Linux security: Replacing "sudo" to log users


djBon2112
FINAL EDIT: Since this idea seems to be more trouble than it's worth, I'm scrapping it in favour of just using VMs to control access. My original thread on UbuntuForums is still open though if anyone wants to add something! http://ubuntuforums.org/showthread.php?t=1290826

(Sorry in advance for the long post, just skip down to the code section if you don't care about the back story ;))

OK, this is a bit of a pickle I've gotten myself into. Basically, I run small (and in the future, hopefully bigger) LAN parties, and I'm setting up a server for use at those parties, in order to run dedicated game servers. Now, our LANs are (at least now), kinda free-for-all, in that we play a lot of different games at different times. Our single biggest complaint is setup time, including setting up the game servers, so I want to be able to offload that duty to whoever wants to set that particular game up.

Now, I want to be able to go hands-off with this, giving a volunteer access to an account that lets them set up a game server, but logging their root access attempts, which is where my dilemma comes in. As a lot of you know, running game servers on Linux tends to require root access to at least start the server, and sometimes to make modifications to it (and to install it). I don't want to be giving people my root password, but I do want to be hands-off in setting this up as I said, letting me focus on more important things (like my guests, the food, other things hosts worry about).

What I had in mind was a script that does the following:

1. Replaces "sudo" for a given user.

2. Displays a warning to the user (easy enough) and asks them for some information (Who you are, who authorized you, and the password).

3. Log that information, as well as the IP of the computer they're currently logged in from (headless server, accessed via SSH), to a root-readable-only log in /var.

4. Execute the command (passed as an argument to the script) as root (obviously), but using their password (i.e. like sudo).

Now, I know this isn't an ideal solution, but I can't think of a better one that lets me have a hands-off approach to individual game servers, while remaining portable (that is, I can use it with any game server software on any machine, without having to do major configuration changes like setting other aliases, setting file permissions, etc.). I DO somewhat trust the people I'd be giving this account to (friends of friends mostly), but I'd like a log just in case that account is compromised or something, or they turn out to be dicks. Clearly if we get bigger I won't be using this kind of script (I'll get trusted people to help me full-time), but I want something for our next few parties that lets me be a host and not just the server admin for a change!

Now, I have a mostly-functional script, but there are still a few problems (as I've pointed out above).

Code:
#!/bin/bash

#
# This script replaces the standard "sudo" command on the public LanNET servers.
# It requests the full name of the user requesting the authorization, as well
# as who gave them permission to make this modification. The entered data,
# along with a record of who is logged in at the time and from where, is
# stored in a root-viewable text file at /var/lannet/sudoauth.log
#
# This script is hereby released under the GNU GPL v3. For details of the license,
# please see http://www.gnu.org/licenses/gpl
#

# The real sudo binary, called by absolute path. Aliases are not expanded in a
# non-interactive script, so the user's "sudo" alias never affects this script
# and does not need to be removed or restored here.
SUDO=/usr/bin/sudo
LOGFILE=/var/lannet/sudoauth.log

#
# FUNCTIONS
#

# Exits the script when the Ctrl+C interrupt is called
exit_script()
{
   clear
   exit 1
}

# Appends one line to the root-only log file via sudo (tee's output is
# discarded so the line is not echoed back to the user)
log_line()
{
   printf '%s\n' "$1" | "$SUDO" tee -a "$LOGFILE" > /dev/null
}

#
# MAIN SCRIPT
#

# Start: Trap Ctrl+C and display the warning message
trap exit_script INT
dialog --title "NOTICE! PLEASE READ BEFORE CONTINUING" --backtitle "LanNET 'sudo' Policy" --msgbox "Modification of this server requires express permission from a LanNET administrator. FAILURE TO OBTAIN THIS PERMISSION BEFORE MAKING ANY CHANGES TO THIS MACHINE, OR MAKING ANY MALICIOUS CHANGES TO THIS MACHINE, WILL BE PUNISHABLE BY EXPULSION FROM THE EVENT WITHOUT REFUND. ALL LOGIN AND SUDO ATTEMPTS TO THIS MACHINE ARE LOGGED. If you wish to continue, press \"OK\"." 13 50

# Clear the screen and ask for the username
clear
echo "Please enter your full name as shown on your ID:"

# Get the first input, which is the name of the person making the change
read -r AUTHUSER

# Ask for the administrator
echo ""
echo "Please enter the name of the authorizing administrator:"

# Get the second input, which is the name of the authorizing administrator
read -r AUTHADMIN

echo ""

# Drop any cached credentials, then ask for the user's own sudo password now
# instead of later. "sudo -v" only refreshes the credential timestamp, so a
# failed authentication is detected here and the command is never run.
"$SUDO" -k
if ! "$SUDO" -v; then
   echo "Authentication failed. Command not executed."
   exit 1
fi
clear

# Make sure the log directory exists, then log the information to
# /var/lannet/sudoauth.log, root viewable only
"$SUDO" mkdir -p "$(dirname "$LOGFILE")"
log_line '------------------------'
log_line 'LOGGED ATTEMPT AT SUDO'
log_line "Date: $(date)"
log_line "User: $(whoami)"
log_line "Participant: $AUTHUSER"
log_line "Authorization: $AUTHADMIN"
log_line "Command: $*"
log_line "\"who\" data: $(who --ips)"
log_line ""

echo "Authorization successful. Command executing."
echo ""

# Double-check/reset permissions of that log file, so that only root can read it
"$SUDO" chown root:root "$LOGFILE"
"$SUDO" chmod 600 "$LOGFILE"

# Execute the command, passing every argument through unchanged (quoted "$@"
# keeps arguments containing spaces intact); the script exits with its status
"$SUDO" "$@"

So to recap: I've got that script, to replace sudo, but I have the following problems:

1. Must find a way to force this on the user, i.e. find a way to stop them manually running /usr/bin/sudo

2. (Ties in to 1) If needed, somehow eliminate using "sudo" in the script (due to 1), but let them authenticate with their own password (since obviously I don't want to give out the server's root password).

SOLVED 3. Log the IP of their remote SSH session (only missing feature, really). Didn't realize "who" gave your hostname/IP as well, and with --ips it gives the IP all the time, so that solves this issue.

I thank you for your time and ideas. Mods, I thought this forum would get the most views and help but feel free to move it as needed!
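The two open problems above (enforcing a restriction on what the volunteer account can elevate, and recording the origin of the SSH session rather than everything "who" prints) are what sudoers and sshd normally handle; as an added example that is not part of the original post, these POSIX sh helpers show the defensive logic a wrapper would need. The function names, the allowlist paths and the sample session values are this example's own assumptions; SSH_CONNECTION is set by OpenSSH for the current session.

```shell
#!/bin/sh
# Added example, not the original poster's script. Helpers for a sudo wrapper:
# (1) the client IP of the *current* SSH session, (2) an exact-match allowlist of
# commands the volunteer account may elevate, (3) a one-line audit record.

# Allowlist of absolute command paths (constructed for this example).
ALLOWED_COMMANDS="/opt/games/start-server /opt/games/stop-server /usr/bin/apt-get"

# Prints the client IP of the current SSH session. sshd sets SSH_CONNECTION to
# "client_ip client_port server_ip server_port"; without an SSH session the
# record says "local".
ssh_client_ip() {
    if [ -n "$SSH_CONNECTION" ]; then
        printf '%s\n' "$SSH_CONNECTION" | cut -d' ' -f1
    elif [ -n "$SSH_CLIENT" ]; then
        printf '%s\n' "$SSH_CLIENT" | cut -d' ' -f1
    else
        echo local
    fi
}

# Returns 0 if $1 is exactly one of the allowlisted absolute paths, else 1.
# Exact string matching is deliberate: a relative path, a bare name resolved
# through PATH, or a shell such as /bin/bash are all rejected.
command_allowed() {
    for cmd in $ALLOWED_COMMANDS; do
        [ "$1" = "$cmd" ] && return 0
    done
    return 1
}

# Builds one single-line audit record from the fields the wrapper collects.
# Usage: audit_line <unix_user> <participant> <admin> <command...>
audit_line() {
    user=$1 participant=$2 admin=$3
    shift 3
    printf 'user=%s ip=%s participant="%s" admin="%s" cmd="%s"\n' \
        "$user" "$(ssh_client_ip)" "$participant" "$admin" "$*"
}
```

The audit record is still written by a process the user controls; sudo's own syslog entries (user, TTY, working directory and command) remain the authoritative trail, and this wrapper only adds the "who authorized you" context to them.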
1. Must find a way to force this on the user, i.e. find a way to stop them manually running /usr/bin/sudo

Linux has startup services? Couldn't you make it run when the user logs in?


3. Log the IP of their remote SSH session (only missing feature, really).

Check the sshd server configuration. There are ways to log failed attempts, so why not real attempts?
 
1. Must find a way to force this on the user, i.e. find a way to stop them manually running /usr/bin/sudo

Linux has startup services? Couldn't you make it run when the user logs in?

I don't think you understand what the script does ;) It would be run in place of "sudo" by the user in order to elevate a command to root, not at startup. Problem is, even if I alias "sudo" to be this script, I can't alias the manual entry of /usr/bin/sudo, so I need to somehow block this for the user, but not for this script, or ditch "sudo" in the script, but I'm not sure how to go about doing that.

3. Log the IP of their remote SSH session (only missing feature, really).

Check the sshd server configuration. There are ways to log failed attempts, so why not real attempts?

I didn't even think of that! Good idea, I'm going to look into it now.
 