Restrict Access to Dansguardian only
seismicmike
May 18th, 2007, 12:27 AM
Hey is there any way to apply a separate password to Dansguardian other than the admin password - or to restrict access to only that program or whatever b/c I want to protect myself from the temptation to turn it on/off when I'm on (it's more for me right now than any kids I have b/c.... well I don't have any yet), but I still want to be the one to run system updates and be in charge of the system in general...
ie... I don't want to have to call my wife over to run a simple apt-get update of, say, firefox or something that has nothing to do with dansguardian directly.
Thanks
trent dillman
May 18th, 2007, 12:55 AM
...
urukrama
May 21st, 2007, 08:02 AM
I believe there might be a way of accomplishing this through editing the /etc/sudoers file. I've seen this suggested, but never confirmed. It is possible to limit directories that certain users/groups can access through sudo. See, for example, this (http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch09_:_Linux_Users_and_Sudo) site:
Granting Access To Specific Users To Specific Files
This entry allows user peter and all the members of the group operator to gain access to all the program files in the /sbin and /usr/sbin directories, plus the privilege of running the command /usr/local/apps/check.pl. Notice how the trailing slash (/) is required to specify a directory location:
peter, %operator ALL= /sbin/, /usr/sbin/, /usr/local/apps/check.pl
Notice also that the lack of any username entries within parentheses () after the = sign prevents the users from running the commands automatically masquerading as another user. This is explained further in the next example.
You could add all other directories, except dansguardian's /etc/dansguardian/ and /etc/init.d/dansguardian. You'd still have full rights over all the other (except /etc/) root directories, but I'm not sure though if that would still allow you to install new applications (and create new folders in /etc/).
The sudoers manual (http://www.gratisoft.us/sudo/man/sudoers.html) might also be useful. You get some info on using wildcards, which may or may not be useful for accomplishing this. From that site:
An exclamation point ('!') can be used as a logical not operator both in an alias and in front of a Cmnd. This allows one to exclude certain values. Note, however, that using a ! in conjunction with the built-in ALL alias to allow a user to run ``all but a few'' commands rarely works as intended (see SECURITY NOTES below).
[...]
pete HPPA = /usr/bin/passwd [A-z]*, !/usr/bin/passwd root
The user pete is allowed to change anyone's password except for root on the HPPA machines. Note that this assumes passwd(1) does not take multiple usernames on the command line.
(There are some limitations to this approach, though, as mentioned later on that page.)
I've never tried any of this, and have no idea whether this would work or screw up your computer (make sure to back up the sudoers file if you will try this out!). But it might be worth a shot. Please let us know whether it works or not.
Linux_Maths
May 27th, 2007, 04:52 PM
I really want to know this too. Did the previous post work for you? Please let me know.
dailychoices
May 7th, 2008, 02:26 PM
Obviously you would need to create another account that would have the rights to edit the sudoers file. Otherwise you could go right in and remove the line you entered to restrict your access. So along with restricting access to DansGuardian you will also need to restrict access to the sudoers file as well.
I will be working with my wife to nail this down and let you know how it goes.
izak
June 18th, 2008, 04:00 AM
If anyone has a solution to this I will be interested to know it...
Cyclops_
July 11th, 2008, 02:24 AM
This is EXACTLY what I have been trying to accomplish for the last couple of hours with no success. I mean, I will get to a point I think is foolproof, only to find another way around it. What I want is to allow myself full access to all commands possible while blacklisting anything that has anything to do with Dansguardian. visudo is where I turned.
Here is my current methodology:
first, I give myself full access:
myusername ALL = ALL
OK, now I have all access... so, let's start the blacklisting...
First, disallow the ability to disable, restart, etc, anything to do with DG programs:
Cmnd_Alias D = /etc/init.d/dansguardian,/etc/init.d/firehol,/usr/sbin/service,/etc/init.d/tinyproxy,/sbin/iptables,/sbin/ip6tables, /usr/sbin/service
And modify the user line accordingly:
myusername ALL = ALL, !D
OK... so far so good. Now, we don't want to be able to touch anything in the dansguardian folders. Of course the "*" character doesn't work recursively (I really really wish it did!) so, we have to have multiple declarations for each directory.
So we get :
Cmnd_Alias DG = /bin/* /etc/dansguardian/*,/bin/* /etc/dansguardian/*/*, /bin/* /etc/dansguardian/*/*/*, /bin/* /etc/dansguardian/*/*/*/*
Cmnd_Alias DG2 = /usr/bin/* /etc/dansguardian/*,/usr/bin/* /etc/dansguardian/*/*,/usr/bin/* /etc/dansguardian/*/*/*,/usr/bin/* /etc/dansguardian/*/*/*/*
and again modify the user line accordingly:
myusername ALL = ALL, !D, !DG, !DG2
There are 2 problems to this portion. First, is that you could move an executable, say vim, from there to another path, and use it, like so:
sudo mv /usr/bin/vim ~/Desktop && cd ~/Desktop && sudo vim /etc/dansguardian/exceptionsitelist
To this problem, we add the following:
Cmnd_Alias CP_RENAME = /bin/cp /usr/bin/*,/bin/mv /usr/bin/*,/usr/bin/rename /usr/bin/*
Cmnd_Alias CP_RENAME2 = /bin/cp /bin/*,/bin/mv /bin/*,/usr/bin/rename /bin/*
Such that we cannot use the cp / rename / mv commands to copy another command elsewhere and circumvent the block in the first place.
Modifying the user line thus:
myusername ALL = ALL, !D, !DG, !DG2, !CP_RENAME, !CP_RENAME2
Problem 2 ( and I haven't come up with a solution to this yet ) is that you can always download an executable from the internet and use it. Boom, instant access! (arg)
Next problem is that we don't want to be able to use the root user in any way, or we will have absolute control. So we add:
Cmnd_Alias HIJACK_ROOT = /usr/bin/su *root*,/usr/bin/su [-]*
and the new user line:
myusername ALL = ALL, !D, !DG, !DG2, !CP_RENAME, !CP_RENAME2, !HIJACK_ROOT
but this doesn't address the ability to:
sudo -i
I haven't found a fix for that one yet, either.
Finally, and this is the absolute worst problem of all with this... typically any command when run with sudo automatically gains access to anything it wants. It has now taken on sudo access. One thing you could do is, for example, open vim, and then do what is called a "Shell Escape", which is to execute a command from vim, but this command automatically has root powers. The way to do this is with some special command. In vim it's ":!<command>", such that you could:
:! /etc/init.d/dansguardian restart
or
:! gvim /etc/dansguardian/exceptionsitelist
Well it turns out that visudo (sudoers) has a way to turn that off. It's called NOEXEC, and there are a couple of ways to use it. One is that you can set up NOEXEC for specific commands (say /usr/bin/gvim, for example), or you can disable it all together. Problem with specific commands is that there are so MANY that you could possibly use to shell exec. The other problem is, even if you got them all, you haven't got them all. Consider this set of commands:
cat > newprog
#!/bin/bash
gvim /etc/dansguardian/exceptionsitelist
<Control-C>
chmod +x newprog
sudo ./newprog
With this, how could you ever get NOEXEC on only some specific progs to fit your needs?
OK, so you turn on NOEXEC globally. PROBLEM! Now you can't execute a host of commands that you wanted to access in the first place. Like /etc/init.d/apache2 restart, for example. That command relies on the ability to execute other system processes as a privileged user.
So, what now? You start white-listing all the commands that you need to have able to have NOEXEC power.
PROBLEM! What if you edit one of those now white-listed files, and, say, append "gvim /etc/dansguardian/exceptionsitelist" to the end of it, and then execute it? BOOM! Instant Access.
I'm tearing my hair out here, because I, too, would really like to be able to do anything but not have the temptation to touch Dansguardian. I am looking for a solution. Can anyone help? Come up with any answers or ideas?
HELP!!!!!!
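An added example, not part of Cyclops_'s post and not sudo's own code: a simplified Python model of how sudoers matches a command against a list of Cmnd entries, run on the deny-list from the post above and on a hypothetical allow-list. The apt-get entries and the /home/mruser paths are assumptions; the model covers last-match-wins, path wildcards that stop at '/', and argument wildcards that do not.

```python
"""Simplified model of sudoers Cmnd matching, for auditing a policy offline."""
from fnmatch import fnmatchcase

def path_matches(pattern, path):
    if pattern.endswith("/"):            # directory entry: files directly inside it
        return path.rsplit("/", 1)[0] + "/" == pattern
    # In the command path a wildcard never matches '/', so compare per segment.
    p, c = pattern.split("/"), path.split("/")
    return len(p) == len(c) and all(fnmatchcase(y, x) for x, y in zip(p, c))

def cmnd_matches(spec, argv):
    if spec == "ALL":
        return True
    pattern, _, arg_pattern = spec.partition(" ")
    if not path_matches(pattern, argv[0]):
        return False
    if not arg_pattern:                  # no arguments in the entry: any are accepted
        return True
    # Arguments are matched as one joined string; here '*' also matches '/' and spaces.
    return fnmatchcase(" ".join(argv[1:]), arg_pattern)

def allowed(policy, command):
    argv = command.split()
    verdict = False                      # nothing matched: the command is refused
    for entry in policy:                 # the last matching entry wins
        if cmnd_matches(entry.lstrip("!"), argv):
            verdict = not entry.startswith("!")
    return verdict

# Deny-list from the post: "ALL" followed by negated aliases (first entries only).
D = ["/etc/init.d/dansguardian", "/etc/init.d/firehol", "/etc/init.d/tinyproxy",
     "/usr/sbin/service", "/sbin/iptables", "/sbin/ip6tables"]
DG = ["/bin/* /etc/dansguardian/*", "/usr/bin/* /etc/dansguardian/*"]
DENY_LIST = ["ALL"] + ["!" + c for c in D + DG]

# Hypothetical allow-list: only the update commands the first post asks for.
ALLOW_LIST = ["/usr/bin/apt-get update", "/usr/bin/apt-get upgrade"]

# Constructed sample commands, taken from the cases discussed in the thread.
SAMPLES = [
    "/etc/init.d/dansguardian restart",
    "/usr/bin/vim /etc/dansguardian/exceptionsitelist",
    "/usr/bin/vim -n /etc/dansguardian/exceptionsitelist",     # extra argument
    "/home/mruser/Desktop/vim /etc/dansguardian/exceptionsitelist",  # moved binary
    "/home/mruser/newprog",                                     # wrapper script
    "/usr/bin/apt-get update",
]

def audit(policy):
    return {cmd: allowed(policy, cmd) for cmd in SAMPLES}

if __name__ == "__main__":
    for name, policy in (("deny-list", DENY_LIST), ("allow-list", ALLOW_LIST)):
        for cmd, ok in audit(policy).items():
            print(f"{name:10} {'ALLOW' if ok else 'deny ':5} {cmd}")
```

Under the deny-list every command that is not spelled exactly as a negated pattern falls through to ALL; under the allow-list the same commands are refused because nothing grants them.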
eric.duveau
July 11th, 2008, 06:47 AM
As for me, God gave me the wisdom to give up dansguardian. I think dansguardian is good provided that you never got root access. As I am a computer passionate. I bought a good router with filtering in it. I have personally tested Zywall 2 plus and Fortigate 50B. Although it is a bit expensive. You can work with less temptation as you would have given the router password to your friend/wife.
Cyclops_
July 14th, 2008, 03:20 AM
Maybe I _will_ have to get a router...
BUT... I am ALMOST there!!! Here is the latest revision to /etc/sudoers (via visudo):
# Cmnd alias specification
Cmnd_Alias ALL_OK = /bin/,/usr/,/usr/*/*,/sbin/,/etc/init.d/
Cmnd_Alias ALL_CROSS_POLLEN = /bin/* /bin/*,/bin/* /usr/*,/bin/* /usr/*/*,/bin/* /sbin/*,/bin/* /etc/init.d/*,\
/usr/* /bin/*,/usr/* /usr/*,/usr/* /usr/*/*,/usr/* /sbin/*,/usr/* /etc/init.d/*,\
/usr/*/* /bin/*,/usr/*/* /usr/*,/usr/*/* /usr/*/*,/usr/*/* /sbin/*,/usr/*/* /etc/init.d/*,\
/sbin/* /bin/*,/sbin/* /usr/*,/sbin/* /usr/*/*,/sbin/* /sbin/*,/sbin/* /etc/init.d/*
Cmnd_Alias ALL_DANSGUARDIAN = /etc/init.d/dansguardian,/etc/init.d/firehol,/etc/init.d/tinyproxy
Cmnd_Alias ALL_DG_RESTRICTED = /bin/* /etc/dansguardian/*,/usr/* /etc/dansguardian/*,/usr/*/* /etc/dansguardian/*,/sbin/* /etc/dansguardian/*,/etc/init.d/* /etc/dansguardian/*
Cmnd_Alias ALL_DG_RESTRICTED2 = /bin/* /etc/dansguardian/*/*,/usr/* /etc/dansguardian/*/*,/usr/*/* /etc/dansguardian/*/*,/sbin/* /etc/dansguardian/*/*,/etc/init.d/* /etc/dansguardian/*/*
Cmnd_Alias ALL_DG_RESTRICTED3 = /bin/* /etc/dansguardian/*/*/*,/usr/* /etc/dansguardian/*/*/*,/usr/*/* /etc/dansguardian/*/*/*,/sbin/* /etc/dansguardian/*/*/*,/etc/init.d/* /etc/dansguardian/*/*/*
Cmnd_Alias ALL_ROOT = /usr/bin/sudo,/usr/bin/passwd root,/bin/su,/usr/sbin/visudo
Cmnd_Alias ALL_OTHERS = /usr/bin/passwd superuser
Cmnd_Alias SHELLS = /bin/sh,/bin/csh,/bin/ksh,/usr/local/bin/tcsh,/bin/rsh,/usr/local/bin/zsh,/bin/bash
# User privilege specification
root ALL=(ALL) ALL
mruser ALL = ALL_OK, !ALL_DANSGUARDIAN, !ALL_DG_RESTRICTED, !ALL_DG_RESTRICTED2, !ALL_DG_RESTRICTED3, !ALL_ROOT, !ALL_OTHERS, !SHELLS, !ALL_CROSS_POLLEN
superuser ALL = ALL #This user I would not have the password to (my wife would), but it is available in case of need...
This addresses EVERYTHING _except_ the Shell Escape. But instead of taking a blacklist approach, it's more of a whitelist... but with just about every command you'd ever want.
In all technicality I could (to fix the noexec thing):
1. Turn on no_exec globally
2. Whitelist commands that I would want to be able to have exec caps
3. Blacklist the use of any type of editors on the files that have exec caps
Not sure just how tedious that would be just yet... but I'll search for another solution for it first. I was looking at sudoedit and setfacl. Anyone know enough to tell me whether I'm heading down the wrong road?
Thanks!
Cyclops_
July 26th, 2008, 10:37 PM
All right... I think I have just about everything that I can think of at this point... let me know what you think of this?
Defaults env_reset
# Cmnd alias specification
Cmnd_Alias ALL_OK = /bin/,/sbin/,/etc/init.d/,/usr/,/usr/bin/,/usr/sbin/
Cmnd_Alias ALL_CROSS_POLLEN = /bin/* /bin/*,/bin/* /usr/*,/bin/* /usr/bin/*,/bin/* /usr/sbin/*,/bin/* /sbin/*,/bin/* /etc/init.d/*,\
/sbin/* /bin/*,/sbin/* /sbin/*,/sbin/* /usr/*,/sbin/* /usr/bin/*,/sbin/* /usr/sbin/*,/sbin/* /etc/init.d/*,\
/usr/* /bin/*,/usr/* /sbin/*,/usr/* /usr/*,/usr/* /usr/bin/*,/usr/* /usr/sbin/*,/usr/* /etc/init.d/*,\
/usr/bin/* /bin/*,/usr/bin/* /usr/*,/usr/bin/* /usr/bin/*,/usr/bin/* /usr/sbin/*,/usr/bin/* /sbin/*,/usr/bin/* /etc/init.d/*,\
/usr/sbin/* /bin/*,/usr/sbin/* /usr/*,/usr/sbin/* /usr/bin/*,/usr/sbin/* /usr/sbin/*,/usr/sbin/* /sbin/*,/usr/sbin/* /etc/init.d/*
Cmnd_Alias ALL_DANSGUARDIAN = /etc/init.d/dansguardian,/etc/init.d/firehol,/etc/init.d/tinyproxy
Cmnd_Alias ALL_DG_RESTRICTED = /bin/* /etc/dansguardian/*,/usr/* /etc/dansguardian/*,/usr/bin/* /etc/dansguardian/*,/usr/sbin/* /etc/dansguardian/*,/sbin/* /etc/dansguardian/*,/etc/init.d/* /etc/dansguardian/*
Cmnd_Alias ALL_DG_RESTRICTED2 = /bin/* /etc/dansguardian/*/*,/usr/* /etc/dansguardian/*/*,/usr/bin/* /etc/dansguardian/*/*,/usr/sbin/* /etc/dansguardian/*/*,/sbin/* /etc/dansguardian/*/*,/etc/init.d/* /etc/dansguardian/*/*
Cmnd_Alias ALL_DG_RESTRICTED3 = /bin/* /etc/dansguardian/*/*/*,/usr/* /etc/dansguardian/*/*/*,/usr/bin/* /etc/dansguardian/*/*/*,/usr/sbin/* /etc/dansguardian/*/*/*,/sbin/* /etc/dansguardian/*/*/*,/etc/init.d/* /etc/dansguardian/*/*/*
Cmnd_Alias ALL_ROOT = /usr/bin/sudo,/usr/bin/passwd root,/bin/su,/usr/sbin/visudo
Cmnd_Alias ALL_OTHERS = /usr/bin/passwd superuser
Cmnd_Alias ALL_SHELLS = /bin/sh,/bin/csh,/bin/ksh,/usr/local/bin/tcsh,/bin/rsh,/usr/local/bin/zsh,/bin/bash
Cmnd_Alias ALL_NOEXECS = /usr/bin/*edit*,/usr/bin/*vi*,/usr/bin/emacs,/usr/bin/less,/bin/more,/usr/bin/pager,/usr/bin/php,/usr/bin/perl
Cmnd_Alias ALL_EXEC = /usr/sbin/synaptic,/usr/bin/apt*
# User privilege specification
root ALL=(ALL) ALL
mruser ALL=ALL_OK, NOEXEC: ALL_NOEXECS, !ALL_ROOT, !ALL_OTHERS, !ALL_SHELLS, !ALL_DANSGUARDIAN, !ALL_DG_RESTRICTED, !ALL_DG_RESTRICTED2, !ALL_DG_RESTRICTED3, !ALL_CROSS_POLLEN, EXEC: ALL_EXEC
# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
Basically with the sudoers file like this (by using visudo, of course), I have the following setup:
mruser (the primary user account) is NOT in the admin group.
superuser IS in the admin group.
mruser can do just about anything that doesn't meddle with dansguardian. If anything needs to get done on the DG side of things, I have my wife:
su superuser <enter>
(put her password in) <enter>
sudo **** (whatever)
And with her there, I can explain what it is that I am doing.
Cool?
Cyclops_
July 26th, 2008, 11:50 PM
Small modification... needed to make it so that commands with arguments would also be denied:
Change the following Cmnd_Aliases to reflect:
Cmnd_Alias ALL_OK = /bin/,/sbin/,/etc/init.d/,/usr/,/usr/bin/,/usr/sbin/
Cmnd_Alias ALL_CROSS_POLLEN = /bin/* /bin/*,/bin/* /usr/*,/bin/* /usr/bin/*,/bin/* /usr/sbin/*,/bin/* /sbin/*,/bin/* /etc/init.d/*,\
/sbin/* /bin/*,/sbin/* /sbin/*,/sbin/* /usr/*,/sbin/* /usr/bin/*,/sbin/* /usr/sbin/*,/sbin/* /etc/init.d/*,\
/usr/* /bin/*,/usr/* /sbin/*,/usr/* /usr/*,/usr/* /usr/bin/*,/usr/* /usr/sbin/*,/usr/* /etc/init.d/*,\
/usr/bin/* /bin/*,/usr/bin/* /usr/*,/usr/bin/* /usr/bin/*,/usr/bin/* /usr/sbin/*,/usr/bin/* /sbin/*,/usr/bin/* /etc/init.d/*,\
/usr/sbin/* /bin/*,/usr/sbin/* /usr/*,/usr/sbin/* /usr/bin/*,/usr/sbin/* /usr/sbin/*,/usr/sbin/* /sbin/*,/usr/sbin/* /etc/init.d/*,\
\
/bin/* * /bin/*,/bin/* * /usr/*,/bin/* * /usr/bin/*,/bin/* * /usr/sbin/*,/bin/* * /sbin/*,/bin/* * /etc/init.d/*,\
/sbin/* * /bin/*,/sbin/* * /sbin/*,/sbin/* * /usr/*,/sbin/* * /usr/bin/*,/sbin/* * /usr/sbin/*,/sbin/* * /etc/init.d/*,\
/usr/* * /bin/*,/usr/* * /sbin/*,/usr/* * /usr/*,/usr/* * /usr/bin/*,/usr/* * /usr/sbin/*,/usr/* * /etc/init.d/*,\
/usr/bin/* * /bin/*,/usr/bin/* * /usr/*,/usr/bin/* * /usr/bin/*,/usr/bin/* * /usr/sbin/*,/usr/bin/* * /sbin/*,/usr/bin/* * /etc/init.d/*,\
/usr/sbin/* * /bin/*,/usr/sbin/* * /usr/*,/usr/sbin/* * /usr/bin/*,/usr/sbin/* * /usr/sbin/*,/usr/sbin/* * /sbin/*,/usr/sbin/* * /etc/init.d/*
Cmnd_Alias ALL_DANSGUARDIAN = /etc/init.d/dansguardian,/etc/init.d/firehol,/etc/init.d/tinyproxy
Cmnd_Alias ALL_DG_RESTRICTED = /bin/* /etc/dansguardian/*,/usr/* /etc/dansguardian/*,/usr/bin/* /etc/dansguardian/*,/usr/sbin/* /etc/dansguardian/*,/sbin/* /etc/dansguardian/*,/etc/init.d/* /etc/dansguardian/*,\
/bin/* * /etc/dansguardian/*,/usr/* * /etc/dansguardian/*,/usr/bin/* * /etc/dansguardian/*,/usr/sbin/* * /etc/dansguardian/*,/sbin/* * /etc/dansguardian/*,/etc/init.d/* * /etc/dansguardian/*
Cmnd_Alias ALL_DG_RESTRICTED2 = /bin/* /etc/dansguardian/*/*,/usr/* /etc/dansguardian/*/*,/usr/bin/* /etc/dansguardian/*/*,/usr/sbin/* /etc/dansguardian/*/*,/sbin/* /etc/dansguardian/*/*,/etc/init.d/* /etc/dansguardian/*/*,\
/bin/* * /etc/dansguardian/*/*,/usr/* * /etc/dansguardian/*/*,/usr/bin/* * /etc/dansguardian/*/*,/usr/sbin/* * /etc/dansguardian/*/*,/sbin/* * /etc/dansguardian/*/*,/etc/init.d/* * /etc/dansguardian/*/*
Cmnd_Alias ALL_DG_RESTRICTED3 = /bin/* /etc/dansguardian/*/*/*,/usr/* /etc/dansguardian/*/*/*,/usr/bin/* /etc/dansguardian/*/*/*,/usr/sbin/* /etc/dansguardian/*/*/*,/sbin/* /etc/dansguardian/*/*/*,/etc/init.d/* /etc/dansguardian/*/*/*,\
/bin/* * /etc/dansguardian/*/*/*,/usr/* * /etc/dansguardian/*/*/*,/usr/bin/* * /etc/dansguardian/*/*/*,/usr/sbin/* * /etc/dansguardian/*/*/*,/sbin/* * /etc/dansguardian/*/*/*,/etc/init.d/* * /etc/dansguardian/*/*/*
Cmnd_Alias ALL_ROOT = /usr/bin/sudo,/usr/bin/passwd root,/bin/su,/usr/sbin/visudo
Cmnd_Alias ALL_OTHERS = /usr/bin/passwd superuser
Cmnd_Alias ALL_SHELLS = /bin/sh,/bin/csh,/bin/ksh,/usr/local/bin/tcsh,/bin/rsh,/usr/local/bin/zsh,/bin/bash
Cmnd_Alias ALL_NOEXECS = /usr/bin/*edit*,/usr/bin/*vi*,/usr/bin/emacs,/usr/bin/less,/bin/more,/usr/bin/pager,/usr/bin/php,/usr/bin/perl
Cmnd_Alias ALL_EXEC = /usr/sbin/synaptic,/usr/bin/apt*
eric.duveau
July 28th, 2008, 06:45 AM
very interesting, indeed