Rootless FreeBSD usage

FreeBSD is a Unix-based operating system and it follows the same in the users as well.
We have the root user, which has all the access.
I'm searching for an option where I can opt out permission to the root user and provide it just for some specific user.
For example, if I want to install any application, I can use the app_manager user to perform such tasks and not the root user.

Is there any such option available?
 
You can easily restrict the use of an application to one user by simple file permissions.

But that doesn't prevent other users from downloading the same application and running it from their homedir.

Or are you talking about setuid programs?
 
FreeBSD is a Unix-based operating system and it follows the same in the users as well.
We have the root user, which has all the access.
I'm searching for an option where I can opt out permission to the root user and provide it just for some specific user.
For example, if I want to install any application, I can use the app_manager user to perform such tasks and not the root user.

Is there any such option available?
Do you have users or are you the only user?
 
You can easily restrict the use of an application to one user by simple file permissions.

But that doesn't prevent other users from downloading the same application and running it from their homedir.

Or are you talking about setuid programs?
Maybe it would be good if I say the idea in my brain.
I wanted to try FreeBSD in a way like each user has their own work (like network management is done by one particular user, application installation and update is handled by another, and so on).
I want each user to play in their own area but not need to touch others.

Even if the user gains root access, they should not be able to break the system.
 
Maybe it would be good if I say the idea in my brain.
I wanted to try FreeBSD in a way like each user has their own work (like network management is done by one particular user, application installation and update is handled by another, and so on).
I want each user to play in their own area but not need to touch others.

Even if the user gains root access, they should not be able to break the system.
You could port some of Linux' capabilities framework to FreeBSD.

That allows you to break out of that old Unix framework and do what you want. With a lot of work.
 
Maybe it would be good if I say the idea in my brain.
I wanted to try FreeBSD in a way like each user has their own work (like network management is done by one particular user, application installation and update is handled by another, and so on).
I want each user to play in their own area but not need to touch others.

Even if the user gains root access, they should not be able to break the system.
Jails.
 
Even if the user gains root access, they should not be able to break the system.
Although, upon rereading your question, I think what SirDice offers you fits your needs, keep in mind the warning: it is complex, you probably don't need it, and it can easily break your system, as that document says.

Perhaps for your use case, simply using sudo or doas is sufficient to divide responsibilities among users, but you can implement a slightly more complex solution with SSH. Check out this good article from Facebook, for example:

* https://engineering.fb.com/2016/09/12/security/scalable-and-secure-access-with-ssh/

So you can complicate things even further and deploy VMs/jails that are very restricted even in terms of the services they can access.

The same can be applied to the host, but only users who actually deal with the main system, such as sysadmins, will be able to access it.
 
I wanted to try FreeBSD in a way like each user has their own work (like network management is done by one particular user, application installation and update is handled by another, and so on).
I want each user to play in their own area but not need to touch others.

Even if the user gains root access, they should not be able to break the system.

Perhaps for your use case, simply using sudo or doas is sufficient to divide responsibilities among users
That would be my suggestion as well: security/sudo, security/doas, security/opendoas (opendoas may be a better choice, it has the "persist" option available: doas.conf(5)).

Do these tools not meet your requirements? Grant specific users permissions for separate system administration tasks. User A network management permissions, user B permissions to maintain packages, etc.
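
The division of duties suggested above, written as a doas.conf. This is an added example, not part of the original posts: `app_manager` comes from the question, while the `netadmin` account and the choice of commands are assumptions.

```conf
# /usr/local/etc/doas.conf  (added example; accounts and commands are assumptions)
# Rules are read top to bottom; the last matching rule decides.
# Anything that matches no rule is denied.

# Too broad: every command as root. This is equivalent to sharing the
# root password and gives no separation between roles.
# permit app_manager as root

# Package maintenance: app_manager may run pkg as root with any arguments.
# (With security/opendoas, "persist" could be added after "permit" to
# cache authentication, as mentioned in the post above.)
permit app_manager as root cmd pkg

# Network management: netadmin (hypothetical account) may run ifconfig
# with any arguments ...
permit netadmin as root cmd ifconfig

# ... and may restart networking, but only with exactly these arguments.
# "args" pins the full argument list, so "service sshd stop" is denied.
permit netadmin as root cmd service args netif restart
permit netadmin as root cmd service args routing restart
```

A rule can be checked without running anything, for example `doas -C /usr/local/etc/doas.conf pkg install nginx` prints whether the calling user would be permitted. Rules like these divide routine tasks but do not contain an account that turns hostile: package install scripts run as root, so the pkg rule still requires trusting `app_manager`.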
 
This thread reminds me of one of my customers about 40 years ago. They had a new DEC system (I cannot recall the model) running Tru64 UNIX. It was to be used as a web server at the time. They assigned the machine to a new webmaster. She was new on the job. The first thing she did was chown -R dora / to change ownership of all files on the system to herself. What a mess.

I wasn't involved with the recovery, one of my customer's sysadmins was. The O/S had to be reinstalled and data reloaded, as backups hadn't been set up yet.
 
This thread reminds me of one of my customers about 40 years ago.
Wasn't that 20 years ago?
Code:
Yeah, this reminds me of a client of mine about 20-ish years ago. I was on retainer to
provide assistance as required. They had just received a new DEC Alpha running
Tru64 UNIX. I installed and configured the O/S for them. It was to be used as a web
server. After some time their management had decided to promote one of their
clerical staff to webmaster. They provided her the root password.

So... she logged in and changed the ownership of all the files on the system to her account, i.e.
 
Wasn't that 20 years ago?
Nope. That was between 1995 and 2000. And this wasn't in Italy. It was in Canada. I'm in Canada.

As far as I know, there were no serious consequences. They were a union shop. But, every time anyone made a dumb mistake they called it a Dora. Like, "Jerry did a Dora." Additionally people spoke of her in unflattering ways. Her co-workers were brutal and unforgiving even though the union protected her from the serious consequences that probably should have been.

I spoke to the guy who had to rebuild the system a few years ago. He's happily retired. As far as Dora was concerned, she moved on to another department. He mentioned the rumor mill abounded as people speculated.
 