
Re: Is it possible to stop an user from stopping rsyslog or equivalent while still granting most privileges?


From: Jeffrey Walton
Subject: Re: Is it possible to stop an user from stopping rsyslog or equivalent while still granting most privileges?
Date: Tue, 14 Sep 2021 12:24:48 -0400

On Mon, Sep 13, 2021 at 11:35 AM conan zhan <conanzhan@onionmail.org> wrote:
> ...
> So is there a way to ban a sudo-er from the following actions:
>
> 1) run a command the root does not allow. ETC. A line with both stop &
> rsyslog. A line with chmod.
>
> 2) use root role;
>
> 3) escape current bash environment ?
>
> These three altogether would create a role that gives maintainers the largest
> privileges so long as they CANNOT delete the record in Black-Box.
>
> I don't know how much work needs to be done to create such a role, but there
> seems to be a way to walk around by a shell with censorship on command before
> execution? Since you can limit a user on what shell can be used by useradd
> [someuser] -s

I believe you need to use SELinux. Under SELinux, root is just another
user who can be managed, restricted and contained. The policies are
mandatory, so root and equivalent users cannot side-step them.

I don't believe AppArmor provides the same containment as SELinux.
AppArmor is app-centric, not user-centric.

Jeff
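As an added example (not from the thread), a small check of the SELinux approach Jeff describes: it parses constructed sample output in the shape of `getenforce`, `semanage login -l` and `ps -eZ` and flags the cases where the policy would not actually contain a maintainer (permissive mode, the login mapped to unconfined_u, rsyslogd not running in its confined domain). The login name `maintainer` and the sample rows are assumptions.

```python
# Added check for the SELinux approach: is enforcement on, is the
# maintainer login mapped to a confined SELinux user, and does rsyslogd
# run in its confined domain? Sample text below is constructed.
GETENFORCE = "Enforcing"
SEMANAGE_LOGIN = """\
Login Name           SELinux User         MLS/MCS Range        Service

__default__          unconfined_u         s0-s0:c0.c1023       *
maintainer           staff_u              s0-s0:c0.c1023       *
root                 unconfined_u         s0-s0:c0.c1023       *
"""
PS_EZ = """\
LABEL                             PID TTY          TIME CMD
system_u:system_r:syslogd_t:s0    812 ?        00:00:01 rsyslogd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2311 pts/0 00:00:00 bash
"""
CONFINED_USERS = {"staff_u", "user_u", "sysadm_u"}  # not unconfined_u

def login_mappings(text):
    """Parse `semanage login -l` output into {login: selinux_user}."""
    maps = {}
    for line in text.splitlines()[1:]:  # skip the header row
        parts = line.split()
        if len(parts) >= 2:
            maps[parts[0]] = parts[1]
    return maps

def process_domain(text, cmd):
    """Return the SELinux type (domain) of the first `ps -eZ` row for cmd."""
    for line in text.splitlines()[1:]:
        parts = line.split()
        if parts and parts[-1] == cmd:
            return parts[0].split(":")[2]   # user:role:type:level
    return None

def findings(enforce, semanage_text, ps_text, login):
    """Return a list of problems; an empty list means the setup looks sane."""
    problems = []
    if enforce != "Enforcing":
        problems.append(f"SELinux is {enforce}; policy is not mandatory")
    su = login_mappings(semanage_text).get(login)
    if su not in CONFINED_USERS:
        problems.append(f"{login} maps to {su}, not a confined SELinux user")
    domain = process_domain(ps_text, "rsyslogd")
    if domain != "syslogd_t":
        problems.append(f"rsyslogd runs as {domain}, expected syslogd_t")
    return problems

if __name__ == "__main__":
    print(findings(GETENFORCE, SEMANAGE_LOGIN, PS_EZ, "maintainer") or "ok")
```

On a real host, capture the three outputs with subprocess instead of the constructed strings; the domain and user names are those of the default targeted policy and may differ under a custom policy.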
