September 21, 2005
Host security is a very important topic. You want to keep your machine as secure as possible. One security principle that most people overlook is the "Principle of Least Privilege": give a user only as much access as they need to get their job done, and no more. Many tools, ideas, and practices have been created to help stick to this principle (e.g. su, sudo, PAM). I'm going to show you two very powerful tools/ideas that will greatly improve your security by limiting certain accounts while still leaving them enough access to do their job. First I'll introduce you to scponly. Then I'll demonstrate a cool PAM trick to create a "su only" user.
First, scponly. Many protocols have been created to replace the aging protocols of yesteryear (FTP, Telnet, RSH, RCP, etc.). SSH is one of the more popular. Secure Shell, or SSH, lets you connect to a remote shell with all traffic between the hosts encrypted, and it has replaced many of the plain-text protocols. To emulate an FTP-only server (an account without an interactive shell that can still upload and download files) you can use a tool such as scponly. scponly is a restricted shell: you set it as the user's login shell in /etc/passwd, and it only allows file-transfer sessions (scp, and sftp if it was built with sftp support) while refusing any interactive shell.
There's also a package named SCPjailer that will help you create the chroot jails used by the chrooted version of scponly (scponlyc).
I'm currently working on some tools to make creating users with these two programs much simpler, so watch this space for news on the upcoming scponly-tools.
I've also recently come up with a PAM trick which will allow you to create a user which can only be accessed via the su command. That's right, no direct login at all, so every use of the account goes through someone who first logged in as themselves. Here's how you accomplish this:
- Create a new user who will only be accessible via su:
# useradd kyle
- Restrict the new user account from all direct access by modifying the file /etc/pam.d/system-auth, adding the pam_listfile.so line as shown:
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth required /lib/security/$ISA/pam_deny.so
account required /lib/security/$ISA/pam_unix.so
account required /lib/security/$ISA/pam_listfile.so sense=deny onerr=succeed item=user file=/etc/suonlyusers
account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account required /lib/security/$ISA/pam_permit.so
password requisite /lib/security/$ISA/pam_cracklib.so retry=3
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password required /lib/security/$ISA/pam_deny.so
session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so
- After editing that file, create /etc/suonlyusers and add a single line with the username of whomever you are trying to restrict (in our case: kyle). Keep the file owned by root and not writable by anyone else, since whoever can edit it decides which accounts are locked out. Also note that onerr=succeed means that if the file is missing or unreadable pam_listfile denies nobody (it fails open); onerr=fail would fail closed instead, but with a 'required' deny line that locks everyone out if the file disappears, so pick one deliberately.
- Unrestrict the same user when using the su command by editing /etc/pam.d/su and adding the pam_listfile.so line as shown. It must come before the line that pulls in system-auth: a failure from a 'required' module earlier in the stack cannot be undone by a later 'sufficient' success.
auth sufficient /lib/security/$ISA/pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth sufficient /lib/security/$ISA/pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth required /lib/security/$ISA/pam_wheel.so use_uid
auth required /lib/security/$ISA/pam_stack.so service=system-auth
account sufficient /lib/security/$ISA/pam_listfile.so item=user sense=allow onerr=succeed file=/etc/suonlyusers
account required /lib/security/$ISA/pam_stack.so service=system-auth
password required /lib/security/$ISA/pam_stack.so service=system-auth
# pam_selinux.so close must be first session rule
session required /lib/security/$ISA/pam_selinux.so close
session required /lib/security/$ISA/pam_stack.so service=system-auth
# pam_selinux.so open and pam_xauth must be last two session rules
session required /lib/security/$ISA/pam_selinux.so open multiple
session optional /lib/security/$ISA/pam_xauth.so
Try giving your user a password, then logging in directly and accessing the account via su. The direct login (console, or sshd with UsePAM yes, or anything else that runs the system-auth account stack) should be refused, while su to the account succeeds: root needs no password thanks to pam_rootok, and anyone else still needs kyle's password. Two things to keep in mind: the 'sufficient' allow line in /etc/pam.d/su short-circuits the rest of the account stack for listed users, so password-expiry and similar account checks from system-auth are skipped for su; and on newer distributions where /etc/pam.d/su says "account include system-auth" instead of using pam_stack, the pam_listfile line goes in the same place, before the include.
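Since the whole trick depends on three files agreeing with each other (the deny line in system-auth, the allow line in su placed before the system-auth stack line, and a sane /etc/suonlyusers), here is a small checker that verifies exactly that. This is an added example, not code from the original post or from the scponly project; the function names (pam_find, check_su_only, write_sample_config) are hypothetical, the sample configuration it writes is a constructed copy of the files shown above with the /lib/security/$ISA/ path prefix dropped, and the file= argument points at a temporary directory so it runs anywhere.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check an "su only"
# PAM setup of the kind described above. Function names and the sample
# configuration are constructed for this example.

# pam_find FILE TYPE WHAT PATTERN...
#   Find the first non-comment PAM line in FILE whose type ($1) is TYPE and
#   which contains every PATTERN as a substring. Prints its control word
#   ($2) when WHAT is "ctl", its line number when WHAT is "nr"; prints
#   nothing if there is no such line.
pam_find() {
    pf_file=$1; pf_type=$2; pf_what=$3; shift 3
    awk -v t="$pf_type" -v w="$pf_what" -v pats="$*" '
        BEGIN { n = split(pats, p, " ") }
        $1 == t {
            for (i = 1; i <= n; i++) if (!index($0, p[i])) next
            v = (w == "nr") ? NR : $2
            print v; exit
        }' "$pf_file"
}

# check_su_only SYSTEM_AUTH SU_FILE LISTFILE USER
#   1. SYSTEM_AUTH has 'account required pam_listfile.so sense=deny ...
#      file=LISTFILE' (direct logins of listed users are refused)
#   2. SU_FILE has 'account sufficient pam_listfile.so sense=allow ...
#      file=LISTFILE' BEFORE the account line that pulls in system-auth;
#      after it, the 'required' deny has already failed the stack and a
#      later 'sufficient' success cannot rescue it
#   3. LISTFILE exists, names USER on a line of its own, and is not
#      world-writable (whoever can edit it decides who is locked out)
#   Prints one line per finding; returns 0 if all checks pass, else 1.
#   onerr=succeed on the deny line is only a warning: with it, an
#   unreadable list file means nobody is denied (fail-open).
check_su_only() {
    cso_sysauth=$1; cso_su=$2; cso_list=$3; cso_user=$4; cso_rc=0

    cso_deny=$(pam_find "$cso_sysauth" account ctl pam_listfile.so sense=deny "file=$cso_list")
    case $cso_deny in
        "") echo "FAIL: no 'account ... pam_listfile.so sense=deny ... file=$cso_list' line in $cso_sysauth"; cso_rc=1 ;;
        required|requisite)
            if [ -n "$(pam_find "$cso_sysauth" account ctl pam_listfile.so sense=deny "file=$cso_list" onerr=succeed)" ]; then
                echo "WARN: deny line in $cso_sysauth uses onerr=succeed; an unreadable $cso_list denies nobody"
            fi ;;
        *) echo "FAIL: deny line in $cso_sysauth has control '$cso_deny', needs 'required'"; cso_rc=1 ;;
    esac

    cso_allow=$(pam_find "$cso_su" account nr pam_listfile.so sense=allow "file=$cso_list")
    cso_allow_ctl=$(pam_find "$cso_su" account ctl pam_listfile.so sense=allow "file=$cso_list")
    cso_stack=$(pam_find "$cso_su" account nr system-auth)   # pam_stack service= or include
    if [ -z "$cso_allow" ]; then
        echo "FAIL: no 'account ... pam_listfile.so sense=allow ... file=$cso_list' line in $cso_su"; cso_rc=1
    elif [ "$cso_allow_ctl" != sufficient ]; then
        echo "FAIL: allow line in $cso_su is '$cso_allow_ctl'; as 'required' it would refuse su to every unlisted account"; cso_rc=1
    elif [ -n "$cso_stack" ] && [ "$cso_allow" -gt "$cso_stack" ]; then
        echo "FAIL: allow line ($cso_su line $cso_allow) comes after the system-auth line ($cso_stack); the deny wins"; cso_rc=1
    fi

    if [ ! -f "$cso_list" ]; then
        echo "FAIL: $cso_list does not exist"; cso_rc=1
    else
        if ! grep -qxF -- "$cso_user" "$cso_list"; then
            echo "FAIL: $cso_user is not listed in $cso_list"; cso_rc=1
        fi
        case $(ls -ld "$cso_list") in   # 9th mode character is the other-write bit
            ????????w*) echo "FAIL: $cso_list is world-writable"; cso_rc=1 ;;
        esac
    fi
    return $cso_rc
}

# write_sample_config DIR: constructed copy of the post's three files, with
# module paths shortened and file= pointing into DIR.
write_sample_config() {
    wsc_dir=$1
    cat > "$wsc_dir/system-auth" <<EOF
auth     required   pam_env.so
auth     sufficient pam_unix.so likeauth nullok
auth     required   pam_deny.so
account  required   pam_unix.so
account  required   pam_listfile.so sense=deny onerr=succeed item=user file=$wsc_dir/suonlyusers
account  sufficient pam_succeed_if.so uid < 100 quiet
account  required   pam_permit.so
EOF
    cat > "$wsc_dir/su" <<EOF
auth     sufficient pam_rootok.so
auth     required   pam_stack.so service=system-auth
account  sufficient pam_listfile.so item=user sense=allow onerr=succeed file=$wsc_dir/suonlyusers
account  required   pam_stack.so service=system-auth
EOF
    echo kyle > "$wsc_dir/suonlyusers"
    chmod 644 "$wsc_dir/suonlyusers"
}

# Stand-alone demonstration on the constructed sample (on a real host, point
# check_su_only at /etc/pam.d/system-auth, /etc/pam.d/su and /etc/suonlyusers).
demo_dir=$(mktemp -d)
write_sample_config "$demo_dir"
if check_su_only "$demo_dir/system-auth" "$demo_dir/su" "$demo_dir/suonlyusers" kyle; then
    echo "su-only setup for kyle looks consistent"
fi
rm -rf "$demo_dir"
```

The checker deliberately reads the files the same way PAM does (first field is the type, comments are skipped, modules matched by name so both /lib/security/$ISA/pam_listfile.so and a bare pam_listfile.so count), and it treats the line order in /etc/pam.d/su as a hard failure because that is the mistake that silently turns the trick into "nobody can su to kyle either".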
Quite a trick.
(ranks a 4.3 out of 5 in my book)
Posted by sjansen at September 21, 2005 4:24 PM