On 02/08/2012 05:15 AM, Miroslav Grepl wrote:
> On 02/08/2012 01:31 AM, Erinn Looney-Triggs wrote:
>> My company asked me today to set up a user that is allowed only to
>> upload files via sftp. This got me thinking, an sftp user has shell
>> access as well, of course, and this can lead to all kinds of interesting
>> things (the kernel privilege escalation from last week comes to mind).
>>
>> I figured it might be appropriate to run this user as a confined user,
>> at least at a minimum running the user as user_u would block a lot of
>> options, or perhaps a different user; I haven't researched them all yet.
>>
>> Now the question is, would SELinux be an appropriate place for an sftp_u
>> user? What I am envisioning is a confined user, that allows only the
>> sftp subsystem to be run and files to be uploaded to the confined user's
>> homedir. It seems to me that SELinux would be a good fit for this, but I
>> am merely an amateur here :).
>>
>> Anyone ever done anything like this? Would this be an easy thing?
>>
>> There are of course other options, folks have written programs to
>> confine a user to only uploading via sftp, rssh and others.
>>
>> -Erinn
>
> What OS?
>
> We have sftp+chroot+SELinux in Fedora16/17/RHEL6.2. You could chroot
> users in their home directories and then after sftp on a machine, a user
> will run in the "chroot_user_t" domain.
>
> This domain has these accesses by default
>
> userdom_read_user_home_content_files(chroot_user_t)
> userdom_read_inherited_user_home_content_files(chroot_user_t)
> userdom_read_user_home_content_symlinks(chroot_user_t)
> userdom_exec_user_home_content_files(chroot_user_t)
>
> and the "ssh_chroot_rw_homedirs" boolean.
>
>
>
>
RHEL 6.2. It looks like between your suggestions and Dominick's
suggestions I can probably put together a pretty good little sandbox for
an sftp user without, of course, having to become the master of the
universe that can write policy ;).
Thanks for all the good info,
-Erinn

Petr Lautrbach (openssh package maintainer) is just writing a blog post on how
to set it up. I am going to post his blog tomorrow.
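
The sftp+chroot setup discussed in this thread depends on a handful of sshd_config directives being present for the account. The script below is an added example, not from any poster or from the openssh package, that audits a config for them. The account name `uploader`, the function names and the sample config are constructed, and it assumes the account is matched by a plain `Match User <name>` line.

```shell
#!/bin/sh
# Added example, not from the thread: audit sshd_config for an sftp-only,
# chrooted account. "uploader" and the sample config are constructed.
# Assumption: the account is matched by a plain "Match User <name>" line.
# Notes: sshd requires the ChrootDirectory path to be root-owned and not
# group/other-writable. The thread names the ssh_chroot_rw_homedirs boolean;
# it is enabled with: setsebool -P ssh_chroot_rw_homedirs on

# Print the directives inside "Match User <user>", keys lowercased.
match_block() {  # $1 = config file, $2 = user
    awk -v user="$2" '
        /^[ \t]*(#|$)/ { next }              # skip comments and blank lines
        tolower($1) == "match" {             # every Match line opens a new block
            inblk = (tolower($2) == "user" && $3 == user)
            next
        }
        inblk { key = tolower($1); $1 = ""; sub(/^[ \t]+/, ""); print key " " $0 }
    ' "$1"
}

# Return 0 only if every directive that keeps the account sftp-only is set.
audit_sftp_only() {  # $1 = config file, $2 = user
    blk=$(match_block "$1" "$2")
    rc=0
    for want in "chrootdirectory" "forcecommand internal-sftp" \
                "allowtcpforwarding no" "x11forwarding no"; do
        printf '%s\n' "$blk" | grep -qi "^$want" || {
            echo "MISSING for $2: $want"; rc=1; }
    done
    return $rc
}

# Constructed sample: X11Forwarding is deliberately left out.
sample_config() {
    cat <<'EOF'
Subsystem sftp internal-sftp
Match User uploader
    ChrootDirectory %h
    ForceCommand internal-sftp
    AllowTcpForwarding no
EOF
}

if [ $# -eq 2 ]; then audit_sftp_only "$1" "$2"; fi
```

Run it as `sh audit.sh /etc/ssh/sshd_config uploader`; a non-zero exit status means at least one directive is missing from that user's Match block.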