Re: A confined sftp user

On Tue, 2012-02-07 at 16:31 -0900, Erinn Looney-Triggs wrote:
> My company asked me today to set up a user that is allowed only to
> upload files via sftp. This got me thinking: an sftp user has shell
> access as well, of course, and this can lead to all kinds of interesting
> things (the kernel privilege escalation from last week comes to mind).
> 
> I figured it might be appropriate to run this user as a confined user;
> at least at a minimum, running the user as user_u would block a lot of
> options, or perhaps a different user. I haven't researched them all yet.

I don't think these users need a shell. You could probably use the notty
option in their authorized_keys file.

Try guest_u (useradd -Z guest_u joe)

guest_t is pretty much made for this purpose. It's not perfect, but in
combination with other security measures it's pretty good.

Think firewalling (because last time I checked these users are able to
do UDP flood attacks to the outside), IP checking, PKI auth, resource
management like cgroups, etc.

> Now the question is, would SELinux be an appropriate place for an sftp_u
> user? What I am envisioning is a confined user, that allows only the
> sftp subsystem to be run and files to be uploaded to the confined users
> homedir. It seems to me that SELinux would be a good fit for this, but I
> am merely an amateur here :).
> 
> Anyone ever done anything like this? Would this be an easy thing?

Not easy but not that hard either. Basically one could clone the source
policy for the least privileged login user available and modify that to
your requirements.

Whether it is worth the trouble depends on your requirements.

> There are of course other options, folks have written programs to
> confine a user to only uploading via sftp, rssh and others.
> 
> -Erinn


--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
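The reply above sketches three layers for an upload-only account: a restricted authorized_keys entry so no shell or pty is handed out (the "notty" option is read here as OpenSSH's `no-pty`), the account mapped to the SELinux guest_u login, and further controls around it. The following script is an added example and is not code from this thread or from the Fedora SELinux project. It prints the pieces that implement the first two layers and includes an audit function that flags authorized_keys lines which still permit an interactive session. The user name `joe` is the one used in the reply; the public key in the usage note is a constructed placeholder; the sshd_config `Match`, `ForceCommand internal-sftp`, `ChrootDirectory` and `PermitTTY` directives are standard OpenSSH options that the thread itself does not mention.

```shell
#!/bin/sh
# Added example (not from the thread): emit and audit the configuration that
# turns a login account into an upload-only sftp account.

# 1. authorized_keys line. no-pty plus the no-*-forwarding options exist in
#    every OpenSSH release; command="internal-sftp" pins the session to the
#    in-process sftp server so no shell is ever exec'd for this key.
#    $1 = the user's public key line ("ssh-ed25519 AAAA... comment").
sftp_authorized_key() {
    printf 'no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding,command="internal-sftp" %s\n' "$1"
}

# 2. sshd_config Match block: enforce the same thing server-side, so the
#    restriction does not depend on the key file alone. The chroot target
#    (%h = home directory) must be owned by root and not group/world writable
#    or sshd refuses the login; uploads go into a writable subdirectory.
#    $1 = user name.
sftp_match_block() {
    cat <<EOF
Match User $1
    ForceCommand internal-sftp
    ChrootDirectory %h
    AllowTcpForwarding no
    X11Forwarding no
    PermitTTY no
EOF
}

# 3. Account creation mapped to the SELinux guest_u user, as the reply
#    suggests (useradd -Z). internal-sftp needs no login shell, so nologin is
#    a second safety net should the forced command ever be removed.
#    $1 = user name.
sftp_useradd_cmd() {
    printf 'useradd -m -s /sbin/nologin -Z guest_u %s\n' "$1"
}

# 4. Audit an existing authorized_keys file: report every key whose options
#    field lacks no-pty (or the newer "restrict"), i.e. keys that still grant
#    a pty. A bare command= is reported too, since pty and forwarding remain
#    allowed with it. Returns 0 when all keys are restricted, 1 otherwise.
#    $1 = path to an authorized_keys file.
audit_authorized_keys() {
    bad=0
    while IFS= read -r line; do
        case "$line" in
            ''|'#'*) continue ;;          # skip blanks and comments
        esac
        # The options field, if present, precedes the key type.
        opts=${line%% ssh-*}
        opts=${opts%% ecdsa-*}
        opts=${opts%% sk-*}
        if [ "$opts" = "$line" ]; then
            opts=''                        # no options field at all
        fi
        case "$opts" in
            *no-pty*|*restrict*) ;;
            *) echo "unrestricted key: $line"; bad=1 ;;
        esac
    done < "$1"
    return "$bad"
}

# Usage: sh sftp_confine.sh joe /path/to/joe.pub
# Prints the useradd command, the authorized_keys line and the Match block.
if [ $# -eq 2 ]; then
    sftp_useradd_cmd "$1"
    sftp_authorized_key "$(cat "$2")"
    sftp_match_block "$1"
fi
```

Running `audit_authorized_keys` over each confined user's key file is the cheap check to repeat after every key rotation: a key added later without `no-pty` silently reopens the interactive path the `Match` block is meant to close only for that one user.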