Jeff Coy said:

> The reason people usually ignore this fact is in general, who cares.
> If you remove my permissions to a file I just upload my own file and use
> it instead.
If one is concerned enough about this happening, it's not that hard to prevent it, depending on the circumstances.

> Sure, you can turn off my rcp, ftp, & scp, but then I can probably still
> just email myself the file. Sure you can turn off email attachments. There
> are other ways. You'd have to restrict me to my home directory *and* make
> it read-only for this to work. You'd also have to lock me out of /tmp,
> /var/tmp, ...

Well, as others have pointed out, restricted shells in general aren't so hard to work around. I think the assumption here has to be that either a) you're going to do lots of other things to help lock down the system, or b) the users in question aren't terribly skilled.

However, one need not restrict your use of your home directory, other than to make sure the filesystem where home directories live is mounted noexec. Since this was posted on focus-linux, I think it's safe to assume that anyone interested has the ability to mount filesystems with the noexec option.

It's easy enough to limit access to /tmp and other tmp dirs by also giving them the same permissions as the other files in my scheme: owned by the untrusted group, and no group permissions. That keeps the untrusted people out of /tmp. Do the same for other tmp dirs, if you have them (they're symlinks on a lot of systems).

> There's no rule that states I have to run *your* copy except in the case of
> seteuid programs.

If you have an account on my system, and I don't want you to run binaries on it, you won't, unless you can manage to get root access (which is also a possibility if my system has vulnerabilities, but really really hard if you're limited to an extremely restricted environment). It's really only a matter of how much effort it is worth to me to make sure you don't have that ability.

> Trusted groups are a good thing. Denied groups just make me a bit more
> creative, probably increasing my skill set along the way so that I become
> harder to notice.
Having a separate trusted group provides ZERO additional protection or functionality to the method I outlined, if you're only worried about one group of users who can all be put in the same group.

--
Derek Martin
Senior System Administrator
Mission Critical Linux
[EMAIL PROTECTED]
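The "denied group" scheme and the noexec home mount discussed in this thread, modelled as an added example that is not part of the original post: a small Python model of the Unix discretionary access check showing why a group that carries no permission bits acts as a denial list, and why noexec blocks execution independently of the mode bits. The group name "untrusted", the user names and the paths are constructed; root's bypass of permission checks is not modelled.

```python
# Added example (not from the original post): a minimal model of the Unix
# discretionary access check, to show why "owned by the untrusted group,
# no group permissions" keeps that group out even when 'other' has access.
from dataclasses import dataclass


@dataclass
class Inode:
    owner: str
    group: str
    mode: int  # permission bits, e.g. 0o1707 for a deny-group /tmp


@dataclass
class Mount:
    noexec: bool = False


@dataclass
class Process:
    user: str
    groups: set


# Constructed sample filesystem. /tmp: full access for owner and 'other',
# no access at all for the group "untrusted". The home directory tree is
# mounted noexec, so even a file its owner can write cannot be executed.
FS = {
    "/tmp": (Inode("root", "untrusted", 0o1707), Mount(noexec=False)),
    "/home/alice/tool": (Inode("alice", "untrusted", 0o755), Mount(noexec=True)),
}


def permitted(proc: Process, path: str, want: str) -> bool:
    """want is 'r', 'w' or 'x'. Mirrors the kernel's order of evaluation:
    owner bits if the uid matches, otherwise group bits if ANY of the
    process's groups matches, and only otherwise the 'other' bits.
    A member of the file's group never falls through to 'other', which is
    exactly what turns a no-permission group into a denial list."""
    inode, mount = FS[path]
    if want == "x" and mount.noexec:
        return False  # noexec blocks execution regardless of mode bits
    if proc.user == inode.owner:
        shift = 6
    elif inode.group in proc.groups:
        shift = 3
    else:
        shift = 0
    bit = {"r": 4, "w": 2, "x": 1}[want]
    return bool((inode.mode >> shift) & bit)
```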
