The dumb ones see something on the internet and try it out without understanding what it does. The devious ones like to snoop around and look at other people's files and steal their ideas. And the lazy, don't get me started on the lazy ones. How do I protect my system and my users from my users?

First, unix has a very comprehensive filesystem permissions system. This seems to be a decent tutorial on unix filesystem permissions. The gist of this is that directories can be set such that a user can go into a directory and can run programs out of that directory but can't view the contents of that directory. If you do this, for example, on /home, if the user runs ls on /home, they get a permission denied error.

If you're really scared of your users and want to stick them in a supermax type of restricted environment, use something like freebsd's jails or solaris's zones - each user gets their own tailor made environment. For added points use ZFS so you can take a snapshot of the environment when they log in so if they delete their files you can just pull them out of the snapshot.

There are three things that need to be in place to fully do what you're asking for:

1. A custom shell that lacks the commands you're interested in. This is a hard thing to get, but if you really truly don't want users to have access to some shell primitives, this is the only way to remove them.
2. Don't want users to damage the system? Set the permissions so they can't damage the system even if they have the right tools. Of these three steps, this is the easiest step.
3. Use a mandatory access control technology like AppArmor. MACs like AppArmor and SELinux embed permissions in the kernel. These prevent users from running the right tools even if they find them somewhere (and like file permissions, prevent them from using them outside of the restricted box).

Belt, suspenders, and a staple-gun for good measure.

AppArmor is interesting since the MAC for a specific executable is inherited by all of its children. Set a user's login to be /bin/bash-bob, set the AppArmor profile for that specific binary right, and the only way they're getting out of that permission jail is through kernel exploits. Hard to go wrong there. If some lazy install script left /var/opt/vendor/tmp global-writeable for some stupid reason, the user using /bin/bash-bob as their shell won't be able to write there. Set the bash-bob profile to only allow writing to their home directory and /tmp, and such permission mistakes can't be leveraged. Even if they somehow find the root password, the AppArmor profile for /bin/bash-bob will still apply even after they su up since su and the bash process it spawns are children of /bin/bash-bob.

The hard part is building that AppArmor profile.

1. Create an AppArmor profile for /bin/bash-bob and set it to audit mode.
2. Do everything you want Bob to be able to do.
3. Use the auditlog to build the AppArmor profile (SUSE has tools for this, not sure about other Linux distros).

This is monstrously tedious, but needs to happen if you need this level of security.

In my opinion, you only need steps 2 and 3, since in combination they both prevent the ability to do anything harmful outside of the carefully constructed box you set up in both those steps.

The way I usually implement this kind of restriction requires that several conditions are met, otherwise the restriction can be easily circumvented:

- The user does not belong to the wheel group, the only one authorized to use su (enforced via PAM).
- Approving read access to most of the system libraries.
- Approving read and execute rights to the selected few allowed system commands.
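The traverse-only /home trick from the first answer, as an added example that is not part of the original post: it builds a /home-style tree under a temporary directory (so it runs as any user), sets the parent to mode 711 and each home to 700, and then audits for home directories that are still world-readable. The `setup_home_tree`, `mode_of` and `find_world_readable_homes` names and the sample users alice and bob are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): build a /home-style tree where the
# parent directory is traverse-only (mode 711) and each home is private (700), then
# audit for home directories that are still world-readable.
# Paths are constructed under a temporary directory so the script runs as any user.
set -eu

# Create ROOT/home with the recommended modes:
#   home/        711 -> users can cd through it and run programs, but `ls home/` is denied
#   home/<user>/ 700 -> only the owner can read or enter it
setup_home_tree() {
    root=$1
    mkdir -p "$root/home/alice" "$root/home/bob"
    : > "$root/home/alice/notes.txt"
    chmod 711 "$root/home"
    chmod 700 "$root/home/alice" "$root/home/bob"
}

# Print the symbolic mode string (e.g. drwx--x--x) of a path; works with GNU and BSD ls.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# List home directories directly under $1 that any user can list ('other' read bit set).
# These are the ones a snooping user can browse; the fix is `chmod 700` on each.
find_world_readable_homes() {
    find "$1" -mindepth 1 -maxdepth 1 -type d -perm -004 | sort
}

# Stand-alone demo: constructed tree, one deliberately mis-set home, then the audit.
if [ "${1:-}" = "--demo" ]; then
    demo=$(mktemp -d)
    setup_home_tree "$demo"
    chmod 755 "$demo/home/bob"          # simulate a lazy `chmod 755` on one home
    echo "mode of home/: $(mode_of "$demo/home")"
    echo "world-readable homes:"
    find_world_readable_homes "$demo/home"
    rm -rf "$demo"
fi
```

Run it with `--demo` to see the modes and the audit output. Note that the 711 parent only hides the directory listing: a user who already knows the name `/home/alice` can still `cd` into it, which is why each home also needs 700 (root is unaffected by any of these bits).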
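The /bin/bash-bob setup and the three-step profile-building procedure from the second answer, as an added example that is not the answer author's own code: `bash_bob_profile` emits an AppArmor profile that grants read access to libraries and a few command directories, uses `ix` (inherit) execute mode so su and the shells it spawns stay confined, and allows writes only under the user's home and /tmp. The profile path `/etc/apparmor.d/bin.bash-bob`, the `--apply` guard and the rule set are this example's assumptions; `aa-complain`, `aa-logprof`, `aa-enforce` and `apparmor_parser` are the standard apparmor-utils commands (complain mode is AppArmor's name for the answer's "audit mode").

```shell
#!/bin/sh
# Added example (not from the original post): a confined login shell /bin/bash-bob
# with an AppArmor profile that lets the user write only under their home and /tmp.
# The profile text and the helper names are this example's own assumptions.
set -eu

SHELL_PATH=/bin/bash-bob
PROFILE=/etc/apparmor.d/bin.bash-bob   # assumed install path for the profile

# Emit the profile for a user whose home directory is $1. Rules use 'ix' (inherit)
# execute mode, so su and any shell it spawns stay under this profile.
bash_bob_profile() {
    home=$1
    case $home in
        /home/*) ;;
        *) echo "home must be under /home: $home" >&2; return 1 ;;
    esac
    cat <<EOF
#include <tunables/global>

$SHELL_PATH {
  #include <abstractions/base>

  # Read access to configuration and libraries (the "approve read access" condition)
  /etc/**        r,
  /usr/share/**  r,
  /lib/**        mr,
  /usr/lib/**    mr,

  # The commands the user may run; 'ix' keeps children inside this profile
  /bin/**        ix,
  /usr/bin/**    ix,
  /usr/sbin/**   ix,

  # The only writable locations: the user's own home and /tmp
  owner $home/    rw,
  owner $home/**  rw,
  /tmp/           rw,
  /tmp/**         rw,

  # Everything else is already implicitly denied; this just makes the intent explicit
  # for a directory an install script may have left world-writable
  deny /var/opt/vendor/tmp/** w,
}
EOF
}

# Root-only procedure from the answer: install the shell, load the profile in complain
# (log-only) mode, let the user exercise it, then refine from the log and enforce.
if [ "${1:-}" = "--apply" ]; then
    user=${2:?usage: $0 --apply USER}
    cp /bin/bash "$SHELL_PATH"                   # a copy, not a symlink: the profile attaches to this path
    grep -qx "$SHELL_PATH" /etc/shells || echo "$SHELL_PATH" >> /etc/shells
    bash_bob_profile "/home/$user" > "$PROFILE"
    apparmor_parser -r "$PROFILE"                # load (or reload) the profile into the kernel
    aa-complain "$SHELL_PATH"                    # step 1: log violations instead of blocking
    chsh -s "$SHELL_PATH" "$user"
    echo "Step 2: log in as $user and do everything they should be allowed to do."
    echo "Step 3: run 'aa-logprof' to turn the logged accesses into rules, then:"
    echo "        aa-enforce $SHELL_PATH"
fi
```

Without `--apply` the script only defines the functions, so it can be sourced to review the generated profile (`bash_bob_profile /home/bob`) before anything touches the system. The profile is an extra layer on top of DAC: files such as /etc/shadow stay unreadable because of their ordinary permissions, and the profile's job is to make mistakes like a world-writable vendor directory unusable from this shell.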
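The "only wheel may su, enforced via PAM" condition from the last answer, as an added example that is not the answer author's own code: two checks that parse a PAM service file and a group file passed as arguments, so they can be run against constructed copies as well as the live /etc/pam.d/su and /etc/group. The function names, the `--demo` guard and the sample users are this example's assumptions; `pam_wheel.so` with `use_uid` and `pam_rootok.so` are the real PAM modules and option.

```shell
#!/bin/sh
# Added example (not from the original post): verify that su is limited to the wheel
# group via PAM, and that a given user is not a member of wheel.
set -eu

# Return 0 if the PAM stack in file $1 has an active (uncommented) line requiring
# pam_wheel.so for auth, i.e. su is limited to the wheel group. Some distributions
# ship the line commented out, which this check correctly reports as not enforced.
su_limited_to_wheel() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+(required|requisite)[[:space:]]+pam_wheel\.so' "$1"
}

# Print the members of group $2 from group file $1, one name per line.
group_members() {
    awk -F: -v g="$2" '$1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] != "") print m[i] }' "$1"
}

# Return 0 if user $3 is listed in group $2 of group file $1.
user_in_group() {
    group_members "$1" "$2" | grep -qx "$3"
}

# The line to add to /etc/pam.d/su when su_limited_to_wheel reports it is missing.
# use_uid checks the real uid of the calling process rather than its login name.
WHEEL_RULE='auth       required   pam_wheel.so use_uid'

if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    # Constructed sample files for the demo (not real system content)
    printf '%s\n' '# auth required pam_wheel.so use_uid' 'auth sufficient pam_rootok.so' > "$tmp/su.disabled"
    printf '%s\n' 'auth sufficient pam_rootok.so' "$WHEEL_RULE" > "$tmp/su.enforced"
    printf '%s\n' 'wheel:x:10:root,alice' 'users:x:100:alice,bob' > "$tmp/group"
    for f in "$tmp/su.disabled" "$tmp/su.enforced"; do
        if su_limited_to_wheel "$f"; then
            echo "$f: su limited to wheel"
        else
            echo "$f: NOT enforced, add: $WHEEL_RULE"
        fi
    done
    for u in alice bob; do
        if user_in_group "$tmp/group" wheel "$u"; then echo "$u may su"; else echo "$u may not su"; fi
    done
    rm -rf "$tmp"
fi
```

On a real host, run `su_limited_to_wheel /etc/pam.d/su` and `user_in_group /etc/group wheel bob`; both have to hold, since an enforced PAM rule is worthless if the restricted user has been added to wheel by some provisioning script.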