Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
Here's the beginning of the issue: I'm running Fedora 12 with httpd and sshd. I want to create a user with a scponly shell for sftp access, but this user should ONLY be able to view /the/http/base/dir and its subdirectories. The user should not be able to see or get into directories above the httpd base. Someone mentioned creating a chroot jail for sshd and binding the httpd base to that dir, but this seems like more work than is necessary for the application I wish. Also mentioned was creating a user, say user1 with a selinux user setting of staff_r. I have read the articles and creating a user of staff_r isn't overly difficult, but how would I make it where staff_r would be restricted to where I want them to be? If I'm not mistaken, that would require changing the context of /the/httpd/base/dir?
There doesn't seem to be a simple solution for this, but there is a solution somewhere I'm certain of it. Any help on this subject would be welcome.
Here's the beginning of the issue: I'm running Fedora 12 with httpd and sshd. I want to create a user with a scponly shell for sftp access, but this user should ONLY be able to view /the/http/base/dir and its subdirectories. The user should not be able to see or get into directories above the httpd base. Someone mentioned creating a chroot jail for sshd and binding the httpd base to that dir, but this seems like more work than is necessary for the application I wish. Also mentioned was creating a user, say user1 with a selinux user setting of staff_r. I have read the articles and creating a user of staff_r isn't overly difficult, but how would I make it where staff_r would be restricted to where I want them to be? If I'm not mistaken, that would require changing the context of /the/httpd/base/dir?
There doesn't seem to be a simple solution for this, but there is a solution somewhere I'm certain of it. Any help on this subject would be welcome.
Well, restricting a user to ONE directory only, a chroot jail is the only way to go. You can kludge something together, but it's not going to work as effectively, and leave lots of holes to exploit.
Well, restricting a user to ONE directory only, a chroot jail is the only way to go. You can kludge something together, but it's not going to work as effectively, and leave lots of holes to exploit.
I may setup a chroot jail in the end, but there's going to be a lot entailed in that. As the directory that needs access granted is part of the main server, I'll have to establish a chroot jail and bind that directory to it or establish a symlink to it.
Currently I have established a user with guest_u selinux context privs, reduced this person's privs to near nothing, and only given permission to one spot, the intended directory. So far the user can only login to their home directory or the target directory. If they try to use any other directory as their base or target SftpDrive reports a failed authentication. It's not a perfect solution, but it is a good layer solution, using the chroot can enhance this. This on top of no-pty in the keyfile and scponly as the shell should give me the results I need.
Keep the ideas coming, it's still a work in progress. Thanks much for the idea so far...
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.