Re: Implementing Security Policies

On 7/19/06, Bhaskar <abc.bhaskar@xxxxxxxxx> wrote:

Dear Steven,

I am the one who confirmed about the implementation of the Linux Security
Policies.

I did my homework on PAM, SELinux, shell scripting and came to conclusion of
writing shell scripts for implementing those policies.

As I mentioned in my previous thread, my policies are from the custom server
and include enabling/disabling ftp, rlogin, rsh, telnet to particular user.

Here whenever the user logs into the system, my script would get executed
and the permissions are set accordingly.

In the scripts, I am changing the group of the executables and setting the
permissions using the chmod command.

The point that I want to confirm with you is that changing the permissions
like this for every user as soon as he logs into the system is feasible or
not.


It is racy. A person knowing what they are doing could break out of
the startups before they are executed (e.g. Control-C while logging in can
cause the .bash_profile etc. not to be executed in some cases).

An old solution would be to create an everyone-else group:
Group goodguys would have every good user in it (up to the limit of
number of people in a group )

You would set the executables you are worried about to being 0550 or
equivalent and that they had the group goodguys. This would mean that
permissions aren't being changed on log-in but are always set. Problems
are that it doesn't stop bad-user from doing something like uploading a
working ftp/scp/telnet client into their home account and using that
versus the global executable.

The only fix to that is setting an selinux policy for the user where
he can't open ports etc from non-allowed programs.

Regards,

Bhaskar.




--
Stephen J Smoogen.
CSIRT/Linux System Administrator
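An added example (not part of the thread) of the group-based approach Stephen describes, in POSIX sh: one function audits which client binaries are still executable by everyone (the state a per-login chmod script leaves between logins), and one puts them under a group at mode 0550 so the restriction is permanent rather than applied at login. The group name, the list of binaries and GNU `stat -c` are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes GNU coreutils (stat -c).

# audit_world_exec FILE...: print each existing file whose "other" permission
# bits still include execute, i.e. any user on the box can run it.
# Returns 1 if at least one such file was found, 0 otherwise.
audit_world_exec() {
    found=0
    for f in "$@"; do
        [ -e "$f" ] || continue
        mode=$(stat -c '%a' "$f")          # e.g. 755, 550 or 4755 for setuid
        case "$mode" in
            *[1357])                        # odd last octal digit => o+x set
                echo "world-executable: $f (mode $mode)"
                found=1 ;;
        esac
    done
    return $found
}

# restrict_to_group GROUP FILE...: give each file to GROUP and set 0550, so
# only the owner (usually root) and GROUP members can read or execute it.
# Non-members get "Permission denied" regardless of login scripts.
restrict_to_group() {
    grp=$1
    shift
    for f in "$@"; do
        [ -e "$f" ] || continue
        chgrp "$grp" "$f" && chmod 0550 "$f" || return 1
    done
    return 0
}

# Typical use (hypothetical group name; the binaries named in the thread):
#   groupadd goodguys && usermod -aG goodguys alice
#   restrict_to_group goodguys /usr/bin/ftp /usr/bin/rlogin /usr/bin/rsh /usr/bin/telnet
#   audit_world_exec /usr/bin/ftp /usr/bin/rlogin /usr/bin/rsh /usr/bin/telnet
```

The audit does nothing about a private copy of a client in the user's home directory, which is exactly the gap Stephen points out and why he suggests an SELinux policy for the user as the real fix.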

