A server applicaton I wrote is running as root at the moment and authenticates local system users with getspnam() and crypt() which requires root privilege to access the shadow file. Now I want that application not to run as root in a production system. What are the alternatives without ever requiring root for authenticating local users? The application is running under debian at the moment but is written portable in general.
None of those files you read are supposed to be read by a userspace application. They are system files. The administrator is free to leave the files in place but inhibit their contents - a perfectly valid scenario - and there may well be user information that goes beyond what's in those files. Say, if the machine is joined to an Active Directory domain, or otherwise uses LDAP for authentication: the user list will come from the directory, with passwd having just the local system accounts and nothing else. System services need those files in /etc, and that's that - specifically, the PAM module that provides local accounts :)
Thus: use Pluggable Authentication Modules (PAM). You'll be using the public interface to PAM. Since PAM is cross-platform, it will work on other unices, say Solaris.
Related
I'm a bit puzzled by this: someone who no longer works at our company told our client before leaving that what I'm about to describe is feasible, but I'm at a loss for how.
Our client is getting an smb share as read-only from one of their partners. I have absolutely no control over this. This share is mounted on one of our file servers at /mnt/share.
My task is to set up a share from /mnt/share to the clients active directory users, which i have done sucessfully, but I also need to set permissions on certain sensitive subfolders that should be accessible by only certain active directory groups. (for example, only users in the Accounting group should be able to read the "Accounting" subfolder)
According to all documentation I've read, this is impossible because the files "on disk" are read-only (since they are really just a mounted smb share). Attempts to set permissions anyway have been met with no feedback.
The file server is RHEL 7.x (it is in the correct AD realm) and I also have Admin access to Active Directory.
To summarize:
Partner SMB share (read only) -----> File server | SMB share -------[This is where I need to set permissions]-------> user machines.
• Since the SMB share itself has read-only permissions on the RHEL 7.X file server, they define the on-disk permissions set for that share on the file server as well as the other network resources that access it. Thus, as the file server has authority of the SMB share and only read-only access has been defined on it for all other users that access it, so even if you try to map it on other systems that run Windows, it will only be a read-only folder without any other permissions on it.
Hence, to set file and folder level ACL permissions on it, you will have to enable read, write, and execute permissions to all the users on that share and then map it on a Windows system by logging in it with AD administrator credentials and set custom permissions accordingly in its directory as per the requirement. In this way, you would be able to assign the correct permissions to a user/group or a resource on a file/folder or a directory in that share.
Thus, to change the permissions of the ‘/mnt/share’ on RHEL 7.X file server, please execute the below command in the terminal by logging as the root user.
Browse to the SMB share on linux terminal and run ‘ls -dl’, it will show all the permissions set for the share. Then run ‘chmod a=rwx’, this will set ‘Read, write and execute’ permissions on the share to all the users. Then, run ‘ls -l’ again on the terminal to check the newly modified permissions on the share. It should display as ‘drwxrwxrwx’ which means the permissions have been set correctly.
Please refer the below link for more reference: -
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/configuring_basic_system_settings/assembly_managing-file-permissions_configuring-basic-system-settings
I've had confirmation from a seasoned veteran that what i'm trying to do cannot be done. Since the "disk" that i'm sharing is mounted read-only, neither linux nor windows will let me apply permissions to specific folders inside the share, unless this was done from the original share, which i cannot control.
the only access control i've managed to apply was by pointing compmgmt.msc to the linux share server, and managing the "share access" security options to only allow a certain group to access the entire share.
I need to create a directory in /var/log using a C program which does NOT run with superuser rights.
This linked question didn't help me!
I understand that the file permissions of /var/log does not allow us to write in it nor do I want to change it.
I use mkdir() to create the directory which fails for obvious reasons.
So, is it possible for a normal (with no root rights) C program to create a directory in /var/log?
My goal: To create a directory using a C program in /var/log without changing the parent's file permission. Should I run my program as root? But I would prefer not to.
Kindly help.
TIA
You cannot programmatically overturn the filesystem's access control.
What you could try to do instead is to use an existing logging mechanism that is provided by the system. For example, journald that comes with systemd allows for per-user logging.
If your program runs as a user, it should only use the user's home directory to store files, wether it being configuration or logging. Think about it this way: What happens if several users want to use your program at the same time?
If your program really is a system daemon, have a look at other software that runs under their own user. They could either have their own logging directory be prepared by the init script that calles them (running the daemon itself as a different user), or they purge their priviledges during startup. An example is httpd, which needs root priviledges to listen on port 80.
I need to write a C program that will allow me to read/write files that are owned by root. However, I can only run the code under another user. I have the root password, but there are no "sudo" or "su" commands on the system, so I have no way of accessing the root account (there are practically no shell commands whatsoever, actually). I don't know a whole lot about UNIX permissions, so I don't know whether or not it is actually possible to do this without exploiting the system in some way or running a program owned by root itself (with +s or whatever). Any advice?
Thanks!
P.S. No, this isn't anything malicious, this is on an iPhone.
Under the UNIX permissions system, you need to run a file owned by root itself that's marked setuid-root (+s, as you said) or communicate with some process that is already running as root.
If there is no such file, you are out of luck.
You can do this with setting suid bit to application, but if you want from this c application run a some shell this was be runned on local user if you do it normally this is security system.
However you can read/write/execute files owned by root, but if your user is not in group of file your target file must have setted read/write/execute on last 3 bits or when your user is in file owner group you must check/apply this to 3 bits in middle position. (3 first bits setting permission to owner but this may not by a usable information for you).
If you dont have any access to root account. Then if group and other user permissions dont access functions as you must have, you can't do with this anything except trying get some prilveaged user for access this file. In other cases you can do some fixes in file access permissions but not from this system, you must get hard drive from this device and attach to other to change it or load on this device some live system to change this. However you can do this on privleaged system not on this.
More information about SUID bits you can find at:
http://www.codecoffee.com/tipsforlinux/articles/028.html
http://www.everyjoe.com/newlinuxuser/explain-what-is-setuid-and-setgid/
The iPhone SDK doesn't allow this. Your application is sandboxed and it is not allowed to go outside of that sandbox except in very specific ways provided by Apple. The only way to do this on an iPhone is to jailbreak it.
I have written a cgi-bin application in C that runs in a browser and allows the user to open an interactive shell and view & edit files on a Linux machine. It runs as the standard apache "www-data" user. I just added a login screen to it where the user types in their name and password (in a form) but I cannot authenticate the user using getspnam since this function only works when running as root.
What options do I have to check the login credentials of a user when not running as root?
PS: In my interactive shell I can type "su root" and then type in my password and it does elevate to root fine so it obviously can be done interactively.
I think you want to take a look at Pluggable authentication modules. AFAIK, PAM handles all the messy stuff for you and you just need to do a few function calls to authenticate the user on whatever the backend to authenticate users on the Linux host is (be it shadow passwords, nis, ldap, whatever)
Here's a short guide about integrating your C code with them.
With regard to your PS: Well, when you do a su root you're switching to the root user. So yes, of course, root can read the shadow file, you all ready said that.
With regard to your problem: Can't you have your apache processes temporarily elevate to root (by calling setuid or similar) to perform the authentication?
Good luck!
As suggested, I think PAM is the modern way to do this. But if you want to go old school, you need to create a setuid-root program (not a script) to do your authentication.
There are lots of gotchas with setuid-root programs, which is why PAM is likely better.
Here's a link to some good papers on safely writing setuid-root programs.
I don't really understand windows UAC...
I need for my program to be able to update and add files to a specific directory belonging to a program. This directory may be a subdirectory of an application in Program Files, for example c:\Program Files\MyApp\Data or it may be installed elsewhere.
I believe that if it's under Program Files then my program will be prevented from writting there unless it is running as an administrator AND has elevated it's access rights. Is that correct?
I need to be able to update files in that directory preferable without invoking elevated privileges and with the main application still "protected", just allow access to that one directory. I can't move the Data folder elsewhere as this as it's a 3rd party application I need to interface with.
How is it determined that UAC is needed for folders in Program Files? Is Program Files special in some way or is just permissions? If I were to adjust the permissions on that Data subdirectory so that the user account running the program had write access would that allow my application to update files in that directory without special privileges?
Or is there a better way to achieve this that I'm not thinking of? My update program needs to be in java so getting elevated privileges is a pain. I imagine I'll need to write a C++ wrapper to run the java VM so that i can give that wrapper an appropriate manifest. Not impossible but I don't really want to have to do this.
Try changing your application's directory security settings on-install to allow "Authenticated Users" write permissions.
Usually, when you need both protected and unprotected UAC modes you do the following.
Create two executable (one should be the main one and not require privileges for any operation, the second one should be able to perform privileges operations).
Start the first (main) one using limited privileges.
When you need to perform an privileged operation, create a new process with administrative rights (will pop the UAC window) and start the second application in it.
When done with the second application close it and you'll be back to limited mode.
This is how VMWare Workstation does when you change global settings.
Edit: Changing the permissions on a folder is not a good approach. Is just a dirty hack because anybody can write to that folder and this will just invalidate the role of UAC - after all this is the role of UAC: to prevent unprivileged changes in special folders.