OS level role/command based privileged escalation for use with automation via a front-end/back-end process...











up vote
0
down vote

favorite












I want to develop a LAMP web app/solution and after a fair amount of searching I am starting to think it is not possible to do what I want. Not sure how to explain this succinctly so I apologize for the verbosity.



And before I start, I want to stay away from expensive enterprise grade solutions. Hoping for something I can either develop myself (if someone can help with the logic/algorithm of the code I'd need) or something that is free/open-source. At worst, if I have to pay a license for personal use that is fine too. Basically looking for something for personal use.



Let me explain the desired end result:




  • User accounts (that do not map/tie to an OS account) will be created on the web app

  • Typical web app authentication/authorization (with 2FA/MFA)

  • User accounts will map to read/write file-system permissions tied to an OS account


    • This mapping should be maintained and administered on the server outside of the web app

    • This is something a server admin would do somewhere on the OS



  • The idea being that users will be able to read/write files on the server as though they are the associated OS account

  • The hope is the user will have two security gates they'll have to authorize through: the web app and the OS (something the web app doesn't know)


Here is a more detailed example:




  • OS has two human interactive accounts: osuser1 and osuser2

  • OS has one non-human non-interactive account that Apache will run as: www-data

  • web app has three human interactive accounts that users will log in with (using their web browser): webuser3, webuser4, webuser5

  • the accounts in the web app are permissioned on the OS level like this:



    • webuser3 can:


      • read files in /home/osuser1 as osuser1

      • read and write files in /home/osuser2 as osuser2




    • webuser4 can:


      • read and write files in /home/osuser1 as osuser1




    • webuser5 can:


      • write files in /home/osuser2 as osuser2





  • this web app user to OS user permission mapping should be maintained on the OS, outside of the web app


How I would like it to work:




  • user logs in to web app (webuser3, webuser4, webuser5)

  • user interacts with the UI to list files or create a file in some folder

  • the web app will ask for additional authentication/authorization information, like a PW and/or 2FA/MFA code

  • the web app will send information to the OS:


    • the additional authentication/authorization information

    • the ID of the web app user

    • what they want to do (read or create)



  • the OS will authorize the action and send it back to the web app


Now, Apache is running as www-data so it won't, by default and without messing with file/folder permissions, have any access to /home/osuser#. One way I can think of accomplishing the above is to give www-data passwordless sudo privileges (either as root or the OS accounts osuser1 and osuser2) so it can do things as the OS accounts. I don't like this because if the system is compromised and a bad actor gains access to www-data account then they will also be able to use sudo to do things as the OS accounts /home/osuser#. And also, this way would require the web app to maintain the web app user to OS user permission mapping.



Obviously the OS is not aware of the web app accounts (webuser3, webuser4, webuser5) and I don't want to have to create matching accounts on the OS. The hope is to use some OS tool/library to do the mapping. Something that would have an internal configuration of external accounts (the ones coming from the web app). Maybe using roles or profiles. So on the OS, in this tool/library, a role/profile/account is created that matches the web app accounts and then given permissions.



And, the tool/library should support additional authentication/authorization. Something that could be passed, securely, using an API or via command line parameter. This breaks authorization/authentication into two places: the OS and the web app, each having half the key.



I realize this is one hell of an absurd ask but I don't want to give up the idea without fully vetting the possibility.










share|improve this question


























    up vote
    0
    down vote

    favorite












    I want to develop a LAMP web app/solution and after a fair amount of searching I am starting to think it is not possible to do what I want. Not sure how to explain this succinctly so I apologize for the verbosity.



    And before I start, I want to stay away from expensive enterprise grade solutions. Hoping for something I can either develop myself (if someone can help with the logic/algorithm of the code I'd need) or something that is free/open-source. At worst, if I have to pay a license for personal use that is fine too. Basically looking for something for personal use.



    Let me explain the desired end result:




    • User accounts (that do not map/tie to an OS account) will be created on the web app

    • Typical web app authentication/authorization (with 2FA/MFA)

    • User accounts will map to read/write file-system permissions tied to an OS account


      • This mapping should be maintained and administered on the server outside of the web app

      • This is something a server admin would do somewhere on the OS



    • The idea being that users will be able to read/write files on the server as though they are the associated OS account

    • The hope is the user will have two security gates they'll have to authorize through: the web app and the OS (something the web app doesn't know)


    Here is a more detailed example:




    • OS has two human interactive accounts: osuser1 and osuser2

    • OS has one non-human non-interactive account that Apache will run as: www-data

    • web app has three human interactive accounts that users will log in with (using their web browser): webuser3, webuser4, webuser5

    • the accounts in the web app are permissioned on the OS level like this:



      • webuser3 can:


        • read files in /home/osuser1 as osuser1

        • read and write files in /home/osuser2 as osuser2




      • webuser4 can:


        • read and write files in /home/osuser1 as osuser1




      • webuser5 can:


        • write files in /home/osuser2 as osuser2





    • this web app user to OS user permission mapping should be maintained on the OS, outside of the web app


