Re: [systemd-devel] grant users access to certain services only
On Fri, 21.08.15 13:29, Christian Seiler (christ...@iwakd.de) wrote:

> On 21.08.2015 12:04, Jóhann B. Guðmundsson wrote:
> > Should not the solution for this be tied to the user and group field
> > mentioned in the unit so for example the postgresql type service unit
> > contains...
> >
> > User=postgres
> > Group=postgres
> >
> > Which would mean that the postgres user could start, stop, restart, reload
> > the postgresql.service as well as any user that has been added to the
> > postgres group?
>
> For postgres it would probably solve this problem (as long as it's
> configurable), the question is whether you'd maybe rather want something
> a bit more generic for the future.
>
> I would suggest a setting like
>
> UnitControl=alice bob group:foobar
>
> that would enable alice, bob and everybody in group foobar to control
> that specific unit. (The name for the setting is debatable.)
>
> That would be quite simple but still very flexible and generic. The only
> problem I see is that for this to be useful, you'd need to be able to
> resolve the names, and you don't want to do that in pid 1. Question is
> whether PolicyKit (not pid 1) can do that check for systemd with systemd
> just passing along the whitelist somehow. (Don't know too much about
> PolicyKit yet to answer that question myself, unfortunately.) The same
> problem also applies to the solution of tying it to User=/Group=, however.

systemd is not the place to implement ACL policy in. PolicyKit is that
place. Hence: we should just pass the unit name to PK, and that's it. If
you want to allow specific users access to an action on a unit, then
encode that in PK rules.

Lennart

--
Lennart Poettering, Red Hat

___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel
Re: [systemd-devel] grant users access to certain services only
On 21.08.2015 12:04, Jóhann B. Guðmundsson wrote:
> Should not the solution for this be tied to the user and group field
> mentioned in the unit so for example the postgresql type service unit
> contains...
>
> User=postgres
> Group=postgres
>
> Which would mean that the postgres user could start, stop, restart, reload
> the postgresql.service as well as any user that has been added to the
> postgres group?

For postgres it would probably solve this problem (as long as it's
configurable), the question is whether you'd maybe rather want something
a bit more generic for the future.

I would suggest a setting like

UnitControl=alice bob group:foobar

that would enable alice, bob and everybody in group foobar to control
that specific unit. (The name for the setting is debatable.)

That would be quite simple but still very flexible and generic. The only
problem I see is that for this to be useful, you'd need to be able to
resolve the names, and you don't want to do that in pid 1. Question is
whether PolicyKit (not pid 1) can do that check for systemd with systemd
just passing along the whitelist somehow. (Don't know too much about
PolicyKit yet to answer that question myself, unfortunately.) The same
problem also applies to the solution of tying it to User=/Group=, however.

Just my 2c.

Christian
Re: [systemd-devel] grant users access to certain services only
On Fri, Aug 21, 2015 at 01:50:31PM +0300, Mantas Mikulėnas wrote:
> On Fri, Aug 21, 2015 at 1:43 PM, Dominick Grift wrote:
> > On Fri, Aug 21, 2015 at 01:38:28PM +0300, Mantas Mikulėnas wrote:
> > > Do they have access to `cat /proc/self/mounts`?
> >
> > Ouch yes... ok that is a dead end I suppose
>
> Right. That was my point. Restricting individual commands like `mount` is
> no good if you can't restrict the actual mechanism they all use…
>
> Mount namespaces might help here, as long as you don't use udisks/udisks2
> (which, aside from leaking the same information, wouldn't even function
> correctly with per-user namespaces).
>
> [Though I don't really understand the point of hiding logged-in UIDs at
> all... Isn't hidepid=2 enough?]

Yes, I agree. It is pretty solid. I suppose I wanted to see how far I could
go. This is obviously a no-go.

> --
> Mantas Mikulėnas

--
02DFF788 4D30 903A 1CF3 B756 FB48 1514 3148 83A2 02DF F788
http://keys.gnupg.net/pks/lookup?op=vindex&search=0x314883A202DFF788
Dominick Grift
Re: [systemd-devel] grant users access to certain services only
On Fri, Aug 21, 2015 at 1:43 PM, Dominick Grift wrote:
> On Fri, Aug 21, 2015 at 01:38:28PM +0300, Mantas Mikulėnas wrote:
> > Do they have access to `cat /proc/self/mounts`?
>
> Ouch yes... ok that is a dead end I suppose

Right. That was my point. Restricting individual commands like `mount` is
no good if you can't restrict the actual mechanism they all use…

Mount namespaces might help here, as long as you don't use udisks/udisks2
(which, aside from leaking the same information, wouldn't even function
correctly with per-user namespaces).

[Though I don't really understand the point of hiding logged-in UIDs at
all... Isn't hidepid=2 enough?]

--
Mantas Mikulėnas
Re: [systemd-devel] grant users access to certain services only
On Fri, Aug 21, 2015 at 01:38:28PM +0300, Mantas Mikulėnas wrote:
> Do they have access to `cat /proc/self/mounts`?

Ouch yes... ok that is a dead end I suppose

> --
> Mantas Mikulėnas

--
Dominick Grift
Re: [systemd-devel] grant users access to certain services only
On Fri, Aug 21, 2015 at 1:29 PM, Dominick Grift wrote:
> On Fri, Aug 21, 2015 at 01:10:51PM +0300, Mantas Mikulėnas wrote:
> > > I think it kind of sucks that systemctl --user list-units can be used to
> > > determine who is currently logged in. (It shows active mount units for
> > > XDG_RUNTIME_DIR and since those have the UID as name you can see who is
> > > logged in.)
> >
> > Hmm, and `findmnt` doesn't?
>
> Unpriv users do not have access to mount or findmount in my system, and
> for example df -h does not list them because the user is not allowed to
> get attributes of tmpfs file systems. So /run/user mounts do not show up
> in df -h.

Do they have access to `cat /proc/self/mounts`?

--
Mantas Mikulėnas
Re: [systemd-devel] grant users access to certain services only
On Fri, Aug 21, 2015 at 08:25:56PM +1000, Daurnimator wrote:
> On 21 August 2015 at 19:57, Dominick Grift wrote:
> > I think it kind of sucks that systemctl --user list-units can be used to
> > determine who is currently logged in.
>
> You can see with `loginctl list-users` too

My restricted users currently cannot run loginctl. If they could then there
may or may not be a way to transparently deny access to that info using
SELinux (not sure, I would have to try it).

> I once tried to prevent getting a list of users, but it's hard... I locked
> out:
> - `w` and `who` (uses /var/run/utmp; do chmod o-r)
> - `grep -h '^Uid:' /proc/*/status | sort -u` (prevent with procfs
>   option hidepid=2)
> - ls /run/user (do chmod o-r)

I think I do have it working currently (at least mostly), except for
systemctl --user list-units.

I am basically using SELinux to isolate processes based on roles and types:

access to wtmp is denied with TE
access to process state is isolated using RBACSEP
access to df -h is restricted to generic file systems only (tmpfs fs doesn't show up)
access to pts/ttys and other "files" is isolated using RBACSEP

--
Dominick Grift
Re: [systemd-devel] grant users access to certain services only
On Fri, Aug 21, 2015 at 01:10:51PM +0300, Mantas Mikulėnas wrote:
> > I think it kind of sucks that systemctl --user list-units can be used to
> > determine who is currently logged in. (It shows active mount units for
> > XDG_RUNTIME_DIR and since those have the UID as name you can see who is
> > logged in.)
>
> Hmm, and `findmnt` doesn't?

Unpriv users do not have access to mount or findmount in my system, and
for example df -h does not list them because the user is not allowed to
get attributes of tmpfs file systems. So /run/user mounts do not show up
in df -h.

> `systemd --user` runs with the same privileges as the user, anyway. So if
> your SELinux policy is more permissive to systemd than regular programs,
> it's a bit weird, not to mention possibly insecure.

From an SELinux policy perspective systemd-user has more permissions than
the user shell in my policy. However systemd-user will run whatever it can
run with the permissions of the user shell and not with its own
permissions. So you cannot use systemd-user to escalate privileges
(although that is the design, I may have overlooked stuff as it is pretty
complex to contain).

I am pretty sure that some bright person can find some "holes" in my policy
but it's far better than no SELinux at all and it's better than Fedora's
current SELinux policy for restricted users.

> --
> Mantas Mikulėnas

--
Dominick Grift
Re: [systemd-devel] grant users access to certain services only
On 21 August 2015 at 19:57, Dominick Grift wrote:
> I think it kind of sucks that systemctl --user list-units can be used to
> determine who is currently logged in.

You can see with `loginctl list-users` too

I once tried to prevent getting a list of users, but it's hard... I locked
out:
- `w` and `who` (uses /var/run/utmp; do chmod o-r)
- `grep -h '^Uid:' /proc/*/status | sort -u` (prevent with procfs
  option hidepid=2)
- ls /run/user (do chmod o-r)
Re: [systemd-devel] grant users access to certain services only
On Fri, Aug 21, 2015 at 12:57 PM, Dominick Grift wrote:
> Made a demo because I was bored:
> https://www.youtube.com/watch?v=KrK5a7D77l0
>
> In practice though this is probably not an option for you. It is very
> expensive. However it is (optionally) supported by systemd and I just
> wanted to counter the misinformation.
>
> I think it kind of sucks that systemctl --user list-units can be used to
> determine who is currently logged in. (It shows active mount units for
> XDG_RUNTIME_DIR and since those have the UID as name you can see who is
> logged in.)

Hmm, and `findmnt` doesn't?

`systemd --user` runs with the same privileges as the user, anyway. So if
your SELinux policy is more permissive to systemd than regular programs,
it's a bit weird, not to mention possibly insecure.

--
Mantas Mikulėnas
Re: [systemd-devel] grant users access to certain services only
On 08/20/2015 10:02 PM, Lennart Poettering wrote:
> On Thu, 20.08.15 23:41, Michael Biebl (mbi...@gmail.com) wrote:
> > Hi,
> >
> > say I wanted to grant an unprivileged userA the ability to
> > systemctl start/stop/restart/reload foo.service
> > and only grant this for foo.service.
> >
> > Is there a way to achieve that without resorting to using hacks like
> > sudo or a suid binary? From a cursory look, the existing PolicyKit
> > rules are too coarse grained for this.
>
> Correct. This is currently not supported. That said, we could open this
> up, as PolicyKit allows parameterizing actions. I'd be happy to take a
> patch for this, and I figure it wouldn't even be a particularly complex
> patch... (in lieu of a patch, submit a github RFE...)

Should not the solution for this be tied to the user and group field
mentioned in the unit so for example the postgresql type service unit
contains...

User=postgres
Group=postgres

Which would mean that the postgres user could start, stop, restart, reload
the postgresql.service as well as any user that has been added to the
postgres group?

JBG
Re: [systemd-devel] grant users access to certain services only
Made a demo because I was bored:
https://www.youtube.com/watch?v=KrK5a7D77l0

In practice though this is probably not an option for you. It is very
expensive. However it is (optionally) supported by systemd and I just
wanted to counter the misinformation.

I think it kind of sucks that systemctl --user list-units can be used to
determine who is currently logged in. (It shows active mount units for
XDG_RUNTIME_DIR and since those have the UID as name you can see who is
logged in.)

Also, unpriv users can get status of system services by default?

--
Dominick Grift
Re: [systemd-devel] grant users access to certain services only
systemd has a built-in extension to the SELinux MAC framework. If that, and
SELinux, is enabled, then you can use the SELinux framework and the systemd
SELinux extension to configure which services may be controlled by specified
processes on a fine-grained level using mandatory access control.

PolicyKit to allow unpriv users to manage system services, with an
additional layer of SELinux MAC config to narrow that down to only specified
services: by labeling the units and systemctl, you specify which labeled
unit a labeled systemctl can control.

allow joe_systemctl_t postgresql_unit_t:service { start stop status };

--
Dominick Grift
Re: [systemd-devel] grant users access to certain services only
On Thu, 20.08.15 23:41, Michael Biebl (mbi...@gmail.com) wrote:
> Hi,
>
> say I wanted to grant an unprivileged userA the ability to
> systemctl start/stop/restart/reload foo.service
> and only grant this for foo.service.
>
> Is there a way to achieve that without resorting to using hacks like
> sudo or a suid binary? From a cursory look, the existing PolicyKit
> rules are too coarse grained for this.

Correct. This is currently not supported. That said, we could open this
up, as PolicyKit allows parameterizing actions. I'd be happy to take a
patch for this, and I figure it wouldn't even be a particularly complex
patch... (in lieu of a patch, submit a github RFE...)

Lennart

--
Lennart Poettering, Red Hat
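The parameterized PolicyKit check Lennart describes here (and settles on in his reply to Christian) is what a per-unit grant for Michael's userA/foo.service case looks like once systemd passes the unit name and verb to PK. The following is an added example, not code from the thread or from systemd: it assumes a systemd that attaches `unit` and `verb` as details of the `org.freedesktop.systemd1.manage-units` action, and the `polkit` object is a minimal stand-in for what polkitd provides to files in /etc/polkit-1/rules.d/, so the rule's decisions can be exercised offline.

```javascript
// Added example (not from the thread): a polkit rules-file entry that lets
// userA start/stop/restart/reload foo.service and nothing else, plus a small
// stand-in for polkitd's `polkit` object so the rule can be evaluated offline.
// Assumes a systemd that passes `unit` and `verb` as details of the
// org.freedesktop.systemd1.manage-units action.

// Stand-in for the global that polkitd provides to files in /etc/polkit-1/rules.d/.
const polkit = {
  Result: { YES: "yes", NO: "no", NOT_HANDLED: "not_handled" },
  rules: [],
  addRule(fn) { this.rules.push(fn); },
};

// ---- rules-file content begins (e.g. 10-foo-service.rules) ----
polkit.addRule(function (action, subject) {
  if (action.id !== "org.freedesktop.systemd1.manage-units") {
    return; // not ours: fall through to other rules / the action's defaults
  }
  const allowedVerbs = ["start", "stop", "restart", "reload"];
  if (subject.user === "userA" &&
      action.lookup("unit") === "foo.service" &&
      allowedVerbs.indexOf(action.lookup("verb")) !== -1) {
    return polkit.Result.YES;
  }
  // Anything else (other units, other verbs, other users) returns nothing,
  // leaving the decision to later rules and the action's implicit authorization.
});
// ---- rules-file content ends ----

// Evaluate the registered rules the way polkitd does: the first rule that
// returns a result decides; if none does, the action's defaults apply.
// `details` models the key/value pairs behind action.lookup().
function authorize(actionId, details, user) {
  const action = { id: actionId, lookup: (key) => details[key] };
  const subject = { user };
  for (const rule of polkit.rules) {
    const result = rule(action, subject);
    if (result !== undefined) return result;
  }
  return polkit.Result.NOT_HANDLED;
}

// Constructed sample request: userA restarting foo.service is granted outright,
// while the same user touching bar.service is left to the defaults.
console.log(authorize("org.freedesktop.systemd1.manage-units",
  { unit: "foo.service", verb: "restart" }, "userA")); // yes
console.log(authorize("org.freedesktop.systemd1.manage-units",
  { unit: "bar.service", verb: "restart" }, "userA")); // not_handled
```

Restricting by `verb` matters because manage-units also covers operations such as masking a unit, which a start/stop grant should not imply.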
[systemd-devel] grant users access to certain services only
Hi,

say I wanted to grant an unprivileged userA the ability to
systemctl start/stop/restart/reload foo.service
and only grant this for foo.service.

Is there a way to achieve that without resorting to using hacks like
sudo or a suid binary? From a cursory look, the existing PolicyKit
rules are too coarse grained for this.

This was raised as a use case from one of our Debian users, where the
postgres user should be able to start/stop/restart/reload the postgresql
service.

Cheers,
Michael

--
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?