Hello List,
dont have experience with selinux, but i want to know if it would be a practicable way to secure sshd with selinux. i have some webservers and want to grant ssh-access to some users. my plan ist to make new server where users are able to log in. the homes from webserver are mounted in by nfs etc. i dont like chroot-env for ssh, a lot of disadvantages... also i dont like if users would scrabble folders that doesn't concern them. so i thought it would be possible to restrict users by selinux so they dont are able to see too much... objective is to restrict users to there home (as far as possible) and run some typical programms like perl, php, some binaries and hide all other... is this a useful scenario for selinux? If not, are there alternatives?
Thanks, Hajo
--On Tuesday, May 17, 2011 03:00:43 PM +0200 Hajo Locke hajo.locke@gmx.de wrote:
dont have experience with selinux, but i want to know if it would be a practicable way to secure sshd with selinux.
[snip]
Do your users need full ssh access or just scp/sftp? You mention php/perl, but it's not clear if they need to be able to upload scripts that use those to render their web pages, or if they're needed interactively. (See also the last paragraph at the bottom of this email.)
If they just need scp/sftp, then a really nice solution is to use
Subsystem sftp internal-sftp ChrootDirectory /var/some-web-dir/%u
in your sshd_config file. You don't have the usual headaches associated with setting up chroot environments, your users can only see their own files, and you can point apache at that hierarchy to serve their pages.
For a username 'joe' with group 'web' with a nominal home directory of /home/joe, the setup would then consist of:
install -d -m755 -o root -g root /var/some-web-dir/joe install -d -m755 -o root -g root /var/some-web-dir/joe/home install -d -m755 -o joe -g web /var/some-web-dir/joe/home/joe
You can use the above directory instead of public_html if you want all their files to be visible, or create a public_html under that directory otherwise. Another option is to create both a public_html and a logs directory, and then arrange for the apache logs for that user to be copied there.
You would still need to evaluate whether, in your environment, this is sufficient for them uploading php/perl scripts and having them *execute* in an appropriate and secure manner under apache.
Devin
On 17/05/11 14:00, Hajo Locke wrote:
Hello List,
dont have experience with selinux, but i want to know if it would be a practicable way to secure sshd with selinux.
sshd runs unconfined, at least on el5:
$ ps Zax | grep sshd system_u:system_r:unconfined_t:SystemLow-SystemHigh 2918 ? Ss 0:00 /usr/sbin/sshd
-
Devin Reade -
Hajo Locke -
Ned Slider