Dam*_*nal 9 | tags: server, ssh, security, kernel, multi-user
I'd like to run an old-fashioned shell server for a few people, i.e. one where users get ssh access so they can run software (their own or provided). My concern is proper separation between users.
I don't want them to see each other's processes, access each other's files (unless explicitly allowed), and so on. Preferably without being bothered by every privilege escalation bug, or having to reboot the server on every minor kernel update. Keeping the option of running public services (like web and mail hosting) with these security measures in place would be perfect.
Back in the day I used grsec, but that required running an older kernel and dealing with the hassle of compiling it myself. Is there a more modern, more Ubuntu way of ensuring user separation on a shared server?
Maybe something can be done with AppArmor to achieve this? Or maybe there is a kernel repository preconfigured for shared environments? Or a container-based solution? Those are popular lately.
hidepid: procfs on Linux now supports the hidepid option. From man 5 proc:
hidepid=n (since Linux 3.3)
This option controls who can access the information in
/proc/[pid] directories. The argument, n, is one of the
following values:
0 Everybody may access all /proc/[pid] directories. This is
the traditional behavior, and the default if this mount
option is not specified.
1 Users may not access files and subdirectories inside any
/proc/[pid] directories but their own (the /proc/[pid]
directories themselves remain visible). Sensitive files
such as /proc/[pid]/cmdline and /proc/[pid]/status are now
protected against other users. This makes it impossible to
learn whether any user is running a specific program (so
long as the program doesn't otherwise reveal itself by its
behavior).
2 As for mode 1, but in addition the /proc/[pid] directories
belonging to other users become invisible. This means that
/proc/[pid] entries can no longer be used to discover the
PIDs on the system. This doesn't hide the fact that a
process with a specific PID value exists (it can be learned
by other means, for example, by "kill -0 $PID"), but it
hides a process's UID and GID, which could otherwise be
learned by employing stat(2) on a /proc/[pid] directory.
This greatly complicates an attacker's task of gathering
information about running processes (e.g., discovering
whether some daemon is running with elevated privileges,
whether another user is running some sensitive program,
whether other users are running any program at all, and so
on).
gid=gid (since Linux 3.3)
Specifies the ID of a group whose members are authorized to
learn process information otherwise prohibited by hidepid
(i.e., users in this group behave as though /proc was mounted
with hidepid=0). This group should be used instead of approaches
such as putting nonroot users into the sudoers(5) file.
So mounting /proc with hidepid=2 is enough to hide the details of other users' processes on Linux > 3.3. Ubuntu 12.04 ships with 3.2 by default, but you can install a newer kernel. Ubuntu 14.04 and later easily meet this requirement.
First, remove the rwx permissions for others (and for the group too, if desired) from every home directory. Naturally, I'm assuming the directory containing the home directories is not writable by anyone but root.
Then use ACLs to grant services such as the web server and mail server access to the appropriate directories. For example, to give the web server process access to users' home pages, assuming it runs as the www-data user and ~/public_html is where the home pages are kept:
setfacl -m u:www-data:X ~user                      # let www-data traverse the home directory only
setfacl -R -m u:www-data:rX ~user/public_html      # read existing files, traverse subdirectories
setfacl -m d:u:www-data:rX ~user/public_html       # default ACL so newly created files inherit it
Similarly, add ACLs for the mail process and the mailbox directories.
On Ubuntu 14.04 and later, at least, ACLs are enabled on ext4 by default.
/tmp and umask: another issue is /tmp. Set the umask so that files are neither group-readable nor world-readable, so that other users cannot access a user's temporary files.
With these three settings, users should not be able to access other users' files or inspect their processes.
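The three settings in the answer above (hidepid on /proc, home directories closed to others, a umask that keeps group and other read bits off) are easy to get subtly wrong, so here is a small POSIX sh audit script as an added example; it is not part of the original answer. It prints the fstab line the answer implies (the `adm` group as the hidepid exception group is an assumption), checks that every home directory under a given parent denies "others", and checks a numeric umask value. It only inspects and prints, so it needs no root; applying the mount and ACL changes is still done by hand as the answer describes.

```shell
#!/bin/sh
# Added example, not from the original answer. Inspect-only helpers for the
# three separation settings: hidepid on /proc, closed home directories, umask.

# Print the /etc/fstab line that mounts /proc with hidepid=2 while members of
# the given group (assumed default: adm) can still see every process.
proc_fstab_line() {
    gid="${1:-adm}"
    printf 'proc /proc proc defaults,hidepid=2,gid=%s 0 0\n' "$gid"
}

# Return 0 when "others" have no r/w/x bits on the given path, 1 otherwise.
# Parses ls -ld (characters 8-10 are the "other" bits) so it works without GNU stat.
others_have_no_access() {
    mode=$(ls -ld "$1" | cut -c8-10)
    [ "$mode" = "---" ]
}

# Return 0 when every directory directly under the parent denies "others",
# printing one line per directory; return 1 if any is exposed.
check_homes() {
    parent="$1"
    rc=0
    for d in "$parent"/*/; do
        [ -d "$d" ] || continue
        if others_have_no_access "$d"; then
            echo "ok      $d"
        else
            echo "EXPOSED $d (others have access)"
            rc=1
        fi
    done
    return $rc
}

# Return 0 when a numeric umask (e.g. 077) masks off both the group-read and
# other-read bits (octal 044 = decimal 36), which is what the answer asks for.
# Note that the common 027 fails this check: it still leaves files group-readable.
umask_hides_files() {
    [ $(( 0$1 & 044 )) -eq 36 ]
}

# Usage: sh audit_shell_server.sh /home   (inspect only; no root required)
if [ "$#" -gt 0 ]; then
    echo "fstab line to apply:"; proc_fstab_line adm
    check_homes "$1"
    if umask_hides_files "$(umask)"; then
        echo "umask $(umask): ok"
    else
        echo "umask $(umask): new files would be readable by other users"
    fi
fi
```

The umask check deliberately rejects 027 as well as 022: the answer asks for files that are neither group- nor world-readable, and 027 only clears the world bits. Run the script against the parent of the home directories after the chmod step to confirm nothing was missed.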