0

I am managing a server running Cantos 7. Some users login to the server via ssh/sftp for development. For them i have created a user devel. For security reasons, i need to confine them to certain directories. They should be able to:

  • Run only basic commands such as cd, ls, cp, cat, mv, mkdir, rmdir, etc.
  • Run programs such as java, gcc, python etc.
  • Access home directory (devel) with full permissions (rwx)
  • Access a mounted Hard Drive /mnt/dataspace with full permissions (rwx)
  • Access the /usr/lib, /usr/src and some other directories with full permissions (rwx)

I want to prevent devel from:

  • Accessing all other directories such as /, /boot, /etc, /opt, /var etc.
  • Accessing certain services/deamons such as httpd, sshd, mysqld etc.
  • Running any command (other than the basic commands above) e.g. systemctl.

I don't want these directories (e.g. /, /etc, /var etc.) to even show up to them, or at the very least disable access to them.

Is it possible to do? I have read many questions here and also many other articles, forums and blogs about ACL and Chroot Jail erc. such as this, this, this, this, this, this, this, this, this, this, this but none of them helped me to achieve what i need to do.

Any help or any suggestions will be highly appreciated, i desperately need help.

Raja Ayaz
  • 1
  • 1
  • What you're describing here isn't really practical. You will always have a / directory, and a lot of programs won't work without the things in /etc or /dev. And if the users have access to java/gcc/python, they can write their own replacements for many of the programs that you don't provide. – Kenster Nov 21 '19 at 20:34
  • okay i can give them access to /. Is it possible to disable access to certain list of directories (such as /var, /etc/httd,...)? – Raja Ayaz Nov 21 '19 at 20:44
  • 1
    The requirement to allow write access to /usr/lib will allow the devel user to gain root access. They can move aside one of the frequently-used system libraries and place their own evil version of it in its place. As soon as any root-owned process uses that library, it grants root access to devel, deletes itself and moves the normal library back in its place, then loads the normal library so that the root-owned process works as usual (with maybe a <0.1 second extra delay in starting). You should not allow them write access to anything that may run as root in normal system operations. – telcoM Nov 21 '19 at 23:45

1 Answers1

0

You can use a restricted shell like rbash or rssh to restrict the capabilities of users. (Or VirtFS/jailshell if you're willing to go that far.) Here's an example from RH on using rbash:

https://access.redhat.com/solutions/65822

Angelo
  • 1,941