Results 1 to 6 of 6

Thread: apparmor protecting files from users

  1. #1
    Join Date
    Sep 2006
    Beans
    45

    apparmor protecting files from users

    Hi,

    It seems that AppArmor can't be effectively used to protect read access
    to files from users (including roots). It is possible to create a profile
    for, eg, 'cat', but then the users can use 'less'.

    Is this true? Should use SELinux instead for this?

    Thanks!

  2. #2
    Join Date
    Oct 2009
    Beans
    Hidden!
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: apparmor protecting files from users

    What are you wanting them to not have read access to?
    Come to #ubuntuforums! We have cookies! | Basic Ubuntu Security Guide

    Tomorrow's an illusion and yesterday's a dream, today is a solution...

  3. #3
    Join Date
    Apr 2006
    Location
    Montana
    Beans
    Hidden!
    Distro
    Kubuntu Development Release

    Re: apparmor protecting files from users

    Quote Originally Posted by freemant View Post
    Hi,

    It seems that AppArmor can't be effectively used to protect read access
    to files from users (including roots). It is possible to create a profile
    for, eg, 'cat', but then the users can use 'less'.

    Is this true? Should use SELinux instead for this?

    Thanks!
    Depends on what you are wanting to do and how familiar you are with selinux.

    I restrict users with "jailbash"

    http://ubuntuforums.org/showpost.php...56&postcount=5

    Jailbash would restrict root as well (assuming you set jailbash as roots default shell).

    IMO the advantage of selinux is that it is more mature, meaning more tested and there are more default policies then apparmor. There are also better tools to manage selinux.

    BUT writing a selinux policy form scratch can be a bit of work.

    The advantage of apparmor is that the syntax is very easy to learn, but you often have to write your own policies and at times documentation and debugging tools are lacking.
    There are two mistakes one can make along the road to truth...not going all the way, and not starting.
    --Prince Gautama Siddharta

    #ubuntuforums web interface

  4. #4
    Join Date
    Sep 2006
    Beans
    45

    Re: apparmor protecting files from users

    Thanks for the replies. What I'd like to do is to protect the DB access credential (in a file) from the OS admin (root) so that even root can't modify the DB (on the DB server).

    I don't understand how jailbash would meet the requirement as root must be able to run 'cat' and 'less' to perform his rightful duties.

  5. #5
    Join Date
    Apr 2006
    Location
    Montana
    Beans
    Hidden!
    Distro
    Kubuntu Development Release

    Re: apparmor protecting files from users

    Quote Originally Posted by freemant View Post
    Thanks for the replies. What I'd like to do is to protect the DB access credential (in a file) from the OS admin (root) so that even root can't modify the DB (on the DB server).

    I don't understand how jailbash would meet the requirement as root must be able to run 'cat' and 'less' to perform his rightful duties.
    Well, you will have to write an apparmor profile to do this for you. It is not *that* hard to allow access to cat, less, or any other command yet restrict access to other files and binaries. If you deny access to a file, foo, with apparmor, you can not read foo with cat or less.

    I am not sure selinux will do this out of the box, but if so, or if you prefer selinux, stay with selinux.
    There are two mistakes one can make along the road to truth...not going all the way, and not starting.
    --Prince Gautama Siddharta

    #ubuntuforums web interface

  6. #6
    Join Date
    Sep 2006
    Beans
    45

    Re: apparmor protecting files from users

    After studying apparmor more, I think that this can be done by:
    1) using a jailbash.
    2) using a profile for jailbash to restrict access to that secret file, while allowing access to almost everything (required by root to perform normal duties).
    3) configuring the profile so that jailbash executes all child processes with inherited transition (ix) so that they inherit the profile of jailbash to prevent them from accessing that secret file.
    4) amending 3) so that for selected child processes, they run with their own probably more restricted profiles.

    While this can be done, I think 4) will take a lot of effort. The ideal solution would be for apparmor to support intersecting the profiles for the parent and the child (e.g., combining the explicit deny rules).

Tags for this Thread

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •