Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here. |
| Notices |
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
Are you new to LinuxQuestions.org? Visit the following links:
Site Howto |
Site FAQ |
Sitemap |
Register Now
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
 |
GNU/Linux Basic Guide
This 255-page guide will provide you with the keys to understand the philosophy of free software, teach you how to use and handle it, and give you the tools required to move easily in the world of GNU/Linux. Many users and administrators will be taking their first steps with this GNU/Linux Basic guide and it will show you how to approach and solve the problems you encounter.
Click Here to receive this Complete Guide absolutely free. |
|
 |
02-06-2007, 07:49 AM
|
#1
|
|
Member
Registered: Mar 2005
Posts: 33
Rep: 
|
Commands to dissalow regular users to execute
Hello!
I have to install Kubuntu on several PCs at work and I was wondering which commands not to allow users to execute to increase security as high as possible. I've removed the user they will login with from the root group and now i want to remove the executable flag from group and other for some executables. I hope you'll tell me some executables as well.
So far, I've denied access to: ssh, telnet, scp, nmap, ping, tranceroute. Anything else?
Thanks.
|
|
|
|
|
02-06-2007, 07:53 AM
|
#2
|
|
Senior Member
Registered: Nov 2001
Location: Budapest, Hungary
Distribution: SuSE 6.4-11.3, Dsl linux, FreeBSD 4.3-6.2, Mandrake 8.2, Redhat, UHU, Debian Etch
Posts: 1,126
Rep:
|
gcc, if any.
Plus some recommends to mount /tmp so that no files can be executed from there. But it must be thoroughly tested to make sure that it does not affect any used service adversely...
Last edited by J_Szucs; 02-06-2007 at 07:59 AM.
|
|
|
|
|
02-07-2007, 02:46 AM
|
#3
|
|
Member
Registered: Oct 2003
Location: UnitedKingdom
Distribution: Debian Lenny
Posts: 351
Rep:
|
AFA the security of commands is concerned, allowing a user to be user _alone_ will always protect a system. No other person _except_ root can do harm to a running server with improper commands. So just remove the root access to them and things must settle down. Now, if you are not able to remove root access to them, then it is very difficult to manage !
For any mount point where you do not want people to execute (AFA ext3 is concerned) , in fstab or during mounting add the option noexec (see man mount)
|
|
|
|
|
02-07-2007, 06:10 AM
|
#4
|
|
Moderator
Registered: May 2001
Posts: 24,808
|
@OP: I have to install Kubuntu on several PCs at work and I was wondering which commands not to allow users to execute to increase security as high as possible.
What you're talking about is called hardening. Since .*buntu is based off Debian you're in luck. Debian provides a good Security HOWTO. Accidentally (or not) the (co)author also is (co)maintainer of the auditing application called Tiger. Now I don't have any idea about your situation, so IMHO answering this should start with some questions.
What is the purpose of these machines?
Who uses the machines?
Are they accessable from outside your local network?
What (publicly) accessable services do they run?
Why Kubuntu? (That's not a distro war question, OK)
@bhaslinux:
No other person _except_ root can do harm to a running server with improper commands.
Define "improper"?
How does getting privileged access by exploiting vulnerable applications fit in your picture?
And how about situations where you don't even need root account privileges to abuse the server?
So just remove the root access to them and things must settle down.
As far as I know GNU/Linux is no Plan9, so what do you *exactly* mean by "just remove the root access"?
|
|
|
|
|
02-07-2007, 09:23 AM
|
#5
|
|
Member
Registered: Nov 2005
Posts: 144
Rep:
|
Quote:
|
Originally Posted by J_Szucs
Plus some recommends to mount /tmp so that no files can be executed from there. But it must be thoroughly tested to make sure that it does not affect any used service adversely...
|
I tried exactly that with Kubuntu 6.06, and it lead to some kind of error whenever I used "apt-get install". |
|
|
|
| Thread Tools |
Search this Thread |
|
|
|
Posting Rules
|
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
HTML code is Off
|
|
|
All times are GMT -5. The time now is 05:36 AM.
|
|
|
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
|
|
 Latest Threads
LQ News
|
|
