1 |
Dear Jan, |
2 |
|
3 |
-- |
4 |
dr Tóth Attila, Radiológus Szakorvos jelölt, 06-20-825-8057, 06-30-5962-962 |
5 |
Attila Toth MD, Radiologist in Training, +36-20-825-8057, +36-30-5962-962 |
6 |
|
7 |
On Hét, November 24, 2008 21:03, Jan Klod wrote: |
8 |
> Well, the idea is: if program is started with userid N != 0, what are the |
9 |
> ways |
10 |
> it can access the information, it is supposed to be forbidden to access in |
11 |
> a |
12 |
> normal Linux configuration (other users info)? |
13 |
> As you might think, I am not really sure of what I need other than a way |
14 |
> to |
15 |
> forbid all the users access to other users files unless they are in a |
16 |
> group |
17 |
> and permissions allow it. |
18 |
|
19 |
You don't need more than regular Unix-style access-control to achieve this |
20 |
basically: every user must have its own group, and files should be created |
21 |
without world-access rights by default. It can be configured on any |
22 |
regular host. |
23 |
|
24 |
> Many wild things can happen, I just think, this might be a good place |
25 |
> where I |
26 |
> could ask. |
27 |
> |
28 |
> For example: I install mailserver or run samba on a server, where some |
29 |
> other |
30 |
> things are going on and I totally don't want them to interfare in any |
31 |
> possible way unless it has been intended. |
32 |
|
33 |
If you want to separate services, you can install them in their own |
34 |
chroot/jail environment or go for separate virtual machines. For the |
35 |
former method grsecurity provides advanced protection and for the latter |
36 |
strategy there are several possibilities for implementation. |
37 |
|
38 |
> |
39 |
> Hope, I made it clear enough... |
40 |
|
41 |
Hardened project offers toolchain-based additional hardening and several |
42 |
types of mandatory access control (MAC) techniques, which makes bypassing |
43 |
system security much harder. Most of us would vote on their favorite |
44 |
method(s) and argue against the other(s). You should dig yourself a bit |
45 |
deeper into SELinux/RSBAC/PaX/Grsecurity/PIE-SSP and choose your |
46 |
combination according to your taste. |
47 |
|
48 |
> |
49 |
> Jan |
50 |
> |
51 |
|
52 |
Regards, |
53 |
Dw. |