0

I am working on an embedded Linux platform. On our platform there is only the root user. Now we want to bring in security options like:

1. Low-privileged user.
2. Allowing only executables from a particular location to run (only read permission).
3. Use Linux Containers

We have managed to add a low-privileged user using the /etc/passwd file, but I have no idea how to do the rest. Are there any better options to implement security in the Linux system? Any documentation or links are much appreciated.

jsaji

1 Answer

1

Option two is achieved by the noexec flag on mounting. The slight challenge is figuring out exactly what to mount where; you'd want to mount / as noexec to get safety by default, but you need /sbin/mount to be executable. But you can probably make / read-only and mount all the writeable filesystems as noexec.

MSalters
  • The above answer works for me. Is there any way I can impose a rule, like only binaries with a specific set of names being allowed to execute? – jsaji May 08 '14 at 04:20
  • @Griffin: That wouldn't be too secure. The usual approach would be `chroot` to an environment with just the trusted executables. A more flexible approach would be SELinux policies. – MSalters May 08 '14 at 06:32
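
An added example, not part of the original answer: a POSIX shell check for the layout the answer describes, where / is read-only and every writable filesystem is mounted noexec. It reads a mount table in /proc/mounts format on stdin; the function names, the pseudo-filesystem skip list and the sample table are assumptions made for illustration.

```shell
#!/bin/sh
# Audit a mount table (/proc/mounts format, read from stdin) against the
# layout from the answer: "/" read-only, every writable filesystem noexec.

# has_opt OPTS NAME -> succeeds if NAME is one of the comma-separated options
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_mounts -> prints one finding per line, returns 1 if anything was found
audit_mounts() {
    findings=0
    while read -r dev mnt fstype opts _rest; do
        # Kernel pseudo-filesystems where regular files cannot be created
        # (this skip list is an assumption; adjust it for your platform)
        case "$fstype" in
            proc|sysfs|devpts|cgroup|cgroup2|securityfs|debugfs) continue ;;
        esac
        if [ "$mnt" = "/" ] && has_opt "$opts" rw; then
            echo "ROOT_WRITABLE $mnt"
            findings=1
        fi
        if has_opt "$opts" rw && ! has_opt "$opts" noexec; then
            echo "WRITABLE_EXEC $mnt"
            findings=1
        fi
    done
    return "$findings"
}

# Constructed sample table (not taken from a real device)
sample_mounts() {
    cat <<'EOF'
/dev/root / squashfs ro,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec 0 0
/dev/mmcblk0p3 /data ext4 rw,relatime 0 0
tmpfs /run tmpfs rw,nosuid,nodev 0 0
EOF
}

sample_mounts | audit_mounts || true
```

On a target device, run `audit_mounts < /proc/mounts`; each `WRITABLE_EXEC` line names a filesystem where a file could be both written and executed.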