FAQ Search Today's Posts Mark Forums Read
» Video Reviews

» Linux Archive

Linux-archive is a website aiming to archive linux email lists and to make them easily accessible for linux users/developers.


» Sponsor

» Partners

» Sponsor

Go Back   Linux Archive > Redhat > Fedora Infrastructure

 
 
LinkBack Thread Tools
 
Old 03-27-2012, 09:17 PM
seth vidal
 
Default default user context on fedorapeople.org

We are debating the default user context for fedorapeople.org:

Right now users are unconfined_t.
This would, ostensibly, let them do a lot. However, we have
fedorapeople set up to isolate user tempdirs and every place a user can
write to is mounted noexec,nosuid - so there is no place to run
anything that isn't already on the system.

We're wondering if we should move them to either:

user_t

or

guest_t


User_t sets:
X Windows Login and terminal login, nosetuid, noexec in homedir

As we have things currently configured this would not involve much in
the way of a change to how users can operate on fedorapeople.org


Guest_t sets:
Terminal login, nosetuid, nonetwork, noxwindows, noexec in homedir

X is not really an issue, obviously. So the big difference here is that
outbound network connections would not be allowed with guest_t.

The debate is really over network access. We know that some folks
tunnel through fedorapeople.org for irc and they login there to rsync
things to this space for personal hosting, etc.

So there are some legit reasons for outbound network connections.
However, it is not obvious that those reasons are within the scope
for what fedorapeople.org is supposed to be used.

And that is the more or less it - does anyone have any
suggestions/thoughts?

-sv
_______________________________________________
infrastructure mailing list
infrastructure@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/infrastructure
 
Old 03-27-2012, 09:33 PM
Konstantin Ryabitsev
 
Default default user context on fedorapeople.org

On Tue, 2012-03-27 at 17:17 -0400, seth vidal wrote:
> And that is the more or less it - does anyone have any
> suggestions/thoughts?

You don't have to limit yourself to picking between user_u or guest_u.
You can create another role, such as "fedorauser_u" that is basically
guest_u, except you can then add specific policies via SELinux roles,
such as:

irc_role(fedorauser_t, fedorauser_r)

Which should let them run an IRC client such as irsii.

On the other hand, just setting user_u is a good start and a lot less
work.

Best,
--
Konstantin Ryabitsev
Systems Administrator, Kernel.org
Montréal, Québec
_______________________________________________
infrastructure mailing list
infrastructure@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/infrastructure
 
Old 03-27-2012, 09:35 PM
seth vidal
 
Default default user context on fedorapeople.org

On Tue, 27 Mar 2012 17:33:26 -0400
Konstantin Ryabitsev <icon@fedoraproject.org> wrote:

> On Tue, 2012-03-27 at 17:17 -0400, seth vidal wrote:
> > And that is the more or less it - does anyone have any
> > suggestions/thoughts?
>
> You don't have to limit yourself to picking between user_u or guest_u.
> You can create another role, such as "fedorauser_u" that is basically
> guest_u, except you can then add specific policies via SELinux roles,
> such as:
>
> irc_role(fedorauser_t, fedorauser_r)
>
> Which should let them run an IRC client such as irsii.
>
> On the other hand, just setting user_u is a good start and a lot less
> work.


Except it is more or less where we are now.

ie: user can run stuff but they cannot put any exec or suid files in
any place they can write.

The debate is not about whether or not to enable this - it is about
whether we need to allow network connections at all.

Allowing irc out or ssh tunnels is not significant more safety
over just allowing general network communication, afaict.

-sv
_______________________________________________
infrastructure mailing list
infrastructure@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/infrastructure
 
Old 03-27-2012, 09:43 PM
Konstantin Ryabitsev
 
Default default user context on fedorapeople.org

On Tue, 2012-03-27 at 17:35 -0400, seth vidal wrote:
> Except it is more or less where we are now.
>
> ie: user can run stuff but they cannot put any exec or suid files in
> any place they can write.
>
> The debate is not about whether or not to enable this - it is about
> whether we need to allow network connections at all.
>
> Allowing irc out or ssh tunnels is not significant more safety
> over just allowing general network communication, afaict.

It's not quite like that. E.g. if we do fedora_u with irc_role(), then
the person would be allowed to execute a binary labelled with
irc_exec_t, which would then be allowed to connect to IRC ports. Without
executing that binary, the user would not be able to connect to IRC
ports, so no ssh-forwarding or just "telnet 6667".

Let me verify this in my VM, though, before I'm forced to insert my foot
into my mouth.

