added two files, TODO: things that still need to be taken care of that may be too long to write in the source code config.template: mockups of the config file
noproxy
parent 5ef9bd4200
commit eefd0545cd
@@ -0,0 +1,5 @@
- Modify the following environment variables: (listed in environ(7))
* USER -> to target user
* LOGNAME -> to target user
* SHELL -> to the target user's SHELL
* HOME -> to the target user's HOME
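Review bot: PATH is missing from this list, and it is the variable that the SECURITY CONSIDERATIONS section of config.template in this same commit shows being abused to hijack a relative command name; add an entry such as `* PATH -> to a fixed, trusted value` (never inherited from the caller) so that command lookup never depends on the invoking user's environment. Also consider whether the target process should start from a cleared environment with only these variables set, rather than the caller's environment with four variables modified, since environ(7) lists many other variables that influence program behaviour.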
@@ -0,0 +1,96 @@
SECURITY CONSIDERATIONS
=======================

1. commands must be given by absolute path, that's because if you do otherwise
nopassword commands could be hijacked:

in the config:
nopass badguy as root cmd zzz
in the shell:
~ $ export PATH=/home/badguy/test:$PATH
~ $ mkdir test
~ $ printf '#!/bin/sh\nrm -rf --no-preserve-root' > test/zzz
~ $ chmod +x test/zzz
~ $ us zzz #this deletes the filesystem without password!

IDEA 1
======

# this is a comment
# rules are goruped by user/group
# rules are structured somewhat like json, example:

# Only 'command' is allowed to run without a password, all the rest is blocked
ale {
allow {
command nopass
}

deny {
/.*/
}
}

IDEA 2 - THE DOAS WAY
=====================

# this is a comment
# every line is a rule
# rules are structured like this:

permit|deny [options] identity [as target] [cmd command [args ...]]

# look at doas.conf(5) for more information

IDEA 2-3
========

# reverse-doas way
-> identity permit|deny [command [args ...]] [options]

# but how would I distinguish between command and options?
-> identity [options] permit|deny [command [args ...]]

# spaces are not a very good separatow when in comes to commands
-> identity,[options],permit|deny,[command [args ...]]

#
# this is kinda similar to a crontab, basically options are required
#

# config structure:
-> identity options as action [command [args ...]]
^ ^ ^ ^
can be * | | permit, deny
can be nil (NULL) |
can be *

# permit user "ale" to execute command "shutdown" as root without password:
-> ale nopass root permit shutdown
# permit members of the wheel group to execute any comands as any user:
-> :wheel nil * permit
# deny users of the wheel group to execute commands that begin with "sys":
# this could be circumvented by having the command inside a shell script
-> :wheel nil * deny /sys.*/
# deny all users to execute all comands as any other user
-> * nil * deny
#
# let's scramble things up to make more sense
#
[action] options identity as [command [args ...]]
^ ^ ^ ^
| | can both be * (any)
| can be none, comma separated
none: permit
'!': deny (negate rule)

# allow users of the wheel group to execute any command as root:
-> none :wheel root
# deny all users to execute commands that start with "sys"
-> ! none * * /sys.*/

IDEA 3 - THE SUCKLESS WAY
=========================

configuration should happen inside a source file called config.h, to apply
changes to the configuration the program has to be recompiled
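Review bot: none of the three sketches says what happens when two rules match the same request, and that is the property that decides whether the examples are safe: in IDEA 1 both `allow { command nopass }` and `deny { /.*/ }` match `command`, and in IDEA 2-3 both `-> :wheel nil * permit` and `-> * nil * deny` match a wheel member, so the file should state whether first match, last match, or deny-always-wins applies (doas.conf(5), which the file itself points to, uses last match). Two smaller points: the scrambled grammar `[action] options identity as [command [args ...]]` includes an `as` keyword, but the example under it (`-> none :wheel root`) omits it, so either the grammar or the example needs updating; and the `/sys.*/` deny entry already admits it can be bypassed by wrapping the command in a script, which argues for making the absolute-path permit rule from point 1 of SECURITY CONSIDERATIONS the primary model and treating pattern-based deny rules as advisory only. Typos in the comments: "goruped", "separatow", "in comes", "comands".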