LinuxQuestions.org
Latest LQ Deal: Latest LQ Deals
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 02-24-2015, 12:24 PM   #1
battles
Member
 
Registered: Apr 2014
Distribution: Debian GNU/Linux 7.5 (wheezy)
Posts: 258

Rep: Reputation: Disabled
Protecting /root from user


I need to allow 3 users in user 'extra' the ability to alter a file on my vps. The file is in /root and I changed the file permission to 666 (YIKES!) so that the file can be altered by the 'extra' user.
I remember that there is some kind of trick whereby a user can change permissions or something whereby they can get root privileges. There are supposed to be things that need to be done to prevent this ability. Does anyone know what I am talking about here and the remedy? Thanks.
 
Old 02-24-2015, 12:52 PM   #2
pan64
LQ Guru
 
Registered: Mar 2012
Location: Hungary
Distribution: debian/ubuntu/suse ...
Posts: 14,818

Rep: Reputation: 4873Reputation: 4873Reputation: 4873Reputation: 4873Reputation: 4873Reputation: 4873Reputation: 4873Reputation: 4873Reputation: 4873Reputation: 4873Reputation: 4873
there are several things you need to think about:
1. permission settings (on directory and on files)
2. sudo (privilege handling)
3. selinux
But I do not really know what is your problem and what is your configuration.
 
Old 02-24-2015, 08:28 PM   #3
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3592Reputation: 3592Reputation: 3592Reputation: 3592Reputation: 3592Reputation: 3592Reputation: 3592Reputation: 3592Reputation: 3592Reputation: 3592Reputation: 3592
I'm marking this thread "unsolved" as the OP has not indicated what his problem is and why one needs to "remedy" anything when a file has been given such bad DAC rights and resides in the /root directory in the first place. Please explain in detail.
 
Old 02-25-2015, 04:21 AM   #4
fatmac
Senior Member
 
Registered: Sep 2011
Location: Upper Hale, Surrey/Hants Border, UK
Posts: 3,674

Rep: Reputation: Disabled
Those 3 users should be in a group that is allowed to access that file. the file permissions should not allow 'anybody' access to it as in 666, change that at least to 660. (Owner & Group to have read/write permission)
 
Old 02-25-2015, 05:41 AM   #5
battles
Member
 
Registered: Apr 2014
Distribution: Debian GNU/Linux 7.5 (wheezy)
Posts: 258

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by fatmac View Post
Those 3 users should be in a group that is allowed to access that file. the file permissions should not allow 'anybody' access to it as in 666, change that at least to 660. (Owner & Group to have read/write permission)
Thanks. Not familiar with setting up groups yet, so I'll do that. I also wasn't sure about the 666 and will change it to 660.
 
Old 02-25-2015, 05:54 AM   #6
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3592Reputation: 3592Reputation: 3592Reputation: 3592Reputation: 3592Reputation: 3592Reputation: 3592Reputation: 3592Reputation: 3592Reputation: 3592Reputation: 3592
Quote:
Originally Posted by fatmac View Post
Those 3 users should be in a group that is allowed to access that file.
Lack of knowledge, (with all due respect) laziness and actual requirements are different ways to reach a decision. If it's the first two then we need to correct that as only the third option is a valid reason (if nothing like "--config-file=/other/path" or equivalent exists). So, no, I wouldn't advise that until the OP has given a valid reason why the file should be in /root in the first place.


Quote:
Originally Posted by battles View Post
I remember that there is some kind of trick whereby a user can change permissions or something whereby they can get root privileges. There are supposed to be things that need to be done to prevent this ability. Does anyone know what I am talking about here and the remedy?
While SELinux, as pan64 offered, won't stop anyone from editing that file (as it relies on sane DAC rights among other things) you can use the audit service (or 'rootsh') to create an audit trail of users "movement". As for editing a file, yes: if a user is allowed to 'sudo $EDITOR /path/file' problems arise when the editor in question allows it to escape to a shell or allows arbitrary command execution. See 'man sudoers', the "Secure editing" part.
 
Old 02-25-2015, 06:21 AM   #7
battles
Member
 
Registered: Apr 2014
Distribution: Debian GNU/Linux 7.5 (wheezy)
Posts: 258

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by unSpawn View Post
So, no, I wouldn't advise that until the OP has given a valid reason why the file should be in /root in the first place.
A wise OP is not going to voluntarily stick his neck in anyone's noose.
 
Old 02-26-2015, 12:46 PM   #8
ron7000
Member
 
Registered: Nov 2007
Location: CT
Posts: 248

Rep: Reputation: 26
say the file's name is battles.txt,
is it located at /root/battles.txt or /battles.txt ?

if the first, why would you need it located under the root home account?
if the second then with proper file permissions i don't see what harm that location causes versus being under /home/battles.txt or /usr/bin/battles.txt and so on.
In any case the file permission and group permissions are what matter, and like said don't give world permission any access and keep it limited to owner and group.

if you are forced to have the file located within the root home account at /root/battles.txt for whatever reason you can't get around,
the folder /root/ has the owner.group permission of root.root with permissions being 700 => only root (superuser) can get into it.
I would not allow your 3 users to be in the root group, instead create a group of some name and id, like group name = badpractice with some id number in the proper range. then do "chown root.badpractice /root/" to change group ownership of the /root folder and
then do chmod 750 /root/ to allow only users in the group named badpractice to be able to get into the /root/ folder but not write anything new in there. then do "chown root.badpractice /root/battles.txt" and "chmod 770 /root/battles.txt" to allow users in the group badpractice access to that file.
Functionally i don't see much of a problem if the rest of the files under /root/ have proper permissions and aren't changed and you don't put nothing else in there. but hopefully the group name i chose was obvious and you should find a better way to do that.
and if the file battles.txt needs to be an executable, then use 770 for permissions.
based on what you said you need to do, i don't see a need to use sudo for anything you can get by in any case with just file/group permissions.

Last edited by ron7000; 02-26-2015 at 12:49 PM.
 
Old 02-26-2015, 04:09 PM   #9
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 9,078
Blog Entries: 4

Rep: Reputation: 3180Reputation: 3180Reputation: 3180Reputation: 3180Reputation: 3180Reputation: 3180Reputation: 3180Reputation: 3180Reputation: 3180Reputation: 3180Reputation: 3180
This is, more or less, just another "XY Problem."

There's really no plausible reason for an externally-modifiable file to be ... to "must be" ... in the /root directory. Therefore, the presented question, "how do I allow three users to modify it there?," is the wrong question to ask.

It's like: "How do I permit exactly three users to shoot me in the foot?"

Put the file into a place that is "ordinary," in a directory that can be made accessible only to specified groups, including one that includes only these three users. Treat this file, and all modifications made to it, as "untrusted." Now, devise a separate mechanism by which versions of this file (in that place ...) can be snapshotted, archived, and transferred to a secure directory where it can be e-v-a-l-u-a-t-e-d by a trusted third-party person, who can choose to install it or not. (Consider a version-control system, like git ...) Consider how that trusted person might be able to instantly and accurately revert any change.
 
1 members found this post helpful.
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Protecting a multi-user server, per-user limits askest Linux - Software 1 02-08-2010 02:34 PM
How to change a process running in root-user to non-root user ???????????????????? narendra1310 Linux - Software 4 10-29-2009 02:11 AM
LXer: Tip: Protecting the Linux Root Password LXer Syndicated Linux News 0 05-19-2009 09:20 PM
Password Protecting Root User dudeman41465 Linux - Software 1 09-16-2005 02:27 AM
Protecting Root Password ukndoit Linux - Security 10 10-16-2003 09:32 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 12:43 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration