What is CaclMgr?
CaclMgr stands for Command Access Control List Manager. It is an easily managed security package that lets Linux users control which user may execute which Linux command or shell script with the granting user's privileges.
Why is CaclMgr needed?
On most UNIX systems, many system maintenance jobs can only be done by root. For example, a proper shutdown of a UNIX system uses the kill command to terminate all application processes, but for security reasons every user except root can only kill their own processes, so no user can perform a proper shutdown of a UNIX machine without root privileges (or else every user would have to be allowed to). Other common jobs such as system backup/restore, mounting/unmounting file systems and system software maintenance all need root privileges as well. Because root can do almost everything on a UNIX system, it is very dangerous for other users to get unlimited access to root privileges. It is also very important not to use root directly for daily maintenance jobs on mission-critical UNIX servers: with that much power, a simple typo could become a disaster for the whole system.
There are several ways to create a daily maintenance account that has (in some way) reduced root privileges.
1. Develop a menu script that defines all the tasks the account is authorized to do. Create the account with UID 0 and modify its login profiles so that, when the account logs in, it can only do the tasks defined by that menu script.
2. Create the account and set the setuid bit on the commands it needs for daily operation. For the scripts it also needs, develop C programs (because UNIX does not allow setuid on scripts, for security reasons) and set the setuid bit on those C executables. ACLs may be used to grant execute permission on these setuid programs to specific users only.
In method 1, the problem is that it is very difficult to make sure the account cannot be used to gain other system access; in some cases it is even impossible.
In method 2, many executables need to be setuid, and a C program needs to be developed and made setuid for each script in order to grant the account root privileges on those commands. The difficulty is that the programmers who develop such C programs need very good knowledge of UNIX system programming and UNIX security; otherwise such a wrapper can easily open security holes. Another problem is that it is very difficult to maintain, manage and control all these setuid executables scattered around the system. For example, it may not be easy to find all the setuid commands a specific user has execute permission on, or to remove a user from all sensitive commands.
CaclMgr provides a full set of carefully designed commands to ease privilege management on commands. For example, to grant user staff1 the privilege to run the shutdown command:
As root, run
cacl -a staff1 /usr/sbin/shutdown
This command creates a record in CaclMgr's database saying that staff1 is allowed to su to root when executing /usr/sbin/shutdown. From then on, staff1 can shut down the server by running
cacl -e root /usr/sbin/shutdown
Here, cacl checks CaclMgr's database to verify that the user running this command is really trusted to su to root to run /usr/sbin/shutdown, and that the /usr/sbin/shutdown file is still the original one recorded.
With CaclMgr, privileged users can easily manage how their privileges are used by others. For example, to see which commands you have granted to user U, just run
cacl -c U
If you want to know who has the right to use your ID to run the command cmd, call
cacl -c /the-path-to/cmd
To revoke user U's right to use your ID to execute the command cmd, simply run
cacl -r U cmd
To show who has used your ID to run commands, type
cacl -p
Compared with other similar software, CaclMgr is more user friendly: every user can easily control, by himself or herself, how his or her uid is used by others, and each user can easily check the whole picture: Which commands have other users executed using my uid? Which commands have I allowed user B to run with my uid?
CaclMgr also gives system administrators and other privileged users more help in keeping privilege granting secure.
First, CaclMgr provides the most advanced control over which environment variables are allowed to be passed on to a command executed under it. Uncontrolled environment variables are the biggest security threat when letting other users use your privileges to run commands.
Second, when you use CaclMgr to grant a command for other users to run with your uid, CaclMgr records the checksum of the command file, so that when a user later tries to execute the command with your uid, CaclMgr verifies it again and refuses to run it if the command has been changed.
System administrators and users without very good UNIX security knowledge will also benefit from the system-wide warning feature:
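As an added illustration (not CaclMgr's own code), here is a small Python model of the two checks described above: a grant record that stores the command file's checksum and is re-verified before execution, and an allow-list for environment variables. The in-memory database, the SAFE_ENV list and the temporary "shutdown" script are constructed for the example.

```python
import hashlib
import os
import tempfile

# Allow-list of environment variables passed to the privileged command (constructed; CaclMgr's own list is configurable).
SAFE_ENV = ("PATH", "TERM", "LANG")

def file_checksum(path):
    """SHA-256 of the command file; recorded at grant time, re-checked at run time."""
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def grant(db, user, target_uid, cmd_path):
    """Model of `cacl -a user cmd` run as target_uid: store the command's checksum."""
    db[(user, target_uid, cmd_path)] = file_checksum(cmd_path)

def revoke(db, user, target_uid, cmd_path):
    """Model of `cacl -r user cmd`: drop the record."""
    db.pop((user, target_uid, cmd_path), None)

def authorize(db, user, target_uid, cmd_path):
    """Checks `cacl -e target_uid cmd` would make before switching uid; returns (allowed, reason)."""
    recorded = db.get((user, target_uid, cmd_path))
    if recorded is None:
        return False, "no grant for this user, uid and command"
    if not os.path.isfile(cmd_path) or file_checksum(cmd_path) != recorded:
        return False, "command file missing or changed since the grant"
    return True, "ok"

def filtered_env(env, allowed=SAFE_ENV):
    """Keep only allow-listed variables (drops e.g. LD_PRELOAD, IFS, ENV)."""
    return {k: v for k, v in env.items() if k in allowed}

def demo():
    """Constructed walk-through: grant, authorize, modify the file, authorize again, revoke."""
    db = {}
    with tempfile.TemporaryDirectory() as d:
        cmd = os.path.join(d, "shutdown")
        with open(cmd, "w") as f:
            f.write("#!/bin/sh\necho 'shutting down'\n")
        grant(db, "staff1", "root", cmd)
        first = authorize(db, "staff1", "root", cmd)[0]    # True: file matches the record
        with open(cmd, "a") as f:
            f.write("echo 'file modified after grant'\n")
        second = authorize(db, "staff1", "root", cmd)[0]   # False: checksum no longer matches
        revoke(db, "staff1", "root", cmd)
        third = authorize(db, "staff1", "root", cmd)[0]    # False: no record any more
    env = filtered_env({"PATH": "/usr/bin", "LD_PRELOAD": "/tmp/x.so", "TERM": "xterm"})
    return first, second, third, sorted(env)
```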
/etc/CaclMgr/CaclMgr.warn
When you try to grant others permission to use your uid to execute a command listed in this file, CaclMgr gives you a warning, because the commands listed there are considered very dangerous. For example, if you grant a user the right to use your uid to execute the "view" command, what could happen? You think the "view" command will only let the user read your files, right? No!!!
Experienced system administrators and security officers can also update this file when they find more commands that are dangerous to execute under a different UID. Please read the CaclMgrVersion.readme file included in the package for more security features of CaclMgr.
You can download the software and apply for a free DEMO license from our Home Page.
For more info, please contact us.