manifest - check a proposed escalation program against a list
manifest [-P pid] [-C config] [-f file] [-g group] [-R root] [-u user] mnemonic program euid:egid cred_type:cred
This helmet is intended to allow a list of approved commands (or
scripts) to be grouped under a single op mnemonic. A file provided to
the helmet contains a list of the allowed commands, each non-comment
line contains a perl regular expression, possibly prefixed by an exit
code. If that RE matches the proposed program, then the proposed exit
code represents the exit status of manifest.
As either the escalated login's or the client's home directory may differ
across instances, the REs list allows the replacement of 2 special
leading strings. A leading tilde slash (~/) is replaced by the proposed
euid's home directory prefixed with a circumflex (^). A leading dot slash
(./) is replaced by the escalated uid's home directory prefixed with a
circumflex (^). This allows a match against files which may be rooted at
different places on various client machines.
In the list of REs, comments from a leading hash (#) to end of line are
ignored. This allows revision identification and mk(1l) markup within
each file. Blank lines are also ignored.
This program takes all the op provided options, but actually doesn't
look at any of them (other than -P, and the program path). It does
sanity check them, just the same.
Like any helmet, most of the configuration is passed from op via the
Every path listed as a value of a matching environment variable
is searched for a matching RE. The files are consulted in lexical
order of their names.
The warning message to replace the common "Sorry" denial message.
If there is not a matching name, then the empty name is consulted
as a better default.
The standard reveal logic, see op-jacket(7).
All of these are deleted from each cmd's environment: $IFS, $CDPATH,
$ENV, $BASH_ENV to prevent perl(1) from refusing to run any commands.
There is no way to set them, but we do not fork(2) any processes.
These are examples from the command line:
Output only the version of the program, then exit.
Output only a summary of the environment expected.
All of these are snips from the op access.cf file. Note that you must
allow any referenced environment variables into the escalated
environment, and it is a really good idea to include a $PATH.
Consult the proposed login's home directory for an allowed list,
which starts with a dot (.) to hide it from ls(1).
Consult the escalated login's home directory for an allow list
based on the client login's user name.
With no in-scope manifest list this helmet always fails.
Allow any system shell, since the /etc/shells file happens to
look just like a list of expressions to this program.
The regular expression list to allow 2 harmless commands, and forbid
the date(1) command:
# $Id... revision control markup $
# date can set the system clock, never allow that --ksb
The date program is excluded with the code CANTCREAT (73), since we do
not want escalated mortals setting the system clock. That's a good
code for "you are not the superuser", while NOPERM (77) is better for a
Always allow the internal echo command, if that is a possible match.
This pseudo-command is the only string presented (by op) without a
leading slash (/), as op doesn't really execve(2) another executable
file. For example:
# Either echo is fine
There is a hackish way to set the default exit code: use a negative
number with an empty RE. For example -63= sets the code for any
unmatched program to 63 (which is in the range of an application spe-
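As an added example (not the op project's own code), the list-matching rules described above, including the comment, blank-line and ~/ and ./ handling and the -63= default-code trick, implemented in Python. Python's re module stands in for perl REs; the general "code=RE" prefix syntax is inferred from the -63= example; the manifest text, the two home directories, the fallback exit code 1 and the rule that the first matching line decides are all assumptions of this example.

```python
import re

# Constructed manifest list (not from the man page). Comments, blank lines,
# "~/" and "./" substitution and the "-63=" default-code trick are from the
# text; the general "code=RE" prefix syntax is inferred from that example.
SAMPLE_MANIFEST = r"""
# $Id: constructed sample manifest $
-63=                    # default exit code for any unmatched program
~/bin/report\.sh$       # script under the proposed euid's home
./\.bin/backup$         # script under the escalated login's home
^/bin/ls$
^/usr/bin/uptime$
73=^/bin/date$          # date can set the system clock: CANTCREAT
^echo$                  # op's internal echo, presented without a leading slash
"""

def parse_manifest(text, proposed_home, escalated_home):
    """Return (default_code, [(exit_code, compiled_re), ...])."""
    default_code = 1            # assumed failure code when no line matches
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # '#' to end of line is a comment
        if not line:                            # blank lines are ignored
            continue
        code = None
        m = re.match(r"^(-?\d+)=(.*)$", line)   # optional exit-code prefix
        if m:
            code, line = int(m.group(1)), m.group(2).strip()
        if code is not None and code < 0 and line == "":
            default_code = -code                # "-63=" means: unmatched -> 63
            continue
        if line.startswith("~/"):               # ~/ -> ^<proposed home>/
            line = "^" + re.escape(proposed_home) + line[1:]
        elif line.startswith("./"):             # ./ -> ^<escalated home>/
            line = "^" + re.escape(escalated_home) + line[1:]
        rules.append((0 if code is None else code, re.compile(line)))
    return default_code, rules

def check(program, manifest_text, proposed_home, escalated_home):
    """Exit status manifest would return for the proposed program path."""
    default_code, rules = parse_manifest(manifest_text, proposed_home, escalated_home)
    for code, rx in rules:
        if rx.search(program):                  # perl-style match; first hit decides
            return code
    return default_code
```

Note that a script under the proposed login's own home only matches through the ~/ rule; the same relative path under that home is not matched by a ./ rule, which is rooted in the escalated login's home.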
This jacket trusts that the op configuration won't allow a malicious
shell command in the regular expression list. Since those lists
could be writable by others than the superuser, you should take care to
audit and protect them.
Manifest should check the permissions of the manifest file, but we
really don't know what they should be.
We do not check the options to the command. It is possible to code
another helmet for that purpose. More often a fixed parameter list is
provided to each listed script (or shell).
K S Braunsdorf, from the Non-Player Character Guild
op at-not-a-spammer ksb dot npcguild.org.nopinks
op(1l), op-jacket(7l), stampctl(8l), getpeereid(3), perl(1), shells(5)