
How to limit privileged user access at Linux Kernel level?

I found this answer on learning Linux Kernel Programming and my question is more specific for the security features of the Linux Kernel. I want to know how to limit privileged users or process’s access rights to other processes and files in contrast to full access of root.

Until now I found:

  • user and group for Discretionary Access Control (DAC), with differentiation in read, write and execute for user, group and other
  • user root for higher privileged tasks
  • setuid and setgid to extend users' DAC and set the group/user ID of the calling process, e.g. a user runs ping with root rights to open Linux sockets
  • Capabilities for fine-grained rights, e.g. remove suid bit of ping and set cap_net_raw
  • Control Groups (Cgroups) to limit access on resources i.e. cpu, network, io devices
  • Namespace to separate process’s view on IPC, network, filesystem, pid
  • Secure Computing (Seccomp) to limit system calls
  • Linux Security Modules (LSM) to add additional security features like Mandatory Access Control, e.g. SELinux with Type Enforcement

Is the list complete? While writing the question I found fanotify to monitor filesystem events, e.g. for antivirus scans. Probably there are more security features available.

Are there any more Linux security features which could be used in a programmable way from inside or outside of a file or process to limit privileged access? Perhaps there is a complete list.


Answer

The traditional Unix way to limit a process that somehow needs more privileges, and yet contain it so that it cannot use more than what it needs, is to “chroot” it.

chroot changes the apparent root of a process. If done right, it can only access those resources inside that newly created chroot environment (a.k.a. chroot jail), e.g. it can only access those files, but also only those devices etc.

To create a process that does this willingly is relatively easy, and not that uncommon.

To create an environment where an existing piece of software (e.g. a webserver, mailserver, …) feels at home in and still functions properly is something that requires experience. The main thing is to find the minimal set of resources needed (shared libraries, configuration files, devices, dependent services (e.g. syslog), … ).
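The "if done right" in the answer above is where most chroot setups fail, so here is an added example (not the answer's own code) of the order of operations that actually confines a process: validate the jail root, chdir into it, chroot, chdir to the new root, drop supplementary groups, then drop group and user ID, and finally verify that root cannot be regained. It assumes it runs as root on Linux, that JAIL_DIR (hypothetical path) has already been populated with the minimal file set the answer describes, and that 65534 is the unprivileged uid/gid.

```python
# Added example, not code from the original answer: a chroot that confines.
# Assumptions: runs as root on Linux; JAIL_DIR exists and is already
# prepared; uid/gid 65534 is the unprivileged identity (hypothetical values).
import os
import stat

JAIL_DIR = "/var/jail/example"   # hypothetical, assumed prepared
UNPRIV_UID = 65534
UNPRIV_GID = 65534


def jail_problems(mode, owner_uid, is_symlink):
    """Pure check on the jail root's attributes; returns a list of findings.
    A jail root the confined identity can write to, or that root does not
    own, lets the confined process rearrange its own environment."""
    problems = []
    if not stat.S_ISDIR(mode):
        problems.append("not a directory")
    if is_symlink:
        problems.append("is a symlink")
    if owner_uid != 0:
        problems.append("not owned by root")
    if mode & stat.S_IWOTH:
        problems.append("world-writable")
    if mode & stat.S_IWGRP:
        problems.append("group-writable")
    return problems


def check_jail_dir(path):
    """Run jail_problems() against the real directory, without following symlinks."""
    st = os.lstat(path)
    return jail_problems(st.st_mode, st.st_uid, stat.S_ISLNK(st.st_mode))


def enter_jail(path, uid, gid):
    """chdir, chroot, then drop every privilege, in that order."""
    problems = check_jail_dir(path)
    if problems:
        raise RuntimeError(f"refusing to use {path}: {', '.join(problems)}")
    os.chdir(path)        # cwd must already be inside the jail
    os.chroot(path)       # needs CAP_SYS_CHROOT, i.e. still root here
    os.chdir("/")         # re-anchor cwd to the new root
    os.setgroups([])      # setgid does not clear supplementary groups
    os.setresgid(gid, gid, gid)   # group first: setuid would forbid it afterwards
    os.setresuid(uid, uid, uid)   # real, effective and saved uid, so no way back


def privileges_irrevocable():
    """True if the process can neither regain root nor chroot again."""
    if os.getuid() == 0 or os.geteuid() == 0:
        return False
    try:
        os.setuid(0)
        return False          # saved uid was still 0: the drop was incomplete
    except PermissionError:
        pass
    try:
        os.chroot("/")
        return False          # CAP_SYS_CHROOT survived the uid change
    except PermissionError:
        return True


if __name__ == "__main__":
    enter_jail(JAIL_DIR, UNPRIV_UID, UNPRIV_GID)
    print("confined and privileges irrevocable:", privileges_irrevocable())
```

Two details carry most of the security value: setresuid() sets the saved uid as well, so a later setuid(0) fails, and the setgroups() call removes group memberships that would otherwise silently survive the identity change. Once privileges_irrevocable() returns True, the process would exec the confined program that lives inside the jail.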

User contributions licensed under: CC BY-SA