Security Forums

Restricted Access to Certain Binaries

Weaver
Trusted SF Member
Posted: Fri Oct 08, 2004 8:05 pm    Post subject: Restricted Access to Certain Binaries

Does anyone know of a *nix equivalent to Windows "Software Restriction Policies"? Basically, what I want to do is not allow certain binaries with a specific name or that match a given hash to run on a Linux machine.

This isn't terribly difficult to implement in Windows using the above mentioned policies. However, I have not been able to find a *nix equivalent.

If I have to write a kernel module this would definitely be a good excuse to learn more about kernel programming (something I have only dabbled in).

The setup needs to be able to do the following:

A list is kept in some form, listing both the name and a hash of the binaries that are NOT allowed by given users.

The module/program will then note when a binary of given name or hash is being executed, using a logical OR on the name or hash. If the UID is not in the "allowed" list of UIDs, then they are not able to execute the binary.

Again, if anyone knows of any existing software/modules, please let me know. If anyone has any insight as to the level of kernel knowledge required to implement such a module, please let me know.

Thanks.

-Weaver
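
Added example (not part of the original post, and not an existing tool): the decision rule described above, written as a POSIX shell function. The policy file format, the names `file_hash`, `exec_allowed` and `blockedtool`, and the use of `sha256sum` are assumptions; this only decides allow or deny, and enforcing it at exec time would still need a kernel-level hook such as the module mentioned in the post.

```shell
#!/bin/sh
# Decision logic only: name OR hash match, with per-entry exempt UIDs.
# Policy line format (an assumption for this example):
#   <name> <sha256> <comma-separated UIDs exempt from this entry, or ->

file_hash() { sha256sum "$1" | cut -d' ' -f1; }

# exec_allowed UID PATH POLICY: returns 0 if UID may run PATH, 1 if denied.
exec_allowed() {
    awk -v uid="$1" -v name="$(basename "$2")" -v hash="$(file_hash "$2")" '
        /^#/ || NF < 3 { next }
        # Logical OR: an entry applies if the name OR the hash matches.
        # Appending "" forces string comparison, even for all-digit names.
        ($1 "") == (name "") || ($2 "") == (hash "") {
            n = split($3, exempt, ",")
            for (i = 1; i <= n; i++) if (exempt[i] == uid) next
            denied = 1
        }
        END { exit (denied ? 1 : 0) }
    ' "$3"
}

# Constructed demo files: a stand-in "binary", a renamed copy of it,
# a different file that reuses the name, and an unrelated file.
demo_setup() {
    d=$(mktemp -d); mkdir "$d/alt"
    printf 'constructed blocked content\n' > "$d/blockedtool"
    cp "$d/blockedtool" "$d/notes"
    printf 'different bytes, same name\n' > "$d/alt/blockedtool"
    printf 'unrelated\n' > "$d/editor"
    printf 'blockedtool %s 0\n' "$(file_hash "$d/blockedtool")" > "$d/policy"
    echo "$d"
}

d=$(demo_setup)
for t in "1000 $d/blockedtool" "1000 $d/notes" "1000 $d/alt/blockedtool" \
         "0 $d/blockedtool" "1000 $d/editor"; do
    set -- $t
    if exec_allowed "$1" "$2" "$d/policy"; then verdict=allow; else verdict=deny; fi
    echo "uid=$1 $2: $verdict"
done
rm -rf "$d"
```
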

Cass
Lurker
Posted: Fri Oct 08, 2004 11:06 pm

Hi Weaver,

I'm not sure if I'm understanding your requirements correctly, but Linux has built-in tools to restrict access to files and folders. The commands I'm thinking of are:

chown :- change the owner of a file to a certain user
chgrp :- change the binary to be accessible by users in a certain group
chmod :- change the overall permissions of the file

# chown cass filename.ksh

will change the file to be owned by me, if you run

# chmod 700 filename.ksh

only the user cass will be able to run this.

If I run this command

# chgrp mygroup filename.ksh

then run

# chmod 770 filename.ksh

owner cass and any users in the mygroup group will be able to run the file.

The group can be found at :-

/etc/group

Have a read of the man page for each of the above commands for further info.

If I have misunderstood you, apologies for wasting your reading time ;)

Oh, also you could check out the NSA extensions to the Linux kernel; this can add further granularity on this.

http://www.nsa.gov/selinux/index.cfm

Edit :- You could also, when I think about it, implement ACLs. Run a Google search for Linux ACL for a lot more info.

Rgds
Cass

Weaver
Trusted SF Member
Posted: Fri Oct 08, 2004 11:27 pm

Thanks for the response. I am familiar with the *nix permission system and have employed its services many times. Unfortunately that isn't exactly what I am looking for here.

Here is the situation. This is going to be for campus machines running Linux or Mac OSX. We want to restrict access to certain programs/binaries. The permission system would work fine for system binaries, but would not work if a user were to download and run the binary from their home directory.

I don't expect this to be the end-all solution, but if we could block by name and/or hash that would be initially sufficient.

-Weaver

Cass
Lurker
Posted: Fri Oct 08, 2004 11:42 pm

Hmm, this will be difficult to do, I think. It's the download to the local system that is the hard part. The only way I would think of is to restrict access to the files users can download: if you don't trust the users in question, block the access to it. If this is a LAN file server we're talking about, have authentication to get the files, i.e. ACLs for the likes of NFS shares, passwd auth for FTP, etc. Also, it might be possible to restrict exec access to binaries by mounting the homedir noexec, if this is NFS we speak about. It might not prevent users running from the likes of /var/tmp though, or be practical for other allowed use :(

I am unfortunately unfamiliar with Windows policies to get an exact handle of what you need; best I can think of at the mo :)

Cass

Weaver
Trusted SF Member
Posted: Sat Oct 09, 2004 1:08 am

Thanks for the ideas, I'll keep working on it. I think a kernel module might be my best bet.

-Weaver

Cass
Lurker
Posted: Sat Oct 09, 2004 1:46 am

It sounds like this is something that should be available on Linux. I haven't heard of something similar anyway. If you do decide to write a kernel module for this, I'm sure it'd be worthwhile and useful to others. Keep us posted if it happens.

Cheers
Cass

0x54
Just Arrived
Posted: Sat Oct 09, 2004 7:00 am

You could do this with systrace,
though that's kind of a heavy-duty solution and *will* take a long long long time to configure. Too long perhaps, though when I give folk shells (for whatever reason), they're systraced (stsh <3).

(I know that isn't a useful suggestion, due to the effort required to configure it :( )

hads
Trusted SF Member
Posted: Sat Oct 09, 2004 7:59 am

I realise this isn't exactly what you are asking for, but just in case you haven't thought of it, how about the noexec option for mount? Could be of use somewhere in the scheme of things.

HTH.

dlab
Just Arrived
Posted: Fri Oct 29, 2004 12:29 am

Yeah, if you have all user-writable directories in their own partitions, you can try using the noexec option, which would prevent running binaries from those mounts.

/dev/hda3 /home ext3 defaults,sync,acl,noexec 1 1

or if you don't have partitions for those, try

mkdir /loop
dd if=/dev/urandom of=/loop/home bs=1M count=2048 # 2 Gig /home
*wait*
mkfs -t ext3 /loop/home
*should warn you about it not being a block device.*
*edit /etc/fstab and add:
/loop/home /home ext3 defaults,async,acl,noexec,loop 1 2

make sure you do this for all dirs that are writable by users, like /var/spool/mail, /tmp, /usr/tmp, and /var/tmp.
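
Added example (not part of the original post): a POSIX shell check that reports which of the user-writable directories listed above sit on a mount without noexec, including directories that have no partition of their own and so inherit the options of a parent mount. The function names and the sample table are constructed for illustration; only `/dev/hda3 /home` comes from the post, and the input is assumed to be in `/proc/mounts` format.

```shell
#!/bin/sh
# Audit user-writable directories for a missing noexec mount option.
# Table format: device mountpoint fstype options dump pass

# Print the options of the mount covering directory $1, using table file $2.
# The covering mount is the longest mount point that is a path prefix of $1;
# ">=" lets a later mount on the same mount point win.
mount_opts_for() {
    awk -v dir="$1" '
        {
            mp = $2
            if (mp == dir || mp == "/" || index(dir, mp "/") == 1) {
                if (length(mp) >= best) { best = length(mp); opts = $4 }
            }
        }
        END { print opts }
    ' "$2"
}

# audit_noexec TABLE DIR...: print each DIR whose covering mount lacks noexec.
audit_noexec() {
    table="$1"; shift
    for dir in "$@"; do
        opts=$(mount_opts_for "$dir" "$table")
        case ",$opts," in
            *,noexec,*) ;;                 # executables cannot run from here
            *) printf '%s\n' "$dir" ;;     # finding: exec is still possible
        esac
    done
}

# Constructed sample table: /home and /tmp have their own noexec mounts,
# the other directories fall through to the root filesystem.
sample_mounts() {
cat <<'EOF'
/dev/hda1 / ext3 rw 0 0
/dev/hda3 /home ext3 rw,sync,acl,noexec 0 0
/dev/hda5 /tmp ext3 rw,noexec,nosuid 0 0
EOF
}

# Directories named in the post above.
USER_WRITABLE="/home /tmp /var/tmp /usr/tmp /var/spool/mail"

# Demo on the constructed table; on a real host pass /proc/mounts instead.
tmp=$(mktemp) && sample_mounts > "$tmp"
audit_noexec "$tmp" $USER_WRITABLE
rm -f "$tmp"
```
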

All times are GMT + 2 Hours