Re: A confined sftp user

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 02/08/2012 08:58 AM, Miroslav Grepl wrote:
> On 02/08/2012 06:38 PM, Erinn Looney-Triggs wrote:
>> On 02/08/2012 05:15 AM, Miroslav Grepl wrote:
>>> On 02/08/2012 01:31 AM, Erinn Looney-Triggs wrote:
>>>> My company asked me today to set up a user that is allowed only to
>>>> upload files via sftp. This got me thinking, an sftp user has shell
>>>> access as well, of course, and this can lead to all kinds of
>>>> interesting
>>>> things (the kernel privilege escalation from last week comes to mind).
>>>>
>>>> I figured it might be appropriate to run this user as a confined user,
>>>> at least at a minimum running the user as user_u would block a lot of
>>>> options, or perhaps a different user I haven't researched them all yet.
>>>>
>>>> Now the question is, would SELinux be an appropriate place for an
>>>> sftp_u
>>>> user? What I am envisioning is a confined user, that allows only the
>>>> sftp subsystem to be run and files to be uploaded to the confined users
>>>> homedir. It seems to me that SELinux would be a good fit for this,
>>>> but I
>>>> am merely an amateur here :).
>>>>
>>>> Anyone ever done anything like this? Would this be an easy thing?
>>>>
>>>> There are of course other options, folks have written programs to
>>>> confine a user to only uploading via sftp, rssh and others.
>>>>
>>>> -Erinn
>>>>
>>>>
>>>> -- 
>>>> selinux mailing list
>>>> selinux@xxxxxxxxxxxxxxxxxxxxxxx<mailto:selinux@xxxxxxxxxxxxxxxxxxxxxxx>
>>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>> What OS?
>>>
>>> We have sftp+chroot+SELinux in Fedora16/17/RHEL6.2. You could chroot
>>> users in their home directories and then after sftp on a machine, a user
>>> will run in the "chroot_user_t" domain.
>>>
>>> This domain has these accesses by default
>>>
>>> userdom_read_user_home_content_files(chroot_user_t)
>>> userdom_read_inherited_user_home_content_files(chroot_user_t)
>>> userdom_read_user_home_content_symlinks(chroot_user_t)
>>> userdom_exec_user_home_content_files(chroot_user_t
>>>
>>> and the "ssh_chroot_rw_homedirs" boolean.
>>>
>>>
>>>
>>>
>> RHEL 6.2, it looks like between your suggestions and Dominick's
>> suggestions I can probably put together a pretty good little sandbox for
>> an sftp user, without of course, having to become the master of the
>> universe that can write policy ;).
>>
>> Thanks for all the good info,
>>
>> -Erinn
>>
>>
> Petr Lautrbach (openssh package maintainer) is just writing a blog how
> to setup it. I am going to post his blog tomorrow.

Well that is just wonderful, thanks Miroslav and thank Petr for me.

-Erinn


Attachment: signature.asc
Description: OpenPGP digital signature

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux

[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux