Context Navigation

Security for Debian Based Distributions

This hopefully limits the run time to two hours, disk usage to 60MB, write access to /home/shepherd, processes limit to 20 and increase latency with nice. Maybe also limits cpu time to 6 minutes, limit memory to 200k and create file size limited to 14MB but these might not work. It also uses a restricted shell.

It would be nice if it was possible to limit cpu % with maybe usleeps for frame capture devices, limit read access / programs executable without a chroot jail, disk quota for diskusage and limit network usage.

Get shepherd, shepherd.sh, shepherd.cron and shepherd.checker from below.

sudo -i
adduser --system --group --disabled-password --shell /bin/sh shepherd
cp shepherd.sh /home/shepherd
chown 0:0 /home/shepherd/shepherd.sh
chmod +x /home/shepherd/shepherd.sh
cp shepherd /home/shepherd/
su - shepherd
perl shepherd

Configure shepherd.

exit
rm /home/shepherd/shepherd

Test it with

su - shepherd -c /home/shepherd/shepherd.sh

Set up daily execution.

cp shepherd.checker /usr/local/bin/
chown 0:0 /usr/local/bin/shepherd.checker
chmod +x /usr/local/bin/shepherd.checker
cp shepherd.cron /etc/cron.d/shepherd
chown 0:0 /etc/cron.d/shepherd

Change 00 6 in /etc/cron.d/shepherd to an appropriate time you want shepherd to run. And add three hours to the shepherd.checker entry.

Obtain shepherd with

wget http://www.whuffy.com/shepherd/shepherd

shepherd.sh

#!/bin/rbash

# Run this with "sudo -i; su - shepherd -c /home/shepherd/shepherd.sh"

STOPIT=/var/local/shepherd.stopit
LOG=/home/shepherd/shepherd-log.txt

if [ -f $STOPIT ]; then exit 0; fi

savelog -c 9 -n -q $LOG
ulimit -t 1440 -m 204800 -v 204800 -f 14336 -u 20
alias ls=exit
# Could use "--noupdate"
nice time -v ~/.shepherd/shepherd 2>&1 | tee $LOG
du -h | tee -a $LOG

shepherd.cron

# /etc/cron.d/shepherd: crontab entry for the shepherd

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

#randomly
00 6   * * *   shepherd     sleep $(expr $RANDOM \% 3600) && /home/shepherd/shepherd.sh > /dev/null
00 9   * * *   root         /usr/local/bin/shepherd.checker

shepherd.checker

#!/bin/sh

STOPIT=/var/local/shepherd.stopit
OK=1

if [ -f $STOPIT ]; then exit 0; fi

if ( pgrep -U shepherd > /dev/null ); then
  echo "Killing shepherd because running to long!"
  pkill -U shepherd
  sleep 10
  pkill -9 -U shepherd
  OK=0
fi

SIZE=$(du -s -B 1024 /home/shepherd/)
SIZE=${SIZE%%/*}

if (( $SIZE > 61440 )); then
  echo "Disabling shepherd because using to much disk space!"
  OK=0
fi

if [ "$OK" != "1" ]; then
  touch $STOPIT
  exit 1
fi

exit 0

Download in other formats:

Plain Text