Hi.
I read the post about " chroot'ing " with ACL's and been trying to think of a way by which this "chroot" can be made to restrict access to different directories based on system User / Group .
Is there a way to do this? The only thing I came up with would be a UID/GID based ACL. Is there such a thing in GRSec? Will there be?
Thanks for your hard work.
It's been of great help to me.
Joel A. Chornik[/b]
UID/GID ACL?
10 posts
• Page 1 of 1
by Sharky » Sat Nov 09, 2002 9:39 pm
What you can do is basically ADD the GID you want them to be chrooted to the customized Chrooted Bash.
Im my example befor for instance I have CREATED a bash called bash-3
so what you can do is edit /etc/passwd and change the users shell you want to restrict to bash-3 instead of their original shell.
Im my example befor for instance I have CREATED a bash called bash-3
so what you can do is edit /etc/passwd and change the users shell you want to restrict to bash-3 instead of their original shell.
- Sharky
- Posts: 43
- Joined: Fri Nov 01, 2002 10:12 pm
by Joel » Mon Nov 11, 2002 7:38 am
sharky, thanks for your reply.
although generating the need for about 500
hardlinks, this will suffice for granting restricted ssh access to my users.
now suppose I want similar restricitions applied to apache's suexec, but the ACL should be different based on which is the calling user. (depending on the user, access to one homedir or another should be granted, everything else denied)
is there a way to do this with current grsec ACLs?
once again thanks a lot for your help.
although generating the need for about 500
hardlinks, this will suffice for granting restricted ssh access to my users.
now suppose I want similar restricitions applied to apache's suexec, but the ACL should be different based on which is the calling user. (depending on the user, access to one homedir or another should be granted, everything else denied)
is there a way to do this with current grsec ACLs?
once again thanks a lot for your help.
- Joel
- Posts: 10
- Joined: Mon Jun 17, 2002 11:01 am
by Sharky » Mon Nov 11, 2002 3:20 pm
Hi again
First of all you will have to create an acl for apache in learning mode.
What you should do basically is create the following ACL
/path/to/your/httpd lo {
/ h
-CAP_ALL
RES_FSIZE 0 0
RES_DATA 0 100
RES_RSS 0 0
RES_NOFILE 0 0
RES_MEMLOCK 0 0
RES_STACK 0 0
RES_AS 0 0
RES_NPROC 0 0
RES_LOCKS 0 0
connect {
disabled
}
bind {
disabled
}
}
let it run for a couple of days, maybe weeks depending on how often your system HTML are being ACCESSED.
After that you will have to have a look at the generated ACL.
use gradm -L -O learn
go to your learn file and check what RESTRICTIONS were applied, Check which directories needs to be accessed and which wont.
BASED on that you can customize it as you want.
here's my GENERATED ACL for my httpd
disabled
}
bind {
disabled
}
}
connect {
disabled
}
bind {
disabled
}
}
based on your users you can tell which directories needs to be accessed etc.
Regards.
First of all you will have to create an acl for apache in learning mode.
What you should do basically is create the following ACL
/path/to/your/httpd lo {
/ h
-CAP_ALL
RES_FSIZE 0 0
RES_DATA 0 100
RES_RSS 0 0
RES_NOFILE 0 0
RES_MEMLOCK 0 0
RES_STACK 0 0
RES_AS 0 0
RES_NPROC 0 0
RES_LOCKS 0 0
connect {
disabled
}
bind {
disabled
}
}
let it run for a couple of days, maybe weeks depending on how often your system HTML are being ACCESSED.
After that you will have to have a look at the generated ACL.
use gradm -L -O learn
go to your learn file and check what RESTRICTIONS were applied, Check which directories needs to be accessed and which wont.
BASED on that you can customize it as you want.
here's my GENERATED ACL for my httpd
disabled
}
bind {
disabled
}
}
connect {
disabled
}
bind {
disabled
}
}
based on your users you can tell which directories needs to be accessed etc.
Regards.
- Sharky
- Posts: 43
- Joined: Fri Nov 01, 2002 10:12 pm
by Joel » Tue Nov 12, 2002 5:32 am
yes, I understand what you meant.
But suppose the following:
Apache is configured with name based virtualhosts, and suExec, each virtualhost with its own user/group.
I want different virtualhosts (or differen user/groups for the matter) to have different ACL's. Very similar ACL's, but different.
can this be done?
thanks again for your time.
Joel.
But suppose the following:
Apache is configured with name based virtualhosts, and suExec, each virtualhost with its own user/group.
I want different virtualhosts (or differen user/groups for the matter) to have different ACL's. Very similar ACL's, but different.
can this be done?
thanks again for your time.
Joel.
- Joel
- Posts: 10
- Joined: Mon Jun 17, 2002 11:01 am
by Joel » Wed Nov 13, 2002 8:45 pm
spender and sharky.
thanks both for your replies.
I am eager to see this roles thing going.
I've been using Linux Trustees but i don't like it very much and it does not co-exists peacefully wuth grsec.
thanks again.
Joel.
thanks both for your replies.
I am eager to see this roles thing going.
I've been using Linux Trustees but i don't like it very much and it does not co-exists peacefully wuth grsec.
thanks again.
Joel.
- Joel
- Posts: 10
- Joined: Mon Jun 17, 2002 11:01 am
by Cyt0plas » Tue Jan 13, 2004 1:47 am
Sounds like you could use Linux Trustees (http://trustees.sourceforge.net). I use it with grseurity, in the WOLK (http://wolk.sourceforge.net) kernel. Grsec gets ACLS for the programs, Trustees lets you do ACLs for people/groups.
A nice combo.
A nice combo.
- Cyt0plas
- Posts: 5
- Joined: Sun Aug 04, 2002 11:53 pm
10 posts
• Page 1 of 1