NetBSD-Users archive


Re: Reverse of promoting to root: downgrade root to unprivileged



On Wed, Jan 31, 2024 at 07:19:57AM +0000, RVP wrote:
> On Tue, 30 Jan 2024, tlaronde%kergis.com@localhost wrote:
> 
> > That something can be written is sure. But I wondered if there was
> > some attempt of some library (in whatever language) or some utility
> > that will "fence" a root user, and will, allow, without modifying
> > existing (say, as an example, using pkgsrc compilation and
> > installation procedure), to downgrade root for running and, when
> > hitting the fence (trying to transgress the rights), will consult a
> > list of commands---may be script lines: "make install"---and then
> > respawn the part with updated rights if the commands were listed.
> > 
> 
> Checking for EPERM or EACCES in a user program (I'm thinking of dtrace
> here) or in an intercepting library and then becoming root and retrying
> would be pretty hairy in userspace. Simpler to make use of the kernel-
> provided features:
> 
> 1. If you only want to write things as root whilst running as a user,
>    you can use mount_umap(8). But, this 1-to-1 remapping won't work
>    for pkgsrc, I think, where the installed files can have arbitrary users.
> 
> 2. Extend secmodel_extensions(9) slightly so that you can do something
>    like:
> 
> ```
> #	rvp & xyz are to be elevated.
> % sysctl -w security.models.extensions.pantheon.uids=$(id -u rvp),$(id -u xyz)
> 
> # 	Go!
> % sysctl -w security.models.extensions.pantheon.enable=1
> 
> #	Kick them out after 1 hour.
> % { sleep 3600; sysctl -w security.models.extensions.pantheon.enable=0; } &
> % cd /usr/pkgsrc/some/pkg && make install
> ```

Interesting, as always!

> 
> > The question arises when I asked (wanting to write something for my
> > own): OK, but _what_ unprivileged user exists that I can safely "su"
> > to and accomplish the unprivileged part as? "nobody" does not seem the
> > answer; "operator" neither. This opened a can of worm-questions ;-)
> > 
> 
> I have a `bld' user for this.

Yes, I have one also. But the question arises for kerTeX, which can be
installed on whatever system by whoever: was there some defined Unix
user for this, to be found on every system, or at least one specially
defined by each Unix OS? And the answer was, if I'm not mistaken: no.
I would have to ask the user at installation time which user to use
for that (and in a lot of cases, the user will not know what to answer
or even will not understand the purpose of the question), or create a
generic "kertex" user for this.
-- 
        Thierry Laronde <tlaronde +AT+ kergis +dot+ com>
                     http://www.kergis.com/
                    http://kertex.kergis.com/
Key fingerprint = 0FF7 E906 FBAF FE95 FD89  250D 52B1 AE95 6006 F40C
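
As an added example (not code from this thread or from kerTeX/pkgsrc), here is what the two-phase pattern discussed above looks like in C on a BSD-style system: fork, downgrade the child to a dedicated build account for the build itself, and keep the parent as root for "make install". The account name "bld" (RVP's choice) and the "make"/"make install" commands are assumptions; the part worth copying is the order of calls and the checks in drop_privileges(), which is where hand-written downgrades usually go wrong (dropping the uid before the groups, or never checking that root cannot be regained).

```c
/*
 * Added example, not from the thread: run the build as an unprivileged
 * account, keep root only for the install step.  "bld" is an assumption.
 */
#define _DEFAULT_SOURCE 1	/* setgroups(2) prototype on glibc */
#include <sys/types.h>
#include <sys/wait.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/*
 * Look up the build account.  Refuse anything that is not actually a
 * downgrade (uid 0 or gid 0).  Returns 0 on success, -1 otherwise.
 */
int
resolve_build_user(const char *name, uid_t *uid, gid_t *gid)
{
	struct passwd *pw;

	if (name == NULL || *name == '\0' || (pw = getpwnam(name)) == NULL)
		return -1;
	if (pw->pw_uid == 0 || pw->pw_gid == 0)
		return -1;
	*uid = pw->pw_uid;
	*gid = pw->pw_gid;
	return 0;
}

/* 1 if "name" is usable as a build account, else 0. */
int
build_user_is_safe(const char *name)
{
	uid_t uid;
	gid_t gid;

	return resolve_build_user(name, &uid, &gid) == 0;
}

/*
 * Give up root irrevocably.  Order matters: supplementary groups and the
 * primary gid must be changed while still uid 0, because setgroups(2) and
 * setgid(2) fail once the uid has been dropped.  Returns 0 or -1.
 */
int
drop_privileges(uid_t uid, gid_t gid)
{
	if (setgroups(1, &gid) == -1 || setgid(gid) == -1 || setuid(uid) == -1)
		return -1;
	/* The downgrade must be complete and must not be reversible. */
	if (setuid(0) == 0 || getuid() != uid || geteuid() != uid ||
	    getgid() != gid || getegid() != gid)
		return -1;
	return 0;
}

/*
 * Fork, downgrade the child to the build account and run "cmd" through
 * /bin/sh.  The parent keeps root.  Returns the child's exit status, 127
 * if the downgrade or exec failed, -1 on a local error.
 */
int
run_unprivileged(const char *user, const char *cmd)
{
	uid_t uid;
	gid_t gid;
	pid_t pid;
	int status;

	if (resolve_build_user(user, &uid, &gid) == -1 || (pid = fork()) == -1)
		return -1;
	if (pid == 0) {
		if (drop_privileges(uid, gid) == -1)
			_exit(127);
		execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
		_exit(127);
	}
	if (waitpid(pid, &status, 0) == -1)
		return -1;
	return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int
main(int argc, char **argv)
{
	const char *user = argc > 1 ? argv[1] : "bld";	/* assumed account */
	const char *dir = argc > 2 ? argv[2] : ".";	/* package directory */

	if (geteuid() != 0 || chdir(dir) == -1) {
		fprintf(stderr, "usage (as root): downgrade [user] [dir]\n");
		return 1;
	}
	if (run_unprivileged(user, "make") != 0) {
		fprintf(stderr, "build as %s failed, not installing\n", user);
		return 1;
	}
	/* Still root: "make install" may create files owned by anyone. */
	return system("make install") == 0 ? 0 : 1;
}
```

The build account needs a work directory it can write to (for pkgsrc, a work/object directory owned by that account), and the parent deliberately never downgrades, so the install step can still create files with arbitrary owners; that is the case RVP notes a 1-to-1 mount_umap(8) remapping cannot cover.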

