One more question (I just had an ugly thought... but probably silly):
I need to make sure that in case the user account is compromised (though quite difficult I hope, as ssh does exactly this dirty job), the box will remain safe and the user won't be able to gain root privileges...
The home directory is rw for the user.
Is it possible to copy the 'su' file from his remote machine to mine and then get root?
I've already tried to do it myself and it didn't work, but I'd like some opinions on this..
Just to make sure what the proper procedure for securing the machine is.
Thanks in advance...
Quote:
Originally posted by or1onas ...The home directory is rw for the user....
I'd change that to r without w.
You might also want to develop a group policy giving your users the appropriate privileges by that means.
There is also a kernel extension for better granularity of rights than rwx, I just can't remember its name but I think it's included in the coming SuSE 9.3 as an optional feature. Just google Novell / SuSE...
Quote:
Originally posted by or1onas You're right about the directories being listable if guessed (which is not too difficult of course), but no dir listing access is given to them by chmod -r.
So the user can only get inside his home folder and try to cd to /bin,/lib,etc but he gets a permission denied if he tries to do an ls...
My point was, did you do that to /usr/bin as well as /usr?
Quote:
Originally posted by or1onas Is it possible to copy 'su' file from his remote machine to mine and then get root?
su needs to be owned by root and have the set user ID on execution bit set (see man chmod). Otherwise it cannot give you root access, because it doesn't have it itself. A normal user cannot change file ownership, so he cannot make his su be owned by root. You may want to unset the SUID bit from as many binaries as you can, because they all have a potential ability to give any user running them full access as the user who owns them (usually root). This command should find them:
BTW: Might as well turn off execute permissions for directories as well. Makes it a little harder to search around because you need to guess an exact end path.
You're crippling a LOT of stuff here. I sure hope you are doing this in the chrooted environment and not to the world.
EDIT: Turning off the execute bit on the directories prevents people from cd'ing into them.
Quote:
Originally posted by frob23 You're crippling a LOT of stuff here. I sure hope you are doing this in the chrooted environment and not to the world.
EDIT: Turning off the execute bit on the directories prevents people from cd'ing into them.
Of course the changes we're talking about are done on the chrooted environment...
I'll read up a bit more on folder permissions, though I believe it's quite secure at this point....
If I can make it not even let them cd into the folders, that will be the best!
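
An audit of the kind the thread discusses, as an added example that is not any poster's command: it lists setuid/setgid files under a chroot tree, separates the root-owned ones (the only ones that can confer root, which is why a user-uploaded copy of su does not) and clears the bits on everything not explicitly kept. The function names, the keep-file format and the path argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the thread): audit setuid/setgid files in a chroot tree.
# The tree path and the keep-file are supplied by the caller (assumptions here).

# Every regular file carrying the setuid (4000) or setgid (2000) bit.
list_suid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print
}

# Only setuid files owned by uid 0: these run with root's privileges.
# A copy of su uploaded by an unprivileged user is owned by that user,
# so it can show up in list_suid but never here.
list_root_suid() {
    find "$1" -xdev -type f -user 0 -perm -4000 -print
}

# Clear both bits on every file found, except paths named in the keep-file
# (one absolute path per line; the file must exist but may be empty).
strip_suid() {
    root=$1 keep=$2
    list_suid "$root" | while IFS= read -r f; do
        if grep -Fxq -- "$f" "$keep"; then
            echo "kept:     $f"
        else
            chmod u-s,g-s -- "$f" && echo "stripped: $f"
        fi
    done
}

# Stand-alone use: sh audit.sh /path/to/chroot  (prints root-owned setuid files)
if [ -n "${1:-}" ]; then
    list_root_suid "$1"
fi
```

Run `list_root_suid` first and review its output before stripping anything; files found only by `list_suid` and owned by an ordinary user grant that user's privileges, not root's.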