
I want to be able to generically pick a certain executable (potentially malicious) x and run it (from an admin account) with write access restricted to certain directories (dynamically deduced) "${dirs[@]}".

The executable should have access to whatever is globally accessible on the system.

I figured I could use simple user switching and have a dedicated, stateless system user, foreveralone, for running these executables.

Whenever I would want to run x with these restrictions, I would flock a lock file, chown -R foreveralone:foreveralone -- "${dirs[@]}" and then do sudo -u foreveralone -g foreveralone $PWD/x.

After that, I would chown the write directories to someone else, so that foreveralone would have no persistent files on the filesystem. I figure I would also need to clean up the global write directories (e.g., /tmp, /dev/shm) from foreveralone's files.

My questions are:

  1. Is this a feasible and secure mechanism for jailing processes, given a standardly set up *nix system?
  2. What exactly are the standard globally writable places and files on a standardly set up *nix?
  3. How can I find them better than with something like

    sudo -u foreveralone -g foreveralone find / ! -type l -writable 2>/dev/null | grep -v '^/proc'

    (My find game is very weak. /proc/$pid appears to have lots of files that appear writable but, in fact, aren't, so I'm skipping those (I wonder what's up with that).)

Anyway, on my system, 3. returns (filtered to show file types):

    character special file /dev/full
    character special file /dev/fuse
    character special file /dev/net/tun
    character special file /dev/null
    character special file /dev/ptmx
    character special file /dev/random
    character special file /dev/tty
    character special file /dev/urandom
    character special file /dev/zero
    character special file /sys/kernel/security/apparmor/.null
    directory /run/lock
    directory /run/shm
    directory /tmp
    directory /tmp/.ICE-unix
    directory /tmp/.X11-unix
    directory /var/local/dumps
    directory /var/mail
    directory /var/spool/samba
    directory /var/tmp
    regular empty file /run/sendmail/mta/smsocket
    regular empty file /sys/kernel/security/apparmor/.access
    socket /dev/log
    socket /run/acpid.socket
    socket /run/avahi-daemon/socket
    socket /run/cups/cups.sock
    socket /run/dbus/system_bus_socket
    socket /run/gdm_socket
    socket /run/mysqld/mysqld.sock
    socket /run/samba/nmbd/unexpected
    socket /run/sdp
    socket /tmp/.ICE-unix/2537
    socket /tmp/mongodb-27017.sock
    socket /tmp/.X11-unix/X0

  4. Is there a better (simpler/more flexible) solution to this?

In my particular case, x would be a potentially malicious build script which should run without writing to the wrong places or reading things that aren't globally readable.
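The mechanism the question sketches, scripted end to end, as an added example that is not code from the question. It assumes a dedicated user "foreveralone" already exists, GNU find, flock, sudo and readlink are installed, and the caller may sudo; the lock file path, the list of shared writable directories and all function names are assumptions. Two points the question raises are handled explicitly: the search for world-writable places uses find -prune instead of grep -v '^/proc', so find never walks /proc, /sys or /dev (their mode bits do not say what a write would actually do, which is why they show up as "writable" but are not), and the directories are handed back and the shared places swept even when x fails, so nothing owned by the jail user persists between runs.

```shell
#!/bin/sh
# Added example, not code from the question. Scripts the described mechanism:
# lock, hand the allowed directories to a dedicated user, run the executable
# as that user, take the directories back, sweep the shared writable places.
# Assumptions: user "foreveralone" exists; GNU find, flock, sudo, readlink are
# installed; the caller may sudo. LOCK_FILE and SHARED_WRITABLE are assumptions.
set -eu

JAIL_USER=${JAIL_USER:-foreveralone}
LOCK_FILE=${LOCK_FILE:-/run/lock/jail-$JAIL_USER.lock}
# Directories every account can create files in on a typical Linux install.
SHARED_WRITABLE="/tmp /var/tmp /dev/shm"

# find_world_writable ROOT [EXTRA_PRUNE ...]
# Prints "type mode path" for every non-symlink entry below ROOT whose mode has
# the other-write bit set. -prune keeps find out of /proc, /sys and /dev (and
# any extra paths given) entirely, which grep -v '^/proc' could not do because
# find still walked them and reported their misleading mode bits.
find_world_writable() {
  _root=$1; shift
  set -- /proc /sys /dev "$@"
  # Rotate the prune list into a find expression: -path A -o -path B -o ...
  _n=$#
  while [ "$_n" -gt 0 ]; do
    set -- "$@" -path "$1" -o
    shift
    _n=$((_n - 1))
  done
  find "$_root" \( "$@" -false \) -prune -o \
       ! -type l -perm -002 -printf '%y %m %p\n' 2>/dev/null || true
}

# Files the jail user left in the shared writable places (one path per line).
jail_leftovers() {
  sudo find $SHARED_WRITABLE -xdev -user "$JAIL_USER" -print 2>/dev/null || true
}

# run_jailed EXE DIR [DIR ...]
# Runs EXE as the jail user with write access to the listed directories only
# (plus whatever is world-writable, which is why the sweep at the end exists).
run_jailed() {
  _exe=$(readlink -f -- "$1"); shift       # absolute path, independent of cwd
  _owner=$(id -un):$(id -gn)
  _status=0
  (
    # Two concurrent runs would fight over the ownership of the directories.
    flock -w 60 9 || { echo "could not lock $LOCK_FILE" >&2; exit 1; }
    sudo chown -R "$JAIL_USER:$JAIL_USER" -- "$@"
    # Take the directories back even if EXE fails or is killed.
    trap 'sudo chown -R "$_owner" -- "$@"' EXIT
    sudo -u "$JAIL_USER" -g "$JAIL_USER" -- "$_exe"
  ) 9>"$LOCK_FILE" || _status=$?
  # Remove whatever the jail user wrote to /tmp, /var/tmp and /dev/shm so
  # nothing of it survives to the next run.
  sudo find $SHARED_WRITABLE -xdev -user "$JAIL_USER" -delete 2>/dev/null || true
  return "$_status"
}

# Usage: ./jail.sh ./x dir1 [dir2 ...]
# With no arguments only the functions are defined, so the file can be sourced;
# find_world_writable / and jail_leftovers are the two audit commands.
if [ $# -gt 0 ]; then
  run_jailed "$@"
fi
```

Running find_world_writable / as any user lists the sticky-bit directories (/tmp, /var/tmp, /dev/shm, /run/lock, ...) and the world-writable device nodes and sockets, which is the answer to the question's point 2 for the machine at hand; run it as the jail user via sudo if group-granted writes matter too. The restriction is discretionary access control only: x can still read everything world-readable, talk to every socket in that list (D-Bus, X11, the database socket) and use the network, so the sweep at the end only covers persistence, not confidentiality.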

1 Answer


First, sorry for my bad English. Let me show you something using only Unix concepts, because I think it can help (or maybe not).

Imagine that I want the executable nano to be executable by every user, but it must never run as the user who calls it; instead it runs in a limited environment, with access to edit only the Apache configuration or files in certain groups. In other words, I want nano to be executed like a Linux service limited to a specific virtual user's privileges.

1- First I will create the user nano and disable its login:

    useradd nano -d /var/nano
    mkdir /var/nano
    chown -R nano:nano /var/nano
    passwd -l nano

2- Let's force nano to run as user nano (for example, if root calls nano it must run as nano and not as root):

    chown nano:nano /usr/bin/nano
    chmod a+s /usr/bin/nano

Now +s means that nano will run as its owner and not as whoever called it.

3- Call nano as root for a test:

    # nano
    # ps aux | grep nano
    nano      3399  0.0  0.0  13828  3840 pts/0    S+   08:48   0:00 nano

Beautiful! Nano now runs as user nano, no matter which user I logged in as.

4- So what now? I want nano to edit the files at /var/www/apache2:

    chgrp -R www-data /var/www/   # (yes, I know this is unnecessary on Debian if the group is respected)
    chmod -R g+rw /var/www
    adduser nano www-data

5- What more?

You will note that every user can now use nano (or a special copy of it, "nano-special" ;-) to edit /var/www files, so what if you want only users in group nano to be able to do that?

Simple: remove the execute permission for others:

    chmod o-x /usr/bin/nano

And add the users to the group nano:

    adduser myuser1 nano
  • It doesn't actually answer my question, but it's a nice example. I think this approach of traditional user-space-based jailing is feasible and that I just need to clean up the globally writable directories afterwards. Maybe I'll upgrade to AppArmor or something later, but I'd rather not. Thanks for the time taken to make the answer. Commented May 30, 2016 at 13:46
  • Thank you very much! I gave you +1. I think you can jail your program using this method and put the program's user in the groups that have access to the devices you want, giving +w permission to the group on the files it will need to access. Commented May 30, 2016 at 14:37
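The answer's five steps as one script, plus the checks an auditor would run on the result, as an added example that is not code from the answer. It assumes Debian-style useradd/adduser, GNU stat and util-linux findmnt; the user, group and binary names are the answer's examples and the function names are assumptions. Beyond restating the setup, the audit covers two things a practitioner wants to know about any setuid binary: that nobody except the owner can write it (a group- or world-writable setuid binary gives every writer the owner's identity), and that it does not sit on a nosuid mount, where the kernel ignores the bit and the binary silently runs as the caller after all.

```shell
#!/bin/sh
# Added example, not code from the answer. Packages the answer's setup into a
# function and adds an audit of the result. Assumptions: Debian-style
# useradd/adduser, GNU stat, util-linux findmnt. Names are examples only.
set -eu

# setup_setuid_wrapper BIN USER DATAGROUP   (run as root)
# e.g. setup_setuid_wrapper /usr/bin/nano nano www-data
setup_setuid_wrapper() {
  _bin=$1; _user=$2; _datagrp=$3
  # Dedicated account with no login shell; useradd -m creates the home.
  id "$_user" >/dev/null 2>&1 || useradd -m -d "/var/$_user" -s /usr/sbin/nologin "$_user"
  passwd -l "$_user"
  adduser "$_user" "$_datagrp"     # lets the wrapper reach the group's files
  chown "$_user:$_user" "$_bin"
  chmod 4750 "$_bin"               # setuid; group may run it, others may not
}

# setuid_audit BIN EXPECTED_OWNER
# Prints one finding per line; prints nothing when BIN looks the way the answer
# intends: owned by EXPECTED_OWNER, setuid, not writable by group or world, not
# executable by world, on a mount that honours the setuid bit.
setuid_audit() {
  _bin=$1; _expect=$2
  _mode=$(printf '%04d' "$(stat -c %a "$_bin")")   # e.g. 4750 or 0755
  _owner=$(stat -c %U "$_bin")
  _special=${_mode%???}             # setuid/setgid/sticky digit
  _perm=${_mode#?}                  # the three rwx digits
  _rest=${_perm#?}
  _g=${_rest%?}                     # group digit
  _o=${_rest#?}                     # others digit
  [ "$_owner" = "$_expect" ] || echo "owner:$_owner"
  case $_special in 4|5|6|7) ;; *) echo no-setuid ;; esac
  case $_o in 1|3|5|7) echo world-exec ;; esac
  case $_o in 2|3|6|7) echo world-writable ;; esac
  case $_g in 2|3|6|7) echo group-writable ;; esac
  # The kernel ignores the setuid bit on a nosuid mount.
  if command -v findmnt >/dev/null 2>&1 &&
     findmnt -n -o OPTIONS -T "$_bin" 2>/dev/null | grep -q nosuid; then
    echo nosuid-mount
  fi
  return 0
}

# Usage: ./audit.sh /usr/bin/nano nano   (prints findings, nothing if clean)
if [ $# -eq 2 ]; then
  setuid_audit "$1" "$2"
fi
```

chmod 4750 in the setup is the answer's chmod a+s followed by chmod o-x, minus the setgid bit the a+s also set, which the answer never relies on. Run setuid_audit after every package upgrade: a package that reinstalls the binary resets the owner and mode, and the wrapper then quietly runs as whoever called it again.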
