On 02/08/2012 06:38 PM, Erinn Looney-Triggs wrote:
> On 02/08/2012 05:15 AM, Miroslav Grepl wrote:
>> On 02/08/2012 01:31 AM, Erinn Looney-Triggs wrote:
>>> My company asked me today to set up a user that is allowed only to
>>> upload files via sftp. This got me thinking, an sftp user has shell
>>> access as well, of course, and this can lead to all kinds of interesting
>>> things (the kernel privilege escalation from last week comes to mind).
>>>
>>> I figured it might be appropriate to run this user as a confined user,
>>> at least at a minimum running the user as user_u would block a lot of
>>> options, or perhaps a different user; I haven't researched them all yet.
>>>
>>> Now the question is, would SELinux be an appropriate place for an sftp_u
>>> user? What I am envisioning is a confined user, that allows only the
>>> sftp subsystem to be run and files to be uploaded to the confined user's
>>> homedir. It seems to me that SELinux would be a good fit for this, but I
>>> am merely an amateur here :).
>>>
>>> Anyone ever done anything like this? Would this be an easy thing?
>>>
>>> There are of course other options, folks have written programs to
>>> confine a user to only uploading via sftp, rssh and others.
>>>
>>> -Erinn
>>>
>> What OS?
>>
>> We have sftp+chroot+SELinux in Fedora16/17/RHEL6.2. You could chroot
>> users in their home directories and then after sftp on a machine, a user
>> will run in the "chroot_user_t" domain.
>>
>> This domain has these accesses by default
>>
>> userdom_read_user_home_content_files(chroot_user_t)
>> userdom_read_inherited_user_home_content_files(chroot_user_t)
>> userdom_read_user_home_content_symlinks(chroot_user_t)
>> userdom_exec_user_home_content_files(chroot_user_t)
>>
>> and the "ssh_chroot_rw_homedirs" boolean.
>>
> RHEL 6.2, it looks like between your suggestions and Dominick's
> suggestions I can probably put together a pretty good little sandbox for
> an sftp user, without of course, having to become the master of the
> universe that can write policy ;).
>
> Thanks for all the good info,
>
> -Erinn
>
Petr Lautrbach (openssh package maintainer) is just writing a blog on how
to set it up. I am going to post his blog tomorrow.

Well that is just wonderful, thanks Miroslav and thank Petr for me.
-Erinn
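
The sftp+chroot setup described in this thread depends on the sshd_config side actually forcing the sftp subsystem inside a chroot. The following is an added example, not part of the thread and not Petr's or Miroslav's configuration: a small audit of sshd_config text plus a check of the `ssh_chroot_rw_homedirs` boolean. The group name `sftponly`, the function names and the sample configuration are assumptions made for illustration.

```sh
#!/bin/sh
# Added example, not from the thread. The group name "sftponly" and the
# sample configuration below are constructed for illustration.

# audit_sftp_match CONFIG_TEXT GROUP
# Prints one line per gap in the "Match Group GROUP" block and returns 0
# only when the block chroots the user, forces internal-sftp and disables
# TCP forwarding. Handles the single-criterion "Match Group <name>" form.
audit_sftp_match() {
    printf '%s\n' "$1" | awk -v grp="$2" '
        NF == 0 || $1 ~ /^#/ { next }      # skip blank lines and comments
        { key = tolower($1) }              # keywords are case-insensitive
        key == "match" { inblk = (tolower($2) == "group" && $3 == grp); next }
        # sshd keeps the first value it reads for a keyword
        inblk && key == "chrootdirectory"    && chroot == "" { chroot = $2 }
        inblk && key == "forcecommand"       && force == ""  { force = $2 }
        inblk && key == "allowtcpforwarding" && fwd == ""    { fwd = tolower($2) }
        END {
            if (chroot == "" || chroot == "none") { print "no ChrootDirectory"; bad = 1 }
            if (force != "internal-sftp") { print "no ForceCommand internal-sftp"; bad = 1 }
            # ForceCommand alone does not turn off port forwarding
            if (fwd != "no") { print "AllowTcpForwarding is not no"; bad = 1 }
            exit bad + 0
        }'
}

# rw_boolean_on GETSEBOOL_OUTPUT
# True when the boolean named in the thread is on, e.g.
#   rw_boolean_on "$(getsebool ssh_chroot_rw_homedirs)"
rw_boolean_on() {
    printf '%s\n' "$1" | grep -qx 'ssh_chroot_rw_homedirs --> on'
}

# Constructed sample: members of "sftponly" are chrooted to their home
# directory (%h) and can only run the in-process sftp server.
SAMPLE_CONFIG='Subsystem sftp internal-sftp
Match Group sftponly
    ChrootDirectory %h
    ForceCommand internal-sftp
    AllowTcpForwarding no'

audit_sftp_match "$SAMPLE_CONFIG" sftponly && echo "sftponly: sftp-only chroot in place"
```

OpenSSH requires the ChrootDirectory path to be root-owned and not writable by group or others, so uploads land in a user-writable subdirectory beneath it.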