A shell script (myscript) will be run as root, by cron. It reads IP addresses from a configuration file, and updates iptables to whitelist those IPs for inbound connections.

myscript uses a regexp (regular expression) to parse the configuration file for IP addresses at the beginning of lines. There is no obvious risk of a buffer overflow or a privilege escalation, because anything that doesn't match the structure and length of an IP address is ignored.

For operational reasons, this configuration file must be updatable by a specific, trusted person whose only access is via SFTP from an old-fashioned GUI SFTP program that is incapable of authenticating to sudo. (Think CyberDuck, FileZilla, WinSCP.) This person should not do anything else on the machine. Clearly, they should log in via a non-root account. Let's call their account sftp-user.

If the configuration file had root:root as owner and group, as most GNU/Linux configuration files do, then AFAIK the only way for sftp-user to edit it would be if the sftp-user account had passwordless sudo privileges. This would be dangerous: it would give the account much more power than necessary. So, a less risky alternative is needed.

My question is: of the following, which is the least risky set of permissions for that configuration file to have, and why?

permissions  owner      group
----rw----   root       sftp-user
-rw-------   sftp-user  root
-rw-------   sftp-user  sftp-user

Edit in response to David's helpful answer: Yes, in normal circumstances, the permissions above are equivalent. Assuming the only member of the sftp-user group is sftp-user, then each of them allows read-write access only to sftp-user and to root. But what about extraordinary circumstances: does one of the configurations then pose less risk than the others? E.g. have there been cases of privilege escalation via file ownership alone, such that mixing a root owner and non-root group (or vice versa) is a bad idea?

sampablokuper
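The parsing approach the question describes, as an added example rather than the asker's actual myscript: IPv4 addresses are accepted only at the very start of a line and only after a per-octet range check, the file is checked before a root job trusts it at all, and the iptables commands are emitted as output instead of executed, so the decision logic can run unprivileged and only a small privileged step applies the result. Function names, the config format and the sample lines are assumptions, not from the question.

```shell
#!/bin/sh
# Added example, not the asker's myscript: parse a whitelist config the way
# the question describes (IPv4 at line start, everything else ignored) and
# refuse the file if a root job should not trust it. Names are hypothetical.
set -u

# Refuse anything but a regular, non-symlink file that is not world-writable.
# Group write is allowed on purpose: that is how sftp-user (or a role group)
# is meant to edit it. Column 9 of "ls -l" is the other-write bit.
config_is_trusted() {
    [ -f "$1" ] && [ ! -L "$1" ] && [ "$(ls -ld "$1" | cut -c9)" != "w" ]
}

# Print one validated IPv4 address per line. The sed pattern only accepts an
# address at the very start of a line, followed by whitespace or end of line,
# so "1.2.3.4567" or "1.2.3.4;text" never yield a partial match. The regex
# alone still accepts octets like 999, so each octet is range-checked too.
extract_whitelist_ips() {
    sed -nE 's/^([0-9]{1,3}(\.[0-9]{1,3}){3})([[:space:]].*)?$/\1/p' "$1" |
    while IFS= read -r ip; do
        ok=1
        oldifs=$IFS; IFS=.; set -- $ip; IFS=$oldifs   # split into octets
        for octet in "$@"; do
            [ "$octet" -le 255 ] || ok=0
        done
        if [ "$ok" -eq 1 ]; then printf '%s\n' "$ip"; fi
    done
}

# Emit the iptables commands rather than executing them: the decision logic
# can then run (and be reviewed) as an unprivileged user, and only a tiny
# privileged step applies the output.
whitelist_rules() {
    if ! config_is_trusted "$1"; then
        echo "refusing config $1: not a regular file, or world-writable" >&2
        return 1
    fi
    extract_whitelist_ips "$1" | while IFS= read -r ip; do
        printf 'iptables -A INPUT -s %s -j ACCEPT\n' "$ip"
    done
}

# Stand-alone demo on a constructed config (run: sh thisfile.sh --demo).
if [ "${1:-}" = "--demo" ]; then
    cfg=$(mktemp)
    printf '%s\n' '192.0.2.10 office' '# comment' '999.1.1.1 bad octet' \
        ' 198.51.100.7 indented, ignored' '203.0.113.5 trailing text' > "$cfg"
    chmod 600 "$cfg"
    whitelist_rules "$cfg"; rm -f "$cfg"
fi
```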

2 Answers

Assuming the only member of the sftp-user group is sftp-user, all of the permissions you have listed would be equivalent. The only users that would be able to read or write the file would be sftp-user and root.

I would personally choose to create a "role group" for this (perhaps fwadmins for firewall admins) in case you ever need to have more than one person with access to this. Then I would set the permissions as 0660 with owner root and group fwadmins:

-rw-rw----   root     fwadmins

I suggest explicitly setting the permission bits for root as well. Yes, root can still edit it either way, but it's just a little cleaner to be explicit about it.

David
  • Thanks. I considered a role group and agree it's probably the way to go, but I didn't want to clutter the question :) I want to focus on the part about which you said, "all of the permissions you have listed would be equivalent". My core question is: *is that **really** true*? In normal circumstances, of course it is. But what about extraordinary circumstances: does one of the configurations then pose less risk than the others? E.g. have there been cases of privilege escalation via file ownership alone, such that mixing a root owner and non-root group (or vice versa) is a bad idea? – sampablokuper Jan 20 '18 at 05:50
  • Question now updated to clarify this accordingly. And your answer upvoted. Thanks again :) – sampablokuper Jan 20 '18 at 06:05
That myscript runs as root is an issue. Root privileges are required for iptables but this could be implemented via privilege separation. As it stands there is significant risk of the config maintainer gaining root access.

If it were me I'd go with -rw-r--r-- sftp-user as owner and the group/other privilege providing access to the runtime user (not root).

symcbean
  • Thanks. Upvoted because I happen to agree with you about running cron jobs as root, and that the point you made about it was a point worth making. (Others [disagree](https://askubuntu.com/a/173930/), though.) About the permissions, I guess you meant `-rw-r-x--- sftp-user myscript-cron`? That's a fair suggestion :) It doesn't really answer my question, though ;) – sampablokuper Jan 21 '18 at 07:24
  • I was talking about the permissions on the config file (in your description you have a separate script and config file, and this does provide some isolation between what sftp-user uploads and root executes). – symcbean Jan 21 '18 at 16:06
  • I was also talking about the permissions on the config file :) Alas, I wrote my comment in haste. My `x` in that comment was (very!) erroneous. I meant to write `-rw-r-----` :) What's your rationale for making the configuration file world-readable, given that readability for `myscript-cron` can be achieved by using a suitable group? (OT: IMO, `-r--rw---- myscript-cron myscript-conf` looks like the best option, with `sftp-user` as part of the `myscript-conf` group.) – sampablokuper Jan 21 '18 at 21:27
  • Making it world readable is an alternative approach to giving the runtime user read access in the absence of a shared group. Obviously this is not to be desired if the config file also contains secrets. – symcbean Jan 22 '18 at 01:10