op - controlled privilege escalation
About
The op tool provides a flexible means for system administrators to grant access to certain root operations without having to give them full superuser privileges. Different sets of users may access different operations, and the security-related aspects of each operation can be carefully controlled.
It was originally written around 1990 by Tom Christiansen and Dave Koblas. Further updates and porting were performed by Howard Owen. The last version of this vintage is available here. The current version is maintained by Alec Thomas.
I first came into contact with op whilst working at Access Gaming Systems, where op was used extensively to control developer and administrator access to resources.
Development
Discussion relating to the development of op can be found here. Feel free to log in and add your ideas and comments.
Extra Feature Patches
Some kind op users have contributed patches that add extra features which others might find useful. You can get them here.
Bugs/Feature Requests
Report bugs or feature requests or view active tickets.
News
Old news is available at op/oldnews.
Change Log
The op/changelog contains the history of releases and their changes.
Documentation
The man page included with op is the authoritative source of information for configuration and usage of op, but some of its more interesting features are documented briefly below.
Original Features
Mnemonics
The main attraction of op over sudo is its use of mnemonics rather than true commands. This allows an administrator to present users with more intuitive commands.
For example, instead of requiring the user to do something like this:
$ sudo /bin/mount -t iso9660 /dev/cdrom /mnt/cdrom
op allows the following:
$ op mount cd
Fine-grained Per-Command Control
Each command in the op configuration file has a number of keywords and key/value pairs associated with it. Each of these modifies the default behaviour. The keyword environment, for example, passes the original user's environment on to the final command.
A Really Short Name
op has a short name and as any Unix head should know, this can only be a Good Thing (tm).
New Features
I have added quite a few features since encountering version 1.11 of op. Some of the more basic additions are PAM support and various security fixes. Other more interesting additions follow.
Host-based Access Control
Host-based access control is particularly useful for environments where a single op.conf is used among multiple servers.
Here is an example of a host-based restriction. The user athomas can only execute xine on the host cavern.
xine /usr/bin/xine;
users=athomas@cavern
environment
$DISPLAY
Variable Expansion
The ability to restrict access by host also required the addition of basic variable expansion, to ease the management of large access control lists.
The following example shows the expansion of a user/host list. It allows the user athomas to obtain a root shell on all servers, while the user dcooper may only obtain root on the internal servers cavern and seraph.
DMZ_SERVERS=blink|iris
INTERNAL_SERVERS=cavern|seraph
ALL_SERVERS=DMZ_SERVERS|INTERNAL_SERVERS
ACL=athomas@(ALL_SERVERS),dcooper@(INTERNAL_SERVERS)
shell /bin/su -; users=ACL environment password
The final line would be expanded to the following, which is matched as a regular expression against user@hostname.
shell /bin/su -; users=athomas@(blink|iris|cavern|seraph),dcooper@(cavern|seraph)
Command Expiration
op has the ability to expire access to arbitrary commands at a specific time.
This example lets the users admin and operator start, stop or restart Apache; however, the operator user's access will expire at midnight on the 20th of January 2004.
apache /usr/sbin/apachectl $1;
users=admin,operator/20040120
environment
$1=start|stop|restart
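To make the user@host matching, expiry and $1 constraint rules above concrete, here is an added Python model of how a users= clause is expanded and evaluated. It is not op's own C code; it assumes that patterns are matched as anchored regular expressions, that an entry without an @ part applies on every host, and that a /YYYYMMDD expiry date is inclusive.

```python
import re

# Constructed variable definitions, copied from the page's expansion example.
VARS = {
    "DMZ_SERVERS": "blink|iris",
    "INTERNAL_SERVERS": "cavern|seraph",
    "ALL_SERVERS": "DMZ_SERVERS|INTERNAL_SERVERS",
    "ACL": "athomas@(ALL_SERVERS),dcooper@(INTERNAL_SERVERS)",
}

def expand(text, variables, depth=0):
    """Replace upper-case variable names with their recursively expanded values."""
    if depth > 32:  # a self-referencing definition would otherwise loop forever
        raise ValueError("variable expansion too deep, check for cycles")

    def sub(match):
        name = match.group(0)
        if name not in variables:
            return name
        return expand(variables[name], variables, depth + 1)

    return re.sub(r"\b[A-Z][A-Z0-9_]*\b", sub, text)

def user_host_allowed(users_clause, user, host, today):
    """Evaluate an expanded users= list: comma-separated user@host regexes,
    each with an optional /YYYYMMDD expiry.  `today` is a YYYYMMDD string so
    that a plain string comparison orders dates correctly (assumed inclusive)."""
    for entry in users_clause.split(","):
        pattern, _, expiry = entry.partition("/")
        if expiry and today > expiry:
            continue  # expired: this entry never matches again
        if "@" not in pattern:
            pattern += "@.*"  # assumption: no host part means every host
        # fullmatch anchors the regex; an unanchored search would also let
        # "athomas@..." match a user named "xathomasx"
        if re.fullmatch(pattern, f"{user}@{host}"):
            return True
    return False

def arg_allowed(constraint, value):
    """Check a $1=... constraint against the argument the user supplied."""
    return re.fullmatch(constraint, value) is not None
```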
Multi-line Arguments
op arguments can now be quoted multi-line strings, which allows small scripts to be defined directly in the op.conf:
mount /bin/sh -c '
case $1 in
cdrom) /bin/mount /mnt/cdrom ;;
dvd) /bin/mount -o ro /dev/dvd /mnt/dvd ;;
burner) /bin/mount -o ro /dev/burner /mnt/burner ;;
*) echo "op: you do not have permission to mount \'$1\'" 1>&2 ;;
esac
';
users=ROOT_USERS environment
Netgroups
Netgroups can be used to restrict access to mnemonics:
reboot /sbin/reboot;
netgroup=administrators
Config Directory (new in 1.26)
All configuration files in /etc/op.d with the extension .conf are read. This reduces administration overhead in enterprise environments.
Download
http://swapoff.org/files/op/op-1.32.tar.gz 795b0ffabd305d48288aff46542fe3bf
http://swapoff.org/files/op/op-1.31.tar.gz 3dba3286cfab5b91e7e90a84b0305cbd
http://swapoff.org/files/op/op-1.30.tar.gz 3cdf2a171a99df7e96f302dd54b2d96b
http://swapoff.org/files/op/op-1.29.tar.gz 5b73d3c341f46eb7ff4b515a0b3f7864
http://swapoff.org/files/op/op-1.28.tar.gz d356e366ecf111ae170ac76f058207cf
http://swapoff.org/files/op/op-1.27.tar.gz cb247040de0f1754a7a7bcc4e9640ad8
http://swapoff.org/files/op/op-1.26.tar.gz e03f9449126a932139334050e131fc1d
http://swapoff.org/files/op/op-1.25.tar.gz 82f4a1f885e7d0c87a559e4d70c6e47f
http://swapoff.org/files/op/op-1.24.tar.gz 4cd2a5e0e7ccb16560d20d9582852a59
http://swapoff.org/files/op/op-1.23.tar.gz 8c7d354bc6f38fb67bbdcbb2016b871a
http://swapoff.org/files/op/op-1.22.tar.gz b5ef422dcd7ff52dcf0ed6d2674d6424
http://swapoff.org/files/op/op-1.21.tar.gz f439d5736c811151d9326b527a19709f
http://swapoff.org/files/op/op-1.20.tar.gz 725bc3e54044de1d9181a6f1bcc6365f
http://swapoff.org/files/op/op-1.1.10.tar.gz a83d1f1d5f8ed23b5b66952a2984600b
http://swapoff.org/files/op/op-1.1.9.tar.gz d811f5b10ca24d74f5b9c66b4c630f7d
Example Configuration File
# Host definitions
SWAPOFF_ORG=(blink|iris|seraph|cavern)
FAILOVER_ORG=(thoth|ash|oak|widow)
SELLICK_ID_AU=(beholder|kraken)
ASN=(SWAPOFF_ORG|FAILOVER_ORG|SELLICK_ID_AU)
# User definitions
SWAPOFF_ORG_USERS=(athomas)
SELLICK_ID_AU_USERS=(psellick)
FAILOVER_ORG_USERS=(dcooper)
ASN_USERS=(SWAPOFF_ORG_USERS|SELLICK_ID_AU_USERS|FAILOVER_ORG_USERS)
# ACL definitions
FAILOVER_ORG_ACL=FAILOVER_ORG_USERS@FAILOVER_ORG
SWAPOFF_ORG_ACL=SWAPOFF_ORG_USERS@SWAPOFF_ORG
SELLICK_ID_AU_ACL=SELLICK_ID_AU_USERS@SELLICK_ID_AU
ASN_ACL=root|FAILOVER_ORG_ACL|SWAPOFF_ORG_ACL|SELLICK_ID_AU_ACL
# Group definitions
ASN_GROUPS=asn
# Actions requiring authentication
shell /bin/su -; users=ASN_ACL environment password
sh /bin/su -; users=ASN_ACL environment password
vi /usr/bin/vi $*; users=ASN_ACL password
reboot /sbin/reboot; users=ASN_ACL environment password
# Password-less commands
shutdown /sbin/shutdown -h $1; users=ASN_ACL environment
$1=now|[2[0-3 0-1]?[0-9]:[0-9][0-9]]:[0-5][0-9]|\+[0-9]+
ethereal /usr/bin/ethereal $*; users=ASN_ACL environment
nomad /usr/bin/nomad $*; users=ASN_ACL environment
tcpdump /usr/sbin/tcpdump $*; users=ASN_ACL environment
nmap /usr/bin/nmap $*; users=ASN_ACL environment
updatedb /usr/bin/updatedb; users=ASN_ACL environment
makewhatis /bin/sh -c '
/usr/sbin/makewhatis &
echo makewhatis running in the background
';
users=ASN_ACL environment
cdrom /sbin/mount /mnt/cdrom; users=ASN_ACL
eject /usr/bin/eject; users=ASN_ACL
grip /bin/sh -c '/usr/bin/nice -n 19 /usr/bin/grip &';
users=ASN_ACL
user=athomas
group=audio
umask=007
environment
# Cavern local commands
gtkam /usr/bin/gtkam; users=athomas environment $DISPLAY $GTKRC=/home/athomas/.gtkrc
drip /usr/bin/drip; users=athomas environment $DISPLAY $GTKRC=/home/athomas/.gtkrc
evms /bin/sh -c 'PATH=/sbin:/usr/sbin:$PATH /sbin/evmsgui &'; users=athomas environment $DISPLAY $GTKRC=/home/athomas/.gtkrc
xine /usr/bin/xine; users=athomas environment $DISPLAY
# An example of scripts within an op command
mount /bin/sh -c '
case $1 in
cdrom) /bin/mount /mnt/cdrom ;;
dvd) /bin/mount -o ro /dev/dvd /mnt/dvd ;;
burner) /bin/mount -o ro /dev/burner /mnt/burner ;;
*) echo "op: you do not have permission to mount \'$1\'" ;;
esac
';
users=athomas environment
apache /usr/sbin/apachectl $1;
users=athomas
environment
$1=start|stop|restart
umount /bin/sh -c '
case $1 in
cdrom) /bin/umount /mnt/cdrom ;;
dvd) /bin/umount /mnt/dvd ;;
burner) /bin/umount /mnt/burner ;;
*) echo "op: you do not have permission to unmount \'$1\'" ;;
esac
';
users=athomas environment
tail /usr/bin/tail -f $1; users=athomas
