LinuxQuestions.org

Disabling Networking and Mounting Capabilities (https://www.linuxquestions.org/questions/linux-security-4/disabling-networking-and-mounting-capabilities-883796/)

DoomUs 06-02-2011 01:42 PM

Quote:

Originally Posted by frieza (Post 4373579)
Perhaps a little more detail on what your actual purpose is, as in how you actually intend to USE these machines? This sounds like something that could potentially be achieved with diskless workstations or live CDs on machines without hard drives?
either way
1) Linux only has one root account
2) only accounts approved to use sudo can actually do so, therefore you can prevent root access by simply not approving the restricted users from using sudo
3) no drive can be mounted without root privileges unless explicitly configured to do so, the exception being thumb drives, but this also can be disabled
4) the network can be disabled without disabling the modules, how varies from distribution to distribution

Unfortunately, what you have to do to lock down your system varies based on what your ultimate goal is for the systems, which you haven't exactly provided.

Thanks, I appreciate your input. So, the main goal is to have a live-cd where someone can put it in their computer, boot up, play a game, and shut down. I want the user to rest assured that their local hard disks won't be mounted, and that their network devices will not be "used" period. I even want to go so far as to say that when the user tries to mount a drive, the mounting functionality is disabled (ideally even with the root password). Likewise, if they attempt to sniff on the network, or access any network device, I want that to be disabled by default.

If the user really wants to write their own modules, programs, etc, and try to gain access to the network via the live-cd, I'm really not concerned with that because I'm not trying to "beat them". What they do with the live-cd is their business, I just want it to exhibit these DEFAULT behaviors.

All that being said, addressing (1) and (2), I'd like the users to have root access so they are free to do what they want. As for (3), given that they will have root access, do you have any suggestions for mechanisms to deter mounting?

(4), that's good to hear. What are some of the options? I'm using Slax right now, but I'd be willing to change if it's way easier on something else.

Hangdog42 06-03-2011 07:12 AM

Quote:

Originally Posted by DoomUs
All that being said, addressing (1) and (2), I'd like the users to have root access so they are free to do what they want. As for (3), given that they will have root access, do you have any suggestions for mechanisms to deter mounting?

I really think you need to go back and re-read acid kewpie's response. You're fighting against the system and trying to achieve mutually exclusive goals here. Mounting is one of those things you can't completely disable if you want a bootable system. However, by allowing users to have full root access, you're giving them the ability to use mount. You really have to make a decision here, either restrict root access for your users or give them full access and live with them being able to mount.

Now given that the goal of your live-cd is to allow people to play a game, I can't imagine what they would need root access for. If you could state the actual goal of allowing users to have root access, maybe we can suggest some ways to use sudo to give them the root access they need while restricting the ability to mount. And by the way, mount isn't the only thing you have to worry about. If you allow users the ability to install software, even to a virtual drive, they might be able to use programs like pmount to mount local drives.
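
Added example, not part of any post in this thread: a small audit for the two mount-related points discussed above, namely which fstab entries allow mounting without root, and whether any local disk is mounted right now. The function names and the device-name patterns are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example (not from the thread): audit a live system's mount defaults.
# Function names and the device-name patterns below are assumptions.

# user_mountable FSTAB
# Print "device mountpoint option" for every fstab entry carrying one of the
# options that mount(8) documents as allowing non-root mounting.
# Any entry naming such an option is reported for review.
user_mountable() {
    awk '
        /^[ \t]*#/ || NF < 4 { next }        # skip comments and short lines
        {
            n = split($4, opts, ",")         # field 4 holds the mount options
            for (i = 1; i <= n; i++)
                if (opts[i] ~ /^(user|users|owner|group)$/) {
                    print $1, $2, opts[i]
                    break
                }
        }
    ' "$1"
}

# mounted_disks MOUNTS
# Print "device mountpoint" for mounted filesystems whose source looks like a
# local disk (sd*, hd*, vd*, nvme*, mmcblk*). Loop and optical (sr*) sources,
# which a live CD itself uses, are not matched.
mounted_disks() {
    awk '$1 ~ /^\/dev\/(sd|hd|vd|nvme|mmcblk)/ { print $1, $2 }' "$1"
}

# Run against the real files only when invoked with "--run".
if [ "${1:-}" = "--run" ]; then
    echo "fstab entries mountable without root:"
    user_mountable /etc/fstab
    echo "local disks currently mounted:"
    mounted_disks /proc/mounts
fi
```

Both lists being empty on a freshly booted image matches the default behaviour asked for in the thread; it says nothing about what a user with root can do afterwards.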


All times are GMT -5.