LinuxQuestions.org
Old 02-28-2010, 03:11 PM   #1
deutsche
LQ Newbie
 
Registered: Feb 2010
Distribution: Centos 5
Posts: 15

Rep: Reputation: 0
Secure environment for developers


Hi Guys,

I'm looking for a way to have my users log in to my server (CentOS 5) and get a secure shell in which they could compile their own code, with as few privileges granted as possible.
A sort of sandbox for them to write in...
Now I've heard of chroot, and I'd like to know if anyone has tried it for this sort of purpose, and of course any other ideas will be much appreciated.

Thanks a lot,
Johnny
 
Old 02-28-2010, 04:15 PM   #2
tredegar
LQ 5k Club
 
Registered: May 2003
Location: London, UK
Distribution: Debian "Jessie"
Posts: 6,008

Rep: Reputation: 367
Just have them compile their own code, within their own home directories.
Maybe they'll have to add /home/username/bin/ to their $PATH if they would like an easy life. But that's up to them.

This is the way linux is set up as the default behaviour: Any user can compile and install (to their ~/* ) anything, but they cannot install it to the system, or have it seen or executed by other users unless they have root privileges.

So all users should already be in a "sandbox" unless you have granted them further privileges or messed about with your default installation.

You do not need chroot, and I think you do not understand the purpose of chroot.

Please read about it.
 
0 members found this post helpful.
Old 02-28-2010, 05:25 PM   #3
bret381
Member
 
Registered: Nov 2009
Location: Alabama
Distribution: Arch x86_64
Posts: 648

Rep: Reputation: 78
ditto above

They just need to login. Problem solved
 
0 members found this post helpful.
Old 02-28-2010, 07:03 PM   #4
invalidid
LQ Newbie
 
Registered: Aug 2007
Location: Germany
Distribution: Fedora, Slackware 13.0, Gentoo
Posts: 7
Blog Entries: 2

Rep: Reputation: 1

Hi,

I have found a great article about the chroot command. Maybe it's helpful for you.
Here it is: http://unixwiz.net/techtips/chroot-practices.html
If you need general help with Linux, give http://www.tldp.org/ a try.

Greetings,

invalidid
 
1 members found this post helpful.
Old 03-01-2010, 11:33 AM   #5
deutsche
LQ Newbie
 
Registered: Feb 2010
Distribution: Centos 5
Posts: 15

Original Poster
Rep: Reputation: 0
I didn't explain myself right

OK, what I forgot to write is that the code that we write requires root permissions to run, and all of our developers need to run it after working on it.
So the question still stands:
I need an environment where I can give my users root permissions but yet not really give them root to all of the server.
So?

Thanks,
Johnny
 
Old 03-01-2010, 11:42 AM   #6
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,782
Blog Entries: 1

Rep: Reputation: 413
Looks like you need to use sudo to give them permissions for just that program.
 
Old 03-01-2010, 08:59 PM   #7
chrism01
Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Centos 6.5, Centos 5.10
Posts: 16,261

Rep: Reputation: 2028
If they're writing the code, forget it. They can break out anytime they want...
If you can't trust them, either buy some cheap boxes for them to work on, or create a VM for each Dev.
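
An added example (not from any poster in this thread) for the sudo suggestion in post #6 and the objection in post #7: a sudo rule for a single program only confines a user if that user cannot replace the program, so this Python check walks the command path and reports every component a non-trusted account could modify. The directory names, the `netprobe` program name and the use of the current uid in place of root are assumptions made so the demo runs unprivileged.

```python
import os
import stat
import tempfile


def unsafe_components(path, trusted_uids=(0,)):
    """List reasons someone other than a trusted owner could replace `path`.

    The target and every parent directory must be owned by a trusted uid
    and must not be group- or world-writable.
    """
    problems = []
    current = os.path.realpath(path)
    while True:
        st = os.stat(current)
        if st.st_uid not in trusted_uids:
            problems.append(f"{current}: owned by uid {st.st_uid}")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            problems.append(f"{current}: group/world-writable")
        parent = os.path.dirname(current)
        if parent == current:  # reached the filesystem root
            break
        current = parent
    return problems


def demo():
    """Constructed tree: an admin-only tool directory vs. a developer build directory."""
    base = os.path.realpath(tempfile.mkdtemp())
    me = os.getuid()  # assumption: stands in for root so the demo runs unprivileged
    results = {}
    for name, dir_mode in (("tooldir", 0o755), ("devbuild", 0o775)):
        d = os.path.join(base, name)
        os.mkdir(d)
        os.chmod(d, dir_mode)
        target = os.path.join(d, "netprobe")  # hypothetical program name
        with open(target, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(target, 0o755)
        found = unsafe_components(target, trusted_uids=(me,))
        # Report only the constructed tree, not the host's temp directory.
        results[name] = [p for p in found if p.startswith(base)]
    return results


if __name__ == "__main__":
    for name, problems in demo().items():
        print(name, problems or "ok")
```

On a real host, call `unsafe_components()` with the default `trusted_uids=(0,)` on each command path listed in sudoers; any finding means the rule is effectively a full root grant to whoever can write there.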
 
Old 03-02-2010, 04:31 AM   #8
deutsche
LQ Newbie
 
Registered: Feb 2010
Distribution: Centos 5
Posts: 15

Original Poster
Rep: Reputation: 0
if we go down the VM for each developer

What's the smallest distro I can give them on each VM box?
And no ideas other than VM the whole box?

Thanks,
Johnny
 
Old 03-02-2010, 10:24 AM   #9
Jim Bengtson
Member
 
Registered: Feb 2009
Location: Iowa
Distribution: Ubuntu 9.10
Posts: 164

Rep: Reputation: 38
Quote:
Originally Posted by deutsche
OK, what I forgot to write is that the code that we write requires root permissions to run, and all of our developers need to run it after working on it.
So the question still stands:
I need an environment where I can give my users root permissions but yet not really give them root to all of the server.
Have you considered VMWare? I'm thinking, create a virtual machine on a server for each developer, and give that developer root privileges to that virtual machine. They can run the program there to test it, and it will do whatever it's designed to do IN THAT VIRTUAL MACHINE, but it will not be able to affect the hosting server or any other virtual machine on that server.
 
Old 03-02-2010, 10:47 AM   #10
jschiwal
Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 654
Why not run the server as a code repository and have them develop the code on their own hosts?
 
Old 03-02-2010, 11:16 AM   #11
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,782
Blog Entries: 1

Rep: Reputation: 413
VMs are a decent solution, provided you do the proper capacity planning. Just slapping a bunch of VMs on a piece of hardware can result in some serious performance problems if you haven't bothered to figure out how hard the VMs are going to be used.

Quote:
Why not run the server as a code repository and have them develop the code on their own hosts?
Unless there is some reason to run the code on a specific box, I think this is my favorite solution.
 
Old 03-02-2010, 12:13 PM   #12
deutsche
LQ Newbie
 
Registered: Feb 2010
Distribution: Centos 5
Posts: 15

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by Hangdog42
VMs are a decent solution, provided you do the proper capacity planning. Just slapping a bunch of VMs on a piece of hardware can result in some serious performance problems if you haven't bothered to figure out how hard the VMs are going to be used.



Unless there is some reason to run the code on a specific box, I think this is my favorite solution.
Well first, about the VM, what sort of planning do you mean?
Second, about developing on their own host, we do not allow the code to be kept on the local box.

Still, goes to the former question: what is the most basic distro to run for development (c++,java) on the VM?
 
Old 03-02-2010, 01:26 PM   #13
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,782
Blog Entries: 1

Rep: Reputation: 413
Quote:
Well first, about the VM, what sort of planning do you mean?
I mean that you need to look into how many VMs your hardware can support without running into unacceptable performance issues. Each VM will require RAM, disk space and CPU cycles. One of the places I work has a tendency to just stand up VMs regardless of how many are already running on a given bit of hardware. The result is that all of the VMs are largely useless because each one doesn't get enough RAM or CPU time. VMs are good at maximizing hardware usage, but they also make it much easier to max out hardware.


Quote:
Still, goes to the former question: what is the most basic distro to run for development (c++,java) on the VM?
I don't think it really matters as the most common/popular distros are all going to be more or less the same. I'd put more emphasis on what distro you're more comfortable managing or which one your developers are more comfortable using.
 
  



Tags
chroot, jailkit, secure

