Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
restricting skype and wine, disallow a use by a user[solved]
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Networking & Security
View previous topic :: View next topic  
Author Message
The Doctor
Veteran
Veteran


Joined: 27 Jul 2010
Posts: 1515

PostPosted: Tue Aug 28, 2012 12:05 am    Post subject: restricting skype and wine, disallow a use by a user[solved] Reply with quote

I am intending to install skype and only run it from a new, dedicated user to limit my system's exposure to it. Not installing skype really is not an option, so if there are any other ideas, I would like to hear them.
Second, I would like to disallow my normal user from running skype, just so I don't do it by accident. I can't seem to find any instructions on how to do this on Google.
I would like to do the same thing with wine.

By the way, the method I intend to use is as follows:
    add a group called skype
    make a new user with primary group skype and also add to the audio group
    add an alias to my .bashrc file: alias skype="xhost +local: && sudo -u skype /opt/bin/skype"
    add %wheel ALL=(skype) NOPASSWD: /usr/bin/skype to my soders file


This method comes from Arch Linux Wiki

I would like to do the same for wine, and even more critically I want to prevent wine from ever starting as my normal user. If it dose catch a cold, I don't want it spreading to my data.

Thanks!
_________________
First things first, but not necessarily in that order.


Last edited by The Doctor on Tue Aug 28, 2012 1:38 am; edited 1 time in total
Back to top
View user's profile Send private message
Ant P.
Advocate
Advocate


Joined: 18 Apr 2009
Posts: 2524
Location: UK

PostPosted: Tue Aug 28, 2012 12:59 am    Post subject: Reply with quote

chgrp blobusers, chmod o-x,g+x /usr/bin/wine?
Back to top
View user's profile Send private message
PaulBredbury
Watchman
Watchman


Joined: 14 Jul 2005
Posts: 7310

PostPosted: Tue Aug 28, 2012 1:08 am    Post subject: Re: restricting skype and wine, disallow a use by a user Reply with quote

penguin swordmaster wrote:
limit my system's exposure to it

I run skype (along with e.g. firefox) under AppArmor. I'd recommend it.
Back to top
View user's profile Send private message
The Doctor
Veteran
Veteran


Joined: 27 Jul 2010
Posts: 1515

PostPosted: Tue Aug 28, 2012 1:18 am    Post subject: Reply with quote

Ant P. wrote:
chgrp blobusers, chmod o-x,g+x /usr/bin/wine?

Thanks, that works!
_________________
First things first, but not necessarily in that order.
Back to top
View user's profile Send private message
The Doctor
Veteran
Veteran


Joined: 27 Jul 2010
Posts: 1515

PostPosted: Tue Aug 28, 2012 1:24 am    Post subject: Re: restricting skype and wine, disallow a use by a user Reply with quote

PaulBredbury wrote:
penguin swordmaster wrote:
limit my system's exposure to it

I run skype (along with e.g. firefox) under AppArmor. I'd recommend it.


Thanks for the recommendation, I look into it.
_________________
First things first, but not necessarily in that order.
Back to top
View user's profile Send private message
Jacekalex
Guru
Guru


Joined: 17 Sep 2009
Posts: 496

PostPosted: Tue Sep 04, 2012 2:45 am    Post subject: Reply with quote

Apparmor is a good choice, but it requires a patch to ensure compatibility with version 2.4, which I have not found (working) on the kernel older than 3.2.9, not to mention the version 3.5.3 - which I'm currently using

Without this patch you will see the result:
Code:
/ etc / init.d / apparmor start
apparmor | * Starting apparmor ...
apparmor | * apparmor compatibility is not present in the kernel [!! ]
apparmor | * ERROR: apparmor failed to start


You can also use Grsecurity - and set up the ACL policy for the system, step by step information you have on the wiki - Gentoo Hardened.

