On 02/08/2012 08:58 AM, Miroslav Grepl wrote:
> On 02/08/2012 06:38 PM, Erinn Looney-Triggs wrote:
>> On 02/08/2012 05:15 AM, Miroslav Grepl wrote:
>>> On 02/08/2012 01:31 AM, Erinn Looney-Triggs wrote:
>>>> My company asked me today to set up a user that is allowed only to
>>>> upload files via sftp. This got me thinking, an sftp user has shell
>>>> access as well, of course, and this can lead to all kinds of
>>>> interesting things (the kernel privilege escalation from last week
>>>> comes to mind).
>>>>
>>>> I figured it might be appropriate to run this user as a confined user,
>>>> at least at a minimum running the user as user_u would block a lot of
>>>> options, or perhaps a different user I haven't researched them all yet.
>>>>
>>>> Now the question is, would SELinux be an appropriate place for an
>>>> sftp_u user? What I am envisioning is a confined user, that allows
>>>> only the sftp subsystem to be run and files to be uploaded to the
>>>> confined user's homedir. It seems to me that SELinux would be a good
>>>> fit for this, but I am merely an amateur here :).
>>>>
>>>> Anyone ever done anything like this? Would this be an easy thing?
>>>>
>>>> There are of course other options, folks have written programs to
>>>> confine a user to only uploading via sftp, rssh and others.
>>>>
>>>> -Erinn
>>>>
>>>>
>>>> --
>>>> selinux mailing list
>>>> selinux@xxxxxxxxxxxxxxxxxxxxxxx<mailto:selinux@xxxxxxxxxxxxxxxxxxxxxxx>
>>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>> What OS?
>>>
>>> We have sftp+chroot+SELinux in Fedora16/17/RHEL6.2. You could chroot
>>> users in their home directories and then after sftp on a machine, a user
>>> will run in the "chroot_user_t" domain.
>>>
>>> This domain has these accesses by default
>>>
>>> userdom_read_user_home_content_files(chroot_user_t)
>>> userdom_read_inherited_user_home_content_files(chroot_user_t)
>>> userdom_read_user_home_content_symlinks(chroot_user_t)
>>> userdom_exec_user_home_content_files(chroot_user_t)
>>>
>>> and the "ssh_chroot_rw_homedirs" boolean.
>>>
>> RHEL 6.2, it looks like between your suggestions and Dominick's
>> suggestions I can probably put together a pretty good little sandbox for
>> an sftp user, without of course, having to become the master of the
>> universe that can write policy ;).
>>
>> Thanks for all the good info,
>>
>> -Erinn
>>
> Petr Lautrbach (openssh package maintainer) is just writing a blog on how
> to set it up. I am going to post his blog tomorrow.

Well that is just wonderful, thanks Miroslav and thank Petr for me.

-Erinn
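The sftp+chroot+SELinux arrangement described in the thread, sketched as an sshd_config fragment. This is an added example, not taken from the thread or from Petr Lautrbach's blog post; the group name `sftponly` and the `upload` subdirectory are assumptions.

```conf
# /etc/ssh/sshd_config (fragment). Constructed example; the group name
# "sftponly" and the "upload" directory are assumptions, not from the thread.

# Replace the existing Subsystem line with the in-process SFTP server, so the
# chroot does not need an sftp-server binary or its libraries inside it.
Subsystem sftp internal-sftp

# Match blocks belong at the end of the file; they apply until the next Match.
Match Group sftponly
    # %h expands to the user's home directory. sshd refuses the chroot unless
    # every component of this path is a root-owned directory that is not
    # writable by any other user or group, so uploads go to a user-owned
    # subdirectory (here the assumed %h/upload).
    ChrootDirectory %h
    # Ignore whatever command or shell the client requests; only SFTP runs.
    ForceCommand internal-sftp
    # Close the side channels an account without a shell could still use.
    AllowTcpForwarding no
    X11Forwarding no

# SELinux side, run as root after editing the file:
#
#   # chroot_user_t has only read/exec access to home content by default
#   # (see the interface list in the thread); the boolean named in the
#   # thread is what permits writes, which an upload account needs.
#   setsebool -P ssh_chroot_rw_homedirs on
#
#   service sshd restart
#
#   # While a test user is connected, confirm the session's domain.
#   # Per the thread it should be chroot_user_t.
#   ps -eZ | grep chroot_user_t
```

If the `ps -eZ` check shows the session in an unconfined domain instead, the chroot did not take effect for that login; check the ownership and mode of each path component before relying on the setup.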