securing directories and binaries

Arun Binaykia arun at binaykia.com
Fri May 26 20:42:01 UTC 2006


I am trying to provide a security solution for FC4 in an office desktop
environment. Here are the issues.


1) I need to provide access to certain directories and their contents only
from selected processes running on the machine. Other than these selected
processes, no other processes should be allowed access.

For example, my secured directory is /home/user/documents. I want all OO
processes to have read/write access, while protecting it from gaim, which has
no business in there. I want to be able to give read access to evolution
but no write access. No other process without explicit permissions
should be doing anything in there.

The DAC security model is not good enough, because the user should be
able to run trusted processes (OO) and less trusted processes
(gaim/yahoomessenger, or a downloaded executable) at the same time.

No offense to gaim developers, I use it all the time.

The reason behind this is to protect users from Linux malware. A simple
example of malware is a script that does "rm -rf ~". Hypothetically, if a
user gets an email with attached malware and instructions on how to see
a compromising picture of an attractive tennis star, some users could be
dumb enough to do it. Does anyone know of a framework/solution that can
prevent a user from doing such a thing?

I am advocating Linux as a business desktop and need some sort of
safeguard against situations like this.

2) I have a cron job that periodically checks the binaries on a system.
It calculates a hash and matches it against a previously stored value. If the
values have changed, I get a page that a file has changed. This is for
verification of the integrity of binaries.

There is a window of opportunity where a hacked binary can go unnoticed.
Is there a way to verify the hash of a file before it is executed, every
time?

Please point me to any solutions out there.

Thank you in advance,
Arun
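The periodic hash check described in item 2, as an added example that is not code from the original post: it records a SHA-256 and file mode for each binary as a baseline, then reports files that were altered, removed, or had their permissions changed. The file names and contents in demo() are constructed; a baseline like this only helps if it is stored where the machine's users cannot rewrite it, and it narrows, rather than closes, the window between a replacement and the next cron run.

```python
"""Baseline-and-verify integrity check for a set of binaries (added example)."""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(files) -> dict:
    """Record hash and mode per file. Keep the result off-box or read-only;
    a baseline the user can edit proves nothing."""
    return {str(p): {"sha256": sha256_of(p), "mode": p.stat().st_mode}
            for p in files}


def verify(baseline: dict) -> dict:
    """Compare current state with the baseline; this is what the cron job runs."""
    report = {"changed": [], "missing": [], "mode_changed": []}
    for name, expected in baseline.items():
        p = Path(name)
        if not p.exists():
            report["missing"].append(name)
            continue
        if sha256_of(p) != expected["sha256"]:
            report["changed"].append(name)
        if p.stat().st_mode != expected["mode"]:
            report["mode_changed"].append(name)
    return report


def demo() -> dict:
    """Constructed scenario: three fake 'binaries'; one is later replaced, one deleted."""
    with tempfile.TemporaryDirectory() as d:
        files = [Path(d) / n for n in ("ls", "ps", "netstat")]
        for p in files:
            p.write_bytes(b"#!/bin/sh\necho " + p.name.encode() + b"\n")
            p.chmod(0o755)
        baseline = build_baseline(files)
        files[1].write_bytes(b"#!/bin/sh\necho tampered\n")  # simulate a swapped binary
        files[2].unlink()                                     # simulate a removed binary
        report = verify(baseline)
        return {k: [Path(x).name for x in v] for k, v in report.items()}


if __name__ == "__main__":
    print(demo())  # {'changed': ['ps'], 'missing': ['netstat'], 'mode_changed': []}
```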
