Home
The op tool provides a flexible means for system administrators to grant access to certain root operations without having to give them full superuser privileges. Different sets of users may access different operations, and the security-related aspects of each operation can be carefully controlled.
It was originally written around 1990 by Tom Christiansen and Dave Koblas. Further updates and porting were performed by Howard Owen. The last version of this vintage is available here. The current version is maintained by Alec Thomas.
I first came into contact with op whilst working at Access Gaming Systems, where op was used extensively to control developer and administrator access to resources.
Discussion relating to the development of op can be found here. Feel free to log in and add your ideas and comments.
Some kind op users have contributed patches that add extra features which others might find useful. You can get them here.
Report bugs or feature requests or view active tickets.
The op/changelog contains the history of releases and their changes.
The man page included with op is the authoritative source of information for configuration and usage of op, but some of its more interesting features are documented briefly below.
The main attraction of op over sudo is its use of mnemonics rather than true commands. This allows an administrator to present users with more intuitive commands.
For example, instead of requiring the user to do something like this:
```
$ sudo /bin/mount -t iso9660 /dev/cdrom /mnt/cdrom
```
op allows the following:
```
$ op mount cd
```
Each command in the op configuration file has a number of keywords and key/value pairs associated with it. Each of these modifies the default behaviour. The keyword environment, for example, passes the original user's environment on to the final command.
op has a short name and, as any Unix head should know, this can only be a Good Thing (tm).
I have added quite a few features since encountering version 1.11 of op. Some of the more basic additions are PAM support and various security fixes. Other more interesting additions follow.
Host-based access control is particularly useful for environments where a single op.conf is used among multiple servers.
Here is an example of host-based restriction. The user athomas can only execute xine on host cavern.
```
xine /usr/bin/xine;
users=athomas@cavern
environment
$DISPLAY
```
The ability to restrict access by host also required the addition of basic variable expansion to ease in the management of large access control lists.
The following example shows the expansion of a user/host list. It allows the user athomas to obtain a root shell on all servers, while the user dcooper may only obtain root on the internal servers cavern and seraph.
```
DMZ_SERVERS=blink|iris
INTERNAL_SERVERS=cavern|seraph
ALL_SERVERS=DMZ_SERVERS|INTERNAL_SERVERS
ACL=athomas@(ALL_SERVERS),dcooper@(INTERNAL_SERVERS)
shell /bin/su -; users=ACL environment password
```
The final line would be expanded to the following, which is matched as a regular expression against user@hostname.
```
shell /bin/su -; users=athomas@(blink|iris|cavern|seraph),dcooper@(cavern|seraph)
```
op has the ability to expire access to arbitrary commands at a specific time.
This example lets the users admin and operator start, stop and restart Apache; the operator user's access, however, expires at midnight on the 20th of January 2004.
```
apache /usr/sbin/apachectl $1;
users=admin,operator/20040120
environment
$1=start|stop|restart
```
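The variable expansion, the anchored user@hostname match and the /YYYYMMDD expiry suffix from the two examples above, worked through as an added Python example (not op's own code); the variable table is constructed from the example, and treating an entry with no host part as matching any host is an assumption:

```python
import re
from datetime import date

# Constructed variable table, copied from the user/host expansion example above.
VARS = {
    "DMZ_SERVERS": "blink|iris",
    "INTERNAL_SERVERS": "cavern|seraph",
    "ALL_SERVERS": "DMZ_SERVERS|INTERNAL_SERVERS",
    "ACL": "athomas@(ALL_SERVERS),dcooper@(INTERNAL_SERVERS)",
}
_NAME = re.compile(r"[A-Z_][A-Z0-9_]*")   # assumption: variable names are upper-case tokens

def expand(text, variables=VARS, depth=0):
    """Replace every known variable name with its value, recursively, until none remain."""
    if depth > 16:
        raise ValueError("variable expansion too deep (definition cycle?)")
    def sub(m):
        name = m.group(0)
        return expand(variables[name], variables, depth + 1) if name in variables else name
    return _NAME.sub(sub, text)

def allowed(users_spec, user, host, today, variables=VARS):
    """True if user@host matches one entry of the expanded users= list and it has not expired.
    Entries look like 'name' or 'name@hostpattern', optionally followed by '/YYYYMMDD'."""
    for entry in expand(users_spec, variables).split(","):
        pattern, _, expiry = entry.partition("/")
        if expiry:
            limit = date(int(expiry[:4]), int(expiry[4:6]), int(expiry[6:8]))
            if today >= limit:          # access ends at midnight at the start of that day
                continue
        if "@" not in pattern:
            pattern += "@.*"            # assumption: no host part means any host
        if re.fullmatch(pattern, f"{user}@{host}"):   # anchored: the whole string must match
            return True
    return False

def arg_allowed(constraint, value):
    """Check a $1=... constraint with fullmatch, so 'start;rm' cannot pass as 'start'."""
    return re.fullmatch(constraint, value) is not None
```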
op arguments can now be quoted multi-line strings, which allows small scripts to be defined directly in the op.conf:
```
mount /bin/sh -c '
case $1 in
cdrom) /bin/mount /mnt/cdrom ;;
dvd) /bin/mount -o ro /dev/dvd /mnt/dvd ;;
burner) /bin/mount -o ro /dev/burner /mnt/burner ;;
*) echo "op: you do not have permission to mount \'$1\'" 1>&2 ;;
esac
';
users=ROOT_USERS environment
```
Netgroups can be used to restrict access to mnemonics:
```
reboot /sbin/reboot;
netgroup=administrators
```
All configuration files in /etc/op.d with the extension .conf are read. This reduces administration overhead in enterprise environments.
- https://github.com/downloads/dagwieers/op/op-1.32.tar.gz 795b0ffabd305d48288aff46542fe3bf
- https://github.com/downloads/dagwieers/op/op-1.31.tar.gz 3dba3286cfab5b91e7e90a84b0305cbd
- https://github.com/downloads/dagwieers/op/op-1.30.tar.gz 3cdf2a171a99df7e96f302dd54b2d96b
- https://github.com/downloads/dagwieers/op/op-1.29.tar.gz 5b73d3c341f46eb7ff4b515a0b3f7864
- https://github.com/downloads/dagwieers/op/op-1.28.tar.gz d356e366ecf111ae170ac76f058207cf
- https://github.com/downloads/dagwieers/op/op-1.27.tar.gz cb247040de0f1754a7a7bcc4e9640ad8
- https://github.com/downloads/dagwieers/op/op-1.26.tar.gz e03f9449126a932139334050e131fc1d
- https://github.com/downloads/dagwieers/op/op-1.25.tar.gz 82f4a1f885e7d0c87a559e4d70c6e47f
- https://github.com/downloads/dagwieers/op/op-1.24.tar.gz 4cd2a5e0e7ccb16560d20d9582852a59
- https://github.com/downloads/dagwieers/op/op-1.23.tar.gz 8c7d354bc6f38fb67bbdcbb2016b871a
- https://github.com/downloads/dagwieers/op/op-1.22.tar.gz b5ef422dcd7ff52dcf0ed6d2674d6424
- https://github.com/downloads/dagwieers/op/op-1.21.tar.gz f439d5736c811151d9326b527a19709f
- https://github.com/downloads/dagwieers/op/op-1.20.tar.gz 725bc3e54044de1d9181a6f1bcc6365f
- https://github.com/downloads/dagwieers/op/op-1.1.10.tar.gz a83d1f1d5f8ed23b5b66952a2984600b
- https://github.com/downloads/dagwieers/op/op-1.1.9.tar.gz d811f5b10ca24d74f5b9c66b4c630f7d
- https://github.com/downloads/dagwieers/op/op-1.11.tar.gz
- https://github.com/downloads/dagwieers/op/op-1.1.tar.gz
```
# Host definitions
SWAPOFF_ORG=(blink|iris|seraph|cavern)
FAILOVER_ORG=(thoth|ash|oak|widow)
SELLICK_ID_AU=(beholder|kraken)
ASN=(SWAPOFF_ORG|FAILOVER_ORG|SELLICK_ID_AU)
# User definitions
SWAPOFF_ORG_USERS=(athomas)
SELLICK_ID_AU_USERS=(psellick)
FAILOVER_ORG_USERS=(dcooper)
ASN_USERS=(SWAPOFF_ORG_USERS|SELLICK_ID_AU_USERS|FAILOVER_ORG_USERS)
# ACL definitions
FAILOVER_ORG_ACL=FAILOVER_ORG_USERS@FAILOVER_ORG
SWAPOFF_ORG_ACL=SWAPOFF_ORG_USERS@SWAPOFF_ORG
SELLICK_ID_AU_ACL=SELLICK_ID_AU_USERS@SELLICK_ID_AU
ASN_ACL=root|FAILOVER_ORG_ACL|SWAPOFF_ORG_ACL|SELLICK_ID_AU_ACL
# Group definitions
ASN_GROUPS=asn
# Actions requiring authentication
shell /bin/su -; users=ASN_ACL environment password
sh /bin/su -; users=ASN_ACL environment password
vi /usr/bin/vi $*; users=ASN_ACL password
reboot /sbin/reboot; users=ASN_ACL environment password
# Password-less commands
shutdown /sbin/shutdown -h $1; users=ASN_ACL environment
$1=now|(2[0-3]|[0-1]?[0-9]):[0-5][0-9]|\+[0-9]+
ethereal /usr/bin/ethereal $*; users=ASN_ACL environment
nomad /usr/bin/nomad $*; users=ASN_ACL environment
tcpdump /usr/sbin/tcpdump $*; users=ASN_ACL environment
nmap /usr/bin/nmap $*; users=ASN_ACL environment
updatedb /usr/bin/updatedb; users=ASN_ACL environment
makewhatis /bin/sh -c '
/usr/sbin/makewhatis &
echo makewhatis running in the background
';
users=ASN_ACL environment
cdrom /sbin/mount /mnt/cdrom; users=ASN_ACL
eject /usr/bin/eject; users=ASN_ACL
nmap /usr/bin/nmap $*; users=ASN_ACL environment
grip /bin/sh -c '/usr/bin/nice -n 19 /usr/bin/grip &';
users=ASN_ACL
user=athomas
group=audio
umask=007
environment
# Cavern local commands
gtkam /usr/bin/gtkam; users=athomas environment $DISPLAY $GTKRC=/home/athomas/.gtkrc
drip /usr/bin/drip; users=athomas environment $DISPLAY $GTKRC=/home/athomas/.gtkrc
evms /bin/sh -c 'PATH=/sbin:/usr/sbin:$PATH /sbin/evmsgui &'; users=athomas environment $DISPLAY $GTKRC=/home/athomas/.gtkrc
xine /usr/bin/xine; users=athomas environment $DISPLAY
# An example of scripts within an op command
mount /bin/sh -c '
case $1 in
cdrom) /bin/mount /mnt/cdrom ;;
dvd) /bin/mount -o ro /dev/dvd /mnt/dvd ;;
burner) /bin/mount -o ro /dev/burner /mnt/burner ;;
*) echo "op: you do not have permission to mount \'$1\'" ;;
esac
';
users=athomas environment
apache /usr/sbin/apachectl $1;
users=athomas
environment
$1=start|stop|restart
umount /bin/sh -c '
case $1 in
cdrom) /bin/umount /mnt/cdrom ;;
dvd) /bin/umount /mnt/dvd ;;
burner) /bin/umount /mnt/burner ;;
*) echo "op: you do not have permission to unmount \'$1\'" ;;
esac
';
users=athomas environment
tail /usr/bin/tail -f $1; users=athomas
```