I mean it can be done by Bastille scripts
Could you explain *what* Bastille Linux does to block users from opening sockets?
open socket: Operation not permitted
That's not very interesting IMHO, it's just a printf string. What's interesting is what causes it and if it can't be subverted.
is there any other way?
There are some ways, some more crude / elaborate than others:
- Iptables rules based on UID. Can't add "on demand" per-UID rules so it's crude IMO.
- Use 'lcap' to take away 'Linux capabilities' like CAP_NET_ADMIN or CAP_NET_BIND_SERVICE ("man capabilities"). Crude: no difference between root account and other users AFAIK :-] so breaks about everything.
- Dump user in a chroot and don't put network-capable apps (that includes Bash) in the chroot and don't allow users to compile, access or add network-capable applications.
- Use the GRSecurity kernel patch. Gain control over per-user tweaking knobs like who is allowed to use sockets, server sockets or client sockets and TPE (necessary for denying users to compile, access or add network-capable applications), can do fine-grained access to apps (RBAC) and control 'Linux capabilities'.
- Use SELinux. More versatile and has a steeper learning curve compared to GRSecurity. Deny users to transition to domain of network-capable applications. Could have some rules that affect networking using iptables but I'm not that far (yet).
Yes you're right, I've made one mistake. Bastille can block it for all users, excluding only root...
You know that some applications communicate locally with others or even with themselves through sockets?
Which means that some applications might not run anymore after such hardening.
Yeah, I know that. As I said, I wonder how Bastille did it...
No, you don't. Really.
If you thought you did, go learn how to phrase questions properly.
My first question in the topic was: How to block sockets. Then I said that Bastille can do such a thing, so I meant that as a reason of using those scripts I have some of the sockets blocked... So I asked whether there is a way to block without using Bastille.
I am not a native English speaker so sometimes I have problems with saying what I really have on my mind... So don't get too angry. Still learning... so I will consider your suggestions and watch out when asking someone...
I chose the grsecurity patch... I have been using grsecurity anyway for some time, but I didn't spend too much time on configuring it in the kernel. Now I see that grsecurity can block a group with a selected GID, or you can even choose to deny client or server sockets to some groups. This is enough for me.
Huge thanks!
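Added example (not code from the thread or from any of the projects named in it): a small C probe to run as the restricted user, showing which socket operations are still allowed once one of the restrictions discussed above is in place, including the AF_UNIX case that local applications depend on. Treating EPERM and EACCES as the policy-denial errors is an assumption; the mechanism in use may return a different errno.

```c
/* Added example: report which socket operations the calling user may perform. */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

enum verdict { ALLOWED, DENIED_BY_POLICY, UNSUPPORTED, OTHER_ERROR };

/* Create one socket and, if want_bind is set (AF_INET only), bind it to
 * 127.0.0.1 on an ephemeral port, i.e. the "server socket" case.
 * Returns 0 on success, otherwise the errno that was observed. */
int probe_socket(int domain, int type, int want_bind)
{
    int err = 0, fd = socket(domain, type, 0);
    if (fd < 0)
        return errno;
    if (want_bind) {
        struct sockaddr_in a;
        memset(&a, 0, sizeof a);
        a.sin_family = AF_INET;
        a.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
        if (bind(fd, (struct sockaddr *)&a, sizeof a) < 0)
            err = errno;
    }
    close(fd);
    return err;
}

/* Map the errno onto what it means for the hardening check (assumed mapping). */
enum verdict classify(int err)
{
    switch (err) {
    case 0:               return ALLOWED;
    case EPERM:           /* the "Operation not permitted" string quoted above */
    case EACCES:          return DENIED_BY_POLICY;
    case EAFNOSUPPORT:
    case EPROTONOSUPPORT:
    case ESOCKTNOSUPPORT: return UNSUPPORTED;
    default:              return OTHER_ERROR;
    }
}

int main(void)
{
    static const struct { const char *name; int domain, type, bind; } c[] = {
        { "AF_INET stream create", AF_INET, SOCK_STREAM, 0 },
        { "AF_INET dgram create",  AF_INET, SOCK_DGRAM,  0 },
        { "AF_INET stream bind",   AF_INET, SOCK_STREAM, 1 },
        { "AF_UNIX stream create", AF_UNIX, SOCK_STREAM, 0 },
    };
    static const char *label[] = { "allowed", "denied", "unsupported", "error" };
    for (size_t i = 0; i < sizeof c / sizeof c[0]; i++) {
        int err = probe_socket(c[i].domain, c[i].type, c[i].bind);
        printf("uid=%d %-22s %-11s %s\n", (int)getuid(), c[i].name,
               label[classify(err)], err ? strerror(err) : "");
    }
    return 0;
}
```

Run it once as an unrestricted user and once as a member of the restricted group; if the AF_UNIX line also changes to "denied", expect the breakage of locally communicating applications mentioned earlier in the thread.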