I also limit the other network commands that are executed without root.
That doesn’t really do anything. You don’t need the commands to access the information, and anyone could easily just download a copy to their home directory and run them anyway.
I don’t know why you are doing this, but if it is about security you aren’t increasing it by any meaningful amount.
Indeed, many third-party programs, e.g. ip or the old ifconfig, read plenty of network information from any kernel without requiring permission.
For example:
Everyone can run $ cat /proc/net/fib_trie to show the IP configuration, but there is much more configuration in /proc/net/*, /proc/sys/net/ipv4/*, /proc/sys/net/ipv6/* and more …
Yes, I know it’s not the best practice, but it looks like OP doesn’t care.
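To make the point above concrete, here is an added example (not from any poster in this thread) that lists the host's IPv4 addresses purely by parsing /proc/net/fib_trie, with no ip or ifconfig binary involved. The fib_trie text embedded in the script is a constructed sample, not a capture from a real machine; with --live the script reads the real file as whatever unprivileged user runs it.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): list every IPv4 address the host has
# configured by parsing /proc/net/fib_trie, which is world-readable on a
# default kernel. No ip/ifconfig binary is involved, so restricting those
# binaries does not hide the information.

# Reads fib_trie text on stdin, prints local addresses one per line.
# In the trie dump an address node looks like "|-- 192.168.1.10" and is
# followed by one line per prefix; "/32 host LOCAL" marks a configured
# local address (BROADCAST/UNICAST lines are routes, not addresses).
local_addrs_from_fib_trie() {
    awk '
        $1 == "|--"                                   { addr = $2 }
        $1 == "/32" && $2 == "host" && $3 == "LOCAL"  { print addr }
    ' | sort -u
}

# Constructed sample of /proc/net/fib_trie (not captured from a real host):
# loopback plus one address on 192.168.1.0/24. The Local: table repeats the
# same entries, which is why the function deduplicates.
SAMPLE_FIB_TRIE='Main:
  +-- 0.0.0.0/0 3 0 5
     |-- 0.0.0.0
        /0 universe UNICAST
     +-- 127.0.0.0/8 2 0 2
        +-- 127.0.0.0/31 1 0 0
           |-- 127.0.0.0
              /32 link BROADCAST
              /8 host LOCAL
           |-- 127.0.0.1
              /32 host LOCAL
        |-- 127.255.255.255
           /32 link BROADCAST
     +-- 192.168.1.0/24 2 0 2
        +-- 192.168.1.0/28 2 0 2
           |-- 192.168.1.0
              /32 link BROADCAST
              /24 link UNICAST
           |-- 192.168.1.10
              /32 host LOCAL
        |-- 192.168.1.255
           /32 link BROADCAST
Local:
  +-- 127.0.0.0/8 2 0 2
     |-- 127.0.0.1
        /32 host LOCAL
  |-- 192.168.1.10
     /32 host LOCAL'

# Usage: ./fib_addrs.sh --live   reads the real /proc/net/fib_trie as the
# invoking user (no root needed). Without --live it parses the sample above.
if [ "${1:-}" = "--live" ]; then
    echo "Running as $(id -un):"
    local_addrs_from_fib_trie < /proc/net/fib_trie
else
    printf '%s\n' "$SAMPLE_FIB_TRIE" | local_addrs_from_fib_trie
fi
```

Run it as an ordinary user on a box where /usr/bin/ip has been made root-only and the addresses still come out, which is the whole objection being raised in this thread.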
ip also reads the network information from proc.
If reading the proc directory is reserved for root, then commands like ip must also have root access.
If this is true, the proc directory should be readable and modifiable only by the root user.
Is it possible to mount the proc directory for the root user only?
That is a good way to screw up your system. But the answer is technically yes, it is possible to limit /proc to root-only access.
What is your end goal? Prevent the user from accessing the internet? Or just mess with them so they cannot use perfectly harmless tools like ip?
Completely restricting proc to root causes difficulties for normal users.
But commands such as ip and ifconfig must be run, and basic network and other important information read, with root access.
Now, I don’t know if this is related to kernel compilation or firmware.
Now I have questions about which distribution has met this standard.
I just want to know how to make different paths under /proc/* specific to the root user.
This is related to your network hardware, which can tell any kernel and BIOS firmware what your local IP address is. But the IP address can be changed by your local router due to Dynamic Host Configuration Protocol (DHCP) or your custom IP configuration in your router.
No kernel restricts network information for normal users in the higher layers of the OSI model by default.
But you can change your own kernel to restrict whatever network information you want.
I’m not sure restricting commands to only root when they’re normally available sounds like a very good plan.
Instead, is it possible, when new users are made, to simply and explicitly set a deny ACL of some kind? Basically, those types of users would only have access to exactly what you specify, OR maybe those users are automatically denied access to the list of “things” you specify.
(Stumbling over generic terms to explain a theoretical solution in the complete abstract; I’ve certainly earned my name today! lol)
Hmm, I’m still a little unsure, but I think this article talks about the “thingies” I’m thinking of (using ACLs).
Basically, add your users to a custom group like “myrestrictions”. Then go to the ACLs of the things you want to restrict and set the group ACL to --- for the “myrestrictions” group. Not sure if you can prioritize that group permission ahead of the default permissions, but if you can, that should do the trick, and then you’re not changing any global things that are sort of “concerning and scary” to other folks commenting in this thread. (I’m broadly and crudely characterizing, no offense to others in this discussion intended. Using words is hard sometimes lol.)
OK yeah, here I figured it out.
- Create a group that you will add all the users to that you want to restrict:
sudo groupadd restrictedusers
- Add the user to that group:
sudo usermod -a -G restrictedusers username
- Change the ACL of the items you want restricted:
sudo setfacl -m group:restrictedusers:--- /usr/bin/ip
Log the user off so the group and permission changes take effect, and voilà! That way you’re not changing default/global permissions, and by adding users to a group you can just specify the group on the given thing you want to restrict.
The final thing I highly recommend is keeping a script with all of the names of the files/dirs you have set restrictions on. As another commenter mentioned, there might be an issue with some updates resetting permissions. Or even better, maybe just make a script/service that, for each file/dir entry in a txt file, will check the FACLs for the settings you need, and if they’re not there it will automatically re-add them. Furthermore, configure the script so that, if it did have to fix some permissions, it also forces all users in the “restrictedusers” group to log off so the permissions take effect properly. That’s probably the most effective way to do it AND easily maintain and update it.
I still cannot see the end goal. Restricting usage for the sake of restriction? Sounds weird to me.
Anyway, you can use ACLs or simply chmod 700 /usr/bin/ip && chown root:root /usr/bin/ip. If so, then you should set up a pacman hook that will set your desired access permissions after relevant updates.
You can also look into SELinux or AppArmor - perhaps it can help you set your desired access rights.
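The two suggestions above (a script that re-checks the FACLs on a list of paths and logs restricted users off when it had to fix something, and a pacman hook that re-applies the permissions after updates) can be combined into one tool. The following is an added example written for this page, not code posted by anyone in the thread. Everything specific in it is an assumption: the group name restrictedusers, the list file /etc/restricted-paths.txt, the install path /usr/local/sbin/reapply-acls named in the generated hook, and the use of systemd-logind to end sessions. The getfacl outputs embedded in the script are constructed samples.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): keep a group-deny ACL in place on a
# list of binaries and re-apply it after package updates.
# Assumptions (placeholders, not from the original post): group name
# "restrictedusers", path list /etc/restricted-paths.txt, this script
# installed as /usr/local/sbin/reapply-acls, systemd-logind available.

RESTRICT_GROUP="${RESTRICT_GROUP:-restrictedusers}"

# acl_has_group_deny ACL_TEXT GROUP
# 0 when getfacl output contains an explicit "group:GROUP:---" entry.
# Only the literal deny counts: any other named-group entry is subject to
# the mask line and may not mean what it looks like.
acl_has_group_deny() {
    printf '%s\n' "$1" | grep -Eq "^group:$2:---([[:space:]]|\$)"
}

# ensure_deny PATH GROUP
# 0 = already denied, 1 = deny was missing and has been re-applied,
# 2 = path does not exist (skipped).
ensure_deny() {
    local path="$1" group="$2" acl
    [ -e "$path" ] || { echo "skip    $path (missing)"; return 2; }
    acl="$(getfacl --omit-header --absolute-names "$path" 2>/dev/null)" || acl=""
    if acl_has_group_deny "$acl" "$group"; then
        echo "ok      $path"; return 0
    fi
    if setfacl -m "group:${group}:---" "$path"; then
        echo "fixed   $path"
    else
        echo "FAILED  $path" >&2
    fi
    return 1
}

# Walk the list (blank lines and # comments ignored). If any entry had to be
# fixed, end the sessions of group members: a process that already has the
# binary open keeps running, the ACL only stops new execs.
apply_list() {
    local list="$1" changed=0 p u
    while IFS= read -r p; do
        case "$p" in ''|\#*) continue ;; esac
        if ensure_deny "$p" "$RESTRICT_GROUP"; then
            :
        elif [ $? -eq 1 ]; then
            changed=1
        fi
    done < "$list"
    if [ "$changed" -eq 1 ]; then
        for u in $(getent group "$RESTRICT_GROUP" | cut -d: -f4 | tr ',' ' '); do
            loginctl terminate-user "$u"   # assumes systemd-logind
        done
    fi
    return "$changed"
}

# Print a pacman hook (alpm-hooks(5)) that re-runs this script whenever one
# of the given paths is installed or upgraded. Save the output as
# /etc/pacman.d/hooks/restricted-acls.hook; Target paths are relative to /.
print_pacman_hook() {
    local target
    [ $# -gt 0 ] || { echo "need at least one path" >&2; return 1; }
    printf '[Trigger]\nOperation = Install\nOperation = Upgrade\nType = Path\n'
    for target in "$@"; do
        echo "Target = ${target#/}"
    done
    printf '\n[Action]\nDescription = Re-applying restricted-group ACLs\n'
    printf 'When = PostTransaction\nExec = /usr/local/sbin/reapply-acls --apply\n'
}

# Constructed getfacl samples (not captured from a real host), used to
# exercise the check without touching the filesystem.
SAMPLE_DENIED='user::rwx
group::r-x
group:restrictedusers:---
mask::r-x
other::r-x'
SAMPLE_OPEN='user::rwx
group::r-x
other::r-x'

case "${1:-}" in
    --apply) apply_list "${2:-/etc/restricted-paths.txt}" ;;
    --hook)  shift; print_pacman_hook "$@" ;;
    *)       echo "usage: $0 --apply [listfile] | --hook PATH..." >&2 ;;
esac
```

Typical use: `reapply-acls --hook /usr/bin/ip /usr/bin/ss > /etc/pacman.d/hooks/restricted-acls.hook`, then `reapply-acls --apply` once by hand; afterwards pacman runs it whenever one of the listed files is reinstalled. Note that, as the earlier replies point out, this only removes the convenience of the binary; the same data stays readable under /proc for anyone in the group.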
+1
None of these things make any material difference to an attacker. There are many, many ways to get this information. Closing them one vector at a time is a pointless battle.
@Newuser2 can you share why you are trying to restrict this access?
For example, if we change the MAC address, a program can easily obtain the original MAC address using the ip command.
It can still do that without the ip command, even after all the changes you made…
If you want to block a program from accessing system information, run it in a VM, a container or a secure sandbox.
Of course, not with the solutions suggested by friends.
Is firejail better?
Yes, if you are trying to restrict what a certain program can do, running it in something like firejail is a better solution than trying to modify your system itself.