A confined sftp user

Erinn Looney-Triggs erinn.looneytriggs at gmail.com
Wed Feb 8 21:13:59 UTC 2012


On 02/08/2012 08:58 AM, Miroslav Grepl wrote:
> On 02/08/2012 06:38 PM, Erinn Looney-Triggs wrote:
>> On 02/08/2012 05:15 AM, Miroslav Grepl wrote:
>>> On 02/08/2012 01:31 AM, Erinn Looney-Triggs wrote:
>>>> My company asked me today to set up a user that is allowed only to
>>>> upload files via sftp. This got me thinking: an sftp user has shell
>>>> access as well, of course, and this can lead to all kinds of
>>>> interesting things (the kernel privilege escalation from last week
>>>> comes to mind).
>>>>
>>>> I figured it might be appropriate to run this user as a confined user;
>>>> at a minimum, running the user as user_u would block a lot of
>>>> options, or perhaps a different user, I haven't researched them all yet.
>>>>
>>>> Now the question is, would SELinux be an appropriate place for an
>>>> sftp_u user? What I am envisioning is a confined user that allows only
>>>> the sftp subsystem to be run and files to be uploaded to the confined
>>>> user's homedir. It seems to me that SELinux would be a good fit for
>>>> this, but I am merely an amateur here :).
>>>>
>>>> Anyone ever done anything like this? Would this be an easy thing?
>>>>
>>>> There are of course other options, folks have written programs to
>>>> confine a user to only uploading via sftp, rssh and others.
>>>>
>>>> -Erinn
>>>>
>>>>
>>>> -- 
>>>> selinux mailing list
>>>> selinux at lists.fedoraproject.org<mailto:selinux at lists.fedoraproject.org>
>>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>> What OS?
>>>
>>> We have sftp+chroot+SELinux in Fedora 16/17 and RHEL 6.2. You could chroot
>>> users in their home directories, and then after sftp login on a machine, a
>>> user will run in the "chroot_user_t" domain.
>>>
>>> This domain has these accesses by default:
>>>
>>> userdom_read_user_home_content_files(chroot_user_t)
>>> userdom_read_inherited_user_home_content_files(chroot_user_t)
>>> userdom_read_user_home_content_symlinks(chroot_user_t)
>>> userdom_exec_user_home_content_files(chroot_user_t)
>>>
>>> and the "ssh_chroot_rw_homedirs" boolean.
>>>
>>>
>>>
>>>
>> RHEL 6.2, it looks like between your suggestions and Dominick's
>> suggestions I can probably put together a pretty good little sandbox for
>> an sftp user, without of course, having to become the master of the
>> universe that can write policy ;).
>>
>> Thanks for all the good info,
>>
>> -Erinn
>>
>>
> Petr Lautrbach (openssh package maintainer) is just writing a blog post on
> how to set it up. I am going to post his blog tomorrow.

Well that is just wonderful, thanks Miroslav and thank Petr for me.

-Erinn
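The sftp+chroot setup Miroslav describes above (chroot the user into its home directory, force the internal sftp subsystem, let the ssh_chroot_rw_homedirs boolean govern writes) is easy to get subtly wrong on the OpenSSH side, because sshd refuses a ChrootDirectory that is not root-owned or that is group/world-writable. The script below is an added example, not code from the thread or from Petr's blog: it emits the sshd_config Match stanza for an upload-only user and checks the chroot directory against that ownership rule before the configuration is applied. The Match, ChrootDirectory, ForceCommand internal-sftp and forwarding directives are standard OpenSSH; the layout (root-owned home as the chroot root, a user-writable upload subdirectory beneath it, the `upload` user name) is an assumption of this example, and the uid parameter on the check exists only so the function can be exercised without root.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): generate an sftp-only
# Match stanza and verify the chroot directory meets OpenSSH's ownership rule.

# Emit an sshd_config Match block confining USER to the internal sftp
# subsystem, chrooted to its home directory (%h). Forwarding is switched off
# so the account cannot be used as a tunnel endpoint.
sftp_only_match_block() {
    user="$1"
    cat <<EOF
Match User $user
    ChrootDirectory %h
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
    PermitTunnel no
EOF
}

# sshd only chroots into a directory owned by root and not writable by group
# or others (the same rule applies to every parent component). Returns 0 when
# DIR passes. WANT_UID defaults to 0 (root); it is a parameter so the check
# can be run in a test environment as an unprivileged user.
check_chroot_dir() {
    dir="$1"
    want_uid="${2:-0}"
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 1; }
    uid=$(stat -c %u "$dir")      # GNU stat: numeric owner
    mode=$(stat -c %a "$dir")     # GNU stat: octal mode, e.g. 755 or 1777
    [ "$uid" = "$want_uid" ] || {
        echo "$dir: owner uid $uid, want $want_uid" >&2; return 1; }
    grp_oth=$(printf '%s' "$mode" | tail -c 2)   # group and other digits
    case "$grp_oth" in
        *[2367]*) echo "$dir: mode $mode is group/world writable" >&2
                  return 1 ;;
    esac
    return 0
}

# Assumed layout: the home directory is the (root-owned, read-only) chroot
# root, and the user writes only into a subdirectory it owns.
create_upload_subdir() {
    home="$1"; user="$2"
    mkdir -p "$home/upload"
    chown "$user:$user" "$home/upload"
    chmod 700 "$home/upload"
}

# Boolean named in the thread; -P makes the change persistent. Only meaningful
# on an SELinux host, so the function is skipped where setsebool is absent.
enable_chroot_homedir_writes() {
    command -v setsebool >/dev/null 2>&1 || {
        echo "setsebool not available; skipping" >&2; return 2; }
    setsebool -P ssh_chroot_rw_homedirs on
}

# Usage: sh sftp-confine.sh USER HOMEDIR   (prints the stanza once the
# directory check passes; no arguments means define the functions only)
if [ $# -eq 2 ]; then
    check_chroot_dir "$2" || exit 1
    sftp_only_match_block "$1"
fi
```

Run it as root with the upload user's name and home directory; the check fails loudly (group/world-writable home, wrong owner) before any stanza is printed, which is the usual reason a freshly configured chroot user is greeted by "bad ownership or modes for chroot directory" in the sshd log. The stanza is meant to be appended to sshd_config and followed by a reload, and the boolean function with the upload subdirectory step covers the SELinux side the thread refers to.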

