Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
I need to allow 3 users in user 'extra' the ability to alter a file on my vps. The file is in /root and I changed the file permission to 666 (YIKES!) so that the file can be altered by the 'extra' user.
I remember that there is some kind of trick whereby a user can change permissions or something whereby they can get root privileges. There are supposed to be things that need to be done to prevent this ability. Does anyone know what I am talking about here and the remedy? Thanks.
there are several things you need to think about:
1. permission settings (on directory and on files)
2. sudo (privilege handling)
3. selinux
But I do not really know what is your problem and what is your configuration.
I'm marking this thread "unsolved" as the OP has not indicated what his problem is and why one needs to "remedy" anything when a file has been given such bad DAC rights and resides in the /root directory in the first place. Please explain in detail.
Distribution: Mainly Devuan, antiX, & Void, with Tiny Core, Fatdog, & BSD thrown in.
Posts: 5,493
Rep:
Those 3 users should be in a group that is allowed to access that file. the file permissions should not allow 'anybody' access to it as in 666, change that at least to 660. (Owner & Group to have read/write permission)
Those 3 users should be in a group that is allowed to access that file. the file permissions should not allow 'anybody' access to it as in 666, change that at least to 660. (Owner & Group to have read/write permission)
Thanks. Not familiar with setting up groups yet, so I'll do that. I also wasn't sure about the 666 and will change it to 660.
Those 3 users should be in a group that is allowed to access that file.
Lack of knowledge, (with all due respect) laziness and actual requirements are different ways to reach a decision. If it's the first two then we need to correct that as only the third option is a valid reason (if nothing like "--config-file=/other/path" or equivalent exists). So, no, I wouldn't advise that until the OP has given a valid reason why the file should be in /root in the first place.
Quote:
Originally Posted by battles
I remember that there is some kind of trick whereby a user can change permissions or something whereby they can get root privileges. There are supposed to be things that need to be done to prevent this ability. Does anyone know what I am talking about here and the remedy?
While SELinux, as pan64 offered, won't stop anyone from editing that file (as it relies on sane DAC rights among other things) you can use the audit service (or 'rootsh') to create an audit trail of users "movement". As for editing a file, yes: if a user is allowed to 'sudo $EDITOR /path/file' problems arise when the editor in question allows it to escape to a shell or allows arbitrary command execution. See 'man sudoers', the "Secure editing" part.
say the file's name is battles.txt,
is it located at /root/battles.txt or /battles.txt ?
if the first, why would you need it located under the root home account?
if the second then with proper file permissions i don't see what harm that location causes versus being under /home/battles.txt or /usr/bin/battles.txt and so on.
In any case the file permission and group permissions are what matter, and like said don't give world permission any access and keep it limited to owner and group.
if you are forced to have the file located within the root home account at /root/battles.txt for whatever reason you can't get around,
the folder /root/ has the owner.group permission of root.root with permissions being 700 => only root (superuser) can get into it.
I would not allow your 3 users to be in the root group, instead create a group of some name and id, like group name = badpractice with some id number in the proper range. then do "chown root.badpractice /root/" to change group ownership of the /root folder and
then do chmod 750 /root/ to allow only users in the group named badpractice to be able to get into the /root/ folder but not write anything new in there. then do "chown root.badpractice /root/battles.txt" and "chmod 770 /root/battles.txt" to allow users in the group badpractice access to that file.
Functionally i don't see much of a problem if the rest of the files under /root/ have proper permissions and aren't changed and you don't put nothing else in there. but hopefully the group name i chose was obvious and you should find a better way to do that.
and if the file battles.txt needs to be an executable, then use 770 for permissions.
based on what you said you need to do, i don't see a need to use sudo for anything you can get by in any case with just file/group permissions.
There's really no plausible reason for an externally-modifiable file to be ... to "must be" ... in the /root directory. Therefore, the presented question, "how do I allow three users to modify it there?," is the wrong question to ask.
It's like: "How do I permit exactly three users to shoot me in the foot?"
Put the file into a place that is "ordinary," in a directory that can be made accessible only to specified groups, including one that includes only these three users. Treat this file, and all modifications made to it, as "untrusted." Now, devise a separate mechanism by which versions of this file (in that place ...) can be snapshotted, archived, and transferred to a secure directory where it can be e-v-a-l-u-a-t-e-d by a trusted third-party person, who can choose to install it or not. (Consider a version-control system, like git ...) Consider how that trusted person might be able to instantly and accurately revert any change.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.