System-wide Access Control: how to go about it
Ok, this isn't exactly SuSE specific but it's for a SuSE system, so please bear with me.

The reason I'm interested in SE Linux (re my previous few posts) is because it was suggested to me that I could use it to control what ports users have access to.

I'm a little confused. I've never dealt with this kind of severe security restriction before and I feel out of my league.

Here's what I'm trying to do.

I have system users who are jailed in a chroot. They will all be running their own system -- i.e. their own software and daemons, but _not_ their own kernel (it's not VMware or usermode or anything like that). They will each have their own IP address. I have recompiled my kernel to allow common users to open ports < 1024 (yes, it works, yes, I'm a little crazy).

In my dreams at least, I'd like to be able to prevent all of the following:

1. They cannot access the host filesystem. It's my understanding that on Linux, processes will still be able to access the host system. At least, I got that impression from an article I was reading on FreeBSD jailing, where processes _can't_ access the host system.

2. They cannot access any files anywhere except in their $HOME. Basically, something more than just chroot to keep them jailed away.

3. I want to be able to allow/disallow the ports they have access to.

4. I'd like to be able to prevent them from using any IP address but the ones allocated to them. This is currently the worst problem. By default, everything they do (wrt the network) will attempt to use the base IP. Some services like Apache can be set to use only one IP, which helps, and might be sufficient, but I wish really badly that I could set up something in the host system that would make it appear as if there's only 1 IP on the system (per user).

5. Processes should not be able to "see" or interact with the host's/other users' processes and filesystems.

It was suggested to me that SE Linux would allow fine grained control over things like this, but I'm a little confused after reading some other things.

Can anyone offer any other suggestions/advice as to how I should go about this? Have any of you done anything similar before? Would you recommend any other form of system-wide access control besides SE Linux?

All advice, ideas and pointers appreciated. Please don't hesitate to ask for clarification if I did a bad job explaining any particular point (I usually do :-/ )

TIA!

--
Jonathan Wilson
System Administrator
Cedar Creek Software
http://www.cedarcreeksoftware.com
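JW's item 4 (everything defaults to the base IP) comes down to two socket behaviours, shown here in a small added Python script that is not part of the thread: a daemon bound to the wildcard address answers on every address the host owns, and a client that never calls bind() is given whatever source address the routing table prefers, regardless of which user started it. It assumes Linux and uses the loopback addresses 127.0.0.1 and 127.0.0.2 as constructed stand-ins for the base and the per-user IP; this per-socket behaviour is exactly what a jail or a network-aware MAC policy has to pin down for every process, because individual applications cannot be relied on to bind correctly themselves.

```python
import socket

# Constructed sample addresses (not from the thread): 127.0.0.1 plays the
# host's primary ("base") address, 127.0.0.2 an address allocated to one
# jailed user.  Linux routes all of 127.0.0.0/8 to lo, so both are usable
# without configuring an interface alias; other OSes may need one.
BASE_IP = "127.0.0.1"
USER_IP = "127.0.0.2"


def _listener(ip):
    """Throwaway TCP listener on ip with a kernel-chosen port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((ip, 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


def reachable_via(listen_ip, connect_ip):
    """Does a daemon bound to listen_ip answer a client talking to connect_ip?
    At the wildcard 0.0.0.0 (most software's default) it answers on every
    address the host owns, other users' IPs included; binding its own address,
    as Apache can be told to, confines it to that one address."""
    srv, port = _listener(listen_ip)
    cli = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        cli.connect((connect_ip, port))   # handshake completes from the backlog
        srv.accept()[0].close()
        return True
    except ConnectionRefusedError:        # nothing listens on that address
        return False
    finally:
        cli.close()
        srv.close()


def observed_source_ip(dest_ip, bind_ip=None):
    """Connect to a listener on dest_ip and return the source address the
    kernel put on the packets.  With bind_ip=None the client lets the kernel
    choose, and that choice follows the routing table (here: the primary
    loopback address), not the user who ran the program."""
    srv, port = _listener(dest_ip)
    cli = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        if bind_ip is not None:
            cli.bind((bind_ip, 0))        # pin the source address explicitly
        cli.connect((dest_ip, port))
        conn, peer = srv.accept()
        conn.close()
        return peer[0]
    finally:
        cli.close()
        srv.close()
```

Note that even a client talking to its "own" 127.0.0.2 shows up as 127.0.0.1 unless it binds, which is the effect JW describes as everything using the base IP.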
On May 30, JW <jw@centraltexasit.com> wrote:
> 4. I'd like to be able to prevent them from using any IP address but the ones allocated to them.

Try the Linux 2.x port/socket pseudo ACLs: http://original.killa.net/infosec/acls/
I don't know if they fit for different IP addresses, though. Please try.

> 5. Processes should not be able to "see" or interact with the host's/other users' processes and filesystems.

www.openwall.com/linux -> procfs security option

regards, Markus
--
Markus Gaugusch, ICQ 11374583, markus@gaugusch.at
ASCII Ribbon Campaign Against HTML Mail
Linux 2.4.18-4GB
On Thu, 30 May 2002, JW wrote:

Hi, I remember a project on sourceforge which claimed to port FreeBSD's jail to Linux. Maybe that's a point to start.

l8, Sebastian
-- ~ ~ perl self.pl ~ $_='print"\$_=\47$_\47;eval"';eval ~ krahmer@suse.de - SuSE Security Team ~
JW wrote:
> 1. They cannot access the host filesystem.

Possible. You could assign each user its own role/domain and restrict access.

> 2. They cannot access any files anywhere except in their $HOME.

Hm, what's with password files?

> 3. I want to be able to allow/disallow the ports they have access to.

Possible with LIDS and SELinux. I think RSBAC can control that too.

> 4. I'd like to be able to prevent them from using any IP address but the ones allocated to them.

I think it's possible. Download the SELinux package, unpack it and take a look at the /selinux/policy/net_contexts file. There you see ports and IPs listed and assigned to roles, domains, ...

> 5. Processes should not be able to "see" or interact with the host's/other users' processes and filesystems.

Possible through role based access. RSBAC and SELinux may handle that.

> It was suggested to me that SE Linux would allow fine grained control over things like this, but I'm a little confused after reading some other things.

It's not easy to install and maintain :)

> Can anyone offer any other suggestions/advice as to how I should go about this?

Take a look at SELinux and let's share our results.

> Would you recommend any other form of system-wide access control besides SE Linux?

I've looked at LIDS and RSBAC so far. Other projects are Medusa DS9, DTE and User Mode Linux. With User Mode Linux you can have your own virtual Linux sessions.
Mark
MM > JW wrote:
MM > > 2. They cannot access any files anywhere except in their $HOME.
MM > Hm, what's with password files?

Not sure what you're asking. Currently each user has a full OS install inside their home directory -- including passwd files. The log on shell is a special script that jails them there with chroot. Did that answer your Q?

MM > > Can anyone offer any other suggestions/advice as to how I should go
MM > > about this?
MM > Take a look at SELinux and let's share our results.

I'm considering starting a shared project. Anyone else interested?

--
Jonathan Wilson
System Administrator
Cedar Creek Software
http://www.cedarcreeksoftware.com
On Thu, May 30, 2002 at 18:25 -0500, JW wrote:
> Here's what I'm trying to do.
>
> I have system users who are jailed in a chroot. They will all be running their own system -- i.e. their own software and daemons, but _not_ their own kernel (it's not VMware or usermode or anything like that). They will each have their own IP address. I have recompiled my kernel to allow common users to open ports < 1024 (yes, it works, yes, I'm a little crazy).
>
> In my dreams at least, I'd like to be able to prevent all of the following:
>
> 1. They cannot access the host filesystem. It's my understanding that on Linux, processes will still be able to access the host system. At least, I got that impression from an article I was reading on FreeBSD jailing, where processes _can't_ access the host system.
>
> 2. They cannot access any files anywhere except in their $HOME. Basically, something more than just chroot to keep them jailed away.
>
> 3. I want to be able to allow/disallow the ports they have access to.
>
> 4. I'd like to be able to prevent them from using any IP address but the ones allocated to them. This is currently the worst problem. By default, everything they do (wrt the network) will attempt to use the base IP. Some services like Apache can be set to use only one IP, which helps, and might be sufficient, but I wish really badly that I could set up something in the host system that would make it appear as if there's only 1 IP on the system (per user).
>
> 5. Processes should not be able to "see" or interact with the host's/other users' processes and filesystems.

This is funny. Did you notice that the above "shopping list" *exactly* reads like FreeBSD jail's feature set? I don't know which article you refer to above, but I suggest you have a look at the jail(8) and jail(2) manpages, both of which are available under the "Documentation" link from the www.freebsd.org website or your favourite local mirror. The first manpage was written from the user side's POV and tells you how to set up a jail. The latter outlines the jail features: process group separation, filesystem access restriction, IP activity control. Even "root" cannot do anything serious or dangerous, so you can hand out root accounts to your customers without too much fear for the other customers (rumours are that with root privs you can break out of any chroot environment while this is not the case for jails). You might even find a paper written by Poul-Henning Kamp (the original author) discussing the design and the mechanisms used.

So the question arises: Is the "Linux" label important enough for you to take the trouble of making Linux do what you wish it to? Or are the above requirements important enough for you to switch to a system which natively provides the features you request? Neither way will you get the features for free, there definitely is some learning and evaluation effort in any case. Just keep in mind that jails have been an integral part of FreeBSD since the 4.0 release (i.e. for more than two years now). People reportedly ran several hundred jails on a single machine and had no problems with it. I have installations around with some tens of jails on machines most of us would call "low end".

> Can anyone offer any other suggestions/advice as to how I should go about this? Have any of you done anything similar before? Would you recommend any other form of system-wide access control besides SE Linux?

You don't want to get me started on the *BSD vs Linux debate, do you? :] All I can say is: take a closer look at both sides and decide yourself. Again, the FreeBSD project's website holds a lot of information (look out for the excellent "handbook" and the short(er) articles discussing certain features in a cook book like manner).

virtually yours
82D1 9B9C 01DC 4FB4 D7B4 61BE 3F49 4F77 72DE DA76
Gerhard Sittig
true | mail -s "get gpg key" Gerhard.Sittig@gmx.net
--
If you don't understand or are scared by any of the above ask your parents or an adult to help you.
Participants (5): Gerhard Sittig, JW, Mark Müller, Markus Gaugusch, Sebastian Krahmer