Let’s say I want to enforce certain settings, such as the use of a proxy in network settings for certain users.
Isn’t this easily bypassable by for example by installing TOR browser or using a VPN app in the user space?
How does system mangers can be sure users will only use the system as planned by the sysadmin? I’m especially interested in network settings, but in general I would be interested to know more about this/be pointed towards the right direction.
Thank you!
You could spawn their processes in a isolated network namespace, connected to a proxy via tun interface. You can then setup firewall rules on that interface to block all traffic, except the proxy an maybe your own dns - that should all be out of the users „reach“.
Nice try, dad.
You create a block at the network level for any traffic that isn’t going through the proxy.
Yes, and no.
Some settings are harder to circumvent, like partition limits, cgroups, and sysconfig. Others are more suggestion than limit, like shell. DNS server and ssh server settings only require a knowledgeable person to circumvent.
It is best to use layers. Helpfully provide working configs. Kindly provide limits to dissuade ill use. Keenly monitor for the unexpected. Strongly block on many layers the forbidden. Come down like the hammer of god on anyone and anything that still gets through.
Hopefully smarter people than I chime in, but if the users aren’t part of sudoers then they shouldn’t be able to install anything. However app images exist, and I’m not sure if those TOR out without network control
besides just downloading and running a binary, there are plenty of package managers that work in the user space and don’t need root access.
If you are setting up a secure system though you would only use a package manager that needed sudo
Who’s setting up the system is not necessarily the same person using it.
You can simply just download a binary and run it.
Mounting home and temp partitions with
noexecshould prevent that.Many electron apps will break because they install some executables into ~/. config
So double win!
Sure but will it bypass your established network routing if it can’t change it?
And that would be enough to bypass root settings?
If someone wants to prevent users to mess with the system should he just disallow downloads entirely/confine the user into an intranet?
Depends on the root setting. And depends on your goal. What is the purpose of the proxy? I doubt that it is easy to bypass, but you still could run a Proxy or VPN as user, this would not bypass the proxy but any filtering/blocking would not be possible. Etc
