Limit execution to specific users

Support for security such as Firewalls and securing linux
Post Reply
User avatar
KernelOops
Posts: 347
Joined: 2013/12/18 15:04:03
Location: xfs file system

Limit execution to specific users

Post by KernelOops » 2020/10/08 07:06:32

Does anyone know if it is possible to restrict execution of /usr/bin/perl (or other similar /usr/bin file) to a specific list of users?

Thank you.
--
I love my computer - all my friends live there.
--

User avatar
jlehtone
Posts: 3101
Joined: 2007/12/11 08:17:33
Location: Finland

Re: Limit execution to specific users

Post by jlehtone » 2020/10/08 08:11:02

File permissions? (If complex, then with ACLs.)
SELinux contexts?

That can get tricky, if system service with various accounts use those executables.
Furthermore, does 'dnf update' (re)set permissions?

User avatar
KernelOops
Posts: 347
Joined: 2013/12/18 15:04:03
Location: xfs file system

Re: Limit execution to specific users

Post by KernelOops » 2020/10/08 08:22:13

Indeed its tricky.

The packages that I've seen, do not reset file permissions for existing and modified files, so that is not a problem.

A simple binary like /usr/bin/wget can be easily restricted via file permissions, like 0700 (-rwx------), then only root is able to run wget.

But, as you mention above, this will cause many problems for a binary file that is executed by system services that run as their own user, for example /usr/bin/perl.

I don't know how to use ACLs, maybe someone who knows more could provide some information. I'll take a look at SELinux and see if there is anything close to what I want.
--
I love my computer - all my friends live there.
--

gostal
Posts: 52
Joined: 2019/09/23 15:26:45

Re: Limit execution to specific users

Post by gostal » 2020/10/08 14:45:59

Perhaps ordinary file permissions suffice.

Create a specific group for the Program in point e.g. Progusers. Choose a descriptive name.
Set the group of the program to be that group instead of root.
Set permissions to 774 or 754 if group members should not be able to change the file, only run it. Restrict world access to 4 or 0.
Make all users allowed to run the program a member of Progusers

Should work if not selinux gets in the way but it should be possible to create a rule for that purpose should it occur.
Desktop Dell T5810 Intel(R) Xeon(R) CPU E5-1650 v4 @ 3.60GHz, 72 GB RAM, Radeon Pro WX 7100
CentOS 7.8.2003

Post Reply

Return to “CentOS 8 - Security Support”