2006 07 Easy Root Assigning Root Privileges with Op


Assigning root privileges with Op
Easy Root
The versatile Op utility is a simple tool for managing user privileges.
By Hans-Georg Eßer
Linux is a multi-user system, and access to the privileged root account is well-protected on many machines.
Normal user privileges are typically insufficient to mount a CD or hot-plug a memory stick. Some
distributions even require root privileges for Internet access.
If the main user is also the administrator, which is quite normal for privately owned PCs, you can just type su
and enter the root password to assume the required privileges - but once you have assumed these privileges
with su, all subsequent commands will have the power of root, as if you are simply working under the root
account: small typos can have a devastating effect.
One solution to this problem is a scenario in which a user can assume only a narrower set of root-level
privileges specified by the administrator. For instance, a user may be allowed to assume the power to mount a
USB stick without having access to other types of root-level commands.
The legacy sudo tool is the traditional means for assigning administrative privileges to a user without giving
the user the root password, but an alternative tool called Op makes this process easier for both the
administrator and the user.
Figure 1: The sudo website has detailed information on the configuration.
Sudo: The Legacy Tool
The sudo command [2] gives you a legacy approach to the problem of letting normal users run a set of
root-level commands specified by the administrator.
Some Linux distributions (for example, Ubuntu and Knoppix) use sudo today to make the standard user the
administrator, adding an entry of the form username ALL = (root) ALL to the /etc/sudoers configuration file.
In this case, any user can run arbitrary commands as root by typing the sudo keyword in front of the command
syntax; for example, the command sudo killall -9 command kills all processes called command. When you
enter a command like this, sudo asks you for your own password before launching commands with root
privileges.
If you prefer a more granular approach to specifying who is allowed to run which commands, sudo can help.
Imagine you want to grant a user called abc the right to run the command tail -f /var/log/messages; just add
the following line to the /etc/sudoers file:
abc ALL = (root) /usr/bin/tail -f /var/log/messages
Of course, the user will need to type the command exactly as it is shown here, although sudo will not object if
the command contains a few blanks. But if you were to leave out the -f parameter, or change the order, you
would see the following error message:
[abc@kira ~]$ sudo /usr/bin/tail /var/log/messages -f
Sorry, user abc is not allowed to execute '/usr/bin/tail /var/log/messages -f' as root on kira.
With proper syntax, there are no complaints:
[abc@kira ~]$ sudo /usr/bin/tail -f /var/log/messages
Mar 31 14:13:39 kira -- MARK --
Mar 31 14:33:39 kira -- MARK --
[...]
Users with sudo privileges must remember the precise syntax of any commands they are authorized to run - or
they could run sudo -l to check their options:
[abc@kira ~]$ sudo -l
User abc may run the following commands on this host:
(root) /usr/bin/tail -f /var/log/messages
Each incorrect sudo call generates a log entry, and on some machines, sudo will even mail the system
administrator.
Figure 2: The Op website provides extensive configuration information.
Alternative Op
The Op tool is a little-known sudo replacement with the added benefit of simpler configuration and a more
intuitive approach to running commands.
A one-liner is all you need for simple commands: the general syntax of an Op config file entry is as follows:
command_shortcut command; options
For example, if you want to allow the user abc to shut down a machine by running the halt command, the
following line would do the trick:
halt /sbin/halt; users=abc
If you would prefer the user to type his own password to authorize the command (following the traditional
sudo approach), just add the password option to the line:
halt /sbin/halt; users=abc password
This lets you configure Op for critical tasks in a matter of minutes. Note that you need to specify the full path
to the commands in question (for instance, /sbin/halt rather than just halt in our example). The user abc can
then type op halt in the shell to shut down the PC.
Building the Tool
You can follow standard procedures for the Op build; but don't forget to pass these two options on to
configure:
./configure --prefix=/usr --sysconfdir=/etc
make
make install
Without the prefix option, the program will install below /usr/local/; and if you leave out the --sysconfdir
option, it will look for configuration files in $PREFIX/etc/.
We had no trouble installing the current version (1.32) of Op on a Suse Linux 9.3 machine in our lab; on
Debian Sarge we needed to apt-get install flex before running make.
Examples
Type mkdir -p /etc/op.d to create a configuration directory for Op, then create a sample /etc/op.d/log.conf file,
as shown in Listing 1, and run the command chmod 600 /etc/op.d/log.conf to modify the privileges. This restricts
read and write access to the file to the root user. If you forget to run chmod, the program will not work
(and it will additionally display a confusing error message stating that it can't find the configuration file).
The two lines in Listing 1 create two new command shortcuts, messages and syslog, allowing the user abc to
access the two logfiles by running the op messages and op syslog commands. The Listing specifies the full
path for cat, /bin/cat, as Op will not be able to find the utility if you do not provide the full path.
Listing 1: Getting Started with Op
messages /bin/cat /var/log/messages; users=abc
syslog /bin/cat /var/log/syslog; users=abc
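A pre-flight check for the two requirements just described (mode 600 on each configuration file, a full path for every command), as an added example that is not part of the original article or of Op. It assumes GNU stat, root ownership (uid 0 unless another uid is passed), and entries that start in the first column with indented continuation lines; check_op_file and check_op_dir are hypothetical names.

```shell
#!/bin/sh
# Pre-flight check for Op configuration files (added example, not part of Op).
# Assumptions: GNU stat; entries start in column one as in Listing 1; indented
# lines continue the previous entry; NAME=(...) lines define user groups.

# check_op_file FILE [UID]: print findings; return 1 if any, 2 on stat error.
check_op_file() {
    file=$1 want_uid=${2:-0} bad=0 lineno=0
    mode=$(stat -c '%a' "$file") || return 2
    uid=$(stat -c '%u' "$file") || return 2
    if [ "$mode" != 600 ]; then
        echo "$file: mode is $mode, expected 600"; bad=1
    fi
    if [ "$uid" != "$want_uid" ]; then
        echo "$file: owner uid is $uid, expected $want_uid"; bad=1
    fi
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        case $line in
            ''|'#'*|[[:space:]]*) continue ;;  # blank, comment, continuation
        esac
        set -f; set -- $line; set +f           # split into words, no globbing
        case $1 in *=*) continue ;; esac       # group line, e.g. ADMINS=(abc|def|ghi)
        case $2 in
            /*) ;;                             # full path, as Op requires
            *) echo "$file:$lineno: '$1' has no full command path: $2"; bad=1 ;;
        esac
    done < "$file"
    return $bad
}

# check_op_dir DIR [UID]: run check_op_file on every *.conf file in DIR.
check_op_dir() {
    rc=0
    for f in "$1"/*.conf; do
        [ -e "$f" ] || continue
        check_op_file "$f" "${2:-0}" || rc=1
    done
    return $rc
}

# Stand-alone use: sh check-op.sh /etc/op.d
if [ $# -gt 0 ]; then check_op_dir "$@"; fi
```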
Op Scripts
One of Op's most useful features is the ability to add shell scripts to the configuration file. Listing 2 shows an
example that defines the Op command, log, which in turn allows authorized users to read the
/var/log/messages and /var/log/syslog files. Scripts can parse and evaluate arguments; like normal scripts, they
use the positional parameters $1, $2, etc. to do this. The second command shortcut in Listing 2, apache,
allows a user to start and stop Apache services. The script for the command shortcut log defines the $TERM
variable to allow the less command to work.
Listing 2: Starting and Stopping Apache
log /bin/sh -c '
    export TERM=xterm
    case $1 in
      messages) less /var/log/messages ;;
      syslog) less /var/log/syslog ;;
      *) echo "op: You are not allowed to read the logfile \'$1\' " ;;
    esac
  ';
  users=abc
  help="View logfiles (messages and syslog only)"

apache /bin/sh -c '
    case $1 in
      start|stop) /etc/init.d/apache $1 ;;
      *) echo "op: apache only understands start and stop" ;;
    esac
  ';
  users=abc
  help="Start and stop the Apache server"
Store the new command definitions in files below /etc/op.d/ (again, read access must be restricted to root
only); as an alternative, you can store all your definitions in a single file.
Op's -l flag shows you the command shortcuts you can run - the program hides command shortcuts for other
users. The script catches input errors and tells users that they can only view the messages and syslog logfiles:
abc@amd64:~> op -l
apache Start and stop Apache
log View logfiles (messages and syslog only)
abc@amd64:~> op log security
op: You are not allowed to view the 'security' logfile
Op scripts are one advantage that Op has over sudo: to achieve the same results with the legacy tool, you
would need to write a script, store it on the filesystem (for example, in /usr/local/bin), and then allow users to
call the script in /etc/sudoers. In case of changes, you would need to modify both the script and the sudo
configuration file.
External Users
It is easy to verify that Op only lets the users specified in users= run privileged commands; to do so,
run the command as the user nobody:
amd64:# su - nobody
nobody@amd64:~> op -l
nobody@amd64:~> op log messages
log: permission denied by op
The list of permitted Op commands for nobody is empty, and the tool issues a warning when nobody tries to
view the logfiles, generating an entry in the /var/log/auth.log logfile or /var/log/messages:
Feb 8 14:56:52 amd64 op[4716]: nobody log messages: Both user, group and netgroup authentication failed
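To review these denials in bulk, the following added example (not from the original article or from Op) counts rejected Op calls per user and command shortcut. It assumes every entry has the layout of the line quoted above; op_denials and sample_log are hypothetical names, and the sample lines are constructed.

```shell
#!/bin/sh
# Summarise denied Op calls from syslog-format lines (added example).
# Assumption: entries look like the one quoted in the article:
#   <Mon> <day> <time> <host> op[<pid>]: <user> <shortcut> [args]: <reason>

# op_denials [FILE...]: print "count user shortcut", most frequent first.
# Reads standard input when no file is given.
op_denials() {
    awk '
        $5 ~ /^op\[[0-9]+\]:$/ && /authentication failed$/ {
            sc = $7; sub(/:$/, "", sc)   # no arguments: shortcut carries the colon
            n[$6 " " sc]++
        }
        END { for (k in n) print n[k], k }
    ' "$@" | sort -k1,1nr -k2
}

# Constructed sample lines in the format shown above (not real log data).
sample_log() {
    cat <<'EOF'
Feb  8 14:56:52 amd64 op[4716]: nobody log messages: Both user, group and netgroup authentication failed
Feb  8 14:57:03 amd64 op[4720]: nobody log syslog: Both user, group and netgroup authentication failed
Feb  8 14:58:10 amd64 op[4731]: def apache stop: Both user, group and netgroup authentication failed
Feb  8 14:59:41 amd64 sshd[4750]: Accepted password for abc from 192.0.2.10 port 40022 ssh2
EOF
}

# Stand-alone demo on the constructed sample.
sample_log | op_denials
```

On a real system, pass the log file the article names, for example op_denials /var/log/auth.log.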
User Groups
Just like sudo, Op can group multiple users, and then grant or revoke group privileges. Let's assume you have
three users, abc, def, and ghi, who you want to perform various system tasks; you can add these users to an
ADMINS group with an entry such as the following:
ADMINS=(abc|def|ghi)
For all command shortcuts that you want to assign to these users, just specify users=ADMINS. If you need to
add a fourth administrator, jkl, to the group, or define a new command for the group later, you just have to
change one line in the config file.
More Features
Op can manage multiple machines (by reference to the machine names), allowing administrators to configure
the behavior of several computers in a central Op configuration file.
Op has a particularly flexible approach to passing environmental variables to programs launched with root
privileges. If you do not specify any other parameters, Op deletes all environmental variables before running a
command.
The environment option prevents this and passes all variables in. As an alternative, you can manually specify
a set of variables you want to keep by adding their name entries in the form of $Name (with a leading dollar
sign). Listing 3 gives an example of using variables.
The test command shortcut simply calls the env program, which outputs a list of all environmental variables.
Listing 3: Op with Variables
test /usr/bin/env;
  users=abc
  $LANG $TERM $SHELL $PATH
Conclusions
Op is a powerful tool with similar functionality to sudo, but with simpler configuration and more intuitive
commands that make life easier for the administrator and the user - even if they happen to be the same person.
INFO
[1] Op homepage: http://svn.swapoff.org/op/
[2] Sudo homepage: http://www.sudo.ws/sudo/