Re: mdo(1) run as another user without setuid bit

From: Tomek CEDRO <tomek_at_cedro.info>
Date: Tue, 14 May 2024 13:04:57 UTC

On Tue, May 14, 2024 at 9:17 AM Baptiste Daroussin wrote:
> Hello everyone,
> This is an idea that I have been thinking about for a while (actually since
> 2015) and that I have been trying to implement a couple of days ago.
> On server usage of FreeBSD one thing which often happens is we segregate services
> with their own users (service_user).
> We also give access to the administrators of those services via their own ssh
> keys on their own user (foo) account and of course we want to allow "foo" to run
> some commands as "service_user" or get "service_user" privileges.
> Usually this is done via some sudo or some doas configuration which both
> involve first becoming root via the setuid bit.
> In many cases doas or sudo are overkill for this sole purpose. To cover this
> need, I thought we could write a very simple tool which will leverage the mac
> framework to make sure we could switch credentials without the need of the
> setuid root.
> Here comes the idea of mac_do(4) policy.
> This is a kernel module policy which allows calling setuid and setgroup from a
> non root user, according to some policy root and if the request comes from the
> /usr/bin/mdo binary.
> (..)

So when I have several users / client accounts to manage I can use my
standard non-root user to perform actions on behalf of enabled users...
just like su client1 but without providing a password? Will the env also
be switched to that target user? :-)

--
CeDeROM, SQ7MHZ, http://www.tomek.cedro.info