Linux @lemmy.ml dontblink @feddit.it 2w ago

If I enforce some settings for users as root, is there any way they would be able to bypass them?

Let's say I want to enforce certain settings, such as the use of a proxy in network settings for certain users.

Isn't this easily bypassable by for example by installing TOR browser or using a VPN app in the user space?

How does system mangers can be sure users will only use the system as planned by the sysadmin? I'm especially interested in network settings, but in general I would be interested to know more about this/be pointed towards the right direction.

Thank you!

You're viewing a single thread.

17 comments

Hopefully smarter people than I chime in, but if the users aren't part of sudoers then they shouldn't be able to install anything. However app images exist, and I'm not sure if those TOR out without network control
- besides just downloading and running a binary, there are plenty of package managers that work in the user space and don't need root access.
  
  If you are setting up a secure system though you would only use a package manager that needed sudo
  
  Trying to "secure" a turing-complete computer system by some arbitrary limits like that will never work. Unless you manage to directly prevent traffic that isn't going through your proxy, it's all pointless as people will just hack stuff together, be it by downloading binaries themselves and placing them in the home dir, or even by running them in-memory.
  
  Who's setting up the system is not necessarily the same person using it.
  
  If you only allow users as non sudoers, is what I assumed
- You can simply just download a binary and run it.
  
  Mounting home and temp partitions with noexec should prevent that.
  
  Many electron apps will break because they install some executables into ~/. config
  
  So double win!
  
  Nah, still easy to circumvent. This should work: https://github.com/hackerschoice/memexec, or (for dynamic exes) just call them through ld-linux.
  
  Sure but will it bypass your established network routing if it can't change it?
  
  And that would be enough to bypass root settings?
  
  If someone wants to prevent users to mess with the system should he just disallow downloads entirely/confine the user into an intranet?
  
  Depends on the root setting. And depends on your goal. What is the purpose of the proxy? I doubt that it is easy to bypass, but you still could run a Proxy or VPN as user, this would not bypass the proxy but any filtering/blocking would not be possible. Etc

17 comments