Best way of arranging admin of permissions?

From: hugoat_private
Date: Thu May 24 2001 - 15:41:42 PDT

  • Next message: Michael Brown: "Re: Best way of arranging admin of permissions?"

       Hi,
    
       I am in the process of designing a program which performs a form of
    task scheduling. Briefly, the system will execute tasks based on
    system events (I'm thinking dial-up networking, here) rather than at a
    given time (as cron does).
    
       However, I have come up with a problem about the best (most secure)
    way of managing user permissions for this program.  Basically, what
    I'm after is something which behaves rather like crontab: There is a
    "system" repository of tasks (like /etc/crontab), and "per-user" tasks
    (like /var/spool/cron/<user>, or whatever).
    
       The "per-user" tasks are executed (under the users own identity)
    when the scheduler is triggered. These tasks are placed in an
    otherwise write-protected area by a suid program, in a similar manner
    to crontab.
    
       This is fine, and (I think) I could do this without too much
    difficulty. However, there is one additional twist: there are two
    types of task -- transient and permanent. The transient tasks are
    executed once (on the next trigger event) and then deleted; the
    permanent tasks are executed at every trigger event. I think that
    there should be a directory structure looking something like this:
    
    /var/spool/taskscheduler/
                             permanent/
                                       user1/<files...>
                                       user2/<files...>
                                       ...
                             transient/
                                       user1/<files...>
                                       ...
    
       What I'd like is to have a nested set of permissions:
    
    Set (A): Some subset of all users -- able to set transient events 
    
    Set (B): Some subset of (A) -- able to set permanent events
    
       I can see a couple of ways of achieving this:
    
    1) Have two groups (say, tsperm and tstemp) which grant access to the
    appropriate configuration directory (the dirs are root.ts(perm|temp)
    drwxrwx--t). -- This allows the user to edit directly their
    configuration files.
    
    2) Have two groups granting access, and check users' membership of the
    appropriate group before allowing them access to the spool dirs (which
    are root.root drwx------). -- This requires a suid-root program.
    
    3) Have two lists of users in a configuration file, allowing access to
    the spool dirs (root.root drwx------ as above). -- This also requires
    a suid-root program.
    
       I *think* that option 2 is the one to go for, but I'm not sure.
    
       So... my questions are:
    
       Which of the above options is the best in terms of secure design?
       Are there any other sensible options I've missed?
       What pitfalls should I try to avoid in implementing this design?
    
       I'd appreciate comments on this. Thanks,
       Hugo.
    
    -- 
        ---- Hugo Mills --- The Creature from the Black Logon ----
    hugoat_private     hugoat_private     hugoat_private
         ---- "We did a risk management review. We concluded ----
                that there was no risk of any management."
    



    This archive was generated by hypermail 2b30 : Fri May 25 2001 - 11:04:13 PDT