    How I would like it to work:




    • user logs in to web app (webuser3, webuser4, webuser5)

    • user interacts with the UI to list files or create a file in some folder

    • the web app will ask for additional authentication/authorization information, like a PW and/or 2FA/MFA code

    • the web app will send information to the OS:


      • the additional authentication/authorization information

      • the ID of the web app user

      • what they want to do (read or create)



    • the OS will authorize the action and send it back to the web app


    Now, Apache is running as www-data so it won't, by default and without messing with file/folder permissions, have any access to /home/osuser#. One way I can think of accomplishing the above is to give www-data passwordless sudo privileges (either as root or the OS accounts osuser1 and osuser2) so it can do things as the OS accounts. I don't like this because if the system is compromised and a bad actor gains access to www-data account then they will also be able to use sudo to do things as the OS accounts /home/osuser#. And also, this way would require the web app to maintain the web app user to OS user permission mapping.



    Obviously the OS is not aware of the web app accounts (webuser3, webuser4, webuser5) and I don't want to have to create matching accounts on the OS. The hope is to use some OS tool/library to do the mapping. Something that would have an internal configuration of external accounts (the ones coming from the web app). Maybe using roles or profiles. So on the OS, in this tool/library, a role/profile/account is created that matches the web app accounts and then given permissions.



    And, the tool/library should support additional authentication/authorization. Something that could be passed, securely, using an API or via command line parameter. This breaks authorization/authentication into two places: the OS and the web app, each having half the key.



    I realize this is one hell of an absurd ask but I don't want to give up the idea without fully vetting the possibility.










    share|improve this question
























      up vote
      0
      down vote

      favorite









      up vote
      0
      down vote

      favorite











      I want to develop a LAMP web app/solution and after a fair amount of searching I am starting to think it is not possible to do what I want. Not sure how to explain this succinctly so I apologize for the verbosity.



      And before I start, I want to stay away from expensive enterprise grade solutions. Hoping for something I can either develop myself (if someone can help with the logic/algorithm of the code I'd need) or something that is free/open-source. At worst, if I have to pay a license for personal use that is fine too. Basically looking for something for personal use.



      Let me explain the desired end result:




      • User accounts (that do not map/tie to an OS account) will be created on the web app

      • Typical web app authentication/authorization (with 2FA/MFA)

      • User accounts will map to read/write file-system permissions tied to an OS account


        • This mapping should be maintained and administered on the server outside of the web app

        • This is something a server admin would do somewhere on the OS



      • The idea being that users will be able to read/write files on the server as though they are the associated OS account

      • The hope is the user will have two security gates they'll have to authorize through: the web app and the OS (something the web app doesn't know)


      Here is a more detailed example:




      • OS has two human interactive accounts: osuser1 and osuser2

      • OS has one non-human non-interactive account that Apache will run as: www-data

      • web app has three human interactive accounts that users will log in with (using their web browser): webuser3, webuser4, webuser5

      • the accounts in the web app are permissioned on the OS level like this:



        • webuser3 can:


          • read files in /home/osuser1 as osuser1

          • read and write files in /home/osuser2 as osuser2




        • webuser4 can:


          • read and write files in /home/osuser1 as osuser1




        • webuser5 can:


          • write files in /home/osuser2 as osuser2





      • this web app user to OS user permission mapping should be maintained on the OS, outside of the web app


      How I would like it to work:




      • user logs in to web app (webuser3, webuser4, webuser5)

      • user interacts with the UI to list files or create a file in some folder

      • the web app will ask for additional authentication/authorization information, like a PW and/or 2FA/MFA code

      • the web app will send information to the OS:


        • the additional authentication/authorization information

        • the ID of the web app user

        • what they want to do (read or create)



      • the OS will authorize the action and send it back to the web app


      Now, Apache is running as www-data so it won't, by default and without messing with file/folder permissions, have any access to /home/osuser#. One way I can think of accomplishing the above is to give www-data passwordless sudo privileges (either as root or the OS accounts osuser1 and osuser2) so it can do things as the OS accounts. I don't like this because if the system is compromised and a bad actor gains access to www-data account then they will also be able to use sudo to do things as the OS accounts /home/osuser#. And also, this way would require the web app to maintain the web app user to OS user permission mapping.



      Obviously the OS is not aware of the web app accounts (webuser3, webuser4, webuser5) and I don't want to have to create matching accounts on the OS. The hope is to use some OS tool/library to do the mapping. Something that would have an internal configuration of external accounts (the ones coming from the web app). Maybe using roles or profiles. So on the OS, in this tool/library, a role/profile/account is created that matches the web app accounts and then given permissions.



      And, the tool/library should support additional authentication/authorization. Something that could be passed, securely, using an API or via command line parameter. This breaks authorization/authentication into two places: the OS and the web app, each having half the key.



      I realize this is one hell of an absurd ask but I don't want to give up the idea without fully vetting the possibility.










      share|improve this question













      I want to develop a LAMP web app/solution and after a fair amount of searching I am starting to think it is not possible to do what I want. Not sure how to explain this succinctly so I apologize for the verbosity.



