[sheepdog-users] dog located in /usr/sbin, but executable by other

Marcin Mirosław marcin at mejor.pl
Mon Nov 24 14:26:44 CET 2014


W dniu 24.11.2014 o 13:43, Vasiliy Tolstov pisze:
> 2014-11-24 15:41 GMT+03:00 Marcin Mirosław <marcin at mejor.pl>:
>> Hi!
>> But still user can run it:
>> /lib/libc.so.6 /usr/sbin/dog
>> A little better way is `chmod o-a /usr/sbin/dog` but it doesn't help if
>> user use own binary and connect to sheep. With ifconfig is a little
>> diffrent story, even when ifconfig allow normal user to change network
>> configuration there is kernel protection. Kernel will reject such change
>> if it's not made by super user.
>> As far I can see sheepdog isn't created with security in mind. So
>> securing sheepdog cluster is a little problematic task.
> 
> 
> Why not check uid/euid and deny all? Or more elegant - check CAP, and
> allow all that have needed CAPS ?

But dog can work over TCP. So you should block on firewall connections
from not allowed users and use isolated VLAN for sheepcluster.




More information about the sheepdog-users mailing list