Op: A Flexible Tool for Restricted Superuser Access

Tom Christiansen

CONVEX Computer Corporation
POB 833851
3000 Waterview Parkway
Richardson, TX 75083-3851

{uunet,uiucdcs,sun}!convex!tchrist
tchrist@convex.com

July 2, 1991

ABSTRACT

The op tool provides a flexible means for system administrators to grant trusted users access to certain root operations without having to give them full superuser privileges. Different sets of users may access different operations, and the security-related aspects of the environment of each operation can be carefully controlled.

One sure way to render a UNIX system unstable is to distribute the root password to everyone who thinks they need it. Well-meaning and experienced though these people may be, they will inevitably introduce anomalies into your system that will cause it to malfunction in mysterious ways. You may spend hours or even days trying to determine what was changed, by whom, and for what reason. This problem occurs even when all parties involved are experienced system administrators.

Furthermore, large sites often have computer operators who attend to the routine tasks of system administration, such as dumps and restores, tape handling, system shutdown, and so on. These people may not be sophisticated and you may not wish them to have complete system privileges to do their jobs. Denying the superuser password to your coworkers or management is difficult, if not impossible. This difficulty is particularly acute in a technical environment where programmers may be competent, but insensitive to the management of a complex system.

The op program, a standard utility provided by CONVEX, is specifically designed to address this problem. The op program gives the system manager a means to grant a user or group of users limited access to specific superuser commands without granting access to all superuser privileges. Careful control of the environment provides both flexibility and security.

To set up op on your system, you begin by finding out the specific tasks for which system privileges are deemed necessary when a user requests the superuser password. Complete access to every command on the system is usually not required. Using op, the system manager can designate a set of privileged commands and access lists for these commands; the system manager, in effect, can grant limited system privileges beyond those normally available to a normal user without giving away full superuser privileges.

The op program is not interactive; it functions as a prefix command, similar to time or nice, whose side-effect is to alter the user's environment in some fashion. The functions (or mnemonics) understood by the op program are listed in the configurable ASCII data file /etc/op.access. This file describes what commands can be performed by the op program, how they are to be performed, and who is allowed to perform them. For security reasons, this file should be owned and readable only by the superuser. Each invocation of op is logged using syslog(3) with the LOG_AUTH facility class.

The restrictions can be made as tight as each site demands, as determined by the system administrator who customizes the op.access file. This file contains a mapping of mnemonics, or operator functions, to the full pathnames of programs that should be invoked and the arguments that are allowed, if any. The arguments to the executed program can be a combination of literal and variable arguments, and restrictions can be placed on which values are valid substitutions for the variable arguments.
Because some syntactic checking of the command arguments is possible, running commands under op can be safer than running them directly from a superuser's shell. This safety feature can prevent pitfalls like accidentally transposing the file system and tape device arguments to the dump program (e.g. dump 0uf / /dev/rmt16), which would destroy the file system.

The following set of attributes can be controlled for each mnemonic by the op program:

    o the user id to set
    o the group vector to set
    o the directory to chdir(2) to
    o the root directory to set with chroot(2)
    o the umask to set
    o a list of groups allowed to execute this function
    o a list of users allowed to execute this function
    o the range of valid arguments for the command, both in number and value
    o any environment variable settings

The fields of the entries in op.access are separated by white space. Each entry may span several lines and continues until the next alphanumeric string is found at the beginning of a line (which is taken to be the next mnemonic, and thus the beginning of a new entry). Comments may be embedded beginning with a # character. Each entry in op.access has the following form:

    mnemonic command [ arg ... ] ; [ option ... ]

where the fields are interpreted in the following manner:

mnemonic    a unique, alphanumeric identifier for each operator function.

command     the full pathname of the executable to be run by op when the associated mnemonic is chosen.

arg(s)      any arguments, either literal or variable, needed by command. Literal arguments are simply specified directly, like specific command options (0Gun) or files (/dev/rmt20). Variable arguments are specified here as $1, $2 ... $n; these are described more fully in the options section below.
            $* indicates any number of trailing arguments.

option(s)   a set of optional parameters to specify settings or restrictions for the particular mnemonic, define the variable arguments specified for the command, and define environment variable settings. Options are separated by white space and are of the form keyword=value. The absence of a specific option means the default is sufficient. The value can be a single value or a list of values separated by commas, where appropriate. There should be no white space in each element of the value string unless quoted. The keyword is any of the following types:

    uid     Set the user id to the value specified. The value can be a numeric user ID or a login name. The default is root.

    gid     Set the group ids to the values specified. Each value can be a numeric group ID or a group name.

    dir     Change the current working directory to the path specified.

    chroot  Change the root directory to the path specified using chroot.

    umask   Set the file creation umask to the octal value specified. The default is to set it to 022.

    groups  Allow any user who belongs to a group listed here to execute this op function. The default is not to allow any specific group.

    users   Allow any user listed here to execute this op function. The default is not to allow any specific users. You may use the regular expression .* to indicate that all users may use this mnemonic.

    $n      defines the nth variable argument specified in the command arg list. The value for this type may be a comma-separated list of regular expressions using regex(3). This option defines the range of values allowed for that variable argument. A variable argument specified as a command arg but not described in the options section may take on any value.
            If an argument does not match any of its permitted values, then a diagnostic is printed and the command is not executed.

    $*      is used in the options section to place restrictions on the trailing arguments specified as $* in the args section. If any of these (possibly many) arguments do not match, then a diagnostic is printed, and the command is not executed.

    $VAR    where VAR is the name of an environment variable. The specified environment variable is set to the value given before the command is executed. As a special case, simply using $VAR with no = part (as in $USER) means that this environment variable is inherited unchanged from the caller's shell.

There can also be a special entry in the file, beginning at the first non-comment line, that defines default values to override the builtin defaults listed here, yet can still be overridden by any entry that wants to redefine any of the keyword fields described above. It should have the following format:

    DEFAULT keyword_option ...

where keyword_option is one of the keyword=value strings mentioned above under options.

It should be noted that if any regular mnemonic entry defines its own option, the value given for that entry must explicitly include the item from the DEFAULT line if the default value is to be included. That is, the options definitions completely override any defaults; they do not add to them. In this way, if a value specified on the DEFAULT line for users or groups (for example) needs to be "erased" without redefining new values (that is, we want no users or groups to be allowed to run this mnemonic), then the default value must be overridden with nothing (as in users=). For the users and groups fields, such a null setting has the effect of setting the list of allowable users or groups to be empty.
For the other keywords (uid, gid, dir, chroot, and umask), a null setting leaves that attribute as it is upon invocation of the op program, overriding any defaults.

This file format may seem complex at first glance, but is actually intuitive and flexible. An example op.access file might look like:

# first, define the site defaults we want to use here
# we would like the people in `operator' group to be able to execute
# almost everything, so it is easier to put it here than on every line...
# set up default envariables
#
DEFAULT groups=operator $USER $TERM $PATH=/usr/ucb:/usr/bin:/bin
#
# find out who's filled up the disk; anyone may do this
#
full /usr/etc/quot $1; users=.*
#
# filesystem backups
#
daily /etc/dump 5Gun $1; $1=/,/usr[0-9]*,/project
weekly /etc/dump 0Gun $1; $1=/,/usr[0-9]*,/project
#
# tape handling commands
# must include `operator' if we want them to be allowed as well
#
tape /etc/tpc $1 $2; groups=tapeopers,operator users=boss
    $1=enable,disable,stop,restart $2=all,unit[01]
#
mounted /etc/tpc mounted unit$1 $2; $1=[0-3]
#
# taking the system down
# $1 shows a good use of regular expressions;
# $2 can be anything, but is required; no instant shutdowns
#
shutdown /etc/shutdown -h $1 $2; $1=+[1-9][0-9]*,[0-9]*:[0-9]*
reboot /etc/shutdown -r $1 $2; $1=+[1-9][0-9]*,[0-9]*:[0-9]*
#
# start up disco daemon
disco /etc/opbin/start_disco; uid=disco gid=proj dir=/scratch
    umask=027 groups=geo,disco users=snoopy,linus
    $USER=disco $SHELL=/bin/shell
#
# let certain people mount and unmount the removable drive
#
rdsmount /etc/mount $1 $2; groups=operator,swdev,disco users=bob,steve $1=/dev/dd0[a-g] $2=/.*
rdsumount /etc/umount $1; groups=operator,swdev,disco users=bob,steve $1=/dev/dd0[a-g]
#
# allow operators to give files away; notice that
# they must give at least two args, but may give more
#
chown /etc/chown $1 $2 $*; $1=[a-z0-9][a-z0-9]*
#
# permit development personnel to run install
#
inst /usr/bin/install -o root -g system $1 $2; groups=devel
    $2=/bin,/usr/bin,/usr/ucb,/usr/new,/usr/local
#
nfsmount /etc/mount -o timeo=100,hard,intr $1 $2; groups=devel,operator
    $1=\([a-zA-Z0-9_]*\):\(.*\) $2=/remote/\1\2

Some example command lines using op, given the above op.access file, might be:

    % op full /usr1
    % op weekly /usr1
    % op tape disable unit0
    % op reboot 17:30 "We have to fix our network."
    % op disco
    % op rdsmount /dev/dd0c ~/mystuff
    % op mounted 3 8688
    % op chown jim /tmp/bill/*
    % op inst less /usr/local
    % op nfsmount convexs:/usr/src /remote/convexs/usr/src

Note that the following commands would not work because they would not match the back-reference specifications in the nfsmount mnemonic:

    op nfsmount convexs:/usr/src /remote/foobar/usr/src
    op nfsmount convexs:/usr/src /remote/convexs/src

In summary, the op program allows the system manager to give out limited system privileges without compromising the root password. The system can be easily tuned to the needs of a specific site. The environment in which these commands execute can be tightly controlled and their arguments checked for valid values. For security reasons, a log is kept of all commands run. Careful application of the op program can result in a stabler system.
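The following is an added illustration, not part of the paper and not CONVEX's op source. It models, in Python, the decisions the op.access format description and the example file above call for: parsing entries and the DEFAULT line (with the "override, not add" rule for keywords), deciding whether a caller is in the users or groups list, checking each $n and $* argument against its comma-separated regex(3) list, and assembling the environment from $VAR and $VAR=value settings. The paper does not spell out a few details, so these are assumptions made here: a pattern must match the whole argument; patterns are in the regex(3) BRE dialect (\( \) group, a bare + is literal); a \N back-reference in a later $n pattern refers to the N-th group captured by earlier variable arguments, which is how the nfsmount entry reads; and the command receives only the environment variables its entry or the DEFAULT line names. SAMPLE is a constructed subset of the paper's example file plus one extra entry, halt, to show a null groups= setting.

```python
# Model of the checks op makes against op.access before it executes a command
# (added example, not CONVEX's op source).  Assumed, as the paper does not say:
# a pattern must match the whole argument and is a regex(3) BRE; \N in a later $n
# pattern is the N-th group captured so far; only the env vars named are passed.
import re

ARGVAR = re.compile(r"\$\d+$")                   # $1, $2 ... in the arg list

def _split_options(words):
    """'groups=a,b' -> ['a', 'b']; 'users=' (null) -> []; bare '$USER' -> None."""
    opts = {}
    for w in words:
        key, eq, val = w.partition("=")
        opts[key] = (val.split(",") if val else []) if eq else None
    return opts

def parse_access(text):
    """(defaults, entries); an entry starts in column 0 and runs to the next one."""
    blocks, defaults, entries = [], {}, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()     # '#' begins a comment
        if line.strip() and (line[0].isalnum() or not blocks):
            blocks.append([line])                # alphanumeric in column 0: new entry
        elif line.strip():
            blocks[-1].append(line)              # continuation line
    for block in blocks:
        head, _, tail = " ".join(block).partition(";")
        f = head.split()
        if f[0] == "DEFAULT":
            defaults.update(_split_options(f[1:]))
        else:
            entries[f[0]] = dict(command=f[1], args=f[2:], options=_split_options(tail.split()))
    return defaults, entries

def _bre_to_py(pat):
    r"""regex(3) BRE -> Python re: \( \) group; bare + ? | ( ) { } are literal."""
    return re.sub(r"\\([()])|([+?|(){}])", lambda m: m.group(1) or "\\" + m.group(2), pat)

def _match_any(patterns, value, captured):
    """Groups captured by the first pattern matching all of value, else None."""
    back = lambda m: re.escape(captured[int(m.group(1)) - 1])   # \N -> earlier capture
    for pat in patterns:
        m = re.fullmatch(re.sub(r"\\(\d)", back, _bre_to_py(pat)), value)
        if m:
            return list(m.groups())
    return None

def allowed(defaults, entry, user, user_groups):
    """users= holds regexes (users=.* admits anyone); groups= holds literal names."""
    opts = {**defaults, **entry["options"]}      # a keyword replaces DEFAULT's outright
    if any(re.fullmatch(_bre_to_py(p), user) for p in opts.get("users") or []):
        return True
    return bool(set(opts.get("groups") or []) & set(user_groups))

def check_args(entry, argv):
    """Check argv against the $n / $* restrictions and return the command line."""
    spec, opts = entry["args"], entry["options"]
    npos, captured = sum(1 for a in spec if ARGVAR.match(a)), []
    if len(argv) < npos or (len(argv) > npos and "$*" not in spec):
        raise ValueError(f"{entry['command']}: wrong number of arguments")
    for n, value in enumerate(argv, start=1):
        patterns = opts.get(f"${n}" if n <= npos else "$*")
        if patterns:                             # no restriction given: any value
            groups = _match_any(patterns, value, captured)
            if groups is None:
                raise ValueError(f"argument {n} ({value!r}) is not permitted")
            captured += groups
    cmd = [entry["command"]]
    for a in spec:
        cmd += argv[npos:] if a == "$*" else [argv[int(a[1:]) - 1] if ARGVAR.match(a) else a]
    return cmd

def build_env(defaults, entry, caller_env):
    """$VAR=value sets a variable; a bare $VAR inherits it from the caller."""
    opts, env = {**defaults, **entry["options"]}, {}
    for key, val in opts.items():
        if key.startswith("$") and key != "$*" and not ARGVAR.match(key):
            if val is not None or key[1:] in caller_env:
                env[key[1:]] = ",".join(val) if val is not None else caller_env[key[1:]]
    return env

def authorize(config, user, user_groups, mnemonic, argv, caller_env=None):
    """Everything op checks before exec: (command line, environment) or an error."""
    defaults, entries = parse_access(config)
    entry = entries.get(mnemonic)
    if entry is None or not allowed(defaults, entry, user, user_groups):
        raise PermissionError(f"{user} may not run {mnemonic}")
    return check_args(entry, argv), build_env(defaults, entry, caller_env or {})

# Constructed sample: a subset of the paper's file plus 'halt', whose groups= and
# users= replace the DEFAULT lists rather than adding to them.
SAMPLE = r"""DEFAULT groups=operator $USER $TERM $PATH=/usr/ucb:/usr/bin:/bin
full /usr/etc/quot $1; users=.*
daily /etc/dump 5Gun $1; $1=/,/usr[0-9]*,/project
shutdown /etc/shutdown -h $1 $2; $1=+[1-9][0-9]*,[0-9]*:[0-9]*
chown /etc/chown $1 $2 $*; $1=[a-z0-9][a-z0-9]*
nfsmount /etc/mount -o timeo=100,hard,intr $1 $2; groups=devel,operator
    $1=\([a-zA-Z0-9_]*\):\(.*\) $2=/remote/\1\2
halt /etc/halt; groups= users=root
"""
```

With SAMPLE, authorize(SAMPLE, "bob", ["operator"], "daily", ["/dev/rmt16"]) raises ValueError because the tape device is not one of the permitted file systems, which is the transposed-dump pitfall from the text; the two nfsmount lines the paper lists as rejected fail the same way once \1 and \2 have been filled in from the first argument. Note that the caller's HOME, or anything else not named by the entry or the DEFAULT line, never reaches the command's environment under the assumption made here.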