      And before I start, I want to stay away from expensive enterprise grade solutions. Hoping for something I can either develop myself (if someone can help with the logic/algorithm of the code I'd need) or something that is free/open-source. At worst, if I have to pay a license for personal use that is fine too. Basically looking for something for personal use.



      Let me explain the desired end result:




      • User accounts (that do not map/tie to an OS account) will be created on the web app

      • Typical web app authentication/authorization (with 2FA/MFA)

      • User accounts will map to read/write file-system permissions tied to an OS account


        • This mapping should be maintained and administered on the server outside of the web app

        • This is something a server admin would do somewhere on the OS



      • The idea being that users will be able to read/write files on the server as though they are the associated OS account

      • The hope is the user will have two security gates they'll have to authorize through: the web app and the OS (something the web app doesn't know)


      Here is a more detailed example:




      • OS has two human interactive accounts: osuser1 and osuser2

      • OS has one non-human non-interactive account that Apache will run as: www-data

      • web app has three human interactive accounts that users will log in with (using their web browser): webuser3, webuser4, webuser5

      • the accounts in the web app are permissioned on the OS level like this:



        • webuser3 can:


          • read files in /home/osuser1 as osuser1

          • read and write files in /home/osuser2 as osuser2




        • webuser4 can:


          • read and write files in /home/osuser1 as osuser1




        • webuser5 can:


          • write files in /home/osuser2 as osuser2





      • this web app user to OS user permission mapping should be maintained on the OS, outside of the web app


      How I would like it to work:




      • user logs in to web app (webuser3, webuser4, webuser5)

      • user interacts with the UI to list files or create a file in some folder

      • the web app will ask for additional authentication/authorization information, like a PW and/or 2FA/MFA code

      • the web app will send information to the OS:


        • the additional authentication/authorization information

        • the ID of the web app user

        • what they want to do (read or create)



      • the OS will authorize the action and send it back to the web app


      Now, Apache is running as www-data so it won't, by default and without messing with file/folder permissions, have any access to /home/osuser#. One way I can think of accomplishing the above is to give www-data passwordless sudo privileges (either as root or the OS accounts osuser1 and osuser2) so it can do things as the OS accounts. I don't like this because if the system is compromised and a bad actor gains access to www-data account then they will also be able to use sudo to do things as the OS accounts /home/osuser#. And also, this way would require the web app to maintain the web app user to OS user permission mapping.



      Obviously the OS is not aware of the web app accounts (webuser3, webuser4, webuser5) and I don't want to have to create matching accounts on the OS. The hope is to use some OS tool/library to do the mapping. Something that would have an internal configuration of external accounts (the ones coming from the web app). Maybe using roles or profiles. So on the OS, in this tool/library, a role/profile/account is created that matches the web app accounts and then given permissions.



      And, the tool/library should support additional authentication/authorization. Something that could be passed, securely, using an API or via command line parameter. This breaks authorization/authentication into two places: the OS and the web app, each having half the key.



      I realize this is one hell of an absurd ask but I don't want to give up the idea without fully vetting the possibility.







      linux apache-http-server php automation pam






      share|improve this question













      share|improve this question











      share|improve this question




      share|improve this question










      asked Nov 17 at 2:56









      IMTheNachoMan

      17712




      17712



























          active

          oldest

          votes











          Your Answer








          StackExchange.ready(function() {
          var channelOptions = {
          tags: "".split(" "),
          id: "3"
          };
          initTagRenderer("".split(" "), "".split(" "), channelOptions);

          StackExchange.using("externalEditor", function() {
          // Have to fire editor after snippets, if snippets enabled
          if (StackExchange.settings.snippets.snippetsEnabled) {
          StackExchange.using("snippets", function() {
          createEditor();
          });
          }
          else {
          createEditor();
          }
          });

          function createEditor() {
          StackExchange.prepareEditor({
          heartbeatType: 'answer',
          convertImagesToLinks: true,
          noModals: true,
          showLowRepImageUploadWarning: true,
          reputationToPostImages: 10,
          bindNavPrevention: true,
          postfix: "",
          imageUploader: {
          brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
          contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
          allowUrls: true
          },
          onDemand: true,
          discardSelector: ".discard-answer"
          ,immediatelyShowMarkdownHelp:true
          });


          }
          });














           

          draft saved


          draft discarded


















          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1376144%2fos-level-role-command-based-privileged-escalation-for-use-with-automation-via-a%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown






























          active

          oldest

          votes













          active

          oldest

          votes









          active

          oldest

          votes






          active

          oldest

          votes
















           

          draft saved


          draft discarded



















































           


          draft saved


          draft discarded














          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1376144%2fos-level-role-command-based-privileged-escalation-for-use-with-automation-via-a%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown





















































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown

































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown







          Popular posts from this blog

          Сан-Квентин

          8-я гвардейская общевойсковая армия

          Алькесар