LinuxQuestions.org
View the Most Wanted LQ Wiki articles.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 09-09-2011, 08:58 PM   #1
dev_d
LQ Newbie
 
Registered: Feb 2010
Location: Tempe, Arizona
Distribution: Ubuntu
Posts: 12

Rep: Reputation: 0
How to hide eth0 information (from ifconfig's output) from sudo user?


Hi Folks,

I have been brainstorming a lot on how do I hide eth0 information from a sudo user, from output of ifconfig. It is my project requirement. This means upon issuing anything like "ifconfig", "ifconfig -a", "ifconfig eth0" and via other commands such as lshw, ethtool et al, the sudo user should not see the details of eth0 in any way.

The machine is a virtual machine running ubuntu 8 and 10 versions on which the user is issuing commands. We are using XenServer for virtualization.

I tried restricting the user from /etc/sudoers file but it proved to be lame solution for me and there are several ways a sudoer can get hold of eth0. I also thought of making a wrapper for 'ifconfig' like "ifconfig | sed '/eth0/,/^$/d'" but it did not work if user supplies "ifconfig -a".

I am thinking of doing something on kernel level. I am a newbie thought but sooner or later, I have to learn it. Am I thinking in the right direction ?

Please advise.

Thanks,
Immi
 
Click here to see the post LQ members have rated as the most helpful post in this thread.
Old 09-10-2011, 03:43 AM   #2
druuna
LQ Veteran
 
Registered: Sep 2003
Posts: 10,532
Blog Entries: 7

Rep: Reputation: 2374Reputation: 2374Reputation: 2374Reputation: 2374Reputation: 2374Reputation: 2374Reputation: 2374Reputation: 2374Reputation: 2374Reputation: 2374Reputation: 2374
Hi,

Is there a good reason why you want to hide this information? I'm asking because this might be harder to hide then you might have thought.

ethX/network information can be shown using a lot of commands (dmesg, cat /proc/net/dev, ifconfig, ip, etc) and it will be hard to hide this. Some of these commands (ip, ifconfig to name 2) aren't accessible out-of-the-box by normal users (/sbin is not in their PATH), but pre-pending /sbin to the command will give them access (they cannot manipulate, but they can get basic info this way).

You might be able to remove world access from the related commands, but I do wonder if you can deactivate dmesg and/or make /proc/net/dev unreadable for all but the root user.

Hope this helps.
 
Old 09-12-2011, 02:32 AM   #3
dev_d
LQ Newbie
 
Registered: Feb 2010
Location: Tempe, Arizona
Distribution: Ubuntu
Posts: 12

Original Poster
Rep: Reputation: 0
Yeah, I agree with you. I joined in the middle of the project and the virtualization architecture was implemented. Due to lack of finances, we could arrange for only one gateway connected to internet from which users enter their VMs. They enter passing this NIC whose information we gotta hide.

As you said, there are so many commands from which user can see eth0's information. Will update if we can have a work-around for this.
 
Old 09-12-2011, 02:37 AM   #4
corp769
Guru
 
Registered: Apr 2005
Posts: 5,807

Rep: Reputation: 996Reputation: 996Reputation: 996Reputation: 996Reputation: 996Reputation: 996Reputation: 996Reputation: 996
Or maybe you just need to think outside of the box, and not use eth0? Maybe create a new device, or rename the device to something else, like wlan0 or wwan0?
 
Old 09-13-2011, 04:08 AM   #5
dev_d
LQ Newbie
 
Registered: Feb 2010
Location: Tempe, Arizona
Distribution: Ubuntu
Posts: 12

Original Poster
Rep: Reputation: 0
Thanks corp769

Gotta check that but this could be a problem. Eth0 gets its address from DHCP and this interface is connected to the gateway and internet from which users login.

If I create other device like wlan and should allow it to be connected to the internet (gateway) for users to login through it, I wonder if the users would still see wlan's ip information ?

