Path: utzoo!utgpu!jarvis.csri.toronto.edu!clyde.concordia.ca!uunet!tut.cis.ohio-state.edu!zaphod.mps.ohio-state.edu!mips!excelan!crdgw1!montnaro
From: montnaro@spyder.crd.ge.com (Skip Montanaro)
Newsgroups: comp.sys.hp
Subject: Re: How can I give users root-like privs. w/o the passwd ?
Message-ID:
Date: 27 Dec 89 14:33:20 GMT
References: <2643@umbc3.UMBC.EDU> <3140011@hpldsla.HP.COM>
Sender: news@crdgw1.crd.ge.com
Reply-To: (Skip Montanaro)
Organization: GE Corporate Research & Development, Schenectady, NY
Lines: 155

This topic is certainly of wider interest than to just HP folks. Be that as
it may, you might be interested in Tom Christiansen's paper in the USENIX
LISA III workshop entitled "Op: A Flexible Tool for Restricted Superuser
Access". You can probably get Tom (tchrist@convex.com) to send you a
reprint. The man page for op(8), taken from our Convex, appears below.
Don't ask me how you're going to get op(8) running on your HP. Perhaps you
can convince HP to include it in HPUX 10.5 :-).

------------------------------------------------------------------------------

NAME
     op - operator interface tool for giving restricted access to privileged
     commands

SYNOPSIS
     /etc/op mnemonic [ arg ... ]
     /etc/op -h [ -u username ] [ mnemonic ]

DESCRIPTION
     The op tool provides a flexible means for system administrators to
     grant to any set of trusted users permission, or access, to execute
     certain root operations without having to give them full superuser
     privileges. It is a non-interactive command interpreter that places
     restrictions on which users are allowed to execute which privileged
     commands.

     The functions (or mnemonics) understood by the op program are listed in
     the configurable data file /etc/op.access, along with the meaning of
     each mnemonic (an exact UNIX command that will accomplish the desired
     result) and who is allowed to execute it.
     The restrictions can be made as tight as each site demands, as
     determined by the system administrator who customizes the op.access
     file.

     The format of the access database file is fully described in
     op.access(5). In summary, it contains a mapping of mnemonics, or
     operator functions, to the full pathnames of programs that should be
     invoked and the arguments that are allowed, if any. The arguments to
     the executed program can be a combination of literal and variable
     arguments, and restrictions can be placed on which values are valid
     substitutions for the variable arguments. The args given on the op
     command line are only necessary to specify any variable arguments the
     mnemonic may need. While the superuser does not have access permissions
     checked (root can run anything), each arg's validity is verified.

     The following set of attributes can also be controlled for each
     mnemonic by the op program:

          o the uid to set (root by default)
          o the gid to set (not changed, by default)
          o the directory to chdir(2) to (not changed, by default)
          o the root directory to set with chroot(2) (not changed, by
            default)
          o the umask to set (022 by default)
          o a list of groups allowed to execute this function (none by
            default)
          o a list of users allowed to execute this function (none by
            default, except the superuser)
          o the range of valid arguments for the command (any value per
            variable argument by default)
          o any number of environment variable settings (none by default).

     The following options are recognized:

     -h [ mnemonic ]
          This option requests help and informs the operator of the commands
          he or she is allowed to run and how they are to be run. The
          operator is not allowed to view the access file directly for
          security reasons. Without an argument, this option will display a
          list of mnemonics which the invoking user is allowed to execute.
          If a specific mnemonic is given, and if that mnemonic is defined in
          the access file and the user has permission to execute it, then a
          "usage" message is output, describing the valid arguments accepted
          by that mnemonic and the order in which they should be given (if
          there are any variable arguments to that mnemonic at all).

     -u username
          Use the specified username when checking for permission to execute
          the mnemonics listed in the /etc/op.access file. This option may
          only be used by the superuser and in conjunction with the -h
          option.

     If the -h flag (for help) is not given, the op program verifies that
     the invoking user is allowed to run a particular command, validates any
     variable arguments, and properly sets up any of the above-specified
     attributes before executing the associated program. Security measures
     such as clearing out the vector of group permissions and clearing all
     but the specified environment variables are taken before the command
     is executed.

     Attempted executions of op (whether successful or not) are logged via
     syslog(3). The information logged includes when and by whom op was
     executed and with which command-line arguments. Invalid users or
     variables are especially noted. Many messages written to the log file
     contain the user's login name, which will be contained within square
     brackets ([]).

     All op logging is done using syslog's LOG_AUTH facility. The usage
     information will be logged with a syslog level of LOG_INFO, usage
     errors (such as invalid or wrong number of arguments) use the
     LOG_NOTICE level, an unauthorized user will be noted with the
     LOG_WARNING level, and a failed execve of the command will be logged
     with the LOG_ERR level. The log files to which this syslog information
     is written can be customized within the /etc/syslog.conf file; see
     syslogd(8) for information on how to configure this file.
EXAMPLES
     The following line in the op.access file gives the user bruce and any
     member of the opers group permission to run weekly dumps on any of the
     named file systems by simply typing op weekly valid_filesys_name, where
     valid_filesys_name is one of /, /usr, or /mnt. Because no other
     attributes are defined for this mnemonic, the defaults are used: the
     dump program runs as root, but the gid, current working directory, and
     root directory remain unchanged. The umask is 022, and the group and
     environment vectors are cleared.

          weekly /etc/dump 0Gun $1; users=bruce groups=opers $1=/,/usr,/mnt

     For more examples of the access file format and usage, see the
     op.access(5) manual page.

FILES
     /usr/etc/op.access     list of operator mnemonics and restrictions
                            enforced by op

SEE ALSO
     op.access(5), syslog(3), "Operator Interface" chapter in the CONVEX
     System Manager's Guide

WARNINGS
     It is up to each individual system administrator to assure that the
     programs listed within the op.access file are secure. It is recommended
     that the access file not contain shell scripts that run as root. Also,
     caution should be taken in including any interactive programs in the
     access database.

------------------------------------------------------------------------------
--
Skip (montanaro@crdgw1.ge.com)
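A small model of the access check the DESCRIPTION and EXAMPLES sections describe, added here as an illustration; it is not op's own source and assumes only the attribute syntax the example entry shows (users=, groups=, $N=), the superuser rule, and the syslog levels the man page names.

```python
"""Model of op's request check, built from the man page above (added
example, not op's own source).  Assumes only the op.access syntax the
EXAMPLES entry shows: mnemonic /path literal... $N... ; users= groups= $N=."""

LOG_INFO, LOG_NOTICE, LOG_WARNING = "LOG_INFO", "LOG_NOTICE", "LOG_WARNING"

def parse_entry(line):
    """Split one op.access entry into command words and attributes."""
    command, _, attributes = line.partition(";")
    words = command.split()
    entry = {"mnemonic": words[0], "argv": words[1:],
             "users": set(), "groups": set(), "values": {}}
    for token in attributes.split():
        key, _, value = token.partition("=")
        if key in ("users", "groups"):
            entry[key] = set(value.split(","))
        elif key.startswith("$"):          # allowed values for a variable argument
            entry["values"][key] = set(value.split(","))
    return entry

def decide(entry, user, user_groups, args):
    """Return (syslog level, log message, argv to exec or None).
    Root skips the user/group check but still has each $N validated."""
    tag = f"[{user}]"                      # op brackets the login name in its log lines
    permitted = (user == "root" or user in entry["users"]
                 or bool(set(user_groups) & entry["groups"]))
    if not permitted:
        return LOG_WARNING, f"{tag} not permitted to run {entry['mnemonic']}", None
    variables = list(dict.fromkeys(a for a in entry["argv"] if a.startswith("$")))
    if len(args) != len(variables):
        return LOG_NOTICE, f"{tag} {entry['mnemonic']} takes {len(variables)} argument(s)", None
    for var, value in zip(variables, args):
        allowed = entry["values"].get(var)  # no $N= attribute means any value is valid
        if allowed is not None and value not in allowed:
            return LOG_NOTICE, f"{tag} invalid value {value!r} for {var}", None
    substitution = dict(zip(variables, args))
    argv = [substitution.get(word, word) for word in entry["argv"]]
    return LOG_INFO, f"{tag} {entry['mnemonic']} {' '.join(args)}", argv

# The man page's own EXAMPLES entry, used here as the sample access entry.
WEEKLY = parse_entry("weekly /etc/dump 0Gun $1; users=bruce groups=opers $1=/,/usr,/mnt")

if __name__ == "__main__":
    for request in [("bruce", ["users"], ["/usr"]),    # allowed by users=
                    ("alice", ["opers"], ["/"]),       # allowed by groups=
                    ("mallory", ["users"], ["/usr"]),  # unauthorized: LOG_WARNING
                    ("bruce", ["users"], ["/home"]),   # bad $1: LOG_NOTICE
                    ("root", [], ["/home"])]:          # root still has $1 checked
        print(decide(WEEKLY, *request))
```

The real tool additionally applies the uid, gid, chdir, chroot, umask and environment attributes and clears the group vector before the execve; this model stops at the decision and the argv it would pass.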