Re: A confined sftp user

On 02/08/2012 05:15 AM, Miroslav Grepl wrote: > On 02/08/2012 01:31 AM, Erinn Looney-Triggs wrote: >> My company asked me today to set up a user that is allowed only to >> upload files via sftp. This got me thinking, an sftp user has shell >> access as well, of course, and this can lead to all kinds of interesting >> things (the kernel privilege escalation from last week comes to mind). >> >> I figured it might be appropriate to run this user as a confined user, >> at least at a minimum running the user as user_u would block a lot of >> options, or perhaps a different user I haven't researched them all yet. >> >> Now the question is, would SELinux be an appropriate place for an sftp_u >> user? What I am envisioning is a confined user, that allows only the >> sftp subsystem to be run and files to be uploaded to the confined users >> homedir. It seems to me that SELinux would be a good fit for this, but I >> am merely an amateur here :). >> >> Anyone ever done anything like this? Would this be an easy thing? >> >> There are of course other options, folks have written programs to >> confine a user to only uploading via sftp, rssh and others. >> >> -Erinn >> >> >> -- >> selinux mailing list >> selinux@lists.fedoraproject.org<mailto:selinux@lists.fedoraproject.org> >> https://admin.fedoraproject.org/mailman/listinfo/selinux > What OS? > > We have sftp+chroot+SELinux in Fedora16/17/RHEL6.2. You could chroot > users in their home directories and then after sftp on a machine, a user > will run in the "chroot_user_t" domain. > > This domain has these accesses by default > > userdom_read_user_home_content_files(chroot_user_t) > userdom_read_inherited_user_home_content_files(chroot_user_t) > userdom_read_user_home_content_symlinks(chroot_user_t) > userdom_exec_user_home_content_files(chroot_user_t > > and the "ssh_chroot_rw_homedirs" boolean. > > > > RHEL 6.2, it looks like between your suggestions and Dominick's suggestions I can probably put together a pretty good little sandbox for an sftp user, without of course, having to become the master of the universe that can write policy ;). Thanks for all the good info, -Erinn