Linux Security – How to Prevent a Process from Writing Files

apparmorcapabilitieslinuxSecurityselinux

I want to run a command on Linux in a way that it cannot create or open any files to write. It should still be able to read files as normal (so an empty chroot is not an option), and still be able to write to files already open (especially stdout).

Bonus points if writing files to certain directories (i.e. the current directory) is still possible.

I’m looking for a solution that is process-local, i.e. does not involve configuring things like AppArmor or SELinux for the whole system, nor root privileges. It may involve installing their kernel modules, though.

I was looking at capabilities and these would have been nice and easy, if there were a capability for creating files. ulimit is another approach that would be convenient, if it covered this use case.

Best Answer

How about creating an empty chroot, then bind-mount the main filesystem as read-only inside the chroot?

Should probably be something like this to create a read-only bind-mount:

mount --bind /foo/ /path/to/chroot/
mount -o remount,ro /path/to/chroot/

You can bind-mount other directories which you want the jail to have write access to as well. Be careful if you need to bind-mount special directories (/dev/, /proc/, /sys/), mounting them as-is may be insecure.

Related Solutions

Linux – How to prevent writing to CIFS from stalling for minutes on end

By default cifs mounts use protocol 1.0, which besides obsolete, is largely inefficient and does not recover well from sleep for several reasons.

Depending on what is your server technology, you can go from using vers=2.1 at least, or vers=3.0.

I would advise checking with documentation or vendor which version of the SMB protocol it supports, or at least using 3.0 and consulting the output of the mount command to see the negotiated version.

Changing for a more recent CIFS version protocol should solve some or all of your stalling issues and give you more efficient transfer speeds.

Please see the related question CIFS randomly losing connection to Windows share for more details.

Please do note that the stalling will improve, but won't go away when copying large files. That behaviour is a feature e.g. the files go to buffers, and the filesystem waits for the server notification the copy has been finished with success.

Why are not all permitted capabilities of a linux process effective all the time

The difference between effective/permitted capabilities is similar to the difference between real/effective UIDs in setuid programs. The idea isn't to stop a rogue app from escalating privs (you wouldn't grant them privs in the first place, same as you wouldn't setuid them) but to allow a program to run with minimal privileges and only escalate where necessary. This helps minimize the impact of bugs

A very contrived example: I want to have a program that will let me send a SIGHUP to processes owned by the user or to allow a God user to send SIGHUP to init.

This program has the CAP_KILL capability set on the file.

The pseudo code might look something like:

drop_effective CAP_KILL
repeat forever:
  get_process_id_from user
  if process_id==1 and user_is_God:
    set_effective CAP_KILL
    kill(-1,1)
    drop_effective CAP_KILL
 else:
   kill(-1,process_id)

The obvious bug, here, is that I don't check that the user is allowed to send the signal in the first place. Because I've dropped the effective CAP_KILL permission I won't be allowing the user to kill processes other than their own.

Very contrived, for sure! But the idea is to run as far as possible with "least privileges" and only enable privileges when necessary.

Now this won't necessarily protect against buffer overflow attacks because the injected code could enable permitted privileges, so capability aware code should also drop permitted privileges once they are no longer needed; eg a webserver might drop CAP_NET_BIND_SERVICE after it has bound to port 80. You can't enable something not in your permitted set!

Best Answer

Related Solutions

Linux – How to prevent writing to CIFS from stalling for minutes on end

Why are not all permitted capabilities of a linux process effective all the time

Related Question