A confined sftp user

Miroslav Grepl mgrepl at redhat.com
Thu Feb 9 15:30:38 UTC 2012

On 02/08/2012 10:13 PM, Erinn Looney-Triggs wrote:
> On 02/08/2012 08:58 AM, Miroslav Grepl wrote:
>> On 02/08/2012 06:38 PM, Erinn Looney-Triggs wrote:
>>> On 02/08/2012 05:15 AM, Miroslav Grepl wrote:
>>>> On 02/08/2012 01:31 AM, Erinn Looney-Triggs wrote:
>>>>> My company asked me today to set up a user that is allowed only to
>>>>> upload files via sftp. This got me thinking: an sftp user has shell
>>>>> access as well, of course, and this can lead to all kinds of
>>>>> interesting things (the kernel privilege escalation from last week
>>>>> comes to mind). I figured it might be appropriate to run this user as
>>>>> a confined user; at least at a minimum running the user as user_u
>>>>> would block a lot of options, or perhaps a different user, I haven't
>>>>> researched them all yet.
>>>>> Now the question is, would SELinux be an appropriate place for an
>>>>> sftp_u user? What I am envisioning is a confined user that allows only
>>>>> the sftp subsystem to be run and files to be uploaded to the confined
>>>>> user's homedir. It seems to me that SELinux would be a good fit for
>>>>> this, but I am merely an amateur here :).
>>>>> Anyone ever done anything like this? Would this be an easy thing?
>>>>> There are of course other options; folks have written programs to
>>>>> confine a user to only uploading via sftp, rssh and others.
>>>>> -Erinn
>>>>> -- 
>>>>> selinux mailing list
>>>>> selinux at lists.fedoraproject.org
>>>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>>> What OS?
>>>> We have sftp+chroot+SELinux in Fedora16/17/RHEL6.2. You could chroot
>>>> users in their home directories, and then after sftp on a machine, a user
>>>> will run in the "chroot_user_t" domain.
>>>> This domain has these accesses by default:
>>>> userdom_read_user_home_content_files(chroot_user_t)
>>>> userdom_read_inherited_user_home_content_files(chroot_user_t)
>>>> userdom_read_user_home_content_symlinks(chroot_user_t)
>>>> userdom_exec_user_home_content_files(chroot_user_t)
>>>> and the "ssh_chroot_rw_homedirs" boolean.
>>> RHEL 6.2, it looks like between your suggestions and Dominick's
>>> suggestions I can probably put together a pretty good little sandbox for
>>> an sftp user, without of course, having to become the master of the
>>> universe that can write policy ;).
>>> Thanks for all the good info,
>>> -Erinn
>> Petr Lautrbach (openssh package maintainer) is just writing a blog on how
>> to set it up. I am going to post his blog tomorrow.
> Well that is just wonderful, thanks Miroslav and thank Petr for me.
Here is:

> -Erinn
