[systemd-devel] grant users access to certain services only

Dominick Grift dac.override at gmail.com
Fri Aug 21 03:37:09 PDT 2015


On Fri, Aug 21, 2015 at 08:25:56PM +1000, Daurnimator wrote:
> On 21 August 2015 at 19:57, Dominick Grift <dac.override at gmail.com> wrote:
> > I think it kind of sucks that systemctl --user list-units can be used to
> > determine who is currently logged in.
> 
> You can see with `loginctl list-users` too

My restricted users currently cannot run loginctl. If they could, then
there may or may not be a way to transparently deny access to that info
using SELinux (not sure, I would have to try it).

> 
> I once tried to prevent getting a list of users, but it's hard... I locked out:
>   - `w` and `who` (uses /var/run/utmp; do chmod o-r)
>   - `grep -h '^Uid:' /proc/*/status | sort -u` (prevent with procfs
> option hidepid=2)
>   - ls /run/user (do chmod o-r)

I think I do have it working currently (at least mostly). Except for systemctl --user
list-units

I am basically using SELinux to isolate processes based on roles and
types

access to wtmp is denied with TE
access to process state is isolated using RBACSEP
access to df -h is restricted to generic file systems only (tmpfs fs
doesn't show up)
access to pts/ttys and other "files" are isolated using RBACSEP

-- 
02DFF788
4D30 903A 1CF3 B756 FB48  1514 3148 83A2 02DF F788
http://keys.gnupg.net/pks/lookup?op=vindex&search=0x314883A202DFF788
Dominick Grift
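
The three lockdowns listed in the quoted message above (utmp permissions, the procfs hidepid=2 option, /run/user permissions) can be audited with a short script. This is an added example, not part of the original post: the function names are hypothetical, `stat -c` assumes GNU coreutils, and accepting `invisible` as the newer-kernel spelling of hidepid=2 is an assumption beyond what the thread states.

```shell
#!/bin/sh
# Added example: audit the settings named in the thread.

# hidepid_value MOUNTS_FILE
# Prints the hidepid option of the /proc mount, or "0" if the option is absent.
hidepid_value() {
    awk '$3 == "proc" && $2 == "/proc" {
        n = split($4, opts, ",")
        v = "0"
        for (i = 1; i <= n; i++)
            if (opts[i] ~ /^hidepid=/) v = substr(opts[i], 9)
        print v
        exit
    }' "$1"
}

# other_readable OCTAL_MODE
# Succeeds when the "other" read bit is set (last octal digit is 4..7).
other_readable() {
    last=${1#"${1%?}"}
    case $last in
        4|5|6|7) return 0 ;;
        *) return 1 ;;
    esac
}

# audit MOUNTS_FILE UTMP_PATH RUNUSER_PATH
# Returns non-zero if any of the three settings is weaker than in the thread.
audit() {
    rc=0
    case $(hidepid_value "$1") in
        2|invisible) echo "ok   /proc hides other users' processes" ;;
        *) echo "FAIL /proc mounted without hidepid=2"; rc=1 ;;
    esac
    for p in "$2" "$3"; do
        mode=$(stat -c %a "$p" 2>/dev/null) || { echo "skip $p (missing)"; continue; }
        if other_readable "$mode"; then
            echo "FAIL $p is other-readable (mode $mode)"; rc=1
        else
            echo "ok   $p (mode $mode)"
        fi
    done
    return $rc
}

# Run against the live system only when asked to.
if [ "${1:-}" = "--run" ]; then
    audit /proc/mounts /var/run/utmp /run/user
fi
```

As the thread notes, these checks do not cover `loginctl list-users` or `systemctl --user list-units`.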