A sample profile of grsecurity ACL skype (skype works as a separate user voip):

Code:
subject /opt/skype/skype o {
   /            h
   /SYSV00000000         x
   /SYSV00003400         x
   /SYSV00003401         x
   /dev            
   /dev/grsec         h
   /dev/kmem         h
   /dev/log         h
   /dev/mem         h
   /dev/null         rw
   /dev/port         h
   /dev/snd         rxw
   /dev/urandom         r
   /dev/video1         rw
   /etc            rx
   /etc/grsec         h
   /etc/gshadow         h
   /etc/ppp                 h
   /etc/samba/smbpasswd   h
   /etc/shadow         h
   /etc/ssh                            h
   /etc/ssl/private                   h
   /home            h
    /home/*/.ssh       h
    /home/*/.purple      h
    /home/*/.mozilla   h
    /home/*/.opera      h
    /home/*/.thunderbird        h
   /home/voip         rw
   /home/voip/.Skype      rwcd
   /home/voip/.Skype/{PROFILE_NAME}   rwcd
   /home/voip/.Skype/shared_dynco   
   /home/voip/.Skype/shared_dynco/dc.db   rw
   /home/voip/.Skype/shared_dynco/dc.db-journal   rwcd
   /home/voip/.Skype/shared_dynco/dc.lock   rwcd
   /home/voip/.Skype/shared_httpfe   
   /home/voip/.Skype/shared_httpfe/queue.db   rw
   /home/voip/.Skype/shared_httpfe/queue.lock   rwcd
   /lib            rx
   /lib/modules         h
   /opt            
   /opt/skype         rx
   /proc            r
   /proc/bus         h
   /proc/kallsyms         h
   /proc/kcore         h
   /proc/modules         h
   /proc/slabinfo         h
   /selinux         
   /tmp            rwcd
   /usr            
   /usr/bin/dbus-launch      x
   /usr/lib         rx
   /usr/share         rx
   /usr/src         h
   /var            h
   /var/cache         h
   /var/cache/fontconfig      rx
   /var/lib         h
   /var/lib/dbus/machine-id   r
   -CAP_ALL
   bind 127.0.0.1/32:0 dgram udp
   bind 0.0.0.0/32:0 stream dgram ip tcp udp
   bind 0.0.0.0/32:7334 stream dgram ip tcp udp
   connect 0.0.0.0/0:1024-65535 stream dgram tcp udp
   connect 0.0.0.0/0:443 stream dgram tcp udp
   connect 0.0.0.0/0:80 stream dgram tcp udp
   connect 0.0.0.0/0:53 stream dgram tcp udp
   sock_allow_family netlink


This is automatically generated rules in the gradm learning mode.
http://www.gentoo.org/proj/en/hardened/grsecurity.xml

Cheers
8)
Back to top
View user's profile Send private message
PaulBredbury
Watchman
Watchman


Joined: 14 Jul 2005
Posts: 7310

PostPosted: Tue Sep 04, 2012 3:00 am    Post subject: Reply with quote

Jacekalex wrote:
patch

Get apparmor-whatever.tar.gz from launchpad, and look in the "kernel-patches" dir - currently has patches for linux 3.0 to 3.4.

Jacekalex wrote:
to ensure compatibility with version 2.4

Version 2.4 of *what*?
Back to top
View user's profile Send private message
Jacekalex
Guru
Guru


Joined: 17 Sep 2009
Posts: 496

PostPosted: Tue Sep 04, 2012 10:41 am    Post subject: Reply with quote

PaulBredbury wrote:
Jacekalex wrote:
patch

Get apparmor-whatever.tar.gz from launchpad, and look in the "kernel-patches" dir - currently has patches for linux 3.0 to 3.4.

......

