Skip to content

miaowware/iuutils

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

3 Commits

completions

completions

 
 

src

src

 
 

.gitattributes

.gitattributes

 
 

.gitignore

.gitignore

 
 

Cargo.lock

Cargo.lock

 
 

Cargo.toml

Cargo.toml

 
 

LICENCE

LICENCE

 
 

README.md

README.md

 
 

Repository files navigation

iuutils - Infrastructure User Utils

Tool to safely allow running common file utils as a specific user/group using SUID and SGID

Why?

Iuutils is intended to be used for situations where a non-login shared user and group owns "infrastructure" files and directory on a server. It facilitates usage of common file tools while ensuring the permissions are kept and properly set for new files and directories. The sudo equivalent would be sudo -u <user> -g <group> <command>, but it is lengthy, requires entering a password, and requires granting more privileges (sudo access) than actually needed to create files with the right permissions (which is the main goal, after all).

How?

Iuutils is intended to be used as a setuid and setgid binary placed in path. When owned by the "infrastructure" user and its group, any member of that group can execute iuutils and manage files with it. "Others" must not have the execute permission on the binary.

What tools?

Iuutils is hardcoded to only allow running the following tools: ls, cp, mv, rm, ln, mkdir, and touch. Additionally, id can be run to help debug permission issues.

Installation

First, you need to build the binary using cargo in release mode:

$ cargo build --release

The binary should now be present in target/release/iu. Copy it to any location present in PATH.

Change the owner and group of the binary to the user/group that owns the infrastructure.

⚠️ To ensure that only the intended users be able to use it, the iuutils binary MUST NOT be executable by others (chmod o-x iuutils).
We recommend setting the permissions on the binary as ug=rxs,o= or 6550. Both mean the same;

  • user and group can read and execute
  • set id on user and group
  • others can nothing

Custom paths

The default hardcoded path to all tools is /usr/bin/<tool>. If you wish to change it, edit paths.rs, either manually or programmatically. The file shouldn't ever change much at all.

⚠️ Do NOT replace the path to a tool by a different tool.
The "absolutely safe" binary that "can't give a shell" you are now chucking in a privilege excalation system will grant a shell to your favourite attacker.

You know it's going to happen
Don't do it

... or else the evil code pixies will do bad thing to your systems

Copyright

Copyright 2021 0x5c
Released under the BSD 3-Clause License.
See LICENCE for the full license text.

About

Infra User Utils

Resources

Readme

License

BSD-3-Clause license

Code of conduct

Code of conduct

Security policy

Security policy
Activity
Custom properties

Stars

0 stars

Watchers

2 watching

Forks

0 forks
Report repository

Releases

1 tags

Sponsor this project

  •  
Learn more about GitHub Sponsors

Packages

No packages published

Languages