User Security [SOLVED]

Message

Narusegawa · Post by **Narusegawa** » Wed May 17, 2006 10:09 am

I'm in the process of moving my webserver from FreeBSD to Gentoo. But at the moment I have a problematic user with shell access. I'm hoping this can be done in Gentoo (it might be able to do in FreeBSD too)

The user downloads BitchX binaries and runs them in his home dir. Is there a way to prevent said user doing so, without removing their shell access or wget/lynx etc...

Edit: Solved by deciding to not let users have shell access

Narusegawa · Post by **Narusegawa** » Wed May 17, 2006 10:18 am

Thinking about it... I'd need to find one of 2 methods....

1) Prevent user running binaries outside that don't exist in /bin, /sbin /usr/

2) Force -x on ALL files in their home folder (They can only write to this folder)

allucid · Post by **allucid** » Wed May 17, 2006 11:45 am

Is the user not allowed to run any local applications, not allowed to run specific applications, or is this a network issue? Make sure you fix the problem without crippling some of their privileges.

Narusegawa · Post by **Narusegawa** » Wed May 17, 2006 12:25 pm

It was given to the user so that they could wget, tar and nano files in their web space. And so this is really all they should have access to.

marvin5 · Post by **marvin5** » Wed May 17, 2006 1:55 pm

How about mounting the home-directories with "noexec"? Check "man mount" for details. This should prevent the execution of everything on this partition.

marvin

Narusegawa · Post by **Narusegawa** » Thu May 25, 2006 4:11 pm

Is it possible then perhaps to specify a list of commands/binaries that the user CAN run?

nlindblad · Post by **nlindblad** » Thu May 25, 2006 4:17 pm

Narusegawa wrote:Is it possible then perhaps to specify a list of commands/binaries that the user CAN run?

Yes:

1) Use a Mandatory Access Control solution like Selinux.
2) Lock the user into a chroot upon login and only place the binaries he is allowed to use within the chroot.

Alternative 2 might be the easisest one.

Narusegawa · Post by **Narusegawa** » Thu May 25, 2006 4:23 pm

That's a good idea, the problem is I want to allow wget, but then that allows user to get a binary into the chroot.

However it might be possible if I can force all folders of that chroot into having -x on all files automatically.

nlindblad · Post by **nlindblad** » Thu May 25, 2006 4:27 pm

Narusegawa wrote:That's a good idea, the problem is I want to allow wget, but then that allows user to get a binary into the chroot.

However it might be possible if I can force all folders of that chroot into having -x on all files automatically.

I would rather make sure the home directories in the chroot is on a separate partition and mounted with noexec, that way the user can't execute anything inside his home directory.

Also, make sure the binaries you do put in the chroot are in directories owned by root and not write-able.