Implementing Security Policies
Stephen John Smoogen
smooge at gmail.com
Wed Jul 19 15:49:40 UTC 2006
On 7/19/06, Bhaskar <abc.bhaskar at gmail.com> wrote:
>
> Dear Steven,
>
> I am the one who confirmed about the implementation of the Linux Security
> Policies.
>
> I did my homework on PAM, SELinux, shell scripting and came to conclusion of
> writing shell scripts for implementing those policies.
>
> As I mentioned in my previous thread, my policies are from the custom server
> and include enabling/disabling ftp, rlogin, rsh, telnet to particular user.
>
> Here whenever the user logs into the system, my script would get executed
> and the permissions are setted accordingly.
>
> In the scripts, I am changing the group of the executables and setting the
> permissions using the chmod command.
>
> The point that I want to confirm with you is that changing the permissions
> like this for every user as soon as he logs into the system is feasible or
> not.
>
It is racy. A person knowing what they are doing could break out of
the startups before they are executed (eg control C logging in can
cause the .bash_profile etc not to be executed in some cases).
An old solution would be to create an everyone-else group:
Group goodguys would have every good user in it (up to the limit of
number of people in a group )
You would set the executables you are worried about to being 0550 or
equivalent and that they had the group goodguys. This would mean that
permissions arent being changed on log-in but are always set. Problems
are that it doesnt stop bad-user from doing something like uploading a
working ftp/scp/telnet client into their home account and using that
versus the global executable.
The only fix to that is setting an selinux policy for the user where
he can't open ports etc from non-allowed programs.
> Regards,
>
> Bhaskar.
>
>
--
Stephen J Smoogen.
CSIRT/Linux System Administrator
More information about the security
mailing list