On 02/08/2012 05:15 AM, Miroslav Grepl wrote:
On 02/08/2012 01:31 AM, Erinn Looney-Triggs wrote:
> My company asked me today to set up a user that is allowed only to
> upload files via sftp. This got me thinking, an sftp user has shell
> access as well, of course, and this can lead to all kinds of interesting
> things (the kernel privilege escalation from last week comes to mind).
>
> I figured it might be appropriate to run this user as a confined user,
> at least at a minimum running the user as user_u would block a lot of
> options, or perhaps a different user; I haven't researched them all yet.
>
> Now the question is, would SELinux be an appropriate place for an sftp_u
> user? What I am envisioning is a confined user, that allows only the
> sftp subsystem to be run and files to be uploaded to the confined user's
> homedir. It seems to me that SELinux would be a good fit for this, but I
> am merely an amateur here :).
>
> Anyone ever done anything like this? Would this be an easy thing?
>
> There are of course other options, folks have written programs to
> confine a user to only uploading via sftp, rssh and others.
>
> -Erinn
What OS?
We have sftp+chroot+SELinux in Fedora16/17/RHEL6.2. You could chroot
users in their home directories and then after sftp on a machine, a user
will run in the "chroot_user_t" domain.
This domain has these accesses by default:
    userdom_read_user_home_content_files(chroot_user_t)
    userdom_read_inherited_user_home_content_files(chroot_user_t)
    userdom_read_user_home_content_symlinks(chroot_user_t)
    userdom_exec_user_home_content_files(chroot_user_t)
and the "ssh_chroot_rw_homedirs" boolean.

RHEL 6.2, it looks like between your suggestions and Dominick's
suggestions I can probably put together a pretty good little sandbox for
an sftp user, without of course, having to become the master of the
universe that can write policy ;).
Thanks for all the good info,
-Erinn
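
The sshd side of the sftp+chroot setup discussed in this thread, as an added example that is not part of the original messages: a small check that an sshd_config really confines one account to chrooted, sftp-only access. The account name "upload" and both sample configs are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. The account name "upload" and both
# sample configs are constructed for illustration.

# check_sftp_only USER < sshd_config
# Succeeds only if the "Match User USER" block chroots the account, forces
# internal-sftp and disables TCP forwarding. Prints what is missing.
# Limitation: matches a single literal user name, not pattern lists.
check_sftp_only() {
    awk -v user="$1" '
        { key = tolower($1) }
        key == "" || key ~ /^#/ { next }
        key == "match" { inblk = (tolower($2) == "user" && $3 == user); next }
        !inblk { next }
        key == "chrootdirectory" && $2 != "none"           { chroot = 1 }
        key == "forcecommand" && $2 == "internal-sftp"     { force = 1 }
        key == "allowtcpforwarding" && tolower($2) == "no" { nofwd = 1 }
        END {
            if (!chroot) print "missing: ChrootDirectory"
            if (!force)  print "missing: ForceCommand internal-sftp"
            if (!nofwd)  print "missing: AllowTcpForwarding no"
            exit !(chroot && force && nofwd)
        }'
}

# Constructed sample: account confined to chrooted sftp.
good_config() { cat <<'EOF'
Subsystem sftp internal-sftp
Match User upload
    ChrootDirectory /home/%u
    ForceCommand internal-sftp
    AllowTcpForwarding no
EOF
}

# Constructed sample: nothing forces the sftp subsystem, so the account
# still gets its login shell.
bad_config() { cat <<'EOF'
Subsystem sftp internal-sftp
Match User upload
    X11Forwarding no
EOF
}

good_config | check_sftp_only upload && echo "good_config: sftp-only"
bad_config | check_sftp_only upload || echo "bad_config: not confined"

# SELinux side, from the thread: the chrooted session runs as chroot_user_t,
# and the ssh_chroot_rw_homedirs boolean governs write access to home dirs:
#   setsebool -P ssh_chroot_rw_homedirs on
```

On a real host the function can be fed the live file, for example `check_sftp_only upload < /etc/ssh/sshd_config`.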