hidepid
procfs on Linux now supports the hidepid mount option. From man 5 proc:
hidepid=n (since Linux 3.3)
This option controls who can access the information in
/proc/[pid] directories. The argument, n, is one of the
following values:
0 Everybody may access all /proc/[pid] directories. This is
the traditional behavior, and the default if this mount
option is not specified.
1 Users may not access files and subdirectories inside any
/proc/[pid] directories but their own (the /proc/[pid]
directories themselves remain visible). Sensitive files
such as /proc/[pid]/cmdline and /proc/[pid]/status are now
protected against other users. This makes it impossible to
learn whether any user is running a specific program (so
long as the program doesn't otherwise reveal itself by its
behavior).
2 As for mode 1, but in addition the /proc/[pid] directories
belonging to other users become invisible. This means that
/proc/[pid] entries can no longer be used to discover the
PIDs on the system. This doesn't hide the fact that a
process with a specific PID value exists (it can be learned
by other means, for example, by "kill -0 $PID"), but it
hides a process's UID and GID, which could otherwise be
learned by employing stat(2) on a /proc/[pid] directory.
This greatly complicates an attacker's task of gathering
information about running processes (e.g., discovering
whether some daemon is running with elevated privileges,
whether another user is running some sensitive program,
whether other users are running any program at all, and so
on).
gid=gid (since Linux 3.3)
Specifies the ID of a group whose members are authorized to
learn process information otherwise prohibited by hidepid
(i.e., users in this group behave as though /proc was mounted
with hidepid=0). This group should be used instead of approaches
such as putting nonroot users into the sudoers(5) file.
So mounting /proc with hidepid=2 is enough to hide the details of other users' processes on Linux > 3.3. Ubuntu 12.04 ships with 3.2 by default, but you can install a newer kernel. Ubuntu 14.04 and later satisfy this requirement without any trouble.
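As an added example (not part of the original answer), the following POSIX shell script checks how /proc is currently mounted, reports the effective hidepid mode, and prints the fstab entry that would make hidepid=2 persistent. It reads the real /proc/mounts when it can and otherwise falls back to a constructed sample line; the group id 1001 in that sample is an assumption.

```shell
#!/bin/sh
# Added example, not part of the original answer: inspect the /proc mount,
# report the effective hidepid mode and build a persistent fstab entry.

# Print the value of one mount option (e.g. hidepid, gid) from a
# /proc/mounts line. The 4th field is the comma-separated option list.
# Prints the fallback when the option is absent.
mount_option() {
    opt_name=$1; fallback=$2; mline=$3
    set -- $mline                    # word-split into the six fields
    value=$fallback
    old_ifs=$IFS; IFS=,
    for opt in $4; do
        case $opt in
            "$opt_name"=*) value=${opt#*=} ;;
        esac
    done
    IFS=$old_ifs
    printf '%s\n' "$value"
}

# hidepid defaults to 0 (everyone sees everything), as proc(5) states.
# Kernels since 5.8 also accept (and may display) named values, which
# are normalised to the numeric modes used in the man page excerpt.
proc_hidepid_mode() {
    raw=$(mount_option hidepid 0 "$1")
    case $raw in
        off)        echo 0 ;;
        noaccess)   echo 1 ;;
        invisible)  echo 2 ;;
        ptraceable) echo 4 ;;
        *)          echo "$raw" ;;
    esac
}

# gid= names the group exempt from hiding; empty when not set.
proc_hidepid_gid() { mount_option gid "" "$1"; }

# fstab line that applies MODE (and, optionally, GID) at every boot.
fstab_proc_line() {
    mode=$1; gid=$2
    entry="proc /proc proc defaults,hidepid=$mode"
    [ -n "$gid" ] && entry="$entry,gid=$gid"
    printf '%s 0 0\n' "$entry"
}

# Current /proc mount line, or nothing if /proc/mounts is unreadable.
current_proc_line() {
    [ -r /proc/mounts ] || return 0
    grep '^proc /proc ' /proc/mounts | head -n 1
}

# Constructed sample: a /proc mount with hidepid=2 and an exempt group.
SAMPLE_LINE='proc /proc proc rw,nosuid,nodev,noexec,relatime,hidepid=2,gid=1001 0 0'

proc_line=$(current_proc_line)
[ -n "$proc_line" ] || proc_line=$SAMPLE_LINE
mode=$(proc_hidepid_mode "$proc_line")
exempt=$(proc_hidepid_gid "$proc_line")
echo "hidepid mode: $mode (exempt group: ${exempt:-none})"
case $mode in
    0|1)
        echo "other users' /proc/[pid] directories are still visible;"
        echo "entry for /etc/fstab to hide them:"
        fstab_proc_line 2 "$exempt" ;;
    *)
        echo "other users' /proc/[pid] directories are hidden" ;;
esac
```

After editing /etc/fstab the option takes effect on the next boot or after `mount -o remount /proc`; the gid= value should be the numeric id of the administrative group that is allowed to see everything.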
Access control lists

As a first step, remove the rwx permissions for others (and for the group too, if needed) from every home directory. I'm of course assuming that the directory containing the home directories is not writable by anyone except root.

Then use ACLs to grant services such as the web server and the mail server access to the relevant directories. For example, to give the web server process access to users' home pages, assuming www-data is its user and ~/public_html is where the pages are kept:
# let www-data traverse the home directory (X = search only, no read of the listing)
setfacl -m u:www-data:X ~user
# default ACL on public_html: files and subdirectories created later inherit
# read (r) and, for directories, search (X) for www-data; existing content
# still needs its own access ACL
setfacl -m d:u:www-data:rX ~user/public_html
Likewise, add ACLs for the mail process on the mailbox directories.

ACLs are enabled by default on ext4, at least on Ubuntu 14.04 and later.
/tmp and umask

The other concern is /tmp. Set the umask so that files are not group- or world-readable, so that other users cannot access a user's temporary files.

With these three settings, users can neither access other users' files nor inspect their processes.
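As an added example covering both the ACL and the umask parts of this answer (not code from the original post), the POSIX shell script below writes out the setfacl calls for the web-server case in full, including the access ACL for content that already exists, and then provides two checks a practitioner would run afterwards: one that reads getfacl output and reports what www-data and "other" were actually granted, and one that decides whether a umask leaves new files private to their owner. The user name www-data and the public_html layout are taken from the answer; the getfacl output is constructed so the checks run offline.

```shell
#!/bin/sh
# Added example, not part of the original answer: full setfacl calls for
# the web-server case plus verification of the ACL and umask settings.

# Grant the web server traversal of a home directory and read access to
# its public_html tree. Only runs when called explicitly with a path.
grant_webserver_access() {
    home=$1
    setfacl -m u:www-data:X "$home"                     # traverse only
    setfacl -R -m u:www-data:rX "$home/public_html"     # existing content
    # default ACL on every directory so files created later inherit it
    find "$home/public_html" -type d -exec setfacl -m d:u:www-data:rX {} +
}

# Read getfacl output on stdin and print the access permissions granted
# to the named user (empty if there is no entry). "default:" entries
# describe inheritance only and are deliberately skipped.
acl_perms_for() {
    user=$1
    while IFS= read -r acl_entry; do
        case $acl_entry in
            "user:$user:"*) printf '%s\n' "${acl_entry#user:$user:}"; return 0 ;;
        esac
    done
    echo ""
}

# Print the "other" permissions from getfacl output on stdin; "---" means
# users outside the owner, group and ACL entries get nothing.
acl_other_perms() {
    while IFS= read -r acl_entry; do
        case $acl_entry in
            other::*) printf '%s\n' "${acl_entry#other::}"; return 0 ;;
        esac
    done
    echo ""
}

# True (exit 0) when the umask clears every group and other bit, i.e. the
# strict 077 case in which newly created files are private to their owner.
umask_hides_from_others() {
    mask=$1
    last_two=${mask#"${mask%??}"}        # final two octal digits
    [ "$last_two" = 77 ]
}

# Constructed sample of what getfacl prints for a correctly configured
# public_html directory (owner alice is an assumed name).
SAMPLE_ACL='# file: home/alice/public_html
# owner: alice
# group: alice
user::rwx
user:www-data:r-x
group::---
mask::r-x
other::---
default:user::rwx
default:user:www-data:r-x
default:group::---
default:mask::r-x
default:other::---'

# On a real system: getfacl ~user/public_html | acl_perms_for www-data
echo "www-data on public_html: $(printf '%s\n' "$SAMPLE_ACL" | acl_perms_for www-data)"
echo "others on public_html:   $(printf '%s\n' "$SAMPLE_ACL" | acl_other_perms)"

current_umask=$(umask)
if umask_hides_from_others "$current_umask"; then
    echo "umask $current_umask: new files are private to their owner"
else
    echo "umask $current_umask: group or others can read new files"
fi
```

The default ACL alone does nothing for files that already exist, which is why grant_webserver_access sets the access ACL recursively first; the check functions make that difference visible, since a tree with only default entries would report an empty result for www-data.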