| 1 |
Dear Jan, |
| 2 |
|
| 3 |
-- |
| 4 |
dr Tóth Attila, Radiológus Szakorvos jelölt, 06-20-825-8057, 06-30-5962-962 |
| 5 |
Attila Toth MD, Radiologist in Training, +36-20-825-8057, +36-30-5962-962 |
| 6 |
|
| 7 |
On Hét, November 24, 2008 21:03, Jan Klod wrote: |
| 8 |
> Well, the idea is: if program is started with userid N != 0, what are the |
| 9 |
> ways |
| 10 |
> it can access the information, it is supposed to be forbidden to access in |
| 11 |
> a |
| 12 |
> normal Linux configuration (other users info)? |
| 13 |
> As you might think, I am not really sure of what I need other than a way |
| 14 |
> to |
| 15 |
> forbid all the users access to other users files unless they are in a |
| 16 |
> group |
| 17 |
> and permissions allow it. |
| 18 |
|
| 19 |
You don't need more than regular Unix-style access-control to achieve this |
| 20 |
basically: every user must have its own group, and files should be created |
| 21 |
without world-access rights by default. It can be configured on any |
| 22 |
regular host. |
| 23 |
|
| 24 |
> Many wild things can happen, I just think, this might be a good place |
| 25 |
> where I |
| 26 |
> could ask. |
| 27 |
> |
| 28 |
> For example: I install mailserver or run samba on a server, where some |
| 29 |
> other |
| 30 |
> things are going on and I totally don't want them to interfare in any |
| 31 |
> possible way unless it has been intended. |
| 32 |
|
| 33 |
If you want to separate services, you can install them in their own |
| 34 |
chroot/jail environment or go for separate virtual machines. For the |
| 35 |
former method grsecurity provides advanced protection and for the latter |
| 36 |
strategy there are several possibilities for implementation. |
| 37 |
|
| 38 |
> |
| 39 |
> Hope, I made it clear enough... |
| 40 |
|
| 41 |
Hardened project offers toolchain-based additional hardening and several |
| 42 |
types of mandatory access control (MAC) techniques, which makes bypassing |
| 43 |
system security much harder. Most of us would vote on their favorite |
| 44 |
method(s) and argue against the other(s). You should dig yourself a bit |
| 45 |
deeper into SELinux/RSBAC/PaX/Grsecurity/PIE-SSP and choose your |
| 46 |
combination according to your taste. |
| 47 |
|
| 48 |
> |
| 49 |
> Jan |
| 50 |
> |
| 51 |
|
| 52 |
Regards, |
| 53 |
Dw. |
Archives