How to Temporarily Suspend Security Policy Checks / Or Temporarily Grant Root Access?

Question

Note: Please feel free to edit the question -- I am having a hard time expressing it!

Question:

How do you impersonate a regular user--while still retaining admin/root privileges to execute any command on behalf of that target user?

A Mechanism To:

1. Allows Complete root/admin access to execute any command;
2. Allows you to specify some "Target Group";
3. Allow you to specify some "Target User";
4. And ensures that all commands, scripts, etc, are executed on behalf of that user/group -- setting the "Target User" and "Target Group" as owner ...

These examples show how pkexec and/or sudo have to be specified for each and every command -- which is what I am trying to avoid doing :

pkexec:

FAIL: Requires admin to prefix with sudo and pkexec.

1. sudo pkexec -u TestUser mkdir /home/TestUser/NewFolder

   • Success: Creates folder and assigns correct permissions

2. sudo pkexec -u btsync mkdir /opt/btsync

   • FAIL: Does not work for service accounts without home folders: Error changing to home directory /home/btsync: No such file or directory

sudo:

FAIL: Requires admin to prefix with sudo.

1 sudo pkexec -u btsync mkdir /opt/btsync

• FAIL: Makes Folder - But Assigns Root Owner.
• FAIL: Requires fixing permissions afterwards, increasing commands entered by x3 sometimes.

Desired Functionally using BTSync as an Example:

• root@localhost > enterElevatedShell -u btsync
• btsync@localhost > nano /etc/asound.conf
• many commands entered manually.
• btsync@localhost > exit
• root@localhost >

or:

• root@localhost > stopauthorizationModules
• root@localhost > sudo -i btsync
• btsync@localhost > nano /etc/asound.conf
• many commands entered manually.
• btsync@localhost > exit
• root@localhost >

or:

• root@localhost > sudo --setUmask=0222 --setTargetUser=btsync
• root@localhost > sudo -E mkdir /opt/btsync

Common Scenarios:

Note: This is in the context of manual system administration.

With Root Access:

1. Create /home/[username]/Subfolder | w/[username] as owner
2. Create /opt/[serviceAccount]Service | w/[serviceAccount] as owener
3. Create/Modify /etc/service/[someconfig] | w /[serviceAccount] as owner

Generally, I execute many, many commands, and going back behind flipping permission bits is tedious, non-consistent, and a security vulnerability rising from admin forgetfulness, or type-os.

Answer 1

To create a directory and immediately set the owner:

sudo install -d -o owner -g group -m 755 /path/to/dir

You need to use install for this if the parent directory is not writeable by "owner" as is the case for /home.

To create files simply use sudo

sudo -u owner touch /path/to/file

Or vi or whatever.

If you have a file you wish to copy and set the owner you can use install again. It works like cp with extra options

sudo install -o owner -g group -m 640 file /path/to/file

If you need to create a large number of files, users and directories etc. and you are worried about consistency perhaps you need too look at a configuration management system like puppet, chef, ansible or the like. It takes a bit more work to set up but it has the advantage that it can be reused.