home | list info | list archive | date index | thread index

Re: [OCLUG-Tech] jailing users?

jbuburuz [ at ] sce [ dot ] carleton [ dot ] ca wrote:

I know if permissions are set correctly other users cannot see into each
other home directories. But I just want to prevent shell
access/hacking/playing.

Users seeing world-readable files in directories outside their own home should not be a problem - that's why the files are marked world-readable. Many programs (that operate with less priviledges than root) rely on being able to read these files to determine how they should operate.

Going in and marking many files in /etc as 700 (root) could (and will) cause cascading problems for many other things, so be careful about trying to harden a system with chmod!

You are better to mount the user home directories as noexec, and nosuid so 1) they don't install executable programs and 2) setuid to other users doesn't work. High risk users should usually be installed with their own group that does not belong a more trusted users group. By either individual groups or implementing a high risk user group, you can control how much they can get into.

Perhaps a little reading on chmod and Unix file permissions would help alleviate your concerns.

One problem about tightening security is that if expected and typical services stop working, users complain to senior management, and senior management generally sends down sweeping edicts to remove barriers to user functionality. What I'm trying to say (poorly I may add) is that too much security will result in someone higher in the food chain telling you to remove security altogether.

One important thing is that discipline on the system admin's part really helps - install and USE sudo, and allocate executable program access via sudoers. Given the ease of installing keyloggers, working from any terminal - xterm or remote ssh can result in exposure of username/passwords, therefore keeping administrative access to only trusted platforms, and using PKI keys instead of passwords is important.

--
Bill Strosberg, CISSP

replies

references

message navigation