Linux - Security
This forum is for all security-related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
I'm interested in the easiest way to run untrusted binary-only (closed source) apps on Linux, limiting their access to some paths like the user's home, partition mounts, etc. I am interested in a simple Linux/Unix way only, perhaps simple setups like 'chroot', not using special applications like AppArmor or SELinux.
So far, the easiest method I found is comprised of the following steps, on Slackware Linux:
- I add the 'skype' group and user (GID 3000)
- usermod -G skype,audio,video,messagebus,plugdev skype (I want skype to have access to devices, etc., but not to be in the 'users' group, the one which allows users to read and write specific paths like /mnt and /media)
- I set the read and write access to 'none' for 'others' on the paths I want to protect
- optionally, I add my user to the skype group, to be able to check and edit /home/skype (also setting read and write permissions for the whole group in that home)
- I use 'xhost +local:skype' to allow skype to connect to my display
- I log in at the terminal with 'su skype' and the password
- I run the command: skype
Basically I've created this user specially for Skype, but it could for example be named 'untrustedUser' for all untrusted apps; also, this would have to be repeated for each user if there were others than me. As you can see it is a very complicated setup and not handy enough.
I think a better method would have been to create a mounted root system like /virtual to mount all the required directories the applications need, including /virtual/home/username/.appSettings -> /home/username/.appSettings, but I couldn't find any information so far, except that 'chroot' does something like this but can be used only by root.
Any ideas or corrections on my setup appreciated, thanks!
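An added example, not the poster's own commands and not from this thread: the steps above collected into one POSIX shell script, so the setup can be repeated and, more importantly, audited afterwards. Assumptions, all hypothetical: the sandbox user is named 'untrusted' with GID 3000, the paths to wall off are given on the command line, and display access is granted with 'xhost +si:localuser:NAME' (the server-interpreted form for one local user) rather than the 'xhost +local:' form from the post. The 'check' verb needs no root and is the part worth running after every change: it reports any protected path where 'others' still have read or write.

```shell
#!/bin/sh
# Added example, not code from the thread: the "dedicated unprivileged user"
# recipe described above as one reusable script. Hypothetical assumptions:
# the sandbox user is called "untrusted" (GID 3000), the paths to wall off
# are passed on the command line, and the app to launch is the last argument.
#
#   sudo sh untrusted_run.sh setup /mnt /media /home/me   # root: user + lock paths
#   sh untrusted_run.sh check /mnt /media /home/me        # any user: audit
#   sh untrusted_run.sh run skype                         # your user: X + su

SANDBOX_USER="${SANDBOX_USER:-untrusted}"
SANDBOX_GID="${SANDBOX_GID:-3000}"
# Device and session-bus groups only. Deliberately NOT "users", which on the
# poster's system is what grants read/write on /mnt and /media.
SANDBOX_GROUPS="audio,video,messagebus,plugdev"

# Print the "others" rwx triplet of a path, e.g. "r-x" or "---".
others_perms() {
    ls -ld "$1" | cut -c8-10
}

# Succeed only if "others" can neither read nor write the path. Execute-only
# ("--x") still counts as locked: it lets the sandbox user traverse into an
# explicitly shared subdirectory without being able to list its parent.
others_locked() {
    case "$(others_perms "$1")" in
        *r*|*w*) return 1 ;;
        *)       return 0 ;;
    esac
}

# Remove read, write and execute for "others" on every given path
# (the file-manager "others: none" setting from the post, scripted).
lock_others() {
    for p in "$@"; do
        chmod o-rwx "$p"
    done
}

# Report each path; return 0 only when all of them are locked.
check_paths() {
    rc=0
    for p in "$@"; do
        if others_locked "$p"; then
            echo "locked:  $p ($(others_perms "$p"))"
        else
            echo "EXPOSED: $p ($(others_perms "$p"))"
            rc=1
        fi
    done
    return $rc
}

# Root only: create the group and user with a private home; the sandbox
# user's home itself is closed to "others" so nothing leaks back out.
setup_user() {
    getent group "$SANDBOX_USER" >/dev/null ||
        groupadd -g "$SANDBOX_GID" "$SANDBOX_USER"
    getent passwd "$SANDBOX_USER" >/dev/null ||
        useradd -m -g "$SANDBOX_USER" -G "$SANDBOX_GROUPS" -s /bin/sh "$SANDBOX_USER"
    chmod 750 "/home/$SANDBOX_USER"
}

# Grant exactly one local user access to the X display, then switch to it.
# "+si:localuser:NAME" is the server-interpreted form for a single local user,
# narrower than granting every local connection.
run_as_sandbox() {
    xhost +si:localuser:"$SANDBOX_USER" >/dev/null
    su - "$SANDBOX_USER" -c "DISPLAY='$DISPLAY' exec $*"
}

case "${1:-}" in
    setup) shift; setup_user; [ $# -eq 0 ] || lock_others "$@" ;;
    check) shift; check_paths "$@" ;;
    run)   shift; run_as_sandbox "$@" ;;
    *)     : ;;   # sourced or run without a verb: define the functions only
esac
```

Leaving the 'users' group is what actually keeps /mnt and /media out of reach on a system where that group is the one granted access; the chmod only matters for paths whose mode still gives 'others' something, which is why the check prints the triplet it found next to each path.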
Quote:
I'm interested in the easiest way to run untrusted binary-only (closed source) apps on Linux, limiting their access to some paths like the user's home, partition mounts, etc.
Different threats ask for different methods of compartmentalization. I see no reason to say "I want this but not that" unless we know exactly what it is you're trying to protect the system from.
You've done a good job. A chroot will just stop access to anything on the filesystem that isn't explicitly copied over into the chroot directory, but it usually means duplicating half your system each time (i.e. Skype will need to access library X, file Y, etc., and so you have to copy them all into the chroot). If you've permissioned correctly and the Skype user can't touch any files outside of the usual ones (/tmp and its owned files) then that's just as good. You can test this by just loading up a shell as the user skype and seeing what files they are allowed to look at / overwrite.
However, you are running an untrusted binary and then giving it access to 90% of your system anyway through various groups and systems - short of Skype trying to actually read and delete your files, you're not going to gain much by such enclosure - surely the more worrying issue with Skype is that it has access to things like your private conversations and microphone, as well as an indeterminate network protocol? Anyway, you've done a pretty good job at being able to still run Skype without having to rip your system apart - the next step is chroots and/or SELinux, both of which are severe overkill for a home desktop. Skype, running as a non-root user, can't get hold of files that it doesn't have permission to, can't sniff your keyboard, etc. so that gets you 90% of the way to stopping Skype doing nasty stuff with information you don't want it to have.
Quote:
Different threats ask for different methods of compartmentalization. I see no reason to say "I want this but not that" unless we know exactly what it is you're trying to protect the system from.
As much as possible, to make the application think I have only an empty home with just its settings folder, no mounts, no CD-ROM, etc. I think I already wrote this before... About memory protection and other stuff, I didn't think too much about it; at least it has no access to the files on the disk. I'm no secret agent and I'm not breaking the law, it's just common sense to do something for my privacy.
Quote:
Originally Posted by ledow
...
Thanks, I've done my best. I'm sure if I'd known more about Linux in general I'd have done much better.
Well, I didn't think too much about the keyboard and stuff, good point. If the app has access to /proc, can it see the typing of my personal user?
Basically I don't have anything against the app accessing (reading) the libs, settings and stuff, just not my non-system, personal files. What I've done so far was to set, from the file manager, access for "others" to "none" on the top-level directories I protect (/mnt, /home/me, /media).
Can't chroot be set up by mounting or linking the directories, without necessarily copying them?
That's OK, it has access to the conversation; I am forced to use it for that basically. I use it to talk to companies, and if they accept the tradeoff, that's fine with me.
Indeed SELinux is overkill. I'd rather use more Linux instances running in QEMU for something vital; disk space is no longer an issue today.
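An added example, not from this thread, for the question of whether a chroot can be mounted rather than copied: it can, using bind mounts, and the script below assembles one that way. Hypothetical names: the jail lives at /srv/jail, the sandbox user is 'untrusted' and its settings live in /home/untrusted. The system trees are bound read-only, device nodes are exposed one at a time instead of all of /dev, /tmp is a private tmpfs, and /proc is mounted with hidepid=2 so processes of other users are invisible from inside (the /proc concern raised above). Only building needs root; printing the plan and auditing the result do not.

```shell
#!/bin/sh
# Added example, not code from the thread: a chroot assembled from bind mounts
# rather than copies, for the "mounting instead of copying" idea. Hypothetical
# names: the jail is /srv/jail, the sandbox user is "untrusted" with settings
# in /home/untrusted. Only "build" needs root; "plan" and "audit" do not.
#
#   sh jail.sh plan /srv/jail          # print the mount commands, nothing runs
#   sudo sh jail.sh build /srv/jail    # execute the plan
#   sh jail.sh audit /srv/jail         # list ro/rw mounts under the jail
#   sudo chroot /srv/jail su - untrusted -c skype

JAIL_USER="${JAIL_USER:-untrusted}"
# System trees the application may read; bound read-only.
RO_DIRS="/usr /lib /lib64 /bin /sbin /etc"
# Device nodes exposed one by one instead of bind-mounting all of /dev.
DEV_NODES="/dev/null /dev/zero /dev/urandom /dev/snd /dev/video0"

# Print, one command per line, what it takes to build the jail at $1.
# Read-only binds use the two-step idiom: a plain bind mount ignores "ro" on
# older util-linux, a bind remount honours it.
jail_plan() {
    root="$1"
    for d in $RO_DIRS; do
        [ -d "$d" ] || continue          # skip trees this host lacks (e.g. /lib64)
        echo "mkdir -p $root$d"
        echo "mount --bind $d $root$d"
        echo "mount -o remount,bind,ro $root$d"
    done
    for n in $DEV_NODES; do
        [ -e "$n" ] || continue          # no webcam on the host, no /dev/video0 inside
        if [ -d "$n" ]; then
            echo "mkdir -p $root$n"
        else
            echo "mkdir -p $root$(dirname "$n") && touch $root$n"
        fi
        echo "mount --bind $n $root$n"
    done
    echo "mkdir -p $root/tmp $root/proc $root/home/$JAIL_USER"
    # Private scratch space instead of the host's /tmp.
    echo "mount -t tmpfs -o nosuid,nodev,mode=1777 tmpfs $root/tmp"
    # The only writable persistent path: the app's own settings directory.
    echo "mount --bind /home/$JAIL_USER $root/home/$JAIL_USER"
    # hidepid=2: processes of other users are invisible inside the jail.
    echo "mount -t proc -o nosuid,nodev,noexec,hidepid=2 proc $root/proc"
}

# Root only: run the plan, stopping at the first failing command.
jail_build() {
    [ "$(id -u)" -eq 0 ] || { echo "build needs root" >&2; return 1; }
    jail_plan "$1" | sh -e
}

# Print "ro <mountpoint>" or "rw <mountpoint>" for every mount at or below $1,
# read from /proc/mounts or from the file given as $2. Anything rw other than
# /tmp, /proc and the settings directory is a mistake to fix before first use.
jail_audit() {
    awk -v root="$1" '
        $2 == root || index($2, root "/") == 1 {
            mode = "rw"
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++) if (opts[i] == "ro") mode = "ro"
            print mode, $2
        }' "${2:-/proc/mounts}"
}

# Count audit lines of the given mode ("ro" or "rw") on stdin.
count_mode() {
    awk -v m="$1" '$1 == m { n++ } END { print n + 0 }'
}

case "${1:-}" in
    plan)  jail_plan "$2" ;;
    build) jail_build "$2" ;;
    audit) jail_audit "$2" ;;
    *)     : ;;   # run without a verb: define the functions only
esac
```

Two things to keep in mind when using it: the program must still run as the unprivileged user inside the jail (the 'su' after 'chroot' above), because a chroot on its own does not confine a root process; and the audit should list rw only for /tmp, /proc and the settings directory, so a stray rw line means a bind remount was skipped.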