LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 01-17-2007, 04:20 AM   #1
avallach
How to block sockets?


I've always wondered how to block sockets on the system for some of the users. I mean it can be done by Bastille scripts, but I wonder if there is any other way?

//----
I want something like this:
Code:
open socket: Operation not permitted
 
Old 01-17-2007, 06:00 AM   #2
unSpawn
Quote:
Originally Posted by avallach
I mean it can be done by Bastille scripts
Could you explain *what* Bastille Linux does to block users from opening sockets?


Quote:
Originally Posted by avallach
open socket: Operation not permitted
That's not very interesting IMHO, it's just a printf string. What's interesting is what causes it and if it can't be subverted.


Quote:
Originally Posted by avallach
is there any other way?
There's some ways, some more crude / elaborate than others:
- Iptables rules based on UID. Can't add "on demand" per-UID rules so it's crude IMO.
- Use 'lcap' to take away 'Linux capabilities' like CAP_NET_ADMIN or CAP_NET_BIND_SERVICE ("man capabilities"). Crude: no difference between root account and other users AFAIK :-] so breaks about everything.
- Dump user in a chroot and don't put network-capable apps (that includes Bash) in the chroot and don't allow users to compile, access or add network-capable applications.
- Use the GRSecurity kernel patch. Gain control over per-user tweaking knobs like who is allowed to use sockets, server sockets or client sockets and TPE (necessary for denying users to compile, access or add network-capable applications), can do fine-grained access to apps (RBAC) and control 'Linux capabilities'.
- Use SELinux. More versatile and has a steeper learning curve compared to GRSecurity. Deny users from transitioning to the domain of network-capable applications. Could have some rules that affect networking using iptables but I'm not that far (yet).
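The first option in that list, per-UID iptables rules, worked through as an added example (not code from the thread or from any of the posters): it uses the owner match on the OUTPUT chain and keeps loopback open so applications that talk to themselves over local sockets keep working. It assumes root, iptables with the xt_owner match, and a constructed DRY_RUN=1 switch that prints the commands instead of running them.

```shell
#!/bin/sh
# Per-UID network blocking with iptables' owner match (example added here,
# not from the thread). The owner match only exists in OUTPUT/POSTROUTING,
# so this stops packets a user's processes send; it does not stop
# bind()/listen() itself. Assumes: root, iptables with the xt_owner match.
# DRY_RUN=1 (a constructed switch for this example) prints the commands
# instead of executing them.

# Emit the rule commands for one numeric UID, loopback rule first.
per_uid_rules() {
    uid=$1
    # Local IPC over 127.0.0.1 keeps working (apps talking to themselves).
    echo "iptables -A OUTPUT -o lo -m owner --uid-owner $uid -j ACCEPT"
    # Everything else this UID sends is dropped; the sending process sees
    # EPERM, i.e. "Operation not permitted", on connect()/sendto().
    echo "iptables -A OUTPUT -m owner --uid-owner $uid -j DROP"
}

# Resolve a user name to a UID and apply (or print) its rules.
block_user_network() {
    user=$1
    uid=$(id -u "$user" 2>/dev/null) || {
        echo "block_user_network: no such user: $user" >&2
        return 1
    }
    per_uid_rules "$uid" | while IFS= read -r cmd; do
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "$cmd"
        else
            $cmd || return 1   # iptables failed (not root? no xt_owner?)
        fi
    done
}

# Usage: DRY_RUN=1 block_user_network alice   (preview the two rules)
#        block_user_network alice             (apply them, as root)
```

Rule order matters: the loopback ACCEPT must precede the DROP, and the rules are appended to OUTPUT, so check with iptables -L OUTPUT -n -v that nothing earlier in the chain already accepts the user's traffic.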
 
Old 01-17-2007, 07:15 AM   #3
avallach
Quote:
Originally Posted by unSpawn
I mean it can be done by Bastille scripts
Could you explain *what* Bastille Linux does to block users from opening sockets?
To be honest that's what I am really asking in this thread. How does the beautiful Bastille script do such things?
 
Old 01-17-2007, 08:07 AM   #4
unSpawn
Quote:
Originally Posted by avallach
To be honest that's what I am really asking in this thread.
No, you don't. Really.
If you thought you did, go learn how to phrase questions properly.
With all due respect and all that.
 
Old 01-17-2007, 08:13 AM   #5
nx5000
Quote:
Originally Posted by avallach
How does the beautiful Bastille script do such things?
Never seen such a feature on Bastille. You have the bastille-firewall but I don't think it plays with UID.

You know that some applications communicate locally with others or even with themselves through sockets?
Which means that some applications might not run anymore after such hardening.
 
Old 01-17-2007, 01:38 PM   #6
avallach
Yes you're right, I've made one mistake. Bastille can block it for all users, excluding only root...

Quote:
You know that some applications communicate locally with others or even with themselves through sockets?
Which means that some applications might not run anymore after such hardening.
Yeah, I know that; as I said, I wonder how Bastille did it...

Quote:
No, you don't. Really.
If you thought you did, go learn how to phrase questions properly.
My first question in the topic was: How to block sockets. Then I said that Bastille can do such a thing, so I meant that as a result of using those scripts I have some of the sockets blocked... So I asked whether there is a way to block them without using Bastille.

I am not a native English speaker so sometimes I have problems with saying what I really have on my mind... So don't get too angry. Still learning... so I will consider your suggestions and watch out when asking someone...

Last edited by avallach; 01-17-2007 at 01:42 PM.
 
Old 01-17-2007, 05:28 PM   #7
unSpawn
Quote:
Originally Posted by avallach
So don't get too angry
I apologise without reserve.
 
Old 01-23-2007, 04:26 AM   #8
avallach
I chose the grsecurity patch... I have been using grsecurity anyway for some time, but I didn't spend too much time on configuring it in the kernel. Now I see that grsecurity can block a group with a selected GID, or you can even choose to deny client or server sockets to some groups. This is enough for me.
Huge thanks!
 
  

