peff.net
tinysu
tinysu is a featureless replacement for su and
sudo. tinysu is installed setuid root and executable by
members of a particular group. It is intended to be used in situations where
an unprivileged user is being granted full root access, but wants the
convenience of a sudo-style log.
What does tinysu do?
- execute programs as root for authorized users
- write a message describing the command to syslog
What does tinysu not do?
- parse and check a complex authorization scheme while running setuid
root; this is a potential source of errors which can cause unauthorized
root access by local users
- ask for the root password, as su does; permission is granted
by membership in a group, so no password is necessary
- ask for the user's password, as sudo does; since a malicious
program must already be running as the user, it can easily trojan the sudo
program, capture the password, and then use sudo as it pleases
- attempt to clean up the execution environment; because tinysu
is granting full root access to arbitrary programs, there is no security
benefit
- attempt to log for security reasons; because tinysu
is granting full root access to arbitrary programs, the resulting program
can typically rewrite the log (or even win a race condition and prevent the
log from being written in the first place)
When is tinysu not appropriate?
tinysu is not appropriate for some situations where su or
sudo are used. If you want the small amount of extra security
provided by requiring an attacker to set up a trojan and steal the root or
user password, do not use tinysu. If you want a flexibile
authorization scheme based on users, commands, and/or hosts, do not use
tinysu.
Releases
Latest version:
Installation
Unpack the tinysu package:
gunzip -c tinysu-VERSION.tar.gz | tar -xf -
cd tinysu-VERSION
Edit the conf-* files for your installation.
- conf-home contains the installation prefix; tinysu will be
installed in .../bin (default: /usr/local)
- conf-user contains the name or uid of the user whose
privileges will be granted (default: root)
- conf-group contains the name or gid of the group that is
allowed to execute tinysu (default: 0)
Compile the tinysu package:
make
As root, install tinysu:
make setup check
Contact
Questions or bug reports to peff@peff.net.