Subject: Re: about the complexity estimate
From: Jim Hebert (jhebert at compu-aid.com)
Date: Wed Jun 07 2000 - 19:31:28 CDT
- Next message: Chris Evans: "Things to look out for when auditing"
- Previous message: Marc Esipovich: "Re: about the complexity estimate"
- In reply to: Antonomasia: "about the complexity estimate"
- Next in thread: Antonomasia: "Re: about the complexity estimate"
- Reply: Jim Hebert: "Re: about the complexity estimate"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Sorry I didn't participate the first time around.
# grep useradd.wrapper /etc/sudoers
jhebert ALL=(root) NOPASSWD: /usr/local/sbin/useradd.wrapper 6[0-9][0-9] [a-zA-Z][a-zA-Z][a-zA-Z][a-zA-Z][a-zA-Z]
# cat /usr/local/sbin/useradd.wrapper
#!/bin/sh
# $1 = uid (sudoers pattern restricts it to 600-699), $2 = login name
# (sudoers pattern restricts it to five letters). sudo only runs this
# with arguments that matched those patterns.
/usr/sbin/useradd -u "$1" -g 100 -d "/home/$2" -s /bin/bash "$2"
Note that useradd.wrapper is not setuid or anything.
This example lets me add any user with a uid 600-699, enforces my home
directory "pattern," and forces the uniqueness of the uid (useradd does
that) as well as name (''). The shell patterns in the sudoers file
enforce the gid restriction and describe a valid login name. (Lame
example: forces it to be 5 letters long. You could either use smarter
shell patterns or a few repetitious patterns to get, say, a requirement of
3-8 letter usernames.) You probably could move the input checking into the
wrapper, but I didn't really stop and think about how that might weaken
the security of it.
sudo provides authentication and logging (I used NOPASSWD in my sudoers
file but you don't have to). sudo lets you specify this priv to a group of
people, though my example just gives it to me.
A similar approach could be used to allow users to run sudo passwd but
restrict the users they can change passwords for. A small, unprivileged
wrapper that only runs /bin/passwd $1 if $1 meets some criteria can be
wrapped by sudo; sudo can enforce additional criteria, handle auth and
logging and so forth.
You might need to enhance the useradd.wrapper to do something which
recorded users added in this fashion, some sort of record which the
passwd.wrapper would then access when determining if it should allow you
to change that passwd. Or some heuristic like their home dir, uid range,
or shell might be enough to indicate that they are legit for getting their
passwd changed. (I gather from your post that only accounts added via THIS
method should be able to be manipulated from the password changer.)
Total time spent thinking about this: about 5 minutes. I'd be interested
in what auditors have to say about this approach. Using the shell seemed
kinda scary, though I suppose these chintzy little wrappers could just as
easily be perl, C, or whatever.
jim
PS: In retrospect the username pattern should be all lower case, but you
get the idea.
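As an added illustration of the passwd.wrapper idea sketched above (this is not Jim's script or part of the original post), the following wrapper decides whether an account may have its password changed by applying the heuristic the post suggests: uid in 600-699, home directory /home/<name>, login shell /bin/bash. The 3-8 lowercase-letter username rule is an assumption that follows the PS; the sample passwd lines are constructed for the demonstration.

```shell
#!/bin/sh
# passwd.wrapper: only change passwords of accounts useradd.wrapper created,
# recognised by the post's heuristic: uid 600-699, home /home/<name>,
# shell /bin/bash. Added example; the 3-8 lowercase-letter rule is assumed.

# is_managed_user NAME [PASSWD_FILE]: succeed if NAME is a managed account.
# The second argument is only for testing against a constructed file.
is_managed_user() {
    name="$1"
    file="${2:-/etc/passwd}"
    # Validate the name before anything else sees it: 3-8 lowercase letters.
    case "$name" in
        ""|?|??|*[!a-z]*|?????????*) return 1 ;;
    esac
    # Exact match on the login field; print uid, home directory and shell.
    entry=$(awk -F: -v n="$name" '$1 == n { print $3, $6, $7; exit }' "$file")
    [ -n "$entry" ] || return 1
    set -- $entry
    uid="$1" home="${2:-}" shell="${3:-}"
    [ "$uid" -ge 600 ] && [ "$uid" -le 699 ] || return 1
    [ "$home" = "/home/$name" ] || return 1
    [ "$shell" = "/bin/bash" ]
}

if [ $# -eq 1 ]; then
    # Wrapper mode, as invoked through sudo: act on the real /etc/passwd.
    if is_managed_user "$1"; then
        exec /bin/passwd "$1"
    fi
    echo "passwd.wrapper: refusing to change password for '$1'" >&2
    exit 1
fi

# Demo mode (no argument): constructed passwd lines, not a real system file.
# Only alice passes all three checks.
SAMPLE_PASSWD=$(mktemp)
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:601:100::/home/alice:/bin/bash
bob:x:1001:100::/home/bob:/bin/bash
carol:x:602:100::/srv/carol:/bin/bash
EOF
for u in alice bob carol root; do
    if is_managed_user "$u" "$SAMPLE_PASSWD"; then echo "$u: allowed"
    else echo "$u: refused"; fi
done
```

A matching sudoers entry would restrict the argument again, so the name check runs twice: once in sudo's pattern and once in the wrapper.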