LinuxQuestions.org
Register a domain and help support LQ
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices



Reply
 
Search this Thread
Old 08-28-2002, 09:22 PM   #1
RedHatter
LQ Newbie
 
Registered: Aug 2002
Posts: 3

Rep: Reputation: 0
Limiting users


Hi people,

First post so go easy please. I have recently setup a RedHat 7.3 box so that I have something to do at work (IRC etc), and I have given SSH access to some work buddies here so they can access it too to keep them entertained as well. What I am wanting to do is limit them to their home directories when they are logged in so they don't go snooping all around my box. What is the easiest way to limit selected users to specific directories?

As a note I did read the chmod man page but you can't seem to chmod things for selected users.

Any help would be muchly appreciated.

Thanks!
 
Old 08-29-2002, 02:32 AM   #2
MartBrooks
Member
 
Registered: May 2002
Location: London
Distribution: Debian
Posts: 388

Rep: Reputation: 31
Set their shell to be "rbash". This greatly restricts what they can do. For example, they can't change out of their home directory.

Regards
 
Old 08-29-2002, 07:07 AM   #3
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,766
Blog Entries: 54

Rep: Reputation: 2976Reputation: 2976Reputation: 2976Reputation: 2976Reputation: 2976Reputation: 2976Reputation: 2976Reputation: 2976Reputation: 2976Reputation: 2976Reputation: 2976
Since I've had an overlarge caffeine shot by now I'll allow myself a bit of a lengthy reply :-]

There are 3 basic ways to guard against users snooping.
Chroot, restricted shell and ACL's.
Since you're letting 'em in tru OpenSSH, there's 4th way: a chroot patch out for openSSH-3.4 (untried).

Chroot
By putting a user in a "chrooted" jail, what they see as home will be changed to "/". Pro is you don't have to worry about the user seeing the system, con is because the user root now is "/" you will have to provide all system configs, libs and binaries necessary for the usual tasks. This isn't a real PITA since you can use a static shell like ash, and the busybox binary, and populate their environment using some form of automation (I use "jail", then tweak it manually). Another bad thing is providing access to /proc, devices like /dev/kmem and setuid binaries within the chroot which can be used to "tweak" the kernel (Silvio Cesare) or break out of a chroot.
You can opt to not mount /proc for users, which means they can't use proc-utils like ps, top and such, or using the Grsecurity kernel patch, you can mount /proc but restrict what they see to their own processes. The patch also covers tricks like writing to kmem, automagically provides "chdir" before chroot, allows for logging all commands in a chroot.
*It also allows for user/process ACL's and TPE. TPE stands for Trusted Path Execution which means if you opt to *not* chroot users, they will *only* be able to run binaries in the approved system dirs and *not* from their home!

Rbash
Mart hinted at using rbash, under which you can make symlinks to binaries outside the users home so you don't have to include binaries etc which is efficient, which is also bad, because if you include /bin they'll be able to exec bash or chsh and so break out of the rbash. Another other side effect of rbash seems that this user won't be able to execute binaries in subdirs of his/her own home (IIRC).

ACL's
There are a few tools that can help you put up Access Control Lists. There's ACL/Linux Trustees ACL, RSBAC, Grsecurity (sure I'm forgetting some).

A stupid example using the Grsecurity kernel patch could be:
Code:
/ {      
/     rwx
     /dev/kmem r
     /dev/mem r
     /bin     x
     /sbin    x
     /lib     x
     /usr/lib x
     /usr/sbin x
     /some/dir h
 }
Which means a process for instance can enter (execute) /bin, but can't read it's contents. This is a stupid "security by obscurity" example because if you know the name of the binary you'll still be able to execute it. OTOH note /some/dir, it is hidden completely...

Finally since you're on a PAM-aware system you can provide some restrictions (tho they won't guard from snooping) right now by restricing who logs in from where (/etc/usertty, hosts.(allow|deny) and /etc/security/*), shell based limits (ulimit, /etc/security/limits.conf) and who has access to system services (allow lists, /etc/pam.d). Also if your system is stable you could chattr +i your system configs to guard against changes, but you'd have to know which ones.

