Create limited Linux user

Is there a way to create a limited Linux user and decide on the commands they could run? For example only allow them to run a list of commands found in a certain file?

fwconsole chown
yum update -y
fwconsole ma upgradeall

To list a few I might include.

I think ‘sudo’ is the “right” way to solve that.

2 Likes

sudo is indeed the recommended way to elevate the privilege of any Linux user.

Do you need the user to have blind access (very dangerous) or would the privilege be conditional on a successful password?

2 Likes

I envision the privilege being protected by password. Once logged in they could run a list of approved commands such as

fwconsole ma upgradeall
date
yum update -y
fwconsole chown

But they would only be able to run the commands that are specified.

fred ALL= /usr/sbin/fwconsole chown,/usr/bin/yum,/usr/sbin/fwconole ma upgradeall

this adds privileges to ‘privileged’ commands, date is ‘unprivileged’

1 Like

Very interesting. I’m unfamiliar with the fred command but will run through some testing. Thank you

hehe, fred is not a command, he is a user of your system and that line is to be added with the visudo command

1 Like

Well, that is embarrassing. Explains why my google search of the command yielded no results!

1 Like

visudo tech ALL= /usr/sbin/fwconsole chown,/usr/bin/yum,/usr/sbin/fwconole ma upgradeall

usage: visudo [-chqsV] [-f sudoers]

It seems to indicate I need to include the -f sudoers in my command. I tried visudo -f sudoers tech …

a)

visudo

(this opens the /etc/sudoers file and won’t save stupid mistakes; it no longer uses vi)

b)

fix my typos

c)
paste at the end

tech ALL= /usr/sbin/fwconsole chown,/usr/bin/yum update,/usr/sbin/fwconsole ma upgradeall

d)
(never blindly copy and paste)

lesson learned. I’ll do some testing. Thank you

Do I need an Asterisk restart for this to take place, you think? At the bottom of /etc/sudoers I have the following:

tech ALL= /usr/sbin/fwconsole chown,/usr/bin/yum update,/usr/sbin/fwconsole ma upgradeall

but when I run one of the commands logged in as tech I see the following:

[tech@freepbx ~]$ fwconsole chown
PHP Warning:  include_once(/etc/freepbx.conf): failed to open stream: Permission denied in /var/lib/asterisk/bin/fwconsole on line 12
PHP Warning:  include_once(): Failed opening '/etc/freepbx.conf' for inclusion (include_path='.:/usr/share/pear:/usr/share/php') in /var/lib/asterisk/bin/fwconsole on line 12
PHP Fatal error:  Class 'Symfony\Component\Console\Application' not found in /var/www/html/admin/libraries/FWApplication.class.php on line 11

[tech@freepbx ~]$ fwconsole ma upgradeall
PHP Warning:  include_once(/etc/freepbx.conf): failed to open stream: Permission denied in /var/lib/asterisk/bin/fwconsole on line 12
PHP Warning:  include_once(): Failed opening '/etc/freepbx.conf' for inclusion (include_path='.:/usr/share/pear:/usr/share/php') in /var/lib/asterisk/bin/fwconsole on line 12
PHP Fatal error:  Class 'Symfony\Component\Console\Application' not found in /var/www/html/admin/libraries/FWApplication.class.php on line 11

from a shell

sudo -U tech -l

should list the sudo raised privileges of the user tech.

no, nothing to do with FreePBX

Matching Defaults entries for tech on freepbx:
    !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin, env_reset, env_keep="COLORS
    DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS
    LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY
    LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET
    XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User tech may run the following commands on freepbx:
    (root) /usr/sbin/fwconsole chown, /usr/bin/yum update, /usr/sbin/fwconsole ma upgradeall

Looks good and would WFM, but I’m not a RedHat kinda guy.

you might need to add rights to /etc/freepbx.conf

tech ALL= /usr/sbin/fwconsole chown,/usr/bin/yum update,/usr/sbin/fwconsole ma upgradeall,/etc/freepbx.conf


1 Like

Ok, I appreciate your help getting this far. I’ll keep digging and let you know what I find.

He did not execute it with sudo.

@mvogel4949 you gave the user “tech” rights to use “sudo” for those commands.
as tech:

sudo yum update -y
sudo fwconsole chown
sudo fwconsole ma upgradeall
1 Like

Can I mark two answers as solutions? It is working now. Thank you to the both of you!

As a heads up to anyone else that might be interested I also had to add the following to the list:

/etc/freepbx.conf,/var/lib/asterisk/bin/fwconsole

so in the end it looked like this:

tech ALL= /usr/sbin/fwconsole chown,/usr/bin/yum update,/usr/sbin/fwconsole ma upgradeall,/etc/freepbx.conf,/var/lib/asterisk/bin/fwconsole

Please be VERY careful with sudo, giving access to

/var/spool/asterisk/voicemail/default/INBOX/*

also gives implicit access to /var/spool/asterisk/voicemail/default/INBOX/…/…/…/…/…/… which is a really bad thing.

giving access to ‘vi’ or ‘less’ also exposes the ability of those binaries to ‘exit to shell’ possibly to your detriment

(you have been warned)

1 Like
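The thread ends with two practical points about sudoers lines: entries are matched against programs (so a data file such as /etc/freepbx.conf in the command list grants nothing useful), and wildcards or shell-capable programs like vi and less widen the grant far beyond what the line appears to say. The checker below is an added example, not code from this thread or from FreePBX: it parses the simple "user host = [(runas)] cmd, cmd" form, renders it the way the quoted `sudo -l -U tech` output does, and reports those pitfalls. The sample sudoers lines and the stub list of executables are constructed for the example; the second line is deliberately risky so the checks have something to flag.

```python
import os
import re
from dataclasses import dataclass

# The thread warns about vi and less; these close relatives behave the same way
# (each can run a shell from inside the program), so a sudo rule for any of them
# is in effect a rule for a shell as the run-as user.
SHELL_ESCAPE_BINARIES = {"vi", "vim", "view", "less", "more"}
WILDCARDS = set("*?[")

# Only the plain user-spec form is handled; aliases, Defaults lines and tags
# such as NOPASSWD: are out of scope for this example.
USER_SPEC = re.compile(
    r"^\s*(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+?)\s*$"
)


@dataclass
class UserSpec:
    user: str
    host: str
    runas: str       # sudo's default when no (RUNAS) is written is root
    commands: list   # (program_path, argument_string) tuples


def parse_user_spec(line: str) -> UserSpec:
    """Parse one sudoers user specification line into its parts."""
    m = USER_SPEC.match(line)
    if not m:
        raise ValueError(f"not a user specification: {line!r}")
    commands = []
    for raw in m.group("cmds").split(","):
        raw = raw.strip()
        if raw:
            path, _, args = raw.partition(" ")
            commands.append((path, args.strip()))
    return UserSpec(m.group("user"), m.group("host"), m.group("runas") or "root", commands)


def has_wildcard(text: str) -> bool:
    return any(ch in WILDCARDS for ch in text)


def lint_user_spec(spec: UserSpec, is_executable=None) -> list:
    """Return findings for the rules in spec.

    is_executable(path) decides whether a path is a runnable program; it defaults
    to the local filesystem, and callers can pass a stub to run without the files.
    """
    if is_executable is None:
        is_executable = lambda p: os.path.isfile(p) and os.access(p, os.X_OK)
    findings = []
    for path, args in spec.commands:
        rule = f"{path} {args}".strip()
        if path == "ALL":
            findings.append(f"{rule}: ALL grants every command as {spec.runas}")
            continue
        if not path.startswith("/"):
            findings.append(f"{rule}: sudoers needs an absolute program path")
            continue
        if has_wildcard(path):
            findings.append(f"{rule}: wildcard in the program path matches any program there")
        elif not is_executable(path):
            findings.append(f"{rule}: not an executable; sudoers lists programs, a data file grants nothing")
        if has_wildcard(args):
            # In argument position a wildcard also matches '/', so '../' components
            # reach outside the directory the pattern seems to restrict it to.
            findings.append(f"{rule}: wildcard argument also matches '../' paths outside that directory")
        if os.path.basename(path) in SHELL_ESCAPE_BINARIES:
            findings.append(f"{rule}: {os.path.basename(path)} can escape to a shell as {spec.runas}")
    return findings


def render_like_sudo_l(spec: UserSpec) -> str:
    """Render the spec in the style of the 'sudo -l' output quoted in the thread."""
    cmds = ", ".join(f"{p} {a}".strip() for p, a in spec.commands)
    return f"User {spec.user} may run the following commands on {spec.host}:\n    ({spec.runas}) {cmds}"


# Constructed samples: the line the thread ended with, and a deliberately risky one.
THREAD_LINE = ("tech ALL= /usr/sbin/fwconsole chown,/usr/bin/yum update,"
               "/usr/sbin/fwconsole ma upgradeall,/etc/freepbx.conf,"
               "/var/lib/asterisk/bin/fwconsole")
RISKY_LINE = "tech ALL= /usr/bin/vi,/bin/cat /var/spool/asterisk/voicemail/default/INBOX/*"

# Stub view of which paths are programs, so the example runs on any machine (constructed).
FAKE_EXECUTABLES = {"/usr/sbin/fwconsole", "/usr/bin/yum",
                    "/var/lib/asterisk/bin/fwconsole", "/usr/bin/vi", "/bin/cat"}


def check_line(line: str) -> list:
    return lint_user_spec(parse_user_spec(line), FAKE_EXECUTABLES.__contains__)


if __name__ == "__main__":
    for line in (THREAD_LINE, RISKY_LINE):
        print(render_like_sudo_l(parse_user_spec(line)))
        for finding in check_line(line):
            print("  WARNING:", finding)
```

Run against the thread's final line it reports only the /etc/freepbx.conf entry; the constructed risky line produces one finding for vi and one for the wildcard argument. To check a real file, call lint_user_spec without the stub so the executable test uses the local filesystem.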