hidepid

tag-icon tag-icon server kernel ssh security multi-user
hidepid

我想为几个人运行一个老式的 shell 服务器,即用户可以通过 ssh 访问权限运行软件(他们自己的或提供的)的服务器。我关心的是用户之间的适当分离。

我不希望他们查看彼此的进程、访问彼此的文件(除非明确允许)等。最好不要被每个特权升级错误所困扰,也不要因为每次内核小更新而重新启动服务器。如果能保留运行常见服务(如 Web 和邮件托管)的选项,并采取这些安全措施,那就再好不过了。

以前我使用过 grsec,但是这需要使用较旧的内核并处理自己编译的麻烦。有没有更现代、更 Ubuntu 的方式来确保共享服务器上的用户分离?

也许你可以用 AppArmor 来做点什么?或者也许有一个为共享环境预先配置的内核存储库?或者一个基于容器的解决方案?这些最近很流行。

答案1

hidepid

procfsLinux 上现在支持该hidepid选项。从man 5 proc

hidepid=n (since Linux 3.3)
      This   option   controls  who  can  access  the  information  in
      /proc/[pid]  directories.   The  argument,  n,  is  one  of  the
      following values:

      0   Everybody  may  access all /proc/[pid] directories.  This is
          the traditional behavior, and  the  default  if  this  mount
          option is not specified.

      1   Users  may  not  access  files and subdirectories inside any
          /proc/[pid]  directories  but  their  own  (the  /proc/[pid]
          directories  themselves  remain  visible).   Sensitive files
          such as /proc/[pid]/cmdline and /proc/[pid]/status  are  now
          protected  against other users.  This makes it impossible to
          learn whether any user is running  a  specific  program  (so
          long  as  the program doesn't otherwise reveal itself by its
          behavior).

      2   As for mode 1, but in addition the  /proc/[pid]  directories
          belonging  to other users become invisible.  This means that
          /proc/[pid] entries can no longer be used  to  discover  the
          PIDs  on  the  system.   This  doesn't  hide the fact that a
          process with a specific PID value exists (it can be  learned
          by  other  means,  for  example,  by "kill -0 $PID"), but it
          hides a process's UID and  GID,  which  could  otherwise  be
          learned  by  employing  stat(2)  on a /proc/[pid] directory.
          This greatly complicates an  attacker's  task  of  gathering
          information   about  running  processes  (e.g.,  discovering
          whether some daemon is  running  with  elevated  privileges,
          whether  another  user  is  running  some sensitive program,
          whether other users are running any program at all,  and  so
          on).

gid=gid (since Linux 3.3)
      Specifies  the  ID  of  a  group whose members are authorized to
      learn  process  information  otherwise  prohibited  by   hidepid
      (ie/e/,  users  in this group behave as though /proc was mounted
      with hidepid=0.  This group should be used instead of approaches
      such as putting nonroot users into the sudoers(5) file.

因此,使用 挂载/proc足以hidepid=2隐藏 Linux > 3.3 上其他用户进程的详细信息。Ubuntu 12.04 默认自带 3.2,但您可以安装较新的内核。Ubuntu 14.04 及以上版本可轻松满足此要求。

ACL

第一步,rwx从每个主目录中删除其他人的权限(如果需要,也删除组的权限)。当然,我假设包含主目录的文件夹对除 root 之外的任何人都没有写入权限。

然后,使用 ACL 授予 Web 服务器和邮件服务器等服务对相应目录的访问权限。例如,要授予 Web 服务器进程对用户主页的访问权限,假设www-data是用户,并且~/public_html是主页保存的位置:

setfacl u:www-data:X ~user
setfacl d:u:www-data:rX ~user/public_html

类似地,为邮件流程和邮箱目录添加 ACL。

至少在 Ubuntu 14.04 及更高版本上,ACL 在 ext4 上默认启用。

/tmpumask

另一个问题是/tmp。设置umask文件不可由组或世界读取,这样用户的临时文件就不能被其他用户访问。

通过这三种设置,用户就不能访问其他用户的文件,或者检查他们的进程。

相关内容