summaryrefslogtreecommitdiff
path: root/README.md
blob: b2a8195a6f0c6cb9265c51f0b339b137057f85a3 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
PrivExec is an attempt to provide administrators with a way to allow privelige
escalation in a manner similar to `sudo`, but in a more resilient way by
splitting different stages of the escalation process into separate binaries.

PrivExec consists of three binaries:

- `privexec`
- `check`
- `exec`

The first, `privexec`, is the user-facing binary. It should be installed in
a directory that is part of the global `$PATH`. In order to function properly,
`privexec` must be installed SETGID (*NOT* SETUID) to a group that contains
not actual users (we suggest `_privexec` for this purpose).

The other two binaries should be installed with group ownership set to the
same group, and permissions set to allow user and group execution for both,
with other execution disabled, as well as `root` ownership and SETUID for
`exec`. In summary, you should have something like:

    $ ls -l /usr/local/bin/privexec /usr/local/lib/privexec/check /usr/local/lib/privexec/exec
    -rwxr-sr-x 1 root _privexec 19888 Feb  1 10:32 /usr/local/bin/privexec
    -r-xr-x--- 1 root _privexec 19888 Feb  1 10:33 /usr/local/lib/privexec/check
    -r-sr-x--- 1 root _privexec 19456 Feb  1 10:13 /usr/local/lib/privexec/exec

The front-end binary is responsible for calling the `check` binary to verify
whether the user is authorized to execute the given command, and then calling
the `exec` binary to execute the command with elevated privileges if and only
if the `check` command positively confirms authorization. The `exec` command
is obviously SETUID to enable privilege escalation. The `privexec` command is
SETGID to restrict the execution of the other two commands. The `check` command
is largely unprivileged (though administrators may wish to restrict its
configuration file to be readable only by the `_privexec` group to prohibit
casual inspection of which accounts are allowed to elevate privileges), and
is the location of all complexity. It is responsible for parsing
`/etc/privexec.conf` and determining whether the given user is authorized to
run the given command.

Configuration is done via `/etc/privexec.conf`. The format is intentionally
strict. Each may be blank, a comment (beginning with a '#' character in the
first column), or a directive. Directives are of the form:

    <keyword> <principal> [command]

Where `<keyword>` is one of `authorized`, `authenticate`, or `deny`;
`<principal>` is either a username or a group name prepended with ':', and
`[command]` is an optional command. Tokens must be separated by exactly one
space. Additional white space is not allowed.

The entire configuration file is parsed whenever `privexec` invokes `check`.
Any syntax errors will result in failure. Privilege checking is performed so
as to be most restrictive. In order from least to most:

    `authorized` - The user is authorized to execute the associate command
    without further interaction.

    `authenticate` - The user must authenticate themself before the command
    is executed. This is handled by PAM with the service name `privexec`.

    `deny` - The user is not permitted to execute the command.

A user name match has higher precedence than a group match, and a match
containing a program name has higher precedence than a match without the
program name. So the total ordering of precedence (from least to most) is:

    authorized :group
    authenticate :group
    deny :group
    authorized :group command
    authenticate :group command
    deny :group command
    authorized user
    authenticate user
    deny user
    authorized user command
    authenticate user command
    deny user command