
I'm searching for a way to "protect" a Linux operating system against (root) users that can potentially misbehave.

My threat model is the one of university students, having access to root password of desktops (to deal with network configuration, install packages, and so on), but without any access to the UEFI, and my goal is to be able to restore the system in its original state after a simple reboot (without having to resilver the whole system).

It seems to me a RAM-backed overlayfs on the whole system would probably allow for such a behaviour if I were to restrict root from having read-write access to the disk block devices, and prevent root from "removing" this overlay, in a way or another (maybe with SELinux?).

Is there a name for such a technique / setup, a name that would allow me to find resources about doing this on Linux such as e.g. Ubuntu? Is that easily achievable, or would it be a nightmare to think about all the restrictions that would need to be put in place regarding e.g. devices?
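As an added illustration of the setup the question sketches (this is not code from the question or any of the comments), here is an initramfs-style shell hook that mounts the on-disk root read-only, stacks a tmpfs-backed overlayfs on top of it, and a defender-side check that parses `/proc/mounts`-style lines to confirm that the booted root really is discardable. The device path, the `/media/root-ro` and `/media/root-rw` mount points (they mirror the layout Ubuntu's overlayroot uses, but nothing here is that package's code) and the sample mount tables are all assumptions or constructed data.

```shell
#!/bin/sh
# Added example: a RAM-backed overlay over a read-only root, plus a check
# that the resulting mount layout is actually volatile. Paths and the sample
# mount tables below are assumptions / constructed data, not from a real host.

# Build the stack: on-disk root mounted read-only as the overlay lower layer,
# a tmpfs holding the upper and work dirs, and the overlay mounted at $target
# (the directory the initramfs will switch_root into). Needs root, an
# overlay-capable kernel and a real device, so it is not invoked at top level.
setup_volatile_root() {
    disk="$1"     # assumed, e.g. /dev/sda2
    target="$2"   # assumed, e.g. /root inside the initramfs
    mkdir -p /media/root-ro /media/root-rw "$target"
    mount -o ro "$disk" /media/root-ro || return 1
    mount -t tmpfs -o mode=0755 tmpfs /media/root-rw || return 1
    mkdir -p /media/root-rw/upper /media/root-rw/work
    mount -t overlay overlay \
        -o lowerdir=/media/root-ro,upperdir=/media/root-rw/upper,workdir=/media/root-rw/work \
        "$target" || return 1
    # Keep both layers reachable (and inspectable) from the final root.
    mkdir -p "$target/media/root-ro" "$target/media/root-rw"
    mount --move /media/root-ro "$target/media/root-ro"
    mount --move /media/root-rw "$target/media/root-rw"
}

# Read /proc/mounts-style lines on stdin and print "volatile" when "/" is an
# overlay whose (first) lowerdir is a read-only mount and whose upperdir sits
# on a tmpfs; print "persistent" otherwise. This is the post-boot check an
# admin would run to verify the student-facing root is really discardable.
classify_root_layout() {
    awk '
      { fs[$2] = $3; opts[$2] = $4 }
      $2 == "/" && $3 == "overlay" {
          n = split($4, o, ",")
          for (i = 1; i <= n; i++) {
              if (o[i] ~ /^lowerdir=/) { split(substr(o[i], 10), l, ":"); lower = l[1] }
              if (o[i] ~ /^upperdir=/) upper = substr(o[i], 10)
          }
      }
      END {
          lower_ro = (lower != "" && (lower in fs) && ("," opts[lower] ",") ~ /,ro,/)
          upper_tmp = 0
          for (m in fs)
              if (fs[m] == "tmpfs" && index(upper, m "/") == 1) upper_tmp = 1
          verdict = (lower_ro && upper_tmp) ? "volatile" : "persistent"
          print verdict
      }'
}

# Constructed sample /proc/mounts contents (not captured from a real host):
# the layout setup_volatile_root() produces after switch_root.
SAMPLE_VOLATILE='/dev/sda2 /media/root-ro ext4 ro,relatime 0 0
tmpfs /media/root-rw tmpfs rw,relatime,mode=755 0 0
overlay / overlay rw,relatime,lowerdir=/media/root-ro,upperdir=/media/root-rw/upper,workdir=/media/root-rw/work 0 0'

# Constructed sample of the same machine booted without the overlay:
# the disk is mounted read-write directly at /, so changes persist.
SAMPLE_PERSISTENT='/dev/sda2 / ext4 rw,relatime 0 0
tmpfs /run tmpfs rw,nosuid,nodev,mode=755 0 0'

printf '%s\n' "$SAMPLE_VOLATILE"   | classify_root_layout   # volatile
printf '%s\n' "$SAMPLE_PERSISTENT" | classify_root_layout   # persistent
if [ -r /proc/mounts ]; then
    classify_root_layout < /proc/mounts   # verdict for the host this runs on
fi
```

The check deliberately refuses to call a layout "volatile" when the lower layer is mounted read-write (an overlay alone does not stop root from writing to the disk through the lower mount point) or when the upper directory is on persistent storage, which are the two mistakes that silently defeat the reset-on-reboot goal.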

  • 2
    In general don't grant root access and ensure that systems will boot in a good working configuration. Instruct your users to install / configure the software they need in their home directory. i.e. docker containers, snap packages, virtual python environments etc. If/ when root access can't be avoided, i.e. when teaching a sysadmin class - lock the bios, set a boot order to boot from network before disk, run a network boot server that presents a menu to allow booting from local disk or allows the user to select a fresh install that will deploy a base system in a known good state. – HBruijn Jul 06 '23 at 08:39
  • You can look into sudo: a user with specific access to the commands mentioned in the visudo file; even though they can run commands as root, only the ones permitted by root, which I assume is you. https://kifarunix.com/run-only-specific-commands-with-sudo-in-linux/ – Biswajit Mohanty Jul 06 '23 at 09:04
  • 1
    "_My threat model is the one of university students ..._", for such I've seen hardware solutions with PCI Recovery / Guard Cards. For a full reset just a restart was necessary. – U880D Jul 06 '23 at 09:39
  • 1
    `root` is GOD. Absolutely. You can't "protect Linux from root". If you are sure you need to give plain root on some machine, consider setting up netboot and write a custom init script which copies the image from seed server during boot and right, establishes an overlay with it. Then it will be refreshed every reboot, no matter what the "root" did. Notice that this way you move security into the seed server, where the "student" is *not* root and so they can't do anything. – Nikita Kipriyanov Jul 06 '23 at 10:09
  • I disagree that root is "god". For example, using kerberos / nfs, you cannot access the files of an user even if you are root if you don't have some ticket. In the same way, the kernel might refuse to provide access to some devices, even to the root user, and if the kernel cannot be tampered with, then root is not "god". My question is not some XY-problem, I'm not searching for a way of limiting the access to the root account with e.g. sudo or other mechanisms. – user19917937 Jul 06 '23 at 10:20
  • 1
    Here’s a suggestion in the same spirit as using a RAM-backed overlayfs. Boot into a hypervisor that launches a VM having full pass-through to all hardware devices, apart from the block devices. The VM FS should be a snapshot that is removed and recreated at boot time. The student has root access only on the VM, not the hypervisor. Theoretically, this would solve your problem, but I haven't investigated it so I don't know how well kvm allows for the full passthrough of e.g. graphic cards, etc. that might be required for giving the same experience as running natively on the hardware. – fraxflax Jul 06 '23 at 12:08
  • 1
    I support @U880D's comment that hardware recovery cards are the best solution for that case. – raj Jul 06 '23 at 13:27

0 Answers