        Op: A Flexible Tool for Restricted Superuser
                           Access

                      Tom Christiansen

                CONVEX Computer Corporation
                         POB 833851
                   3000 Waterview Parkway
                 Richardson, TX  75083-3851

             {uunet,uiucdcs,sun}!convex!tchrist
                     tchrist@convex.com

                        July 2, 1991

                          ABSTRACT

          The op tool provides a flexible means for
     system administrators to grant trusted users
     access to certain root operations without having
     to give them full superuser privileges.  Different
     sets of users may access different operations, and
     the security-related aspects of the environment of
     each operation can be carefully controlled.

     One sure way to render a UNIX system unstable is to
distribute the root password to everyone who thinks they
need it.  Well-meaning and experienced though these people
may be, they will inevitably introduce anomalies into your
system that will cause it to malfunction in mysterious ways.
You may spend hours or even days trying to determine what
was changed, by whom, and for what reason.  This problem
occurs even when all parties involved are experienced system
administrators.

     Furthermore, large sites often have computer operators
who attend to the routine tasks of system administration,
such as dumps and restores, tape handling, system shutdown,
and so on.  These people may not be sophisticated, and you
may not wish them to have complete system privileges to do
their jobs.  Denying the superuser password to your coworkers
or management is difficult, if not impossible.  This
difficulty is particularly acute in a technical environment
where programmers may be competent, but insensitive to the
management of a complex system.

     The op program, a standard utility provided by CONVEX,
is specifically designed to address this problem.  The op
program gives the system manager a means to grant a user or
group of users limited access to specific superuser commands
without granting access to all superuser privileges.  Careful
control of the environment provides both flexibility and
security.
59
     To set up op on your system, you begin by finding out
which specific tasks a user actually needs system privileges
for when he or she asks for the superuser password.  Complete
access to every command on the system is usually not
required.  Using op, the system manager can designate a set
of privileged commands and access lists for these commands;
the system manager, in effect, can grant limited system
privileges beyond those normally available to a normal user
without giving away full superuser privileges.
69
     The op program is not interactive; it functions as a
prefix command, similar to time or nice, whose side effect is
to alter the user's environment in some fashion.  The
functions (or mnemonics) understood by the op program are
listed in the configurable ASCII data file /etc/op.access.
This file describes what commands can be performed by the op
program, how they are to be performed, and who is allowed to
perform them.  For security reasons, this file should be
owned by the superuser and readable by no one else (mode
0600): anyone who can write it can define a mnemonic that
runs an arbitrary command as root, and anyone who can read
it learns exactly which commands are exposed and to whom.
Each invocation of op is logged using syslog(3) with the
LOG_AUTH facility.
81
     The restrictions can be made as tight as each site
demands, as determined by the system administrator who
customizes the op.access file.  This file contains a mapping
of mnemonics, or operator functions, to the full pathnames of
programs that should be invoked and the arguments that are
allowed, if any.  The arguments to the executed program can
be a combination of literal and variable arguments, and
restrictions can be placed on which values are valid
substitutions for the variable arguments.  Because some
syntactic checking of the command arguments is possible,
running commands under op can be safer than running them
directly from a superuser's shell.  This safety feature can
prevent pitfalls like accidentally transposing the file
system and tape device arguments to the dump program (e.g.
dump 0uf / /dev/rmt16), which would destroy the file system.
97
     The following set of attributes can be controlled for
each mnemonic by the op program:

     o    the user id to set

     o    the group vector to set

     o    the directory to chdir(2) to

     o    the root directory to set with chroot(2)

     o    the umask to set

     o    a list of groups allowed to execute this function

     o    a list of users allowed to execute this function

     o    the range of valid arguments for the command, both in
          number and value

     o    any environment variable settings
123
     The fields of the entries in op.access are separated by
white space.  Each entry may span several lines and continues
until the next alphanumeric string is found at the beginning
of a line (which is taken to be the next mnemonic, and thus
the beginning of a new entry).  Comments may be embedded
beginning with a # character.  Each entry in op.access has
the following form:

     mnemonic     command  [ arg ... ]  ;  [ option ... ]

where the fields are interpreted in the following manner:

mnemonic    a unique, alphanumeric identifier for each
            operator function.

command     the full pathname of the executable to be run by
            op when the associated mnemonic is chosen.

arg(s)      any arguments, either literal or variable, needed
            by command.  Literal arguments are simply
            specified directly, like specific command options
            (0Gun) or files (/dev/rmt20).  Variable arguments
            are specified here as $1, $2 ... $n; these are
            described more fully in the options section
            below.  $* indicates any number of trailing
            arguments.

option(s)   a set of optional parameters to specify settings
            or restrictions for the particular mnemonic,
            define the variable arguments used in the
            command, and define environment variable
            settings.  Options are separated by white space
            and are of the form keyword=value.  The absence
            of a specific option means the default is
            sufficient.  The value can be a single value or a
            list of values separated by commas, where
            appropriate.  There should be no white space in
            each element of the value string unless quoted.
            The keyword is any of the following types:
163
            uid     Set the user id to the value specified.
                    The value can be a numeric user ID or a
                    login name.  The default is root.

            gid     Set the group ids to the values specified.
                    Each value can be a numeric group ID or a
                    group name.

            dir     Change the current working directory to
                    the path specified.

            chroot  Change the root directory to the path
                    specified using chroot.

            umask   Set the file creation umask to the octal
                    value specified.  The default is to set
                    it to 022.

            groups  Allow any user who belongs to a group
                    listed here to execute this op function.
                    The default is not to allow any specific
                    group.

            users   Allow any user listed here to execute
                    this op function.  The default is not to
                    allow any specific users.  You may use
                    the regular expression .* to indicate
                    that all users may use this mnemonic.

            $n      Defines the nth variable argument
                    specified in the command arg list.  The
                    value for this type may be a
                    comma-separated list of regular
                    expressions using regex(3); it defines
                    the range of values allowed for that
                    variable argument.  A variable argument
                    specified as a command arg but not
                    described in the options section may take
                    on any value.  If an argument does not
                    match any of its permitted values, then a
                    diagnostic is printed and the command is
                    not executed.

            $*      Is used in the options section to place
                    restrictions on the trailing arguments
                    specified as $* in the args section.  If
                    any of these (possibly many) arguments
                    does not match, then a diagnostic is
                    printed, and the command is not executed.

            $VAR    where VAR is the name of an environment
                    variable.  The specified environment
                    variable is set to the value given before
                    the command is executed.  As a special
                    case, simply using $VAR with no = part (as
                    in $USER) means that this environment
                    variable is inherited unchanged from the
                    caller's shell.  Be sparing with this for
                    variables that influence how a command
                    behaves: a PATH inherited from the caller
                    would let the caller choose which programs
                    a root-privileged command finds, so PATH
                    should be given an explicit value instead.
232
     There can also be a special entry in the file, beginning
at the first non-comment line, that defines default values to
override the builtin defaults listed here, yet is still
overridden by any entry that redefines any of the keyword
fields described above.  It should have the following format:

     DEFAULT      keyword_option ...

where each keyword_option is one of the keyword=value strings
mentioned above under options.

     It should be noted that if any regular mnemonic entry
defines its own option, the value given for that entry must
explicitly include the item from the DEFAULT line if the
default value is to be included.  That is, the options
definitions completely override any defaults; they do not add
to them.  In this way, if a value specified on the DEFAULT
line for users or groups (for example) needs to be "erased"
without redefining new values (that is, we want no users or
groups to be allowed to run this mnemonic), then the default
value must be overridden with nothing (as in users=).  For the
users and groups fields, such a null setting has the effect of
setting the list of allowable users or groups to be empty.
For the other keywords (uid, gid, dir, chroot, and umask), a
null setting leaves that attribute as it is upon invocation of
the op program, overriding any defaults.  The practical
consequence: when an entry names its own groups= or users=
list, whoever the DEFAULT line admitted is no longer admitted
to that mnemonic unless named again (the tape entry in the
example below repeats operator for exactly this reason),
while an entry that names neither keyword keeps the DEFAULT
lists in force.
260
     This file format may seem complex at first glance, but
is actually intuitive and flexible.  An example op.access
file might look like:

# first, define the site defaults we want to use here
# we would like the people in `operator' group to be able to execute
# almost everything, so it is easier to put it here than on every line...
# set up default envariables
#
DEFAULT groups=operator $USER $TERM $PATH=/usr/ucb:/usr/bin:/bin
#
#    find out who's filled up the disk; anyone may do this
#
full            /usr/etc/quot $1; users=.*
#
#    filesystem backups
#
daily           /etc/dump 5Gun $1; $1=/,/usr[0-9]*,/project
weekly          /etc/dump 0Gun $1; $1=/,/usr[0-9]*,/project
#
#    tape handling commands
#    must include `operator' if we want them to be allowed as well
#
tape            /etc/tpc $1 $2; groups=tapeopers,operator users=boss
                $1=enable,disable,stop,restart $2=all,unit[01]
#
mounted         /etc/tpc mounted unit$1 $2; $1=[0-3]
#
#    taking the system down
#    $1 shows a good use of regular expressions;
#    $2 can be anything, but is required; no instant shutdowns
#
shutdown        /etc/shutdown -h $1 $2; $1=+[1-9][0-9]*,[0-9]*:[0-9]*
reboot          /etc/shutdown -r $1 $2; $1=+[1-9][0-9]*,[0-9]*:[0-9]*
#
#    start up disco daemon
disco           /etc/opbin/start_disco; uid=disco gid=proj dir=/scratch
                        umask=027 groups=geo,disco users=snoopy,linus
                        $USER=disco $SHELL=/bin/shell
#
#    let certain people mount and unmount the removable drive
#
rdsmount        /etc/mount $1 $2; groups=operator,swdev,disco users=bob,steve $1=/dev/dd0[a-g] $2=/.*
rdsumount       /etc/umount $1; groups=operator,swdev,disco users=bob,steve $1=/dev/dd0[a-g]
#
#    allow operators to give files away; notice that they
#    must give at least two args, but may give more
#
chown            /etc/chown $1 $2 $*; $1=[a-z0-9][a-z0-9]*
#
#    permit development personnel to run install
#
inst            /usr/bin/install -o root -g system $1 $2; groups=devel
                        $2=/bin,/usr/bin,/usr/ucb,/usr/new,/usr/local
#
nfsmount        /etc/mount -o timeo=100,hard,intr $1 $2; groups=devel,operator
                        $1=\([a-zA-Z0-9_]*\):\(.*\) $2=/remote/\1\2

     Some example command lines using op, given the above
op.access file, might be:

     % op full /usr1
     % op weekly /usr1
     % op tape disable unit0
     % op reboot 17:30 "We have to fix our network."
     % op disco
     % op rdsmount  /dev/dd0c  ~/mystuff
     % op mounted 3 8688
     % op chown jim  /tmp/bill/*
     % op inst less  /usr/local
     % op nfsmount  convexs:/usr/src  /remote/convexs/usr/src

     Note that the following commands would not work because
they would not match the back-reference specifications in
the nfsmount mnemonic:

     op nfsmount convexs:/usr/src /remote/foobar/usr/src
     op nfsmount convexs:/usr/src /remote/convexs/src
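     The following is an added example, not op's own C source
and not anything distributed by CONVEX: a Python model of the
op.access rules described above (the entry and option format,
the DEFAULT override semantics, and the argument checks behind
the command lines just shown, including the back-references
that reject the two nfsmount lines).  Where the paper is
silent the model makes assumptions, repeated in its docstring:
$n patterns are treated as regex(3)-style basic regular
expressions that must match the whole argument (unanchored
matching would let $1=/ accept anything), \1 and \2 in a later
pattern stand for groups captured by earlier arguments,
users= values are patterns and groups= values are literal
group names.  The op.access text embedded in it is a
constructed subset of the example file above, and the user
names and groups in the usage are made up.

```python
r"""Model of op.access semantics (an added example, not op's own source):
parse entries, apply DEFAULT overrides, check the caller against users= and
groups=, validate $n and $* arguments, and build the argv op would exec.
Assumed here: $n patterns are regex(3)-style BREs that must match the whole
argument, \1 \2 in a later pattern name groups captured by earlier arguments,
groups= holds literal group names and users= holds patterns."""
import re
from collections import namedtuple

# Constructed sample: a subset of the op.access file shown in the paper.
SAMPLE_OP_ACCESS = r"""
DEFAULT groups=operator $USER $TERM $PATH=/usr/ucb:/usr/bin:/bin
full            /usr/etc/quot $1; users=.*
tape            /etc/tpc $1 $2; groups=tapeopers,operator users=boss
                $1=enable,disable,stop,restart $2=all,unit[01]
mounted         /etc/tpc mounted unit$1 $2; $1=[0-3]
reboot          /etc/shutdown -r $1 $2; $1=+[1-9][0-9]*,[0-9]*:[0-9]*
disco           /etc/opbin/start_disco; uid=disco groups=geo,disco users=snoopy,linus
                        $USER=disco $SHELL=/bin/shell
chown           /etc/chown $1 $2 $*; $1=[a-z0-9][a-z0-9]*
nfsmount        /etc/mount -o timeo=100,hard,intr $1 $2; groups=devel,operator
                        $1=\([a-zA-Z0-9_]*\):\(.*\) $2=/remote/\1\2
"""

class OpError(Exception):
    pass

# options maps keyword -> value; a value of None means a bare $VAR (inherit).
Entry = namedtuple('Entry', 'mnemonic command args options')

def parse_op_access(text):
    """Entries run until the next line starting with an alphanumeric; '#' starts
    a comment; ';' separates the command and its args from keyword=value options."""
    chunks = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].rstrip()
        if not line.strip():
            continue
        if line[0].isalnum():
            chunks.append(line)
        elif chunks:
            chunks[-1] += ' ' + line
        else:
            raise OpError('continuation line before any entry: %r' % raw)
    entries = {}
    for body in chunks:
        mnemonic, rest = (body.split(None, 1) + [''])[:2]
        cmdpart, _, optpart = ('', '', rest) if mnemonic == 'DEFAULT' else rest.partition(';')
        cmd = cmdpart.split()
        if mnemonic != 'DEFAULT' and not cmd:
            raise OpError('%s: missing command' % mnemonic)
        options = {k: (v if eq else None) for k, eq, v in (t.partition('=') for t in optpart.split())}
        entries[mnemonic] = Entry(mnemonic, cmd[0] if cmd else '', cmd[1:], options)
    return entries

def bre_to_python(pat):
    r"""regex(3)-style BRE -> Python: \( \) delimit a group, \1 is a back-reference,
    and + ? | { } ( ) are ordinary characters."""
    out, i = [], 0
    while i < len(pat):
        c = pat[i]
        if c == '\\' and i + 1 < len(pat):
            n = pat[i + 1]
            out.append(n if n in '()' else '\\' + n if n.isdigit() else re.escape(n))
            i += 2
        else:
            out.append('\\' + c if c in '+?|(){}' else c)
            i += 1
    return ''.join(out)

def _csv(val):
    return [v for v in val.split(',') if v] if val else []   # users= (empty) -> nobody

def authorized(opts, user, user_groups):
    if any(re.fullmatch(bre_to_python(p), user) for p in _csv(opts.get('users'))):
        return True
    return bool(set(_csv(opts.get('groups'))) & set(user_groups))

def _check_arg(entry, patterns, value, captured, which):
    """Return the groups captured by the first pattern matching the whole value."""
    if patterns is None:                  # no $n option at all: any value is acceptable
        return []
    def backref(m):                       # \1 \2 ... -> the earlier capture, as a literal
        i = int(m.group(1)) - 1
        if i >= len(captured):
            raise OpError('%s: \\%d refers to nothing captured' % (entry.mnemonic, i + 1))
        return re.escape(captured[i])
    for p in _csv(patterns):
        m = re.fullmatch(re.sub(r'\\(\d)', backref, bre_to_python(p)), value)
        if m:
            return list(m.groups())
    raise OpError('%s: argument $%s=%r is not permitted' % (entry.mnemonic, which, value))

def build_argv(entry, opts, given):
    """Check argument count and values, substitute $n (also inside tokens such as
    unit$1) and expand $* into the remaining arguments."""
    n_fixed = len({m for t in entry.args for m in re.findall(r'\$(\d+)', t)})
    has_rest = '$*' in entry.args
    if len(given) < n_fixed or (len(given) > n_fixed and not has_rest):
        raise OpError('%s: wrong number of arguments (%d given)' % (entry.mnemonic, len(given)))
    captured = []
    for n in range(1, n_fixed + 1):
        captured += _check_arg(entry, opts.get('$%d' % n), given[n - 1], captured, n)
    rest = given[n_fixed:]
    for value in rest:
        _check_arg(entry, opts.get('$*'), value, captured, '*')
    argv = [entry.command]
    for tok in entry.args:
        argv += rest if tok == '$*' else [re.sub(r'\$(\d+)', lambda m: given[int(m.group(1)) - 1], tok)]
    return argv

def resolve(entries, mnemonic, user, user_groups, given, caller_env):
    """Everything op decides before exec: (argv, uid, environment)."""
    if mnemonic == 'DEFAULT' or mnemonic not in entries:
        raise OpError('unknown mnemonic %s' % mnemonic)
    entry = entries[mnemonic]
    opts = dict(entries['DEFAULT'].options) if 'DEFAULT' in entries else {}
    opts.update(entry.options)            # an entry's keyword replaces the default outright
    if not authorized(opts, user, user_groups):
        raise OpError('%s: %s is not permitted to run this' % (mnemonic, user))
    argv = build_argv(entry, opts, given)
    env = {k[1:]: (v if v is not None else caller_env.get(k[1:]))   # $VAR=x sets, bare $VAR inherits
           for k, v in opts.items() if k[:1] == '$' and not k[1:].isdigit() and k != '$*'}
    env = {k: v for k, v in env.items() if v is not None}
    return argv, opts.get('uid') or 'root', env

def would_run(entries, mnemonic, user, user_groups, given, caller_env=None):
    """The argv op would exec, or None (printing the diagnostic) if it refuses."""
    try:
        return resolve(entries, mnemonic, user, user_groups, given, caller_env or {})[0]
    except OpError as e:
        print('op:', e)
        return None
```

     With entries = parse_op_access(SAMPLE_OP_ACCESS),
would_run(entries, 'nfsmount', 'bob', ['devel'],
['convexs:/usr/src', '/remote/convexs/usr/src']) returns the
mount argv, while the two rejected lines above return None
with a diagnostic.  resolve() also returns the uid and the
environment, which makes the override rule visible: the disco
entry's groups=geo,disco has replaced the DEFAULT
groups=operator rather than extended it, so an operator who
is not snoopy or linus is refused.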
347
     In summary, the op program allows the system manager to
give out limited system privileges without compromising the
root password.  The system can be easily tuned to the needs
of a specific site.  The environment in which these commands
execute can be tightly controlled and their arguments checked
for valid values.  For security reasons, a log is kept of all
commands run.  Careful application of the op program can
result in a more stable system.