Code:
echo $PWD
/usr/src/linux-3.4.7-hardened

 patch -p1  < ../patch34/3.4/0002-UBUNTU-SAUCE-AppArmor-basic-networking-rules.patch
patching file security/apparmor/.gitignore
patching file security/apparmor/Makefile
patching file security/apparmor/apparmorfs.c
Hunk #1 succeeded at 201 (offset -226 lines).
patching file security/apparmor/include/audit.h
patching file security/apparmor/include/net.h
patching file security/apparmor/include/policy.h
patching file security/apparmor/lsm.c
Hunk #2 FAILED at 623.
1 out of 3 hunks FAILED -- saving rejects to file security/apparmor/lsm.c.rej
patching file security/apparmor/net.c
patching file security/apparmor/policy.c
patching file security/apparmor/policy_unpack.c


Code:

cat security/apparmor/lsm.c.rej


security/apparmor/lsm.c.rej
--- security/apparmor/lsm.c
+++ security/apparmor/lsm.c
@@ -623,6 +624,104 @@
    return error;
 }
 
+static int apparmor_socket_create(int family, int type, int protocol, int kern)
+{
+   struct aa_profile *profile;
+   int error = 0;
+
+   if (kern)
+      return 0;
+
+   profile = __aa_current_profile();
+   if (!unconfined(profile))
+      error = aa_net_perm(OP_CREATE, profile, family, type, protocol,
+                NULL);
+   return error;
+}
+
+static int apparmor_socket_bind(struct socket *sock,
+            struct sockaddr *address, int addrlen)
+{
+   struct sock *sk = sock->sk;
+
+   return aa_revalidate_sk(OP_BIND, sk);
+}
+
+static int apparmor_socket_connect(struct socket *sock,
+               struct sockaddr *address, int addrlen)
+{
+   struct sock *sk = sock->sk;
+
+   return aa_revalidate_sk(OP_CONNECT, sk);
+}
+
+static int apparmor_socket_listen(struct socket *sock, int backlog)
+{
+   struct sock *sk = sock->sk;
+
+   return aa_revalidate_sk(OP_LISTEN, sk);
+}
+
+static int apparmor_socket_accept(struct socket *sock, struct socket *newsock)
+{
+   struct sock *sk = sock->sk;
+
+   return aa_revalidate_sk(OP_ACCEPT, sk);
+}
+
+static int apparmor_socket_sendmsg(struct socket *sock,
+               struct msghdr *msg, int size)
+{
+   struct sock *sk = sock->sk;
+
+   return aa_revalidate_sk(OP_SENDMSG, sk);
+}
+
+static int apparmor_socket_recvmsg(struct socket *sock,
+               struct msghdr *msg, int size, int flags)
+{
+   struct sock *sk = sock->sk;
+
+   return aa_revalidate_sk(OP_RECVMSG, sk);
+}
+
+static int apparmor_socket_getsockname(struct socket *sock)
+{
+   struct sock *sk = sock->sk;
+
+   return aa_revalidate_sk(OP_GETSOCKNAME, sk);
+}
+
+static int apparmor_socket_getpeername(struct socket *sock)
+{
+   struct sock *sk = sock->sk;
+
+   return aa_revalidate_sk(OP_GETPEERNAME, sk);
+}
+
+static int apparmor_socket_getsockopt(struct socket *sock, int level,
+                  int optname)
+{
+   struct sock *sk = sock->sk;
+
+   return aa_revalidate_sk(OP_GETSOCKOPT, sk);
+}
+
+static int apparmor_socket_setsockopt(struct socket *sock, int level,
+                  int optname)
+{
+   struct sock *sk = sock->sk;
+
+   return aa_revalidate_sk(OP_SETSOCKOPT, sk);
+}
+
+static int apparmor_socket_shutdown(struct socket *sock, int how)
+{
+   struct sock *sk = sock->sk;
+
+   return aa_revalidate_sk(OP_SOCK_SHUTDOWN, sk);
+}
+
 static struct security_operations apparmor_ops = {
    .name =            "apparmor",


Generally, perhaps one day will AppArmor had real support in Gentoo, but for now it is the overlay userspace and kernel requires patches from Ubuntu, I would not call this normal support, which the widths of the system responsible for the safety of a very important

In general, I do not understand, if you need compatibility with userspace apparmor-2.4 version, how did it happen that the kernel apparmor went without this (very important) compatibility.

Both Grsecurity in hardened-sources, as well as all sources SELINUX any special patch does not need to just work.

Cheers
;-)
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Networking & Security All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum