LinuxQuestions.org
Welcome to the most active Linux Forum on the web.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - General
User Name
Password
Linux - General This Linux forum is for general Linux questions and discussion.
If it is Linux Related and doesn't seem to fit in any other forum then this is the place.

Notices


Reply
  Search this Thread
Old 03-10-2005, 04:28 PM   #16
or1onas
Member
 
Registered: Mar 2004
Location: Athens,Greece
Distribution: Debian,Ubuntu
Posts: 181

Rep: Reputation: 32

One more question (i just made an ugly thought....but probably silly):
I need to make sure that in case the user account is compromised (though quite difficult i hope, as ssh does exactly this dirty job), the box will remane safe and the user won't be able to gain root privileges...
The home directory is rw for the user.
Is it possible to copy 'su' file from his remote machine to mine and then get root?
I've already tried to do it myself and it didn't work, but i'd like some opinions on this..
Just to make sure what the proper procedure about securing the machine is.
Thanx in advance...
 
Old 03-11-2005, 02:42 AM   #17
JZL240I-U
Senior Member
 
Registered: Apr 2003
Location: Germany
Distribution: openSuSE Tumbleweed-KDE, Mint 18.3+19.3, MX-18, Mandrake
Posts: 4,439

Rep: Reputation: Disabled
Quote:
Originally posted by or1onas
...The home directory is rw for the user....
I'd change that to r without w.

You might also want to develop a group policy giving your users the appropriate privileges by that means.

There is also a kernel extension for better granularity of rights than rwx, I just can't remember its name but I think it's included in the coming SuSE 9.3 as an optional feature. Just google Novell / SuSE...
 
Old 03-11-2005, 02:13 PM   #18
Lakefall
LQ Newbie
 
Registered: Feb 2005
Location: Finland
Distribution: Debian sarge
Posts: 26

Rep: Reputation: 15
Quote:
Originally posted by or1onas
You're right about the directories being listable if guessed (which is not to difficult of course), but no dir listing access is given to them to by chmod -r.
So the user can only get inside his home folder and try to cd to /bin,/lib,etc but he gets a permission denied if he tries to do an ls...
My point was, did you do that to /usr/bin as well as /usr?

Quote:
Originally posted by or1onas
Is it possible to copy 'su' file from his remote machine to mine and then get root?
su needs to be owned by root and have the set user ID on execution bit set (see man chmod). Otherwise it cannot give you root access, because it doesn't have it itself. Normal user cannot change file ownership, so he cannot make his su to be owned by root. You may want to unset the SUID bit from as many binaries as you can, because they all have a potential ability to give any user running them full access as the user who owns them (usually root). This command should find them:
Code:
find / -perm -4000
 
Old 03-12-2005, 06:45 AM   #19
or1onas
Member
 
Registered: Mar 2004
Location: Athens,Greece
Distribution: Debian,Ubuntu
Posts: 181

Rep: Reputation: 32
thanx a lot for the info.
i'll do that
and to answer the first question, i didn't chmod /usr/bin, i only did it on /usr

Last edited by or1onas; 03-12-2005 at 06:49 AM.
 
Old 03-12-2005, 08:22 AM   #20
frob23
Senior Member
 
Registered: Jan 2004
Location: Roughly 29.467N / 81.206W
Distribution: OpenBSD, Debian, FreeBSD
Posts: 1,450

Rep: Reputation: 48
BTW: Might as well turn off execute permissions for directories as well. Makes it a little harder to search around because you need to guess an exact end path.

You're crippling a LOT of stuff here. I sure hope you are doing this in the chrooted evironment and not to the world.

EDIT: Turning off the execute bit on the directories prevents people from cd'ing into them.

Last edited by frob23; 03-12-2005 at 08:25 AM.
 
Old 03-12-2005, 08:51 AM   #21
or1onas
Member
 
Registered: Mar 2004
Location: Athens,Greece
Distribution: Debian,Ubuntu
Posts: 181

Rep: Reputation: 32
Quote:
Originally posted by frob23
You're crippling a LOT of stuff here. I sure hope you are doing this in the chrooted evironment and not to the world.
EDIT: Turning off the execute bit on the directories prevents people from cd'ing into them.
Of course the changes we're talking about are done on the chrooted environment...
I'll read a bit about the folder permissions better, though i believe it's quite secure at this point....
If i make it to not even let cd into the folders, that will be the best!
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Limit Users Home Directory Size KrGAce Linux - Newbie 6 10-24-2005 09:48 AM
Users home directory. Permissions. jsbush Linux - Newbie 4 10-29-2003 08:13 AM
multi users on the same home directory rpinatel Linux - General 2 09-05-2003 11:55 AM
multi users on the same home directory rpinatel Linux - General 4 09-05-2003 10:22 AM
2 users, 1 mailbox and 1 home directory keevitaja Linux - Newbie 3 08-15-2002 08:20 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - General

All times are GMT -5. The time now is 07:42 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration