Using AppArmor to Create Confined Root Shells
Novell Support TID: Using AppArmor to Create Confined Root Shells
AppArmor can be used to create “roles” (in the Role Based Access Control sense) that operate as restricted shells in Linux. This even works on root shells. For instance, suppose you have some junior system administrators in your enterprise, and their job is to do system log analysis looking for problems. They need root access to do this, but you don’t feel comfortable trusting them; they might be evil, or they might just make mistakes. So you want to allow them to only have part of root’s privilege to access the system log, but not the power to mess with the database, reboot the machine, etc.
To do this, you create a role using AppArmor with the following steps:
- Create a “special” shell for this role, e.g. call it logbash for the role of syslog analyst.
- Create an AppArmor profile for logbash that restricts anyone running logbash to only do the necessary operations.
- Make logbash the default login shell for people who will be operating in this role.
- Change the UID of these people to 0 so that they have root’s privilege, but use their own password and are restricted to run logbash, so you don’t have to share root’s password.
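The following profile is an added illustration of step 2, not part of the TID; it assumes logbash is a copy of bash installed at /usr/local/bin/logbash and that the profile is saved as /etc/apparmor.d/usr.local.bin.logbash. Because the analyst runs as UID 0, the profile is the only thing standing between them and full root, so everything not listed (writing /etc, touching the database files, running another shell) stays denied by default.

```apparmor
# /etc/apparmor.d/usr.local.bin.logbash  (hypothetical path for this example)
#include <tunables/global>

/usr/local/bin/logbash {
  #include <abstractions/base>
  #include <abstractions/bash>
  #include <abstractions/consoles>

  # The confined shell binary itself.
  /usr/local/bin/logbash mr,

  # The job: read the system logs. Read-only, so the analyst cannot
  # truncate or rewrite them even with UID 0.
  /var/log/ r,
  /var/log/** r,

  # Tools a log analyst needs. 'ix' runs them under this same profile,
  # so they inherit the restrictions instead of escaping them; never use
  # 'ux' here, which would run the child unconfined as root.
  /{usr/,}bin/cat     ix,
  /{usr/,}bin/grep    ix,
  /{usr/,}bin/less    ix,
  /{usr/,}bin/tail    ix,
  /{usr/,}bin/head    ix,
  /{usr/,}bin/wc      ix,
  /{usr/,}bin/ls      ix,

  # No 'capability' rules: a profile grants no capabilities unless listed,
  # so UID 0 inside logbash cannot e.g. reboot (sys_boot) or raw-write
  # disks (sys_rawio). Add 'capability dac_read_search,' only if some
  # logs are owned by a non-root user with a restrictive mode.

  # Everything else is already denied; explicit 'deny' rules just keep
  # the expected attempts out of the audit log.
  deny /bin/bash x,
  deny /bin/sh x,
  deny /usr/bin/su x,
  deny /usr/bin/sudo x,
  deny /etc/shadow rw,
}
```

Load it with apparmor_parser -r /etc/apparmor.d/usr.local.bin.logbash, then check that a logbash login can read /var/log/messages but fails to write /etc/passwd or start /bin/bash despite being UID 0; the denials show up as AppArmor audit messages.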