hidepid

I'd like to run an old-fashioned shell server for a few people, i.e. users get ssh access so they can run software (their own or provided). My concern is proper separation between users.

I don't want them to see each other's processes, access each other's files (unless explicitly allowed), and so on. Keeping the option of running public services (such as web and mail hosting) alongside these security measures would be perfect.

Previously I used grsec, but that requires sticking to an older kernel and dealing with the hassle of compiling it yourself. Is there a more modern, more Ubuntu way of ensuring user separation on a shared server?

Maybe you can do something with AppArmor to this effect? Or perhaps there is a kernel repository pre-configured for shared environments? Or a container-based solution? Those have been popular lately.

Answer 1

hidepid

procfs on Linux now supports the hidepid option. From man 5 proc:

hidepid=n (since Linux 3.3)
      This   option   controls  who  can  access  the  information  in
      /proc/[pid]  directories.   The  argument,  n,  is  one  of  the
      following values:

      0   Everybody  may  access all /proc/[pid] directories.  This is
          the traditional behavior, and  the  default  if  this  mount
          option is not specified.

      1   Users  may  not  access  files and subdirectories inside any
          /proc/[pid]  directories  but  their  own  (the  /proc/[pid]
          directories  themselves  remain  visible).   Sensitive files
          such as /proc/[pid]/cmdline and /proc/[pid]/status  are  now
          protected  against other users.  This makes it impossible to
          learn whether any user is running  a  specific  program  (so
          long  as  the program doesn't otherwise reveal itself by its
          behavior).

      2   As for mode 1, but in addition the  /proc/[pid]  directories
          belonging  to other users become invisible.  This means that
          /proc/[pid] entries can no longer be used  to  discover  the
          PIDs  on  the  system.   This  doesn't  hide the fact that a
          process with a specific PID value exists (it can be  learned
          by  other  means,  for  example,  by "kill -0 $PID"), but it
          hides a process's UID and  GID,  which  could  otherwise  be
          learned  by  employing  stat(2)  on a /proc/[pid] directory.
          This greatly complicates an  attacker's  task  of  gathering
          information   about  running  processes  (e.g.,  discovering
          whether some daemon is  running  with  elevated  privileges,
          whether  another  user  is  running  some sensitive program,
          whether other users are running any program at all,  and  so
          on).

gid=gid (since Linux 3.3)
      Specifies  the  ID  of  a  group whose members are authorized to
      learn  process  information  otherwise  prohibited  by   hidepid
      (i.e.,  users  in this group behave as though /proc was mounted
      with hidepid=0).  This group should be used instead of approaches
      such as putting nonroot users into the sudoers(5) file.

So mounting /proc with hidepid=2 on Linux > 3.3 is sufficient to hide the details of other users' processes. Ubuntu 12.04 ships with 3.2 by default, but you can install a newer kernel. Ubuntu 14.04 and later easily meet this requirement.

ACL

As a first step, remove the rwx permissions for others (and for the group as well, if you wish) from each home directory. Of course, I'm assuming that the directory containing the home directories is not writable by anyone other than root.

Then use ACLs to grant services such as the web server and the mail server access to the appropriate directories. For example, to give the web server process access to users' home pages, assuming www-data is the user and ~/public_html is where the home pages are stored:

# -m modifies the ACL; X lets www-data traverse the home directory without listing it
setfacl -m u:www-data:X ~user
# default (d:) ACL: new files and subdirectories under public_html inherit read access
setfacl -m d:u:www-data:rX ~user/public_html

Similarly, add ACLs for the mail process and the mailbox directories.

At least on Ubuntu 14.04 and later, ACLs are enabled by default on ext4.

/tmp and umask

Another issue is /tmp. Set the umask so that files are neither group-readable nor world-readable, so that other users cannot access a user's temporary files.

With these three settings, users should be unable to access other users' files or to inspect their processes.
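The answer above names three controls (hidepid on /proc, home directory modes, and the umask) but gives no way to confirm they are in effect. Below is an added audit script, not part of the original answer or of any project, that checks each control. The /proc/mounts lines and the group id 1001 are constructed sample data so the functions run offline; live_audit() applies the same checks to the running host. The symbolic hidepid names (off, noaccess, invisible, ptraceable) accepted by kernels since 5.8 are mapped to their numeric levels.

```shell
#!/bin/sh
# Added example, not from the original answer: pure-shell audit helpers for
# the three controls discussed above (hidepid on /proc, home directory
# modes, umask). Inputs are constructed strings so the checks run offline;
# live_audit() feeds them real data from the host.

# Constructed /proc/mounts lines (gid 1001 is an assumed admin group).
PROC_MOUNT_HARDENED='proc /proc proc rw,nosuid,nodev,noexec,relatime,hidepid=2,gid=1001 0 0'
PROC_MOUNT_DEFAULT='proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0'

# proc_opt LINE NAME: print the value of mount option NAME=... from a
# /proc/mounts line for /proc, or nothing if the option is not set.
proc_opt() (
    line=$1; name=$2
    printf '%s\n' "$line" \
        | awk '$2 == "/proc" && $3 == "proc" { print $4 }' \
        | tr ',' '\n' \
        | sed -n "s/^${name}=//p"
)

# proc_hidepid LINE: print the effective hidepid level as a number.
# Kernels since 5.8 also accept off/noaccess/invisible/ptraceable, which
# map to 0/1/2/4; an absent option means the traditional 0.
proc_hidepid() (
    v=$(proc_opt "$1" hidepid)
    case "$v" in
        ''|off)     echo 0 ;;
        noaccess)   echo 1 ;;
        invisible)  echo 2 ;;
        ptraceable) echo 4 ;;
        *)          echo "$v" ;;
    esac
)

# home_mode_ok MODE: succeed if an octal mode (as printed by `stat -c %a`)
# grants nothing to "others", i.e. its last octal digit is 0.
home_mode_ok() {
    case "$1" in
        *0) return 0 ;;
        *)  return 1 ;;
    esac
}

# umask_ok UMASK: succeed if the umask clears every group and other bit
# (077 or 0077), so new files in /tmp are private to their creator.
umask_ok() {
    case "$1" in
        *77) return 0 ;;
        *)   return 1 ;;
    esac
}

# live_audit: run the same checks against the running host and print one
# verdict per control. Needs Linux with GNU stat (as on Ubuntu).
live_audit() {
    procline=$(awk '$2 == "/proc" && $3 == "proc"' /proc/mounts)
    level=$(proc_hidepid "$procline")
    if [ "$level" -ge 2 ]; then echo "hidepid: ok ($level)"; else echo "hidepid: WEAK ($level)"; fi
    for h in /home/*/; do
        [ -d "$h" ] || continue
        mode=$(stat -c %a "$h")
        if home_mode_ok "$mode"; then echo "$h: ok ($mode)"; else echo "$h: others have access ($mode)"; fi
    done
    if umask_ok "$(umask)"; then echo "umask: ok ($(umask))"; else echo "umask: WEAK ($(umask))"; fi
}

# Uncomment on a real host:
# live_audit
```

A hidepid level of 0 from live_audit() means /proc is mounted with the traditional options; the corresponding fstab entry to fix it is `proc /proc proc defaults,hidepid=2,gid=<admin group> 0 0`, where the gid= group is the one from the man page excerpt that is allowed to see all processes.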
