非特权，非root用户，用于启动或重新启动没有root或sudo的Web服务器服务器(例如nginx) [英] Non-privileged, non-root, user to start or restart webserver server such as nginx without root or sudo

问题描述

我正在使用capistrano部署Rails Web应用程序.我想给网络服务器上的部署用户尽可能少的特权.除了重新启动Web服务器之外，我还能够以非特权用户身份执行所有操作.

I'm using capistrano to deploy a rails web app. I want to give the deploy user on the webserver as few privileges as I can. I was able to do everything I need to do as a non-privileged user except restart the webserver.

我正在ubuntu服务器上执行此操作，但是此问题并非特定于我的用例(rails，capistrano，部署)，并且我已经看到很多解决此问题的方法，这些方法似乎涉及不良的安全实践.想知道其他人是否可以审查我的解决方案并建议它是否安全?

I'm doing this on an ubuntu server, but this problem is not specific to my use case (rails, capistrano, deployment), and I've seen a lot of approaches to this problem that seem to involve poor security practices. Wondering whether others can vet my solution and advise whether it's secure?

首先，这不是必需的，但是我不知道为什么/etc/init.d/nginx需要其他用户进行任何(甚至读取)访问.如果他们需要阅读它，请使其成为root用户(通过sudo或其他方式)，所以我:

First, not necessary, but I have no idea why /etc/init.d/nginx would need any (even read) access by other users. If they need to read it, make them become root (by sudo or other means), so I:

chmod 750 /etc/init.d/nginx

由于所有权是所有者根，所以组根(或可以使用chown root:root/etc/init.d/nginx进行设置)只能是根，或者被适当地sudo'的用户可以读取，更改或运行/etc/init.d/nginx，并且我不会授予我的部署用户任何此类广泛的权利.相反，我只给部署用户特定的sudo权限来运行控制脚本/etc/init.d/nginx.他们将无法运行编辑器进行编辑，因为他们只能执行该脚本.这意味着，如果有人以部署用户的身份访问我的机器，他们可以重新启动和停止nginx进程等，但是他们不能做更多的事情，例如将脚本更改为执行许多其他邪恶的事情.

Since the ownership is owner root, group root (or can be set such with chown root:root /etc/init.d/nginx) only root, or a user properly sudo'ed, can read, change or run /etc/init.d/nginx, and I'm not going to give my deploy user any such broad rights. Instead, I'm only going to give the deploy user the specific sudo right to run the control script /etc/init.d/nginx. They will not be able to run an editor to edit it, because they will only have the ability to execute that script. That means that if a someone gets access to my box as the deploy user, they can restart and stop, etc, the nginx process, but they cannot do more, like change the script to do lots of other, evil things.

具体来说，我正在这样做:

Specifically, I'm doing this:

visudo

visudo 是用于编辑sudoers文件的特定工具，具有sudoer特权来访问它.

visudo is a specific tool used to edit the sudoers file, and you have to have sudoer privileges to access it.

使用visudo，我添加:

Using visudo, I add:

# Give deploy the right to control nginx
deploy ALL=NOPASSWD: /etc/init.d/nginx

检查 sudo man 页，但是据我所知，第一列是被赋予用户sudo权限的用户，在本例中为"deploy". ALL提供了来自所有类型的终端/登录的部署访问权限(例如，通过ssh).最后，/etc/init.d/nginx仅使部署用户具有运行/etc/init.d/nginx的root访问权限(在这种情况下，NOPASSWD意味着没有密码，我需要无人参与的部署) .部署用户无法编辑脚本使其变得邪恶，他们需要 FULL sudo访问权限才能执行此操作.实际上，除非他们具有root用户访问权限，否则没有人可以这样做，这是一个更大的问题. (我测试了用户部署完成后无法编辑脚本，您也应该这样做！)

Check the sudo man page, but as I understand this, the first column is the user being given the sudo rights, in this case, "deploy". The ALL gives deploy access from all types of terminals/logins (for example, over ssh). The end, /etc/init.d/nginx, ONLY gives the deploy user root access to run /etc/init.d/nginx (and in this case, the NOPASSWD means without a password, which I need for an unattended deployment). The deploy user cannot edit the script to make it evil, they would need FULL sudo access to do that. In fact, no one can unless they have root access, in which case there's a bigger problem. (I tested that the user deploy could not edit the script after doing this, and so should you!)

你们怎么看?这行得通吗?有更好的方法可以做到这一点吗?我的问题类似于此和

What do you guys think? Does this work? Are there better ways to do this? My question is similar to this and this, but provides more explanation than I found there, sorry if it's too duplicative, if so, I'll delete it, though I'm also asking for different approaches.

推荐答案

最佳实践是使用/etc/sudoers.d/myuser

/etc/sudoers.d/文件夹可以包含多个文件，允许用户使用sudo调用文件而无需root用户.

The /etc/sudoers.d/ folder can contain multiple files that allow users to call stuff using sudo without being root.

该文件通常包含一个用户以及用户无需指定密码即可运行的命令列表.如

The file usually contains a user and a list of commands that the user can run without having to specify a password. Such as

sudo service nginx restart

请注意，我们正在使用sudo运行命令.如果没有sudo，将永远不会使用sudoers.d/myuser文件.

Note that we are running the command using sudo. Without the sudo the sudoers.d/myuser file will never be used.

此类文件的一个示例是

myuser ALL=(ALL) NOPASSWD: /usr/sbin/service nginx start,/usr/sbin/service nginx stop,/usr/sbin/service nginx restart

这将允许myuser用户调用Nginx服务的所有启动，停止和重新启动.

This will allow the myuser user to call all start, stop and restart for the nginx service.

您可以在另一行中添加其他服务，或继续将其添加到以逗号分隔的列表中，以控制更多项.

You could add another line with another service or continue to append them to the comma separated list, for more items to control.

还请确保您已运行以下命令以保护事物

Also make shure you have run the command below to secure things

chmod 0440 /etc/sudoers.d/myuser

这也是我启动和停止服务的方式，我自己创建的新贵脚本位于/etc/init中 如果您希望能够轻松运行自己的服务，则值得一试.

This is also the way I start and stop services my own created upstart scripts that live in /etc/init It can be worth checking that out if you want to be able to run your own services easily.

说明:

在所有命令中，将 myuser 替换为您要用于启动，重新启动和停止nginx而不使用sudo的用户的名称.

In all commands, replace myuser with the name of your user that you want to use to start, restart, and stop nginx without sudo.

1. 为您的用户打开sudoers文件:

1. Open sudoers file for your user:

$ sudo visudo -f /etc/sudoers.d/myuser

编辑器将打开.在此粘贴以下行:

Editor will open. There you paste the following line:

$ myusername ALL=(ALL) NOPASSWD: /usr/sbin/service nginx start,/usr/sbin/service nginx stop,/usr/sbin/service nginx restart

通过按 ctrl + o 保存.它将询问您要保存的位置，只需按 enter 确认默认值.然后使用 ctrl + x 退出编辑器.

Save by hitting ctrl+o. It will ask where you want to save, simply press enter to confirm the default. Then exit out of the editor with ctrl+x.

这篇关于非特权，非root用户，用于启动或重新启动没有root或sudo的Web服务器服务器(例如nginx)的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！