Best,
--
Konstantin Ryabitsev
Systems Administrator, Kernel.org
Montréal, Québec
_______________________________________________
infrastructure mailing list
infrastructure@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/infrastructure
 
Old 03-27-2012, 09:46 PM
Toshio Kuratomi
 
Default default user context on fedorapeople.org

On Tue, Mar 27, 2012 at 05:35:46PM -0400, seth vidal wrote:
> On Tue, 27 Mar 2012 17:33:26 -0400
> Konstantin Ryabitsev <icon@fedoraproject.org> wrote:
>
> > On Tue, 2012-03-27 at 17:17 -0400, seth vidal wrote:
> > > And that is the more or less it - does anyone have any
> > > suggestions/thoughts?
> >
> > You don't have to limit yourself to picking between user_u or guest_u.
> > You can create another role, such as "fedorauser_u" that is basically
> > guest_u, except you can then add specific policies via SELinux roles,
> > such as:
> >
> > irc_role(fedorauser_t, fedorauser_r)
> >
> > Which should let them run an IRC client such as irsii.
> >
> > On the other hand, just setting user_u is a good start and a lot less
> > work.
>
>
> Except it is more or less where we are now.
>
> ie: user can run stuff but they cannot put any exec or suid files in
> any place they can write.
>
> The debate is not about whether or not to enable this - it is about
> whether we need to allow network connections at all.
>
> Allowing irc out or ssh tunnels is not significant more safety
> over just allowing general network communication, afaict.
>
I do find it useful to be able to ssh files from fedorapeople to other hosts
at times (if I've uploaded them there at one point and then later realize
I need them somewhere else as well).

Can't think of anything else where I need to initiate a network connection
from fedorapeople.org

-Toshio
_______________________________________________
infrastructure mailing list
infrastructure@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/infrastructure
 
Old 03-27-2012, 10:09 PM
Konstantin Ryabitsev
 
Default default user context on fedorapeople.org

On Tue, 2012-03-27 at 17:43 -0400, Konstantin Ryabitsev wrote:
> Let me verify this in my VM, though, before I'm forced to insert my
> foot
> into my mouth.

Yes, it works just as I thought. If you want to test it out:

testguest.te:
--------------------------------
policy_module(testguest, 1.0.0)
role testguest_r;
irc_role(testguest_r, testguest_t)
userdom_restricted_user_template(testguest)
gen_user(testguest_u, user, testguest_r, s0, s0)
--------------------------------

make -f make -f /usr/share/selinux/devel/Makefile testguest.pp
semodule -i testguest.pp
cd /etc/selinux/targeted/contexts/users
cat guest_u | sed 's/guest_u/testguest_u/g' > testguest_u
useradd bob
passwd bob
usermod -Z testguest_u bob

As a result:

[bob@moppet ~]$ whoami
bob
[bob@moppet ~]$ id -Z
testguest_u:testguest_r:testguest_t:s0
[bob@moppet ~]$ telnet irc.freenode.org 6667
Trying 94.125.182.252...
telnet: connect to address 94.125.182.252: Permission denied

Best,
--
Konstantin Ryabitsev
Systems Administrator, Kernel.org
Montréal, Québec
_______________________________________________
infrastructure mailing list
infrastructure@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/infrastructure
 
Old 03-27-2012, 11:28 PM
Kevin Fenzi
 
Default default user context on fedorapeople.org

We do have:

https://fedorahosted.org/fedora-infrastructure/ticket/2586

that might be related.

I guess I'd lean toward user_t.

Note that folks who need to sudo need to still be unconfined right?

kevin
_______________________________________________
infrastructure mailing list
infrastructure@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/infrastructure
 
Old 03-28-2012, 12:51 AM
Konstantin Ryabitsev
 
Default default user context on fedorapeople.org

On Tue, 2012-03-27 at 17:28 -0600, Kevin Fenzi wrote:
> Note that folks who need to sudo need to still be unconfined right?

No, you want them to be staff_u and add the following to your sudoers:

%wheel ALL=(ALL) TYPE=unconfined_t ROLE=unconfined_r ALL

This will transition to unconfined upon sudo.

BTW, I just found out that guest_u (and, by extension, my testguest_u)
still allows sshd forwarding -- I guess it's hard to restrict that on
the SELinux level. It can be disallowed in sshd config, though,
including by group:

AllowTcpForwarding no
Match Group wheel
AllowTcpForwarding yes

Best,
--
Konstantin Ryabitsev
Systems Administrator, Kernel.org
Montréal, Québec
_______________________________________________
infrastructure mailing list
infrastructure@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/infrastructure
 

Thread Tools




All times are GMT. The time now is 07:28 AM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.
Copyright ©2007 - 2008, www.linux-archive.org