OS level role/command based privileged escalation for use with automation via a front-end/back-end process with additional authentication
 

I want to develop a LAMP web app/solution and after a fair amount of searching I am starting to think it is not possible to do what I want. Not sure how to explain this succinctly so I apologize for the verbosity.

And before I start, I want to stay away from expensive enterprise grade solutions. Hoping for something I can either develop myself (if someone can help with the logic/algorithm of the code I'd need) or something that is free/open-source. At worst, if I have to pay a license for personal use that is fine too. Basically looking for something for personal use.

Let me explain the desired end result:

• User accounts (that do not map/tie to an OS account) will be created on the web app
• Typical web app authentication/authorization (with 2FA/MFA)
• User accounts will map to read/write file-system permissions tied to an OS account
  • This mapping should be maintained and administered on the server outside of the web app
  • This is something a server admin would do somewhere **on the OS**
• The idea being that users will be able to read/write files on the server as though they are the associated OS account
• The hope is the user will have two security gates they'll have to authorize through: the web app and the OS (**something the web app doesn't know**)

Here is a more detailed example:

• OS has two human interactive accounts: osuser1 and osuser2
• OS has one non-human non-interactive account that Apache will run as: www-data
• web app has three human interactive accounts that users will log in with (using their web browser): webuser3, webuser4, webuser5
• the accounts in the web app are permissioned on the OS level like this:
  • webuser3 can:
    • read files in /home/osuser1 as osuser1
    • read and write files in /home/osuser2 as osuser2
  • webuser4 can:
    • read and write files in /home/osuser1 as osuser1
  • webuser5 can:
    • write files in /home/osuser2 as osuser2
• this web app user to OS user permission mapping should be maintained on the OS, outside of the web app

How I would like it to work:

• user logs in to web app (webuser3, webuser4, webuser5)
• user interacts with the UI to list files or create a file in some folder
• the web app will ask for additional authentication/authorization information, like a PW and/or 2FA/MFA code
• the web app will send information to the OS:
  • the additional authentication/authorization information
  • the ID of the web app user
  • what they want to do (read or create)
• the OS will authorize the action and send it back to the web app

Now, Apache is running as www-data so it won't, by default and without messing with file/folder permissions, have any access to /home/osuser#. One way I can think of accomplishing the above is to give www-data passwordless sudo privileges (either as root or the OS accounts osuser1 and osuser2) so it can do things as the OS accounts. I don't like this because if the system is compromised and a bad actor gains access to www-data account then they will also be able to use sudo to do things as the OS accounts /home/osuser#. And also, this way would require the web app to maintain the web app user to OS user permission mapping.

Obviously the OS is not aware of the web app accounts (webuser3, webuser4, webuser5) and I don't want to have to create matching accounts on the OS. The hope is to use some OS tool/library to do the mapping. Something that would have an internal configuration of external accounts (the ones coming from the web app). Maybe using roles or profiles. So on the OS, in this tool/library, a role/profile/account is created that matches the web app accounts and then given permissions.

And, the tool/library should support additional authentication/authorization. Something that could be passed, securely, using an API or via command line parameter. This breaks authorization/authentication into two places: the OS and the web app, each having half the key.

I realize this is one hell of an absurd ask but I don't want to give up the idea without fully vetting the possibility.

does it need to be a GUI?
because this sounds a lot like ssh.
maybe gui frontends to ssh exist?

Having users log in to web apps and then have permissions in OS /home directories is probably do-able, but, if the /home directories are also accessible by the "real" OS users via ssh or sftp, then things get pretty complicated.

Usermin is a web application (with it's own built-in webserver) that gives administrative control of functionality to do things like up and download user-owned files, change passwords, pretty much whatever the admin wants to allow. Login is as the OS user. Authentication is already built-in. The administration is done from Webmin. It may provide what you're asking for already. I could say better if we knew why you're asking.

Otherwise Webmin itself can be configured to allow certain tasks. We use it to give one customer access to add and delete email accounts for their domain. Again, if we knew what problem you're trying to solve (as opposed to helping you with your idea of a solution) we could say better.

Don't get me wrong. What you suggest is probably doable...but I'd want to first see if Usermin or Webmin could do what you want, first.

Sort of but something web-based where there are users specific to the web interface that map to OS users. So the web interface may have users that are not OS users.

Thank you! I will try both of them to see if they do what I need.