02-08-2012, 12:31 AM
Erinn Looney-Triggs

A confined sftp user

My company asked me today to set up a user that is allowed only to
upload files via sftp. This got me thinking, an sftp user has shell
access as well, of course, and this can lead to all kinds of interesting
things (the kernel privilege escalation from last week comes to mind).

I figured it might be appropriate to run this user as a confined user,
at least at a minimum running the user as user_u would block a lot of
options, or perhaps a different user I haven't researched them all yet.

Now the question is, would SELinux be an appropriate place for an sftp_u
user? What I am envisioning is a confined user, that allows only the
sftp subsystem to be run and files to be uploaded to the confined user's
homedir. It seems to me that SELinux would be a good fit for this, but I
am merely an amateur here.

Anyone ever done anything like this? Would this be an easy thing?

There are of course other options, folks have written programs to
confine a user to only uploading via sftp, rssh and others.

-Erinn

--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
 
02-08-2012, 09:21 AM
Dominick Grift

A confined sftp user

On Tue, 2012-02-07 at 16:31 -0900, Erinn Looney-Triggs wrote:
> My company asked me today to set up a user that is allowed only to
> upload files via sftp. This got me thinking, an sftp user has shell
> access as well, of course, and this can lead to all kinds of interesting
> things (the kernel privilege escalation from last week comes to mind).
>
> I figured it might be appropriate to run this user as a confined user,
> at least at a minimum running the user as user_u would block a lot of
> options, or perhaps a different user I haven't researched them all yet.

I don't think these users need a shell. You could probably use notty
option in their authorized_keys file.

Try guest_u (useradd -Z guest_u joe)

guest_t is pretty much made for this purpose. Though it's not perfect,
in combination with other security measures it's pretty good.

Think firewalling (because last time I checked these users are able to
do UDP flood attacks to the outside), IP checking, PKI auth, resource
management like cgroups etc etc

> Now the question is, would SELinux be an appropriate place for an sftp_u
> user? What I am envisioning is a confined user, that allows only the
> sftp subsystem to be run and files to be uploaded to the confined user's
> homedir. It seems to me that SELinux would be a good fit for this, but I
> am merely an amateur here.
>
> Anyone ever done anything like this? Would this be an easy thing?

Not easy but not that hard either. Basically one could clone the source
policy for the least privileged login user available and modify that to
your requirements.

Whether it is worth the trouble depends on your requirements.

> There are of course other options, folks have written programs to
> confine a user to only uploading via sftp, rssh and others.
>
> -Erinn
 
02-08-2012, 01:10 PM
Dominick Grift

A confined sftp user

On Wed, 2012-02-08 at 14:15 +0000, Miroslav Grepl wrote:

> What OS?
>
> We have sftp+chroot+SELinux in Fedora16/17/RHEL6.2. You could chroot
> users in their home directories and then after sftp on a machine, a
> user will run in the "chroot_user_t" domain.
>
> This domain has these accesses by default
>
> userdom_read_user_home_content_files(chroot_user_t)
> userdom_read_inherited_user_home_content_files(chroot_user_t)
> userdom_read_user_home_content_symlinks(chroot_user_t)
> userdom_exec_user_home_content_files(chroot_user_t)
>
> and the "ssh_chroot_rw_homedirs" boolean.
>

You might want to write a blog about how this is supposed to work and
how chroot_user_t differs from sftpd_t.

 
02-08-2012, 01:15 PM
Miroslav Grepl

A confined sftp user

What OS?

We have sftp+chroot+SELinux in Fedora16/17/RHEL6.2. You could chroot
users in their home directories and then after sftp on a machine, a
user will run in the "chroot_user_t" domain.

This domain has these accesses by default

userdom_read_user_home_content_files(chroot_user_t)
userdom_read_inherited_user_home_content_files(chroot_user_t)
userdom_read_user_home_content_symlinks(chroot_user_t)
userdom_exec_user_home_content_files(chroot_user_t)

and the "ssh_chroot_rw_homedirs" boolean.
 
02-08-2012, 04:35 PM
Miroslav Grepl

A confined sftp user

On 02/08/2012 03:10 PM, Dominick Grift wrote:
> On Wed, 2012-02-08 at 14:15 +0000, Miroslav Grepl wrote:
>> What OS?
>>
>> We have sftp+chroot+SELinux in Fedora16/17/RHEL6.2. You could chroot
>> users in their home directories and then after sftp on a machine, a
>> user will run in the "chroot_user_t" domain.
>>
>> This domain has these accesses by default
>>
>> userdom_read_user_home_content_files(chroot_user_t)
>> userdom_read_inherited_user_home_content_files(chroot_user_t)
>> userdom_read_user_home_content_symlinks(chroot_user_t)
>> userdom_exec_user_home_content_files(chroot_user_t)
>>
>> and the "ssh_chroot_rw_homedirs" boolean.
>
> You might want to write a blog about how this is supposed to work and
> how chroot_user_t differs from sftpd_t.

Yes, you read my mind. I have it on my TODO list. Basically, there is no
longer sftpd_t. There is just chroot_user_t for "Chroot" option and
userdomain context for internal-sftp subsystem without chroot.
 
02-08-2012, 04:38 PM
Erinn Looney-Triggs

A confined sftp user

On 02/08/2012 05:15 AM, Miroslav Grepl wrote:
> On 02/08/2012 01:31 AM, Erinn Looney-Triggs wrote:
>> My company asked me today to set up a user that is allowed only to
>> upload files via sftp. This got me thinking, an sftp user has shell
>> access as well, of course, and this can lead to all kinds of interesting
>> things (the kernel privilege escalation from last week comes to mind).
>>
>> I figured it might be appropriate to run this user as a confined user,
>> at least at a minimum running the user as user_u would block a lot of
>> options, or perhaps a different user I haven't researched them all yet.
>>
>> Now the question is, would SELinux be an appropriate place for an sftp_u
>> user? What I am envisioning is a confined user, that allows only the
>> sftp subsystem to be run and files to be uploaded to the confined user's
>> homedir. It seems to me that SELinux would be a good fit for this, but I
>> am merely an amateur here.
>>
>> Anyone ever done anything like this? Would this be an easy thing?
>>
>> There are of course other options, folks have written programs to
>> confine a user to only uploading via sftp, rssh and others.
>>
>> -Erinn
> What OS?
>
> We have sftp+chroot+SELinux in Fedora16/17/RHEL6.2. You could chroot
> users in their home directories and then after sftp on a machine, a user
> will run in the "chroot_user_t" domain.
>
> This domain has these accesses by default
>
> userdom_read_user_home_content_files(chroot_user_t)
> userdom_read_inherited_user_home_content_files(chroot_user_t)
> userdom_read_user_home_content_symlinks(chroot_user_t)
> userdom_exec_user_home_content_files(chroot_user_t)
>
> and the "ssh_chroot_rw_homedirs" boolean.
>
>
>
>

RHEL 6.2, it looks like between your suggestions and Dominick's
suggestions I can probably put together a pretty good little sandbox for
an sftp user, without of course, having to become the master of the
universe that can write policy.

Thanks for all the good info,

-Erinn


 
02-08-2012, 04:58 PM
Miroslav Grepl

A confined sftp user

On 02/08/2012 06:38 PM, Erinn Looney-Triggs wrote:

> RHEL 6.2, it looks like between your suggestions and Dominick's
> suggestions I can probably put together a pretty good little sandbox for
> an sftp user, without of course, having to become the master of the
> universe that can write policy.
>
> Thanks for all the good info,
>
> -Erinn

Petr Lautrbach (openssh package maintainer) is just writing a blog on how
to set it up. I am going to post his blog tomorrow.
 
02-08-2012, 08:13 PM
Erinn Looney-Triggs

A confined sftp user

On 02/08/2012 08:58 AM, Miroslav Grepl wrote:
> On 02/08/2012 06:38 PM, Erinn Looney-Triggs wrote:
>> On 02/08/2012 05:15 AM, Miroslav Grepl wrote:
>>> On 02/08/2012 01:31 AM, Erinn Looney-Triggs wrote:
>>>> My company asked me today to set up a user that is allowed only to
>>>> upload files via sftp. This got me thinking, an sftp user has shell
>>>> access as well, of course, and this can lead to all kinds of
>>>> interesting
>>>> things (the kernel privilege escalation from last week comes to mind).
>>>>
>>>> I figured it might be appropriate to run this user as a confined user,
>>>> at least at a minimum running the user as user_u would block a lot of
>>>> options, or perhaps a different user I haven't researched them all yet.
>>>>
>>>> Now the question is, would SELinux be an appropriate place for an
>>>> sftp_u
>>>> user? What I am envisioning is a confined user, that allows only the
>>>> sftp subsystem to be run and files to be uploaded to the confined user's
>>>> homedir. It seems to me that SELinux would be a good fit for this,
>>>> but I
>>>> am merely an amateur here.
>>>>
>>>> Anyone ever done anything like this? Would this be an easy thing?
>>>>
>>>> There are of course other options, folks have written programs to
>>>> confine a user to only uploading via sftp, rssh and others.
>>>>
>>>> -Erinn
>>> What OS?
>>>
>>> We have sftp+chroot+SELinux in Fedora16/17/RHEL6.2. You could chroot
>>> users in their home directories and then after sftp on a machine, a user
>>> will run in the "chroot_user_t" domain.
>>>
>>> This domain has these accesses by default
>>>
>>> userdom_read_user_home_content_files(chroot_user_t)
>>> userdom_read_inherited_user_home_content_files(chroot_user_t)
>>> userdom_read_user_home_content_symlinks(chroot_user_t)
>>> userdom_exec_user_home_content_files(chroot_user_t)
>>>
>>> and the "ssh_chroot_rw_homedirs" boolean.
>>>
>>>
>>>
>>>
>> RHEL 6.2, it looks like between your suggestions and Dominick's
>> suggestions I can probably put together a pretty good little sandbox for
>> an sftp user, without of course, having to become the master of the
>> universe that can write policy.
>>
>> Thanks for all the good info,
>>
>> -Erinn
>>
>>
> Petr Lautrbach (openssh package maintainer) is just writing a blog on how
> to set it up. I am going to post his blog tomorrow.

Well that is just wonderful, thanks Miroslav and thank Petr for me.

-Erinn


 
02-09-2012, 02:30 PM
Miroslav Grepl

A confined sftp user

On 02/08/2012 10:13 PM, Erinn Looney-Triggs wrote:

> Well that is just wonderful, thanks Miroslav and thank Petr for me.

Here it is:

http://bachradsusi.livejournal.com/2239.html

> -Erinn
 
02-09-2012, 03:53 PM
Dominick Grift

A confined sftp user

On Thu, 2012-02-09 at 16:30 +0100, Miroslav Grepl wrote:

> Here it is:
>
> http://bachradsusi.livejournal.com/2239.html
>
>> -Erinn

Thanks, verified.

Only thing to keep in mind is to restorecon -R -v /home/sftponlyuser

Made a screencast of the process while verifying:
http://youtu.be/KJVlis1uwIg
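
Added example (not part of the original thread or of the linked blog post): a shell check that an sshd_config confines a user the way the thread describes, chrooted and limited to the internal-sftp subsystem. The sample configuration, the user "backup" and the extra AllowTcpForwarding check are assumptions made for illustration; "sftponlyuser" and "joe" are the names used in the thread.

```shell
#!/bin/sh
# Added example: audit sshd_config text for an sftp-only, chrooted user.
# SAMPLE_CONFIG is constructed; "sftponlyuser" and "joe" come from the
# thread, "backup" is a made-up second name in the same Match line.
SAMPLE_CONFIG='# constructed sample, not a real host configuration
Subsystem sftp internal-sftp
AllowTcpForwarding yes

Match User sftponlyuser
    ChrootDirectory %h
    ForceCommand internal-sftp
    AllowTcpForwarding no

Match User joe,backup
    ChrootDirectory %h
'

# audit_sftp_user USER  (sshd_config text on stdin)
# Prints one line per missing control; returns 0 only when USER has a
# "Match User" block that chroots, forces internal-sftp and disables TCP
# forwarding. Assumption: only literal names in "Match User a,b" are
# recognised (no patterns, negation or Group criteria).
audit_sftp_user() {
    awk -v user="$1" '
        NF == 0 || $1 ~ /^#/ { next }
        { key = tolower($1); val = $2 }
        key == "match" {
            in_block = 0; seen_match = 1
            if (tolower($2) == "user") {
                n = split($3, names, ",")
                for (i = 1; i <= n; i++)
                    if (names[i] == user) { in_block = 1; found = 1 }
            }
            next
        }
        # Global value applies unless the matching block overrides it.
        !seen_match && key == "allowtcpforwarding" { tcp = tolower(val) }
        in_block && key == "allowtcpforwarding"    { tcp = tolower(val) }
        in_block && key == "chrootdirectory"       { chroot = val }
        in_block && key == "forcecommand"          { force = val }
        END {
            if (!found) { print "no Match User block for " user; exit 1 }
            if (chroot == "") { print "ChrootDirectory not set"; bad = 1 }
            if (force != "internal-sftp") { print "ForceCommand is not internal-sftp"; bad = 1 }
            if (tcp != "no") { print "AllowTcpForwarding not disabled"; bad = 1 }
            exit bad + 0
        }
    '
}

printf '%s' "$SAMPLE_CONFIG" | audit_sftp_user sftponlyuser && echo "sftponlyuser: ok"
printf '%s' "$SAMPLE_CONFIG" | audit_sftp_user joe || echo "joe: incomplete"
```

On a real host, run `audit_sftp_user sftponlyuser < /etc/ssh/sshd_config`. The SELinux side mentioned in the thread (the ssh_chroot_rw_homedirs boolean and restorecon on the home directory) is not checked by this script.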
