
How to limit privileged user access at Linux Kernel level?

I found this answer on learning Linux Kernel Programming and my question is more specific to the security features of the Linux Kernel. I want to know how to limit a privileged user's or process's access rights to other processes and files, in contrast to the full access of root.

So far I have found:

  • user and group for Discretionary Access Control (DAC), with differentiation in read, write and execute for user, group and other
  • user root for higher privileged tasks
  • setuid and setgid to extend a user's DAC and set the group/user ID of the calling process, e.g. a user runs ping with root rights to open Linux sockets
  • Capabilities for fine-grained rights, e.g. remove the suid bit of ping and set cap_net_raw
  • Control Groups (cgroups) to limit access to resources, i.e. CPU, network, I/O devices
  • Namespaces to separate a process's view of IPC, network, filesystem, PID
  • Secure Computing (seccomp) to limit system calls
  • Linux Security Modules (LSM) to add additional security features like Mandatory Access Control, e.g. SELinux with Type Enforcement

Is the list complete? While writing the question I found fanotify to monitor filesystem events, e.g. for anti-virus scans. Probably there are more security features available.

Are there any more Linux security features which could be used in a programmable way from inside or outside of a file or process to limit privileged access? Perhaps there is a complete list.

The traditional Unix way to limit a process that somehow needs more privileges, and yet contain it so that it cannot use more than what it needs, is to "chroot" it.

chroot changes the apparent root of a process. If done right, it can only access those resources inside that newly created chroot environment (aka chroot jail), e.g. it can only access those files, but also only those devices etc.

To create a process that does this willingly is relatively easy, and not that uncommon.

To create an environment where an existing piece of software (e.g. a webserver, mailserver, ...) feels at home and still functions properly is something that requires experience. The main thing is to find the minimal set of resources needed (shared libraries, configuration files, devices, dependent services (e.g. syslog), ...).
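As an added example (not code from the question or from either answer), the following C program shows what "chroot done right" looks like in practice and combines it with the capability mechanism from the question's list: it confines the filesystem view with chdir/chroot/chdir("/"), then empties the capability bounding set, sets the kernel's no_new_privs flag (a mechanism the question's list does not mention), clears the supplementary groups and all capability sets, switches to an unprivileged uid/gid and only then executes the target program inside the jail. The jail directory, uid, gid and program are assumed command-line arguments, and the chroot step assumes the program is started as root; every helper reports failure as -errno so the caller can refuse to continue on a partial drop.

```c
// Added example, not part of the original page: minimal chroot + capability
// drop wrapper. Assumed usage: ./jail <jail-dir> <uid> <gid> <program> [args]
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/capability.h>

#ifndef PR_SET_NO_NEW_PRIVS
#define PR_SET_NO_NEW_PRIVS 38
#define PR_GET_NO_NEW_PRIVS 39
#endif

/* Fetch the calling thread's capability sets (v3 ABI: two 32-bit words each). */
static int read_caps(struct __user_cap_data_struct data[_LINUX_CAPABILITY_U32S_3])
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    return syscall(SYS_capget, &hdr, data) == 0 ? 0 : -errno;
}

/* 1 if capability `cap` is in the effective set, else 0. */
int have_effective_cap(int cap)
{
    struct __user_cap_data_struct data[_LINUX_CAPABILITY_U32S_3];
    if (read_caps(data) < 0)
        return 0;
    return (int)((data[cap / 32].effective >> (cap % 32)) & 1);
}

/* Number of capabilities left in the effective set (0 after a full drop). */
int count_effective_caps(void)
{
    int n = 0;
    for (int cap = 0; cap <= CAP_LAST_CAP; cap++)
        n += have_effective_cap(cap);
    return n;
}

/* 1 if no_new_privs is set on this thread, else 0. */
int no_new_privs_set(void)
{
    return prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0) == 1;
}

/* Step 1: chroot "done right". chdir() into the jail, chroot(), then chdir("/")
   again: a process whose working directory stays outside the new root can still
   walk out through "..". chroot() needs CAP_SYS_CHROOT, so this step must run
   before the capabilities are dropped. Returns 0 or -errno. */
int confine_to_directory(const char *jail)
{
    if (chdir(jail) != 0 || chroot(jail) != 0 || chdir("/") != 0)
        return -errno;
    return 0;
}

/* Step 2: make the privilege reduction permanent. Returns 0 or -errno. */
int lock_down(uid_t uid, gid_t gid)
{
    /* Empty the bounding set so no later execve() of a binary carrying file
       capabilities can regain anything. Needs CAP_SETPCAP; skipped otherwise. */
    if (have_effective_cap(CAP_SETPCAP)) {
        for (int cap = 0; cap <= CAP_LAST_CAP; cap++)
            if (prctl(PR_CAPBSET_DROP, cap, 0, 0, 0) != 0 && errno != EINVAL)
                return -errno;
    }
    /* no_new_privs: setuid/setgid bits and file capabilities are ignored by
       every execve() from now on; the flag is inherited by children. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -errno;
    /* Supplementary groups are a classic leftover; clearing them needs CAP_SETGID. */
    if (have_effective_cap(CAP_SETGID) && setgroups(0, NULL) != 0)
        return -errno;
    /* Groups before uid: once the uid is non-root, setresgid() is refused. */
    if (setresgid(gid, gid, gid) != 0 || setresuid(uid, uid, uid) != 0)
        return -errno;
    /* Clear permitted, effective and inheritable outright (dropping is always allowed). */
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct none[_LINUX_CAPABILITY_U32S_3] = { { 0, 0, 0 }, { 0, 0, 0 } };
    if (syscall(SYS_capset, &hdr, none) != 0)
        return -errno;
    return 0;
}

int main(int argc, char **argv)
{
    if (argc < 5) {
        fprintf(stderr, "usage: %s jail-dir uid gid program [args...]\n", argv[0]);
        return 2;
    }
    int rc = confine_to_directory(argv[1]);
    if (rc == 0)
        rc = lock_down((uid_t)atoi(argv[2]), (gid_t)atoi(argv[3]));
    if (rc < 0) {
        fprintf(stderr, "sandbox setup failed: %s\n", strerror(-rc));
        return 1;
    }
    execv(argv[4], argv + 4); /* the path is resolved inside the new root */
    perror("execv");
    return 1;
}
```

The order matters: chroot needs CAP_SYS_CHROOT and must come first, the bounding set can only be emptied while CAP_SETPCAP is still held, groups must be changed before the uid, and the final capset() is the belt-and-braces check that nothing survived. A useful self-test after lock_down() is to call confine_to_directory() again: it must now fail with EPERM even when the process is still uid 0, because the kernel checks the capability and not the uid.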

You can add EFS, AppArmor, Yama, auditctl, ausearch and aureport. Tools similar to fanotify: Snort, ClamAV, OpenSSL, AIDE, nmap, GnuPG
