Mailinglist Archive: opensuse-security (196 mails)

Re: [suse-security] limiting sftp users to specific dir
  • From: Hugo <hg.list@xxxxxxxxx>
  • Date: Sat, 23 Oct 2004 16:17:03 +0300
  • Message-id: <6f133dde04102306175e6f2ef@xxxxxxxxxxxxxx>
Hi!

Thanks for the answer again.

On Fri, 22 Oct 2004 13:58:09 -0400, suse@xxxxxx <suse@xxxxxx> wrote:
> Hugo wrote:
> >
> > Again, I'm worried about how such a shell would work when the user
> > logs in from the console (at home)? Or do I have to set up 2 accounts
> > for each? That would really make a mess of the file permissions...?
> >
>
> Well, if you trust the user to be able to log in to the console, why not
> trust them when they sftp in? Given console access, I can own over 90%

Because they access the computer from a computer and environment that
is not possibly secure, of course. For instance, open SFTP from the work
place. Suddenly the boss asks you to hand out some papers... you
go look for them... ah, did I close the SFTP?

I happen to be one of the guys that think security policies are not
much more than means to transfer the blame on somebody else. If there
is a way to make the system secure, it should be made so... not write
guidelines about it.

> of the systems out there in minutes. Knoppix is the ultimate skeleton key.

To get to the console, you'd have to come to my home. To get an SFTP
connection, you do not. How much time would it take you to own a
system with SSH/SCP/SFTP access with default SuSE 9.1 permissions?
That's what I'm more concerned of.

> Most hosting companies and whatnot do not have actual Unix accounts for
> their users. It's the best security of all: no user account, no login.
> We just give them FTP or access their files via an ssl website. Much
> more secure for all.

Well, at a company I used to work for, we gave SCP/SFTP access to our
clients to transfer data to us. Yes, results were given back sometimes
through SSL. You suggest FTP! None of our clients would have done
that!

> That said, for some instances, I've used scponly to keep them in their
> place, but still allow secure file access. scponly is great. No
> worries about patching existing services.

I'm looking into it. It sure looks like the best alternative.

> > I guess Linux isn't that safe an operating system after all... one really
> > needs to know and be active (=spend lots of time to get the basic
> > stuff working) to get it safe. Or buy the stuff from SSH.
>
> Remember, just because the user can browse the filesystem through sftp,
> doesn't mean they can access anything they don't have permission to.
> Sftp doesn't give them access to anything they couldn't already access
> by logging in. The user sees the same access regardless of whether they
> login or sftp in. This isn't a flaw, but actually DESIRABLE in 99% of
> the cases.

I beg to differ. I think it is desirable only for admin-type of users
and geeks that want to know everything about everything. In our
current organization we have one linux partition mapped directly as
windows samba share. There are all the same stuff, like libs and
binaries that we analysts need while working in Linux, and it really
confuses the sales people for instance. They are sometimes even afraid
to use it as it is packed with stuff they do not know. They would not
want to see the same things there even though they have scp/sftp
access to it also (and there they need all that stuff for it to work)
... but that's work, I'm trying to set this up at home and make a
better job out of it - as you can tell, I'm not a sysadmin. :-)

> If you give a user an account, you are trusting that user with the
> public areas of that server. That means they'll be able to see most of
> the system files, but not write to them. That also usually means they
> can't view other people's home directories, and it definitely means

Ah, but for instance in the SuSE 9.1 default configuration they can see
other users' home dirs! And as I'm quite new to administering Linux, I
do not know what other things they can see and should not be able to
see!

> they're not going to be seeing the inside of the file where the
> passwords are stored.

Ah, one of those things that I really do not know... as I suspect that
somehow they need to be available for the initial authentication.

> Unlike windows, Linux is designed to be secure even to people who access
> the general filesystem. It also allows you to tailor your system to
> create directories where certain groups of people have access, but not

This all applies to Windows too, if you haven't noticed. I do not want
any Win vs. Linux here, but I must say that at least the default in
Windows is that the users can not view other users' home dirs.

> others. Also, there is a HUGE difference in Linux in the area of read
> vs. write access. A normal user has read access to most things, but can
> only write to a very limited area.
>
> For instance, if I was a normal user on your system, I could sftp in and
> go to the /etc directory and see the passwd file, but I would be
> completely unable to upload a new one over it.

But if you can read it, you can start cracking it, right?

I still fail to see why all users should even see those places? I mean
that there is no switch that would restrict remote users from even
seeing them. Because then that leaves me in a position that I can not
open that service at all. I know that I do not know as much about
linux as the possible hackers... and as default permissions might not
be the most secure, I know that I will miss something and create a
hole.

But I'm really looking into the scponly shell. Thanks.

--
HG
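Two of the concerns raised in this thread are checkable from a shell: whether home directories are readable by every other account (the SuSE 9.1 default the poster complains about), and why a user can read /etc/passwd while the password hashes stay out of reach. The script below is an added example, not something posted in the thread. It builds a constructed sample tree under mktemp so it runs offline; to audit a real system, call `list_exposed_homes /home` instead. It reads the "other" permission triplet from `ls -ld` output rather than GNU `stat`, so it works on any POSIX system, and the 0750 remediation mode is a choice made here (owner full, group read/search, nothing for others), not a SuSE default.

```shell
#!/bin/sh
# Added example: audit and tighten home-directory permissions, and show
# the passwd/shadow split that keeps hashes unreadable to ordinary users.

# Constructed sample /home so the script runs offline. Returns the path.
make_sample_tree() {
  root=$(mktemp -d)
  mkdir -p "$root/alice" "$root/bob" "$root/carol"
  chmod 755 "$root/alice"   # world-readable and listable (the complained-about default)
  chmod 700 "$root/bob"     # already private
  chmod 751 "$root/carol"   # not listable, but still searchable by everyone
  printf '%s\n' "$root"
}

# The "other" permission triplet of a path, e.g. "r-x" or "---".
# Characters 8-10 of `ls -ld` output are the world permissions on every POSIX ls.
other_bits() { ls -ld "$1" | cut -c8-10; }

# Print every home directory under $1 that grants any permission to "other".
list_exposed_homes() {
  root=$1
  for d in "$root"/*/; do
    d=${d%/}
    other=$(other_bits "$d")
    [ "$other" = "---" ] && continue
    printf '%s %s\n' "$other" "${d##*/}"
  done
}

# Number of exposed homes, convenient for scripted checks (prints 0 when clean).
count_exposed_homes() { list_exposed_homes "$1" | wc -l | tr -d ' '; }

# Remediation chosen for this example: 0750 on every home directory.
lock_down_homes() {
  root=$1
  for d in "$root"/*/; do chmod 0750 "${d%/}"; done
}

# Constructed copy of the two password files. /etc/passwd must stay world-readable
# because name/uid lookups (getpwnam) read it; the hashes live in /etc/shadow,
# which is only readable by root (and the shadow group on some distributions).
make_sample_etc() {
  etc=$(mktemp -d)
  printf 'alice:x:1000:100::/home/alice:/bin/bash\n' > "$etc/passwd"
  printf 'alice:HASH_PLACEHOLDER:12000:0:99999:7:::\n' > "$etc/shadow"
  chmod 644 "$etc/passwd"
  chmod 640 "$etc/shadow"
  printf '%s\n' "$etc"
}

# Demo run: sh thisfile.sh --demo
if [ "${1:-}" = "--demo" ]; then
  home=$(make_sample_tree)
  echo "exposed before:"; list_exposed_homes "$home"
  lock_down_homes "$home"
  echo "exposed after: $(count_exposed_homes "$home")"
  etc=$(make_sample_etc)
  echo "passwd other bits: $(other_bits "$etc/passwd")"
  echo "shadow other bits: $(other_bits "$etc/shadow")"
fi
```

Note what the audit does and does not tell you: an "other" triplet of `--x` (carol above) hides the directory listing but still lets anyone who knows a filename reach it, so it counts as exposed here. Reading `/etc/passwd` gives a user the account names and shells, which is why the file is world-readable by design, but with shadow passwords in use the `x` in the second field means there is no hash there to crack.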