And please read up on "chroot" rbash and ACL's.
 
Old 08-29-2002, 08:18 AM   #4
MasterC
Guru
 
Registered: Mar 2002
Location: Salt Lake City, UT - USA
Distribution: Gentoo ; LFS ; Kubuntu
Posts: 12,612

Rep: Reputation: 64
Damn, UnSpawn, has anyone ever accused you of under-explaining something

That was very good, and I think even most people who have no idea what they are doing before reading that response, could now at least get someone on their system, and jail them pretty well.

Nice reply, as it helped me as well.

Thank you
 
Old 08-29-2002, 08:39 AM   #5
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,766
Blog Entries: 54

Rep: Reputation: 2976Reputation: 2976Reputation: 2976Reputation: 2976Reputation: 2976Reputation: 2976Reputation: 2976Reputation: 2976Reputation: 2976Reputation: 2976Reputation: 2976
Thnx, but np, it's what we're here for.

Damn, UnSpawn, has anyone ever accused you of under-explaining something
Yes, and you know it damn well :-]
Twas in the "tips and tricks" thread I once again discovered brevity ain't all...

Plz note
I think anyone who ain't off their rocker completely can recite the 7 Tenets Of Security or the usual replies to "I've been hacked!" type of questions. It's the basics, the stuff that *leads* to these answers that's important IMO.

What I really would like is for ppl to don't take nfo for granted even from ppl they "trust" (for whatever reason), but research, verify, investigate tru other sources and try themselves before they label an answer as "good".
 
Old 08-29-2002, 09:17 PM   #6
RedHatter
LQ Newbie
 
Registered: Aug 2002
Posts: 3

Original Poster
Rep: Reputation: 0
Thanks alot of that reply unSpawn, that was a good read and much appreciated.

Now that I have armed myself with some good keywords for google, I will go and do a little more research (which you hinted would be a good idea, and I think would be too).

If I find anythign worth while I will post the URL's into this thread.

Thanks again!
 
Old 08-29-2002, 09:45 PM   #7
RedHatter
LQ Newbie
 
Registered: Aug 2002
Posts: 3

Original Poster
Rep: Reputation: 0
I was going to try out the rbash idea until I found out that RedHat doesn't come with rbash installed\configured properly.

Looks like I'll search for an install how-to first before I try anything else.

edit: does anyone have a guide to enabling rbash on a RedHat 7.3 machine? I have the latest RPM for bash installed but can't seem to find a guide to enabling rbash. I might be stuck with compiling bash myself?!

Last edited by RedHatter; 08-29-2002 at 11:05 PM.
 
Old 08-30-2002, 06:03 AM   #8
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,766
Blog Entries: 54

Rep: Reputation: 2976Reputation: 2976Reputation: 2976Reputation: 2976Reputation: 2976Reputation: 2976Reputation: 2976Reputation: 2976Reputation: 2976Reputation: 2976Reputation: 2976
YMMV: ln -s bin/bash /bin/rbash (or specify "bash -r").
make a dir somewhere, and symlink commands they are allowed to execute, set their PATH to the dir you created, and export that PATH.

Don't expect magic: *anything* you've included that allows for shell escapes will be a erm, punishment for taking the easy route using rbash instead of a chroot.

echo Continue [y|N]...
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
limiting users sql databases amadkow Linux - General 1 08-09-2005 12:05 PM
limiting users using gradm/acl ruleman Linux - Security 6 06-19-2004 05:55 AM
Limiting Users Obie Linux - Security 6 05-29-2004 06:01 PM
a question reguarding limiting users Projectxx Linux - General 3 04-06-2003 03:30 AM
limiting users access iquadri1 Linux - Networking 1 09-04-2001 02:23 PM


All times are GMT -5. The time now is 03:11 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration