Sudo to the user not to root for readhome#526
Conversation
In scenarios with user home directories in NFS and root_squash active, in this case root accesses the user home directory as user "nobody" and can not read the `~/.opk/auth_id` file. As the username is known, the sudo is using this username to read the file as the user instead of root.
In scenarios with user home directories in NFS and root_squash active, in this case root accesses the user home directory as user "nobody" and can not read the `~/.opk/auth_id` file. As the username is known, the sudo is using this username to read the file as the user instead of root. Signed-off-by: Marco Schmidt <[email protected]>
|
I planned to review this tonight, but I can't quite wrap my head around it at this late hour. I'll have to look at it tomorrow. |
|
Take your time. Opkssh is a security application. It's crucial to examine it carefully ! From my point of view, doing sudo to a user is more secure than sudo to root. |
|
I looked into why we use root and not the username since I wanted to do this back in March 2025. It seems like the user is that:
I think your approach can be made to work, but to keep backwards compatibility we can fall back to using root: If you change it to try username and the fallback to root and then add some unittests. I'll merge your PR. Thanks for looking into this @Kunzol |
|
Thanks for checking. I have never seen a sudo without "-u", but of course, I don't know all systems in the world. In sudoers file the part in the bracket is telling as which user a command can be run. This implies the existence of "-u". It might be worth considering if the sudoers line should be like this, to prevent the opksshuser to get root: Unfortunately I have no clue of programming "go". I work like a AI and check the existing code for something I need and use it. I will try ... |
|
I just tried and found another aspect: If sudo returns an error, it is not clear if the error comes from sudo or from the command which was run by sudo. The returned error code "1" could have these causes:
Only in (1) it makes sense to run sudo again without With But what about (2) and (3) ? I will think about it ... |
|
@Kunzol I don't think we need to determine the exact error. The |
|
I don't like the idea to do sudo again with higher level of access in case of any failure. Additionally I would like to use the timeout option of sudo, to prevent a nasty user with a large auth_id file or other nasty things. Maybe enable "-u" and "-T" only if opkssh was compiled with CGO_ENABLED? |
To differentiate between sudo error and opkssh error I added a special exit code for failure of ```opkssh readhome username``` With the exit code it is possible to choose to start another sudo (on sudo error) or not (on opkssh error)
The constant ExitcCodeReadHome needs to be available in Linux and Windows builds.
|
After reading the sudo manual more carefully, I noticed, that the The timeout for the sudo command needs to be implemented in go, most probably with |
In scenarios with user home directories in NFS and root_squash active, in this case
root accesses the user home directory as user "nobody" and can not read the
~/.opk/auth_idfile. As the username is known, the sudo is using this usernameto read the file as the user instead of root.