On 02/08/2012 06:38 PM, Erinn Looney-Triggs wrote:
On 02/08/2012 05:15 AM, Miroslav Grepl wrote:
On 02/08/2012 01:31 AM, Erinn Looney-Triggs wrote:
My company asked me today to set up a user that is allowed only to
upload files via sftp. This got me thinking: an sftp user has shell
access as well, of course, and this can lead to all kinds of interesting
things (the kernel privilege escalation from last week comes to mind).
I figured it might be appropriate to run this user as a confined user;
at a minimum, running the user as user_u would block a lot of
options, or perhaps a different user would fit better; I haven't researched them all yet.
Now the question is, would SELinux be an appropriate place for an sftp_u
user? What I am envisioning is a confined user that allows only the
sftp subsystem to be run and files to be uploaded to the confined user's
homedir. It seems to me that SELinux would be a good fit for this, but I
am merely an amateur here :).
Anyone ever done anything like this? Would this be an easy thing?
There are of course other options; folks have written programs to
confine a user to only uploading via sftp, rssh and others.
-Erinn
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
What OS?
We have sftp+chroot+SELinux in Fedora16/17/RHEL6.2. You could chroot
users in their home directories and then after sftp on a machine, a user
will run in the "chroot_user_t" domain.
This domain has these accesses by default:
userdom_read_user_home_content_files(chroot_user_t)
userdom_read_inherited_user_home_content_files(chroot_user_t)
userdom_read_user_home_content_symlinks(chroot_user_t)
userdom_exec_user_home_content_files(chroot_user_t)
and the "ssh_chroot_rw_homedirs" boolean.
RHEL 6.2, it looks like between your suggestions and Dominick's
suggestions I can probably put together a pretty good little sandbox for
an sftp user, without of course, having to become the master of the
universe that can write policy ;).
Thanks for all the good info,
-Erinn
Petr Lautrbach (openssh package maintainer) is just writing a blog post on how
to set it up. I am going to post his blog tomorrow.