Ticket #7606 (closed enhancement: fixed)

Opened 5 years ago

Last modified 5 years ago

Confine DS-backup ssh+rsync

Reported by: martinlanghoff Owned by: douglas
Priority: normal Milestone: xs-0.4
Component: school server Version: not specified
Keywords: ds-backup Cc: martin.langhoff
Action Needed: never set Verified: no
Deployments affected: Blocked By:
Blocking:

Description

DS-Backup is using ssh+rsync - we need to confine the SSH access with one or more of

* rssh * chroot * SELinux

Rahul has already done an initial RSSH package for us - see https://bugzilla.redhat.com/show_bug.cgi?id=456182

Change History

Changed 5 years ago by martinlanghoff

rssh is in the XS repo now, so task now breaks into

  • provide a config file in xs-config that allows rsync and sftp
  • change idmgr to set the appropriate shell, and also add users to a "xousers" group
  • idmgr upgrade script to add shell & group membership to preexisting accts
  • idmgr to depend on rssh, & version of xs-config
  • test that ds-backup clients still work correctly

Changed 5 years ago by martin.langhoff

  • owner changed from martinlanghoff to martin.langhoff

Changed 5 years ago by martin.langhoff

  • milestone changed from xs-0.3 to xs-0.4

Changed 5 years ago by douglas

  • owner changed from martin.langhoff to douglas
  • status changed from new to assigned

Changed 5 years ago by cjb

Hm, I don't understand. Why do we need to do this? Doesn't the benefit kids would get from access to a machine that they're likely to understand more about than their administrators outweigh security reasons (which haven't been explained here) for not allowing them access?

I'm fine with compartmentalizing users to their own uid, but this work seems to go farther than that into limiting them to no shell access whatsoever. That sounds like a mistake to me.

Changed 5 years ago by douglas

hi cjb,

You might be right, but that sounds like a different bug ("give kids secure shell access").

I'll close this one soon.

Changed 5 years ago by martin.langhoff

  • cc martin.langhoff added

Hi Chris - for now at least...

  • There's nothing in the XS for kids that can be used via shell.
  • XS provides infrastructure, so we don't want them to experiment with it as they are likely to unknowingly mess up everyone's access.
  • The "admins" of the machine are the NOC, not the teacher, so it is fair to assume that they know linux.
  • We hand out an account to anyone who does an XML-RPC dance with us.

With the last point in mind, I want to limit the access that a user created with a weakly authenticated mechanism has. Privilege escalation bugs are a serious concern.

If we later provide facilities to be explored via shell, we'll revisit this. In the meantime, they have their own Linux machine to play with, with the advantage that if a kid messes up, it only affects that kid and his/her files are hopefully backed up so can be retrieved after a reflash.

Changed 5 years ago by martin.langhoff

The rpms are done and published, and the rssh.conf has made it into xs-config too. Calling it done.

Changed 5 years ago by martin.langhoff

  • status changed from assigned to closed
  • resolution set to fixed
Note: See TracTickets for help on using tickets.