Changing a user's group at login depending on the time of day

Steve2001 · 09-27-2004, 07:38 AM

Hope fully one of you knowledgeable Linux people will be able to help me.

I am trying to do the following:

Restrict access to the internet (or the network) for a particular user based on the time of day they log in, i.e. if the user logs in prior to say 16:00 they cannot connect to the internet but after that time they can. I suspect it may be easier to restrict network access rather than specifically Internet access, by some how disabling eth0.

I suspect I could do this by a script that runs when the users logs in and depending on the time removes them from a particular group or disables eth0, but I'm not sure which scripts run when a user logs in and which group allows access to the network, let alone familiar with scripts to write one!

I have a home LAN (with a Windows PC and a Linux PC [Suse 9.1 and using eth0 for the network connection]) connected together and accessing the Internet through a Netgear router.

Any ideas or pointers to further info. that may help would be very helpful.

Thanks

DoubleOTeC · 09-27-2004, 08:07 AM

so i take it you want to restrict the person on the Linux machine?

in BASH - the shell you might be using - the file run at startup is the .bashrc file in the user's home directory. A line could be added to this file to either perform the desired task or call a script to do it.

Disabling the network device would be very simple using the command ifdown eth0

Steve2001 · 09-27-2004, 08:10 AM

Yes, that's right, its only the Linux machine I want to restrict.

Although setting eth0 as down will work, will the user be able to set it back to up?

DoubleOTeC · 09-27-2004, 08:23 AM

hmmmmmm.....that's a valid point

The device can be set to not allow user control, that is allow only root manipulation.

I do however suspect, this will hamper the effectiveness of shutting it down on the user's login as the ifdown of the device will have to be run by a user with no permisson to control the device....

hmmmmm.....

Steve2001 · 09-30-2004, 03:26 AM

One thing always leads to another!

How would you actually set eth0 to only be controlled by root?

Then I will see what effect issuing the ifdown command has when a non-root owner logs out. Presumably it would just report and error and carry on?

However, the problem would remain on writing a script to set eth0 up or down depending on the time of day the user logged in.

Does this sound at all sensible?

1 Set control of eth0 to be root.
2 Write start up script for the user to check time of day and enable/disable eth0 if required (the script would then have to issue these commands as root due to step 1).
3 Make the users login script access forbidden to the user so they can neither remove it, modify it or discover root’s password.

It would still leave the problem of writing the script but that is another issue, I really just want to get a sensible idea together before going in to the detail.

DoubleOTeC · 09-30-2004, 06:09 AM

OK...i'm not familiar with SUSE...

But in RedHat there is a network-scripts folder. ( /etc/sysconfig/network-scripts/). In this directory there is a file ifcfg-eth0.

Editting this file and adding in a line saying USERCTL=No should handle this

Steve2001 · 09-30-2004, 07:38 AM

Thanks, I'll give that a go to-night when I get home and see what happens

Thanks for your help.

smokybobo · 09-30-2004, 08:32 AM

Just to give an alternate idea, if you use PAM, you can set it up to so you have less scripting/programming work to do i.e. let pam do the add group/remove group based on time of day thing. Then you can have a cron script shut down the network connection based on time of day. Then all that's left is control of all programs/scripts that can bring up the connection. Easiest would be to set up sudo based on group so that anyone in a specific group can bring up/bring down the network connection.

I don't use it but the following is the comments in the relevant file:

From /etc/security/group.conf on my Debian system:

Code:

##
## Note, to get this to work as it is currently typed you need
##
## 1. to run an application as root
## 2. add the following groups to the /etc/group file:
##		floppy, games, sound
##
#
# *** Please note that giving group membership on a session basis is
# *** NOT inherently secure. If a user can create an executable that
# *** is setgid a group that they are infrequently given membership
# *** of, they can basically obtain group membership any time they
# *** like. Example: games are allowed between the hours of 6pm and 6am
# *** user joe logs in at 7pm writes a small C-program toplay.c that
# *** invokes their favorite shell, compiles it and does
# *** "chgrp games toplay; chmod g+s toplay". They are basically able
# *** to play games any time... You have been warned. AGM
#
# this is an example configuration file for the pam_group module. Its
# syntax is based on that of the pam_time module and (at some point in
# the distant past was inspired by the 'shadow' package)
#
# the syntax of the lines is as follows:
#
#       services;ttys;users;times;groups
#
# white space is ignored and lines maybe extended with '\\n' (escaped
# newlines). From reading these comments, it is clear that
# text following a '#' is ignored to the end of the line.
#
# the first four fields are described in the pam_time directory.
# The only difference for these is how the time field is interpretted:
# it is used to indicate "when" these groups are to be given to the user.
#
# groups
#	The (comma or space separated) list of groups that the user 
#	inherits membership of. These groups are added if the previous
#	fields are satisfied by the user's request
#

