LinuxQuestions.org
Old 11-15-2018, 11:07 AM   #1
imthenachoman
LQ Newbie
 
Registered: Nov 2018
Posts: 3

Rep: Reputation: Disabled
OS level role/command based privileged escalation for use with automation via a front-end/back-end process with additional authentication


I want to develop a LAMP web app/solution and after a fair amount of searching I am starting to think it is not possible to do what I want. Not sure how to explain this succinctly so I apologize for the verbosity.

And before I start, I want to stay away from expensive enterprise grade solutions. Hoping for something I can either develop myself (if someone can help with the logic/algorithm of the code I'd need) or something that is free/open-source. At worst, if I have to pay a license for personal use that is fine too. Basically looking for something for personal use.

Let me explain the desired end result:
  • User accounts (that do not map/tie to an OS account) will be created on the web app
  • Typical web app authentication/authorization (with 2FA/MFA)
  • User accounts will map to read/write file-system permissions tied to an OS account
    • This mapping should be maintained and administered on the server outside of the web app
    • This is something a server admin would do somewhere **on the OS**
  • The idea being that users will be able to read/write files on the server as though they are the associated OS account
  • The hope is the user will have two security gates they'll have to authorize through: the web app and the OS (**something the web app doesn't know**)
Here is a more detailed example:
  • OS has two human interactive accounts: osuser1 and osuser2
  • OS has one non-human non-interactive account that Apache will run as: www-data
  • web app has three human interactive accounts that users will log in with (using their web browser): webuser3, webuser4, webuser5
  • the accounts in the web app are permissioned on the OS level like this:
    • webuser3 can:
      • read files in /home/osuser1 as osuser1
      • read and write files in /home/osuser2 as osuser2
    • webuser4 can:
      • read and write files in /home/osuser1 as osuser1
    • webuser5 can:
      • write files in /home/osuser2 as osuser2
  • this web app user to OS user permission mapping should be maintained on the OS, outside of the web app
How I would like it to work:
  • user logs in to web app (webuser3, webuser4, webuser5)
  • user interacts with the UI to list files or create a file in some folder
  • the web app will ask for additional authentication/authorization information, like a PW and/or 2FA/MFA code
  • the web app will send information to the OS:
    • the additional authentication/authorization information
    • the ID of the web app user
    • what they want to do (read or create)
  • the OS will authorize the action and send it back to the web app
Now, Apache is running as www-data so it won't, by default and without messing with file/folder permissions, have any access to /home/osuser#. One way I can think of accomplishing the above is to give www-data passwordless sudo privileges (either as root or the OS accounts osuser1 and osuser2) so it can do things as the OS accounts. I don't like this because if the system is compromised and a bad actor gains access to www-data account then they will also be able to use sudo to do things as the OS accounts /home/osuser#. And also, this way would require the web app to maintain the web app user to OS user permission mapping.

Obviously the OS is not aware of the web app accounts (webuser3, webuser4, webuser5) and I don't want to have to create matching accounts on the OS. The hope is to use some OS tool/library to do the mapping. Something that would have an internal configuration of external accounts (the ones coming from the web app). Maybe using roles or profiles. So on the OS, in this tool/library, a role/profile/account is created that matches the web app accounts and then given permissions.

And, the tool/library should support additional authentication/authorization. Something that could be passed, securely, using an API or via command line parameter. This breaks authorization/authentication into two places: the OS and the web app, each having half the key.

I realize this is one hell of an absurd ask but I don't want to give up the idea without fully vetting the possibility.
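
An added example, not part of the original post or of any existing tool: one way the OS-side authorization step described above could be decided by a small broker that keeps both the user mapping and a second secret outside the web app. The policy contents, the secrets and the `authorize` function are constructed for illustration; running the broker under its own account and reaching it over a local socket is assumed and not shown.

```python
import hashlib
import hmac
import os

# Constructed policy mirroring the thread's example. In this design it would
# live in a root-owned file that www-data can neither read nor write.
POLICY = {
    "webuser3": {"osuser1": {"read"}, "osuser2": {"read", "write"}},
    "webuser4": {"osuser1": {"read", "write"}},
    "webuser5": {"osuser2": {"write"}},
}

SALT = b"constructed-salt"  # constructed; use a random per-user salt in practice


def _derive(secret: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), SALT, 100_000)


# Second-gate verifiers known only to the broker (constructed sample secrets).
VERIFIERS = {user: _derive(f"{user}-os-secret") for user in POLICY}


def authorize(web_user: str, secret: str, action: str, path: str):
    """Return the OS account to act as, or None when the request is denied."""
    candidate = _derive(secret)  # derive first so unknown users cost the same
    verifier = VERIFIERS.get(web_user)
    if verifier is None or not hmac.compare_digest(candidate, verifier):
        return None
    # Normalise before matching so /home/osuser1/../osuser2 is judged as
    # /home/osuser2. normpath is lexical only: the process that performs the
    # file operation must still resolve symlinks as the target account.
    clean = os.path.normpath(path)
    for os_user, actions in POLICY[web_user].items():
        home = f"/home/{os_user}"
        inside = clean == home or clean.startswith(home + "/")
        if inside and action in actions:
            return os_user
    return None


if __name__ == "__main__":
    print(authorize("webuser3", "webuser3-os-secret", "read", "/home/osuser1/a.txt"))
    print(authorize("webuser4", "webuser4-os-secret", "write", "/home/osuser1/../osuser2/a"))
```

With this split, a compromise of www-data alone yields neither the mapping nor the second secret, which addresses the concern raised about passwordless sudo.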
 
Old 11-17-2018, 01:20 AM   #2
ondoho
LQ Addict
 
Registered: Dec 2013
Posts: 19,872
Blog Entries: 12

Rep: Reputation: 6053
does it need to be a GUI?
because this sounds a lot like ssh.
maybe gui frontends to ssh exist?
 
Old 11-17-2018, 01:55 AM   #3
scasey
LQ Veteran
 
Registered: Feb 2013
Location: Tucson, AZ, USA
Distribution: CentOS 7.9.2009
Posts: 5,708

Rep: Reputation: 2210
Having users log in to web apps and then have permissions in OS /home directories is probably do-able, but, if the /home directories are also accessible by the "real" OS users via ssh or sftp, then things get pretty complicated.

Usermin is a web application (with its own built-in webserver) that gives administrative control of functionality to do things like up and download user-owned files, change passwords, pretty much whatever the admin wants to allow. Login is as the OS user. Authentication is already built-in. The administration is done from Webmin. It may provide what you're asking for already. I could say better if we knew why you're asking.

Otherwise Webmin itself can be configured to allow certain tasks. We use it to give one customer access to add and delete email accounts for their domain. Again, if we knew what problem you're trying to solve (as opposed to helping you with your idea of a solution) we could say better.

Don't get me wrong. What you suggest is probably doable...but I'd want to first see if Usermin or Webmin could do what you want, first.
 
Old 11-25-2018, 05:08 PM   #4
imthenachoman
LQ Newbie
 
Registered: Nov 2018
Posts: 3

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by ondoho
does it need to be a GUI?
because this sounds a lot like ssh.
maybe gui frontends to ssh exist?

Sort of, but something web-based where there are users specific to the web interface that map to OS users. So the web interface may have users that are not OS users.
 
Old 11-25-2018, 05:09 PM   #5
imthenachoman
LQ Newbie
 
Registered: Nov 2018
Posts: 3

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by scasey
Having users log in to web apps and then have permissions in OS /home directories is probably do-able, but, if the /home directories are also accessible by the "real" OS users via ssh or sftp, then things get pretty complicated.

Usermin is a web application (with its own built-in webserver) that gives administrative control of functionality to do things like up and download user-owned files, change passwords, pretty much whatever the admin wants to allow. Login is as the OS user. Authentication is already built-in. The administration is done from Webmin. It may provide what you're asking for already. I could say better if we knew why you're asking.

Otherwise Webmin itself can be configured to allow certain tasks. We use it to give one customer access to add and delete email accounts for their domain. Again, if we knew what problem you're trying to solve (as opposed to helping you with your idea of a solution) we could say better.

Don't get me wrong. What you suggest is probably doable...but I'd want to first see if Usermin or Webmin could do what you want, first.

Thank you! I will try both of them to see if they do what I need.
 
  

