is possible.
You should:
1- Create a new specific new group where some users would belong:
groupadd nonroot
2- Add your privileged users to that group:
2.1- Edit /etc/group:
vim /etc/group
2.2- Find the line of new created group. It should look like that:
nonroot:x:127:
2.3- At the end, add your privilaged users:
nonroot:x:127:user1,user2
3- Change the group of your binary:
chgrp nonroot /usr/bin/tcpdump
4- Give group execution permissions to the binary:
chmod g+x /usr/bin/tcpdump
You have to have in count that if the binary reads, writes or executes files which user1 has no permissions, you'll have modify them in the same way.
If you cannot change the group of the binary, check the right answer of post bellow, which is a similar way:
Allow users of a certain group to run a command without sudo
Hope it helps.
NOTE: Commands may differ between different linux/unix distros.
I can see at least two possibilities:
Wrap it in a script (an alias is also possible, but if users can use different shells or just start them manually, it can turn into a maintenence hell)
Set the suid bit on tcpdump, but that means everyone who can invoke tcpdump always does so as the owner.
You might want to explore using sudoers file.
Using CentOS as an example (should be similar for Debian), create a file within sudoers.d with the relevant name, e.g. tcpdump and include the following:
user ALL=NOPASSWD: /usr/bin/tcpdump command
Replace the user and command to suit your purpose. You can find out more here.
This coupled with a alias tcpdump='sudo tcpdump for the user should fit your use case.
Scenario:
bob owns directory x
bob has set permissions on x to 777
jim can't write to x. Why?
Actual output:
ls -la .pip/
total 12
drwxrwxrwx 2 user1 user1 4096 May 5 12:03 .
drwx------ 5 user1 user1 4096 May 6 11:34 ..
-rw-rw-rw- 1 user1 user1 2054 May 5 12:48 pip.log
sudo -S -p 'sudo password:' -u "apache" /bin/bash -l -c "mkdir .pip/monkey"
/bin/bash: /home/user1/.bash_profile: Permission denied
mkdir: cannot create directory `.pip/monkey': Permission denied
Ultimately I'm trying to pip install as apache user and that user is not allowed to write the install log, so the process fails. I need to write the log as apache user, but it lives in my user space. I could change the owner, but this process is supposed to work for any user, even new ones, so it's somewhat confusing what I'm supposed to do to achieve this.
UPDATE:
I understand from http://linux.die.net/man/2/path_resolution that it is the fact that apache does not own user1's home directory, so the directory search won't work. Is this the case?
Disclaimer: At the time this answer was composed, the question did not clearly identify working directories. If assumptions documented in the answer are incorrect, the folders mentioned in the answer may need to be adapted accordingly.
It appears that the question asks why user apache cannot operate under:
/home/user1/
It also appears that /home/user1 may have permissions set to drwx------ as these permissions are typically used to help secure private data that can accumulate in the root of the user's home directory.
If the above is true, then it is normal for apache to not be able to work under /home/user1/ because it does not have traversal rights to /home/user. Such rights can be added in various ways. The simplest, but not particularly safe way to do it is something like:
sudo chmod o+x /home/user1
It would then be possible for /home/user1 sub-folder permissions to be tightened and loosened to fit the need. It would be better to use group permissions than world permissions, but you should probably create a special group for this purpose rather than making apache a member of the user1 group. An even better solution would be to use an ACL that grants apache traversal rights to /home/user1 without opening the user's home directory up to a wider audience.
Be careful. Loosening permissions with the aforementioned command can give all users on the box access to sub-directories of the user's home directory if their permissions are not suitably tight.
Note: Security mechanisms on some systems might get annoyed by loosening of user home directory permissions and interfere with manual overrides. This could happen, for example, on a distribution that has msec configured to a relatively high security level. Without more detail given about the system configuration, it is somewhat difficult to anticipate potential problems. For example, unless an exception has been made for particular file system areas, on an msec managed system with high security set, msec will periodically rewrite directory permissions that it monitors if it does not consider the permissions compatible with the configured security level.
I'm studing Set-UID Privileged Programs, and it seems that a program executes with a its own owner privilegies.
Example: passwd can read/write the shadow file because it belongs to a root user. How can i find this kind of information for other programs?
When you set user identification (the 4755 mode) permission to an executable file, a process that runs this file is granted access based on the owner of the file.
In this case you copy /bin/zsh as root user and then set the 4755 mode, /tmp/zsh so will give root privileges to the user that will run the file rather than user privileges.
This special permission allows a user to access files and directories that are normally only available to the owner.
Have you tried to make what you have been asked?
Use getuid(2), geteuid(2), getresuid(2) and the corresponding setuid(2), setreuid(2) appropriately. See also capabilities(7) and credentials(7) & carefully execve(2). Read about proc(5)
Read the Setuid wikipage. A process running a setuid executable can call seteuid to gain privilege.
I'm a little bit confused with Linux permissions. I'm configuring a Git Central Repository that the users access by SSH. I'm using Filesystem ACLs(link) and regular linux permissions. What I intend to do is:
Find a way in that only the users that I want will be able to list/read/write/execute the dir "/var/github" (in a way that I assign a group to the user that I want to give this kind of permissions)
The user "git" is the only user that can create new folders in "/var/github"
This is possible to do? Somes clues on how to do it?
Best Regards,
chown git:git /var/github; chmod 750 !$
Now only the group git can read the folder and only the user git can modify it.
You can use access control lists to grant access to multiple groups. Here's an example session (using Ubuntu, but it should be the same for CentOS) that gives the grp1 group read access and the grp2 group read, write and execute access:
$ touch foo
$ setfacl -m "g:grp1:r--,g:grp2:rwx" foo
$ getfacl foo
# file: foo
# owner: me
# group: me
user::rw-
group::r--
group:grp2:rwx
group:grp1:r--
mask::rwx
other::r--
Make sure that along with the user "git" that there is a "git" group. Add all the users to the group that you will give access to. Change the ownership properties of your directory to user and group git, and then the permission of 750. The ownership and mode commands are as follows:
chown git:git /var/github
chmod 750 /var/github
The permission of 750 lets the user do pretty much anything in the folder and only the members of the group "git" read and possibly execute in that folder. What programs and commands you use for your user management is up to you.