| === scoobydoob is now known as scoobydoo | ||
| patdk-lap | seems overly complex, why not use the ipv6 space that is already mapped for ipv6 | 01:03 |
|---|---|---|
| === scoobydoob is now known as scoobydoo | ||
| PeGaSuS | hello guys! so, I'm opening a public BNC service and I'd need that the `bnc` user to be able to edit the netplan config file to add the IPs from where each ZNC would would connect (the bindhost IP) and also use `netplan apply`. what would the the best way to achieve this? | 07:36 |
| rfm | PeGaSuS, sudo was designed to allow fine tuned control like this. best thing I can think of is to write a couple scripts, one that adds an IP to the list in netplan, one that does the netplan apply, and then use sudoers to grant the bnc user the right to run them. | 07:44 |
| PeGaSuS | the IP adding and applying would be done via this script would be automatically done by this script (it does work as root):https://0bin.xyz/paste/r4atJxjljPgw0+U8#mtq4cs5vxypSUewVsjVI+ubRdmk7J2WE3HEOSNCEKSS | 07:44 |
| PeGaSuS | right. I'll need to read about how to give permissions to certain commands via sudoers file | 07:45 |
| PeGaSuS | I'm wondering how accurate is this: https://kifarunix.com/run-only-specific-commands-with-sudo-in-linux/#:~:text=So%20it%20is%20possible%20to,under%20the%20%2Fetc%2Fsudoers. | 07:48 |
| rfm | PeGaSuS, certainly looks ok to me at a first glance | 07:48 |
| rfm | PeGaSuS, you might want to grind through the sudoers(6) man page to make sure you know what you are doing before you make the edits | 07:50 |
| PeGaSuS | I mean, I kinda know how things works but I'm always afraid of messing up. but there's no success without failure :) | 07:51 |
| PeGaSuS | this looks nice too: https://serverfault.com/questions/206827/sudoers-config-to-allow-edit-of-files-in-particular-directory-and-children | 07:54 |
| PeGaSuS | I'll get into it as soon as I arrive home and see what I can cook ;) | 07:54 |
| tomreyn | PeGaSuS: If those are user supplied inputs (specifically, theUser), and you don't fully trust them, some form of input validation is probably also a good idea. Bash isn't ideal for this, but even there it's possible to some degree. E.g. you wouldn't want someone to take the username of "`echo '...' >> /root/.ssh/authorized_keys`" or similar. | 08:47 |
| PeGaSuS | those are supplied inputs but only by the staff (those that will have access to the shell account). that's why I want to limit them to edit the netplan file and apply the new config | 10:48 |
| PeGaSuS | I do trust the people that "work" with me but we never know ¯\_(ツ)_/¯ | 10:49 |
| PeGaSuS | can someone point me to "for stupid people" tutorial about setfacl? | 20:21 |
| sarnold | hah, cute, our wiki page doesn't seem to have examples of adding facls.. https://help.ubuntu.com/community/FilePermissionsACLs | 20:22 |
| sarnold | ah, well, it does, but for groups. maybe that makes sense.. | 20:23 |
| PeGaSuS | I'm relly having a brain stroke today -_- | 20:23 |
| sarnold | aha, "Creating ACLs" on https://linuxgazette.net/152/prestia.html has nice short example :) | 20:24 |
| ahasenack | I feel sad that ACLs are not leveraged as much in normal linux systems | 20:37 |
| ahasenack | same thing for capabilities | 20:37 |
| ahasenack | squid is one package I know of which drops the suid bit on an executable in favor of capabilities | 20:38 |
| ahasenack | https://pastebin.ubuntu.com/p/w3vMNhQgws/ | 20:38 |
| sarnold | it's *really* unfortunate that packages have to go through this kind of hassle in maintainer scripts to use them | 20:40 |
| sarnold | but systemd service files make it easy to grant just specific caps to a program, and then only when started in the expected environment, rather than when run by any old process that can find it in the filesystem | 20:41 |
| sarnold | of course, other systemd things means even the caps aren't nearly as important as they used to be -- when systemd can do socket activation, or change uid and gid for the program, or set resource limits, etc etc etc | 20:41 |
| PeGaSuS | pls tell me that this only allow user root and user bnc to edit the `/etc/netplan/50-cloud-init.yaml`: https://0bin.xyz/paste/kYVSNeMUA25q8d3E#6NP1I+PvF8UhuTj91qELUECvsgO33dCOq25PnwJNb8f | 20:42 |
| sarnold | PeGaSuS: yeah, that's what it looks like; bnc can also *execute* the file, which might be surprising | 20:44 |
| ahasenack | I don't even know what that squid pinger is used for, I'm guessing it's started by squid itself, and will thus inherit the capabilities and such from the squid main systemd service file | 20:45 |
| ahasenack | I just checked and the main squid apparmor file has rules because of pinger, instead of switching to a child profile | 20:46 |
| sarnold | it's been ages, but I think the pinger is used when you've got a network of squids acting in concert to provide multi-level caching | 20:46 |
| PeGaSuS | I tried only rw but that gave me a `./userip.sh: line 4: /etc/netplan/50-cloud-init.yaml: Permission denied`. the script is: https://0bin.xyz/paste/rXqqzQpZ7MRYz+LE#Zz9g+xMzK9R5tOD9mn7Sdkxt4UyfymkdAfwCrNWFG2x | 20:48 |
| sarnold | PeGaSuS: the directory needs the 'x', the file doesn't | 20:48 |
| sarnold | PeGaSuS: so, what happens when someone uses the username `touch /tmp/hello` or $(shutdown -r now) or similar? | 20:49 |
| blackboxsw | PeGaSuS: as non-root user I don't think you can append output via >> some-root-readonlyfile | 20:49 |
| sarnold | blackboxsw: https://0bin.xyz/paste/kYVSNeMUA25q8d3E#6NP1I+PvF8UhuTj91qELUECvsgO33dCOq25PnwJNb8f has some setfacl things | 20:50 |
| PeGaSuS | oh. so, `setfacl -m u:bnc:rwx /etc/netplan` and `setfacl -m u:bnc:rw /etc/netplan`? also, the username that i pass as `theUser` must be a valid IRC nickname with only [a-zA-Z0-9] | 20:51 |
| PeGaSuS | erm.. `setfacl -m u:bnc:rw /etc/netplan/50-cloud-init.yaml`? | 20:51 |
| sarnold | PeGaSuS: I think some "" around the variables in the script would help; I'm a big fan of belts and suspenders :) | 20:52 |
| sarnold | PeGaSuS: I like those setfacls more, yeah | 20:52 |
| blackboxsw | ahh sarnold sry did't have context there | 20:53 |
| sarnold | blackboxsw: yeah, it'd be easy to miss :) hehe | 20:53 |
| PeGaSuS | sarnold: I have the $theUser and $theIP variables inside quotes though xD | 20:53 |
| sarnold | PeGaSuS: I'm rusty enough on shell scripts that this scares me regardless :) | 20:54 |
| PeGaSuS | well guys, the important is that all works as expected so I can give staff the password for the shell account so we can start our public ZNC service | 20:56 |
| PeGaSuS | thanks for all the help folks :D | 20:56 |
| sarnold | thanks for giving each user their own ipv6 :) that's a big help in dealing with abuse :) | 20:57 |
| PeGaSuS | thats exactly the major reason to give each user their own IPv6 address (especially since I own a /64 block) along with proper identd responses :D | 20:58 |
| PeGaSuS | I'm a network owner and I know how hard is to fight with spam and abusers. although changing the network policy to only allow TLS connections help dropping drone attacks and such | 21:00 |
Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!