The NIC for eth0 is connected to the xen management network and users login through that and this NIC gets dynamic IP. I want to allow users to use this interface to login and not see its information, instead see other vlans and stuff for their networking purposes.

Please let me know if I am clear, else I shall post attachment related to the architecture.

Thanks for your advise !!!
 
Old 09-13-2011, 09:11 AM   #6
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Ubuntu 10.10, Slackware 64-current
Posts: 2,124

Rep: Reputation: 776Reputation: 776Reputation: 776Reputation: 776Reputation: 776Reputation: 776Reputation: 776
From reading the above posts, I have a general concern about the feasibility of the concept. You mention hiding things like NIC, and IP, and other network information. The thing is, as was alluded to, this information is available from a wide variety of sources. The design of Ethernet is such that this information was not meant to be hidden. Rather it is included in all of the traffic and in all packets, plus more. This is the kind of information that allows packets to get from one place to another and without it, the network simply doesn't work.

While I have no idea what your application is, I get the impression that someone who doesn't truly or fully understand networking as shown by what they are considering 'privileged' information that needs to be hidden is calling the shots here.

Undoubtedly there is some form of need and some information probably needs to be protected, but it looks to me like you (or the team) needs to go back to drawing board and evaluate what your actual need and objective rather than focusing on what looks like one person's, possibly naive, view.
 
3 members found this post helpful.
Old 09-13-2011, 10:05 AM   #7
unixfool
Member
 
Registered: May 2005
Location: Northern VA
Distribution: Slackware, Ubuntu, FreeBSD, OpenBSD, OS X
Posts: 781
Blog Entries: 8

Rep: Reputation: 157Reputation: 157
I used to work as a contractor for a federal agency and when they had security incidents, they always wanted to mask the internal IPs within internal and public reports. I could never understand this. If I'm using 192.168.1.200 as a gateway IP on my LAN, what the hell does it matter if anyone knows that IP? The whole IP system is public knowledge but no one on the public side of the LAN will be able to access it. The numbers themselves are just numbers.

The same can be said for any network information that is dug up when running commands associated with eth0. If you've a trust issue with people who've sudo access, you should probably remove their access. I don't think the Linux system was designed to hide such information from a user with sudo rights anyways. And, to be honest, I don't see other operating systems enabling masking of such information for users who have escalated privileges.

OP, if you were handed this project by your management chain, I feel for you.

Last edited by unixfool; 09-14-2011 at 03:53 PM.
 
2 members found this post helpful.
Old 09-20-2011, 02:19 AM   #8
dev_d
LQ Newbie
 
Registered: Feb 2010
Location: Tempe, Arizona
Distribution: Ubuntu
Posts: 12

Original Poster
Rep: Reputation: 0
Unhappy Thanks guys !!!

Thanks for the suggestions guys.... I removed sudoers and added specific entries for ifconfig in the /etc/sudoers for STUDENT group. Now, the STUDENT group can view eth0, eth1 and eth2's information and they are only allowed to configure other ethernet addresses (eth1 and eth2).

This solution does not work for them. I told them that its not possible and left this activity

Thank you very much again for your replies !!!

Started working in new direction which is my semester's project. Will post some questions in the appropriate section if I get stuck.
 
  


Reply

Tags
ifconfig, networking, ubuntu, virtual machine, xenserver


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
finger command's output and user's information Hi_This_is_Dev Linux - Server 1 10-03-2009 06:51 AM
mac addresses swapped between built-in eth0 and pci eth1 in output of ifconfig -a globaltree Slackware 1 03-23-2009 11:29 PM
ifconfig eth0 up does not 'revive' eth0 Micro420 Linux - General 2 04-22-2006 12:55 PM
How to authorize common-user to run "ifconfig eth0 up"??? cqmyg5 Slackware 2 04-03-2005 11:22 PM
eth0 removed from ifconfig after dhcpcd eth0 johnklvr Linux - Networking 3 01-15-2004 08:21 PM


All times are GMT -5. The time now is 08:04 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration