Files of check-in [504f1c80c4] in the top-level directory

subdo

Separates privileges for each program.

Presentation summary slide (uv/summary.pdf, discussed later in this page) rendered as an image file

(introduction video)

Each program gets its own user, and communication is through doas, sudo, or ssh. An example subdo permissions graph, built from the file subdo.dot.

subdo protects against many bugs and naive malware, but it is easily defeated by a targeted attack.

Overview

Subdo installs packages such that your main user (the "super") has the right to run the program through doas, sudo, or ssh as a user dedicated to the particular program (the "sub"). The super and the sub are appended to each other's groups so that you can configure filesystem access appropriately.

Here are some reasons you might want to do this.

It presently supports these user management backends and these package formats/managers.

A more detailed introduction is in subdo(7). There is a summary for use in presentations. The source code is in "summary.svg".

Example

Here is what changes when we add sxiv (an image viewer) with subdo.

doas.conf starts like this. (sudoers or ~/.ssh/authorized_keys would be similar.)

tlevine$ cat /etc/doas.conf
permit nopass setenv { SUDO_USER=tlevine PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/sbin } tlevine cmd subdo_add
permit nopass setenv { SUDO_USER=tlevine PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/sbin } tlevine cmd subdo_delete

subdo_add creates a user and group.

tlevine$ doas subdo_add sxiv
tlevine$ tail -n1 /etc/group /etc/passwd
==> /etc/group <==
tlevine_sxiv:*:1010:tlevine
==> /etc/passwd <==
tlevine_sxiv:*:1009:1000:sxiv for tlevine:/home/tlevine_sxiv:/bin/ksh

The sxiv executable wraps the system sxiv executable.

tlevine$ which sxiv
/home/tlevine/.subdo/usr/local/bin/sxiv
tlevine$ cat `which sxiv`
if test -n "$XAUTHORITY"; then chmod g=u "${XAUTHORITY}"; fi
doas -u 'tlevine_sxiv' '/usr/local/bin/sxiv' "${@}"

And it creates the associated doas (or sudo or ssh) rules.

tlevine$ cat /etc/doas.conf
permit nopass setenv { SUDO_USER=tlevine PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/sbin } tlevine cmd subdo_add
permit nopass setenv { SUDO_USER=tlevine PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/sbin } tlevine cmd subdo_delete
permit nopass setenv { SUDO_USER=tlevine } tlevine cmd /usr/local/libexec/subdo-chown
permit nopass setenv { PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin SUDO_USER=tlevine } tlevine as tlevine_sxiv cmd chmod
permit nopass keepenv setenv {XAUTHORITY LOGNAME=tlevine_sxiv HOME=/home/tlevine_sxiv } tlevine as tlevine_sxiv cmd /usr/local/bin/sxiv
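As an added illustration (not subdo's own code), the POSIX sh functions below reproduce the wrapper script and the doas rules in the shape shown above for an arbitrary super/program pair, and audit a doas.conf for rules that would let a sub user run anything other than chmod or a program under /usr/local/bin; that allowed path prefix is an assumption of this example, not something subdo enforces.

```shell
#!/bin/sh
# Illustration only, not subdo's code. Reproduces the per-program wrapper and
# doas rules seen above, then checks a doas.conf for over-broad sub rules.

# subdo_wrapper SUPER PROG PROGPATH -> wrapper script text on stdout
subdo_wrapper() {
    super=$1 prog=$2 progpath=$3
    # Like the page's wrapper: the sub must read the super's X authority file,
    # so it is made group-readable (this is the X-server weak spot noted below).
    printf '%s\n' \
        'if test -n "$XAUTHORITY"; then chmod g=u "${XAUTHORITY}"; fi' \
        "doas -u '${super}_${prog}' '${progpath}' \"\${@}\""
}

# subdo_rules SUPER PROG PROGPATH -> the two doas.conf lines for this program
subdo_rules() {
    super=$1 prog=$2 progpath=$3 sub="${1}_${2}"
    printf '%s\n' \
        "permit nopass setenv { PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin SUDO_USER=${super} } ${super} as ${sub} cmd chmod" \
        "permit nopass keepenv setenv {XAUTHORITY LOGNAME=${sub} HOME=/home/${sub} } ${super} as ${sub} cmd ${progpath}"
}

# unexpected_rules SUPER CONF -> prints every rule that lets a sub user
# (SUPER_*) run something other than chmod or a /usr/local/bin program
# (assumed allow-list); returns 1 if any were found, 0 otherwise.
unexpected_rules() {
    super=$1 conf=$2 rc=0
    while IFS= read -r line; do
        case $line in
            permit*" as ${super}_"*) ;;   # only rules targeting a sub user
            *) continue ;;
        esac
        cmd=${line##* cmd }               # text after the last " cmd "
        case $cmd in
            chmod|/usr/local/bin/*) ;;
            *) printf '%s\n' "$line"; rc=1 ;;
        esac
    done < "$conf"
    return $rc
}
```

Run `unexpected_rules tlevine /etc/doas.conf` after each subdo_add to confirm that no sub has been granted a broader command than its wrapper needs.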

Installation

With make

Subdo is written in sh, and no compilation is required. Run this to unpack the subdo files into the appropriate directories under /usr/local.

make install

Or set the PREFIX to wherever you want to install it.

make install PREFIX=/usr/local

Or just run from the present directory.

Without make

Rather than downloading the full source repository, you can just download the distribution and extract it to the PREFIX, like this.

wget https://www.subdo.spacetechnology.net/uv/subdo-0.3.tar.gz
tar -xvz -f subdo-0.3.tar.gz -C ${PREFIX:-/usr/local}

Documentation

Subdo

Things subdo uses

Known vulnerabilities

News and discussion

Two email lists are dedicated to subdo.
announce@subdo.spacetechnology.net
This list receives announcements of new versions and similarly significant news. Send mail to announce-subscribe@subdo.spacetechnology.net to subscribe.
discuss@subdo.spacetechnology.net
This is for any other discussion about subdo or about things that people interested in subdo may also be interested in. Send mail to discuss-subscribe@subdo.spacetechnology.net to subscribe.

Ideas for future work

Avoid providing X server access.

SSH communication

Virtual machines

Desired features

Porting

Design