LinuxQuestions.org
Old 07-18-2009, 12:37 PM   #1
RaptorX
Member
 
Registered: Jun 2009
Location: Emden, Germany
Distribution: Slackware 12.2, Slax 6.1
Posts: 254

Rep: Reputation: 37
sudoers specific permission


I was wondering if it is possible to specify a specific command to run as root without asking for a password while any other su command asks for a password as usual...

I am creating a little bash script, but for it to run correctly I have to run modprobe.

I don't want to modprobe that at system startup; I just want to do it when my script runs.

Is there a way that I can make my script run without asking for the password?

I was thinking about sudo, but then I don't want to have all the other commands run without a password, just modprobe WHEN MY SCRIPT RUNS; after that it should ask for the su password as usual.

If I do visudo ... %wheel ALL=/sbin/modprobe NOPASSWD: ALL, that command will be run all the time without a password, and that's not what I want.

Last edited by RaptorX; 07-18-2009 at 12:40 PM.
 
Old 07-18-2009, 12:50 PM   #2
niels.horn
Senior Member
 
Registered: Mar 2007
Location: Rio de Janeiro - Brazil
Distribution: Slackware64-current
Posts: 1,004

Rep: Reputation: 90
Not in a very safe way, I guess, but...

You might specify a single user that can run the sudo modprobe without asking for the password, but then you need to specify that user in your script, or run that script as this user.

Anyone who reads the script will find out.
 
Old 07-18-2009, 05:39 PM   #3
RaptorX
Member
 
Registered: Jun 2009
Location: Emden, Germany
Distribution: Slackware 12.2, Slax 6.1
Posts: 254

Original Poster
Rep: Reputation: 37
Yeah, I guess that's the only option then... thanks for the help.
 
Old 07-18-2009, 06:10 PM   #4
rg3
Member
 
Registered: Jul 2007
Distribution: Fedora
Posts: 527

Rep: Reputation: Disabled
Wouldn't it be acceptable enough to give permissions via sudoers for a specific user or user group to run a specific modprobe command? sudoers allows you to specify that. So, basically, you can give permissions to a given user to run /sbin/modprobe foomodule without password, but not /sbin/modprobe in general.
 
Old 07-19-2009, 08:11 AM   #5
RaptorX
Member
 
Registered: Jun 2009
Location: Emden, Germany
Distribution: Slackware 12.2, Slax 6.1
Posts: 254

Original Poster
Rep: Reputation: 37
Quote:
Originally Posted by rg3
Wouldn't it be acceptable enough to give permissions via sudoers for a specific user or user group to run a specific modprobe command? sudoers allows you to specify that. So, basically, you can give permissions to a given user to run /sbin/modprobe foomodule without password, but not /sbin/modprobe in general.
Actually that's exactly what I want to do, but I'm not sure how to do it because I'm fairly "fresh" to Linux.

I did see that I could modify sudoers, but I am not sure how to allow just a specific command as in "modprobe foo" but not allow "modprobe bar".

Can you help me with that?
 
Old 07-19-2009, 10:54 AM   #6
niels.horn
Senior Member
 
Registered: Mar 2007
Location: Rio de Janeiro - Brazil
Distribution: Slackware64-current
Posts: 1,004

Rep: Reputation: 90
You could put something like this in sudoers:

Code:
raptorx  ALL=NOPASSWD: /sbin/modprobe foo
This means that the user raptorx can execute "sudo /sbin/modprobe foo" w/o typing a password.
If raptorx types "sudo /sbin/modprobe bar" he will be asked for a password.

Now, there is a small problem to solve still.
/sbin/modprobe is executable by anyone (755) so in fact you do not need to use sudo.
To protect it from execution, you'll need to do a
Code:
chmod 744 /sbin/modprobe
 
Old 07-19-2009, 12:34 PM   #7
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3590
Quote:
Originally Posted by niels.horn
Now, there is a small problem to solve still. /sbin/modprobe is executable by anyone (755) so in fact you do not need to use sudo.
DAC rights are not a problem here because only accounts with the CAP_SYS_MODULE capability may load and unload kernel modules: see 'man 7 capabilities'.
 
Old 07-19-2009, 01:06 PM   #8
niels.horn
Senior Member
 
Registered: Mar 2007
Location: Rio de Janeiro - Brazil
Distribution: Slackware64-current
Posts: 1,004

Rep: Reputation: 90
@unSpawn:
You're completely right of course...
I tried '/sbin/modprobe xxxx' as a normal user and it returned with an error that the module could not be found.
After your post I tried with an existing module and it didn't work: "operation not permitted".

Very interesting subject, by the way - "capabilities".
Where could I find some more info on this?
Is it possible to set specific capabilities for a user?
Or should we simply continue using "sudo"?
 
Old 07-19-2009, 01:49 PM   #9
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3590
Quote:
Originally Posted by niels.horn
Very interesting subject, by the way - "capabilities". Where could I find some more info on this? Is it possible to set specific capabilities for a user? Or should we simply continue using "sudo"?
First of all your answer of "raptorx ALL=NOPASSWD: /sbin/modprobe $whateverArgsNecessary" was spot on. That's how Sudo should be used: as specific as possible. And since in the Sudo example the user will run the command as root there is no problem with defining capabilities as root holds them all. In fact it would be detrimental to arbitrarily assign additional capabilities to lesser privileged accounts as this weakens privilege separation. Wrt capabilities itself that's taking the thread a bit OT. I could suggest searching LQ, maybe somebody has written about it a looong time ago. . . . .
 
Old 07-19-2009, 02:22 PM   #10
RaptorX
Member
 
Registered: Jun 2009
Location: Emden, Germany
Distribution: Slackware 12.2, Slax 6.1
Posts: 254

Original Poster
Rep: Reputation: 37
@niels.horn

Thank you very much, it is exactly what I need!

@unSpawn

I guess my question is answered completely (and it clarifies the use of sudo more for me, because I needed to separate some other commands the same way).

So going OT now is OK for me; I am actually also interested in being able to assign specific users specific capabilities (if that is understandable!!)

At least you can point me to any reading regarding this that you might know of... also thanks for your help.
 
Old 07-19-2009, 02:32 PM   #11
RaptorX
Member
 
Registered: Jun 2009
Location: Emden, Germany
Distribution: Slackware 12.2, Slax 6.1
Posts: 254

Original Poster
Rep: Reputation: 37
Code:
[~]$ whoami
raptorx

[~]$ sudo /sbin/modprobe kvm-intel

[~]$ sudo /sbin/modprobe -r kvm-intel

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

Password:

Sorry, user raptorx is not allowed to execute '/sbin/modprobe -r kvm-intel' as root on ~~.

[~]$
PERFECT... that is exactly what I wanted to do.
Thanks for your help guys!

I have a small question though: if I want to put more than 1 command in sudoers, do I need to separate them with ':'?

as in:

Code:
raptorx ALL=NOPASSWD: /sbin/modprobe foo : /sbin/slackpkg search
or is there another way?
 
Old 07-19-2009, 02:37 PM   #12
niels.horn
Senior Member
 
Registered: Mar 2007
Location: Rio de Janeiro - Brazil
Distribution: Slackware64-current
Posts: 1,004

Rep: Reputation: 90
@unSpawn:
OK, thanks, I don't want to hijack the thread.

I am not a great fan of sudo, as I think it is being abused in some other distributions, where all security is abandoned by allowing everyone to do everything. But using it as specifically as possible - like you said - it can be useful.
I have some very specific exceptions in my sudoers file and yes, I am a bit paranoid, but that comes with the job I have. And that is why I am interested in learning more about "capabilities". I'll do some research here on LQ (following the hidden links) and other sites.
Thanks for your (as always) valuable information!

Last edited by niels.horn; 07-19-2009 at 02:38 PM.
 
Old 07-19-2009, 02:43 PM   #13
niels.horn
Senior Member
 
Registered: Mar 2007
Location: Rio de Janeiro - Brazil
Distribution: Slackware64-current
Posts: 1,004

Rep: Reputation: 90
Quote:
Originally Posted by RaptorX
I have a small question though: if I want to put more than 1 command in sudoers, do I need to separate them with ':'?

as in:

Code:
raptorx ALL=NOPASSWD: /sbin/modprobe foo : /sbin/slackpkg search
or is there another way?
The correct way is to separate the commands with a comma:
Code:
raptorx ALL=NOPASSWD: /sbin/modprobe foo, /sbin/slackpkg search
By the way, slackpkg is located in /usr/sbin/ and the search function can be executed by anyone.
But I guess you only used it as an example.

Last edited by niels.horn; 07-19-2009 at 02:47 PM. Reason: typos...
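The matching rules niels.horn describes in posts #6 and #13 (exact arguments, comma-separated command list, NOPASSWD tag) can be modelled in a few lines. The following is an added Python example written for this thread, not sudo's own parser and not code from any poster. It deliberately implements only the subset the posts rely on: wildcards, aliases, Runas specs, %group entries, Defaults and the ':' host-list syntax are left out, and the host name "emden" and the rule text are constructed for the demonstration.

```python
"""Simplified model of how sudoers matches a command line against a rule.

Added example for this thread, not sudo's own parser. It models only what the
posts above rely on: one User_Spec line, the NOPASSWD/PASSWD tag, a
comma-separated command list, and sudo's argument rules (a command listed
without arguments permits any arguments, a trailing "" permits only the bare
command, anything else must match exactly). Wildcards, aliases, Runas specs,
%group entries, Defaults and the ':' host-list syntax are left out on purpose.
"""
import shlex
from dataclasses import dataclass
from typing import List, Optional, Tuple

# (command path, argument list); args None means "any arguments allowed"
Cmnd = Tuple[str, Optional[List[str]]]


@dataclass
class Rule:
    user: str
    host: str
    nopasswd: bool
    commands: List[Cmnd]


def parse_rule(line: str) -> Rule:
    """Parse e.g. 'raptorx ALL=NOPASSWD: /sbin/modprobe foo, /usr/sbin/slackpkg search'."""
    user, rest = line.split(None, 1)
    host, spec = rest.split("=", 1)
    spec = spec.strip()
    nopasswd = False
    if spec.startswith("NOPASSWD:"):
        nopasswd = True
        spec = spec[len("NOPASSWD:"):].strip()
    elif spec.startswith("PASSWD:"):
        spec = spec[len("PASSWD:"):].strip()
    if ":" in spec:
        # In real sudoers ':' starts another "Host_List = Cmnd_Spec_List" group,
        # so using it to separate commands (as tried in post #11) is a syntax error.
        raise ValueError("commands are separated by ',', not ':'")
    commands: List[Cmnd] = []
    for cmnd in spec.split(","):
        words = shlex.split(cmnd.strip())
        if not words:
            raise ValueError("empty command in rule: %r" % line)
        if len(words) == 1:
            args = None            # no arguments listed: any arguments allowed
        elif words[1:] == [""]:
            args = []              # "" listed: only the bare command allowed
        else:
            args = words[1:]       # otherwise the arguments must match exactly
        commands.append((words[0], args))
    return Rule(user.strip(), host.strip(), nopasswd, commands)


def check(rule: Rule, user: str, host: str, argv: List[str]) -> Optional[str]:
    """Return 'NOPASSWD' or 'PASSWD' if argv is permitted for user on host, else None.

    argv[0] is the resolved absolute path, which is what sudo compares after
    its own PATH lookup.
    """
    if rule.user != user or rule.host not in ("ALL", host):
        return None
    for path, args in rule.commands:
        if path == argv[0] and (args is None or args == argv[1:]):
            return "NOPASSWD" if rule.nopasswd else "PASSWD"
    return None


if __name__ == "__main__":
    # The comma-separated rule from post #13, with the module from post #11's transcript.
    rule = parse_rule("raptorx ALL=NOPASSWD: /sbin/modprobe kvm-intel, /usr/sbin/slackpkg search")
    for argv in (["/sbin/modprobe", "kvm-intel"],
                 ["/sbin/modprobe", "-r", "kvm-intel"],
                 ["/sbin/modprobe", "bar"],
                 ["/usr/sbin/slackpkg", "search"]):
        print(" ".join(argv), "->", check(rule, "raptorx", "emden", argv) or "denied")
```

The model reproduces the transcript in post #11: `/sbin/modprobe kvm-intel` is allowed without a password, `/sbin/modprobe -r kvm-intel` is not, because the listed arguments must match exactly. On a real system the syntax of a rule is checked with `visudo -c` (or `visudo -c -f <file>` for a file under /etc/sudoers.d), and `sudo -l` shows which commands the rules actually grant the calling user.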
 
Old 07-19-2009, 07:56 PM   #14
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3590
Quote:
Originally Posted by niels.horn
ok, thanks, I don't want to hijack the thread
Apparently the OP has no problem with it.


Quote:
Originally Posted by niels.horn
I am not a great fan of sudo, (..) But using it as specific as possible - like you said - it can be useful.
I never understood how using it as a mere conduit (as in 'sudo su root') could actually help strengthen security either...


Quote:
Originally Posted by RaptorX
going OT now is ok for me, I am actually also interested in being able to assign specific users specific capabilities (if that is understandable!!)
I wonder if the capabilities we're talking about and those that you are thinking about are actually the same? If you mean capabilities as in "allowing a user account to perform a specific task" then Sudo should work as you've seen yourself. But if you OTOH mean something along the lines of "how can I grant this process use of privileged sockets without requiring setuid root" (CAP_NET_RAW) then we're talking about the same caps.


Quote:
Originally Posted by niels.horn
I am interested in learning more about "capabilities".
In kernel 2.4 capabilities were implemented rather coarsely (system-wide): e.g. if you took away a capability then *nothing* except a reboot would get you that capability back (and there's one that keeps the machine from being /sbin/reboot'ed, LOL). Illustrating the old school way using 'lcap': Taking Advantage of Linux Capabilities. In kernel 2.6 it's fine-grained and you use 'libcap' (not libpcap) to set the ACL. For example you can remove a setuid root bit and grant the binary CAP_NET_RAW. (Note code flux wrt backward compatibility.) Although slightly older (2007), IBM DeveloperWorks never fails to provide; here are some examples of reducing caps programmatically, and the ultimate treatise on caps seems to be POSIX Capabilities & File POSIX Capabilities. If your research (which undoubtedly should include a tour of LIDS and GRSecurity) unearths interesting stuff you'd like to share, do keep us posted!
 
Old 07-21-2009, 02:56 AM   #15
RaptorX
Member
 
Registered: Jun 2009
Location: Emden, Germany
Distribution: Slackware 12.2, Slax 6.1
Posts: 254

Original Poster
Rep: Reputation: 37
@unSpawn...

Yes, I am aware that you are really talking about the capabilities of the kernel regarding security as in "lcap"... The thing is that I was wondering if you can remove specific capabilities just for a selected user... for example removing CAP_SYS_CHOWN but just for a particular user. Or is the change global?

I am starting to get interested in building Linux From Scratch, and quoting one of the hints:

"(Yes, I know it says 'Advanced', but read it anyway, do you want to be a newbie forever?)"

I know that you are talking about advanced stuff but I am starting to change my mentality...

I am reading the article you linked, very good btw.

Last edited by RaptorX; 07-21-2009 at 02:57 AM.
 