added two files, TODO: things that still need to be taken care of that may be too long to write in the source code config.template: mockups of the config file
noproxy
parent 5ef9bd4200
commit eefd0545cd
@ -0,0 +1,5 @@ |
- Modify the following environment variables: (listed in environ(7)) |
* USER -> to target user |
* LOGNAME -> to target user |
* SHELL -> to the target user's SHELL |
* HOME -> to the target user's HOME |
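Review bot: the list says which variables to set for the target user but not what happens to the rest of the environment, and the config.template added in this same commit shows PATH being used to hijack a nopass command; the TODO should also cover resetting PATH to a fixed default and dropping caller-controlled variables (the LD_* loader variables in particular) instead of inheriting them, and should say where USER/LOGNAME/SHELL/HOME are taken from (the target user's passwd entry) so none of these values can originate with the caller.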
@ -0,0 +1,96 @@ |
SECURITY CONSIDERATIONS |
======================= |
|
1. commands must be given by absolute path, that's because if you do otherwise |
nopassword commands could be hijacked: |
|
in the config: |
nopass badguy as root cmd zzz |
in the shell: |
~ $ export PATH=/home/badguy/test:$PATH |
~ $ mkdir test |
~ $ printf '#!/bin/sh\nrm -rf --no-preserve-root' > test/zzz |
~ $ chmod +x test/zzz |
~ $ us zzz #this deletes the filesystem without password! |
|
IDEA 1 |
====== |
|
# this is a comment |
# rules are goruped by user/group |
# rules are structured somewhat like json, example: |
|
# Only 'command' is allowed to run without a password, all the rest is blocked |
ale { |
allow { |
command nopass |
} |
|
deny { |
/.*/ |
} |
} |
|
IDEA 2 - THE DOAS WAY |
===================== |
|
# this is a comment |
# every line is a rule |
# rules are structured like this: |
|
permit|deny [options] identity [as target] [cmd command [args ...]] |
|
# look at doas.conf(5) for more information |
|
IDEA 2-3 |
======== |
|
# reverse-doas way |
-> identity permit|deny [command [args ...]] [options] |
|
# but how would I distinguish between command and options? |
-> identity [options] permit|deny [command [args ...]] |
|
# spaces are not a very good separatow when in comes to commands |
-> identity,[options],permit|deny,[command [args ...]] |
|
# |
# this is kinda similar to a crontab, basically options are required |
# |
|
# config structure: |
-> identity options as action [command [args ...]] |
^ ^ ^ ^ |
can be * | | permit, deny |
can be nil (NULL) | |
can be * |
|
# permit user "ale" to execute command "shutdown" as root without password: |
-> ale nopass root permit shutdown |
# permit members of the wheel group to execute any comands as any user: |
-> :wheel nil * permit |
# deny users of the wheel group to execute commands that begin with "sys": |
# this could be circumvented by having the command inside a shell script |
-> :wheel nil * deny /sys.*/ |
# deny all users to execute all comands as any other user |
-> * nil * deny |
# |
# let's scramble things up to make more sense |
# |
[action] options identity as [command [args ...]] |
^ ^ ^ ^ |
| | can both be * (any) |
| can be none, comma separated |
none: permit |
'!': deny (negate rule) |
|
# allow users of the wheel group to execute any command as root: |
-> none :wheel root |
# deny all users to execute commands that start with "sys" |
-> ! none * * /sys.*/ |
|
IDEA 3 - THE SUCKLESS WAY |
========================= |
|
configuration should happen inside a source file called config.h, to apply |
changes to the configuration the program has to be recompiled |
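Review bot: the pattern-based deny examples (the `deny { /.*/ }` block placed after `allow` in IDEA 1, and `:wheel nil * deny /sys.*/` in IDEA 2-3, which the comment above it already admits can be circumvented with a shell script) show that matching on the command string is not a workable deny mechanism, and none of the drafts says whether the first or the last matching rule wins (doas.conf, which IDEA 2 points to, uses the last match); the SECURITY CONSIDERATIONS section should state that the policy is default-deny with explicit permit rules only, and whichever syntax is chosen should spell out rule ordering. The absolute-path rule at point 1 should also say that the program execs the configured absolute path itself rather than resolving the name the caller typed through PATH, since that is what actually closes the `us zzz` example. Minor: the IDEA 2-3 variants use both `nil` and `none` for the empty options field, and the comments carry typos (goruped, separatow, comands).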