#
# Here is a simple example: running 'xsh' on tty* (any ttyXXX device),
# the user 'us' is given access to the floppy (through membership of
# the floppy group)
#

#xsh;tty*&!ttyp*;us;Al0000-2400;floppy
# another example: running 'xsh' on tty* (any ttyXXX device),
# the user 'sword' is given access to games (through membership of
# the sound and play group) after work hours.  (The games group owns
# high-score files and so on, so don't ever give users access to it.)
#

#xsh; tty* ;sword;!Wk0900-1800;sound, play
#xsh; tty* ;*;Al0900-1800;floppy



#
# End of group.conf file
#

JZL240I-U · 09-30-2004, 10:50 AM

Why don't you use cron.daily to switch off eth0 at, say 8:00 and switch it back on at 16:00?

Steve2001 · 09-30-2004, 11:14 AM

cor.. suggestions thick and fast, thanks.

Firstly, I'm very new to Linus what is PAM?

Use of cron.daily looks interesting.

So I'll get back to you when I've given your suggestions a go.

P.S.

In my further investigations (since I really only want to restrict internet asscess) I have discovered that I could use Squid to restirct access on a time basis. i.e run Squid on the same m/c as the user uses. point the brower at Squid's 3128 port, however, to prevent the user from not using the Squid proxy, I would need to configure my router to push all HTTP stuff to Squid's 3138 port rather than port 80, but looking at my Netgear wgr614 manual I don't think this can be done, and I don't want to get tangled up in configuring Squid at this early stage in becoming familiar with Linux!

Steve2001 · 10-11-2004, 03:29 AM

Just to update you, thanks for all your advice but maybe I should have gone straight in and plumped with Squid, this I have now done. I have over the last few days got to grips with Squid and DansGuardian. So I can restrict Internet access using ACLs in Squid.

I have found another post here (http://www.linuxquestions.org/questi...r+dansguardian) giving details of how to make sure only DG is used to access the Internet.:

# allow only squid to be able to connect to port 80
iptables -A OUTPUT -p tcp --dport 80 -m owner ! --uid-owner squid -j REJECT --reject-with tcp-reset

#allow only DG to be able to connect to 3128.
iptables -A OUTPUT -p tcp --dport 3128 -m owner ! --cmd-owner dansguardian -j REJECT --reject-with tcp-reset

After I have run DG from the cmd line and typed in the two iptable instructions it seems to work OK but would like DG to always to start when the machine strts and also tghe iptable redirection to be permanent.

However, Squid starts OK when the machine is booted but DG does not, I have added DG to the services to start using chkconfig and if I list the services, it is in the list of running services for runlevel 3 and 5. However it will not accept browser requests (the browser has 127.0.0.1:8080 set as the proxy) until on the cmd line I type dansguardian on.

I an attmept to get it to run automatically I have put:

dansguardian on
iptables -A OUTPUT -p tcp --dport 80 -m owner ! --uid-owner squid -j REJECT --reject-with tcp-reset
iptables -A OUTPUT -p tcp --dport 3128 -m owner ! --cmd-owner dansguardian -j REJECT --reject-with tcp-reset

in the boot.local script, the redirection using iptables seems to be OK but I still have to manual start dg on the comd line.

Also, if I start the SuseFirewall the iptable routing rules are obliterated and the internet is accessable directly without using Squid or DG.

Basically, how do I configure DG to be running after the machine has started and how can I run the firewall and have port 80 only accessible by Squid and port 3128 only asscessable to DG?

Thanks for any leads, I feel I have learnt a lot over the last few weeks and certainly know a lot mor about Linux than I did but these two last niggles just need ironing out and it will be marvoulous.