I would like to have a way in which a set of folders do not allow write access for a particular process. For example, I would love to have a way in which YUM/RPM is not allowed to write into /usr/bin
1 Answer
You can chroot the software into a bind mount setup where these directories are mounted read-only.
mkdir /foo
mount --bind / /foo
mount --rbind /dev /foo/dev
mount --bind /proc /foo/proc
mount --bind /run /foo/run
mount -t tmpfs tmpfs /foo/tmp
mount --bind /sys /foo/sys
mount --bind /usr/bin /foo/usr/bin
mount -o remount,ro /foo/usr/bin
chroot /foo rpm …
Note that hostile processes running as root can escape a chroot, so this is not a secure confinement, only a way to ensure that a non-malicious process isn't writing where it isn't supposed to.
An alternative approach would be to set up SELinux rules. These constrain even processes running as root, so if set up correctly (which is nontrivial, and requires more than file access blocking) it can be a secure confinement.
If the process isn't running as root, just make sure that the permissions on the directory don't allow the user to write there. You can use an ACL that excludes a specific user, e.g.
setfacl -m user:alice:0 /some/dir
to make /some/dir inaccessible to the user alice, or
setfacl -R -m user:alice:rX /some/dir
to make it and files under it readable but not writable.
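An added script, not part of the answer above, that carries out the bind-mount chroot from the answer and adds the check a practitioner wants before handing the chroot to rpm: read /proc/self/mountinfo and confirm the directory really is mounted read-only. It generalizes the answer to any number of read-only directories, and it uses `remount,bind,ro` (the per-mount form from mount(8)) so that only the bind mount's flag changes rather than the underlying filesystem's superblock. The chroot path /foo, /usr/bin and the sample mountinfo lines are assumed or constructed values; setup needs root, the check does not.

```shell
#!/bin/sh
# Added example (not from the original answer). Assumptions: Linux, util-linux
# mount, run as root for setup_ro_chroot. The mountinfo check works unprivileged.

# Return 0 if mount point $1 is read-only according to a mountinfo file
# ($2, default /proc/self/mountinfo), 1 otherwise (including "not mounted").
# mountinfo fields: id parent major:minor root mountpoint per-mount-options ...
# A read-only bind mount shows "ro" in the per-mount options even though the
# superblock options after the "-" separator still say "rw". Paths containing
# spaces appear escaped (\040); pass them in that form.
is_mounted_ro() {
    mp=$1
    rc=1
    while read -r id parent dev root point opts rest; do
        [ "$point" = "$mp" ] || continue
        # Last matching entry wins: it is the topmost mount on that path.
        rc=1
        case ",$opts," in *,ro,*) rc=0 ;; esac
    done < "${2:-/proc/self/mountinfo}"
    return "$rc"
}

# Constructed sample of what mountinfo looks like after the answer's commands
# (ids and device numbers made up), for offline testing of is_mounted_ro.
sample_mountinfo() {
    cat <<'EOF'
23 1 8:1 / / rw,relatime - ext4 /dev/sda1 rw
90 23 8:1 / /foo rw,relatime - ext4 /dev/sda1 rw
91 90 8:1 /usr/bin /foo/usr/bin ro,relatime - ext4 /dev/sda1 rw
EOF
}

# Bind-mount the running system under $1 and make every remaining argument
# read-only inside it. Mirrors the answer's mount sequence, plus verification.
setup_ro_chroot() {
    root=$1; shift
    mkdir -p "$root"
    mount --bind / "$root"
    mount --rbind /dev "$root/dev"
    mount --bind /proc "$root/proc"
    mount --bind /run "$root/run"
    mount -t tmpfs tmpfs "$root/tmp"
    mount --bind /sys "$root/sys"
    for d in "$@"; do
        # Two steps: a fresh bind mount inherits rw; the remount with "bind"
        # changes only this mount's flags, not the source filesystem.
        mount --bind "$d" "$root$d"
        mount -o remount,bind,ro "$d" "$root$d"
        # Refuse to continue if the flag did not take effect, otherwise the
        # confined process could still write there.
        if ! is_mounted_ro "$root$d"; then
            echo "$root$d is not read-only, aborting" >&2
            return 1
        fi
    done
}

# Usage (as root): sh ro-chroot.sh setup /foo /usr/bin && chroot /foo rpm ...
case "${1:-}" in
    setup) shift; setup_ro_chroot "$@" ;;
esac
```

The check function can also be run on its own after the answer's manual commands (`is_mounted_ro /foo/usr/bin`), which is the quickest way to notice an older mount that ignored the read-only flag.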
@Thejdeep Sure. Access a device file directly (and root can create device files even if they weren't provided originally) or mount it, call gdb -p 1 to make a process outside the chroot do anything, etc. – Gilles 'SO- stop being evil' Jun 15 '15 at 08:08
yum/rpm is a tough example because they typically run as root. The only way to prevent a root process from writing to a directory would be by playing with chroot or containers to constrain the filesystem namespace it will execute in. You could also try replacing the executables in question with wrappers that suid to a non-root owner/group before exec'ing the actual executable (e.g. moved to a new name), or chroot first. Note that you can't use suid on wrappers if they are shell scripts or interpreted executables of any kind. – BobDoolittle Jun 14 '15 at 19:15