Hello, I want to restrict a user, I would forbid the use of system command such as "find, perl".
In all documentation I've found is always to allow commands, never to prohibit a user to do something.
it's can be done with Selinux ? or I have to "play" with the rights of commands ?
Thanks Jérémy P
On Tue, 2012-11-06 at 10:09 +0100, bob lapointe wrote:
Hello, I want to restrict a user, I would forbid the use of system command such as "find, perl".
In all documentation I've found is always to allow commands, never to prohibit a user to do something.
Access is denied by default, if you want to allow something then you need to specify that.
it's can be done with Selinux ? or I have to "play" with the rights of commands ?
It can be done , sure (whether i makes sense to do it is another question)
I do not know what you mean with "I have to "play" with the rights of commands ?"
Basically what you would need to do with create private types, make the types core command executable file type, label the executable files accordingly and then specify who can execute them
I am not sure what approach you are using to create your confined user but if you are using shipped selinux macros, as is, to base your new confined user policy off of then you are accepting some of the properties of these macros. One of these properties may be that it allows already your user to execute find or perl.
So to create a confined user that is customized in a way that differs from what is facilitated by the distro macros you would need to work around those few "limitations" of the provided macros or create a new user domain from scratch.
Basically you are providing us with too little details about your approach for me to be able to give a more specific answer.
Thanks Jérémy P -- selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux
Thanks for the answer
My apache server running php in "fcgi" I want to protect my server from script kiddies like r99 shell etc ..
example : http://mikeybeck.com/hacking/N3tShell.html
I can not remove the "exec()" from php because I use Typo3.
My users can run "find" command in php code and view files like /etc/passwd.
------------------------------------------------------------------------------------------------------------------------------------ [root@webserver ~]# ls -lZ /bin/find -rwxr-x---. root root system_u:object_r:bin_t:s0 /bin/find ------------------------------------------------------------------------------------------------------------------------------------- If I remove the rights of "others" they can't use it but it seems to me not the best solution.
----------------------------------------------------------------------------------------------------------------------------------------------------------------------- unconfined_u:system_r:httpd_sys_script_t:s0 500 12060 12043 0 Nov05 ? 00:00:00 /usr/bin/php-cgi -c /var/www/conf/php-democlient1.ini ---------------------------------------------------------------------------------------------------------------------------------------------------------------------- 500 is UID for my user
----------------------------------------------------------------------------------------------------------------------------------------- unconfined_u:system_r:httpd_t:s0 apache 6373 6349 0 Oct29 ? 00:00:00 /usr/sbin/httpd.worker ------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------ [root@webserver ~]# semanage login -l
Nom pour l'ouverture de session Identité SELinux Intervalle MLS/MCS
__default__ unconfined_u s0-s0:c0.c1023 democlient1 user_u s0 root unconfined_u s0-s0:c0.c1023 system_u system_u s0-s0:c0.c1023 --------------------------------------------------------------------------------------------------------------------------------------------
my user's test is democlient1 with uid 500.
Thanks sorry for my english
On Tue, Nov 6, 2012 at 10:50 AM, Dominick Grift dominick.grift@gmail.comwrote:
On Tue, 2012-11-06 at 10:09 +0100, bob lapointe wrote:
Hello, I want to restrict a user, I would forbid the use of system command such as "find, perl".
In all documentation I've found is always to allow commands, never to prohibit a user to do something.
Access is denied by default, if you want to allow something then you need to specify that.
it's can be done with Selinux ? or I have to "play" with the rights of commands ?
It can be done , sure (whether i makes sense to do it is another question)
I do not know what you mean with "I have to "play" with the rights of commands ?"
Basically what you would need to do with create private types, make the types core command executable file type, label the executable files accordingly and then specify who can execute them
I am not sure what approach you are using to create your confined user but if you are using shipped selinux macros, as is, to base your new confined user policy off of then you are accepting some of the properties of these macros. One of these properties may be that it allows already your user to execute find or perl.
So to create a confined user that is customized in a way that differs from what is facilitated by the distro macros you would need to work around those few "limitations" of the provided macros or create a new user domain from scratch.
Basically you are providing us with too little details about your approach for me to be able to give a more specific answer.
Thanks Jérémy P -- selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux
-- selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux
selinux@lists.fedoraproject.org