LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Security (https://www.linuxquestions.org/questions/linux-security-4/)
-   -   how to stop users on the system from access /etc /var /bin /boot ... etc... (https://www.linuxquestions.org/questions/linux-security-4/how-to-stop-users-on-the-system-from-access-etc-var-bin-boot-etc-121081/)

artistik 11-29-2003 05:49 PM
how to stop users on the system from access /etc /var /bin /boot ... etc...
 
how would i stop users on my systems from access/viewing anything in any other dir then there /home/user/ dir?

chort 11-29-2003 06:00 PM
First off, are you sure you want to do that? There are usually several settings that are read from scripts in /etc when a user logs into the system... Also, why would you keep them out of /bin? There are lots of very necessary programs in there (cp and ls, to name a few).

If you're really sure that's what you want to do, then look into rbash (the restricted bash shell). man bash

artistik 11-29-2003 06:04 PM
i actually...just want it so they cant pico stuff....and access stuff they shouldnt be doin...

chort 11-29-2003 06:22 PM
Do you want to prevent reading, or writing? It sounds like you mean writing (pico is a text editor, but there are many other text editors).

By default nothing important should be writable by ordinary users, so you should be OK there. Even though a user can open a file in pico, or vi it doesn't mean they can save their changes. Take /etc/hosts for instance... Log in as a normal users, type pico /etc/hosts. You will see the contents of the file displayed. Now trying making some additions to the file, then saving it... You will get a "permission denied" error.

artistik 11-29-2003 06:25 PM
ahh i see now....was just wondering if there was a way to stop them from leaving there home dir....but guess not... heh.

chort 11-29-2003 06:40 PM
Sure you can stop them from leaving their home directory. Refer back to my first suggestion. First you need to decide exactly what you do and don't want to allow users to do. You seem very confused on that point.

iceman47 11-29-2003 08:11 PM
You should check LIDS (http://www.lids.org/)
They (and everybody that's using it) think that even root has too much
power on the system.
Check the website though, more info there.
I think everybody should be using LIDS, and I'm sure the security experts
will agree.

unSpawn 12-01-2003 11:09 AM
First you need to decide exactly what you do and don't want to allow users to do. You seem very confused on that point.
I agree with Chort. Being able to describe (in (more) detail) what you want is a necessity for us to be able to come up with good solutions.


I think everybody should be using LIDS, and I'm sure the security experts
will agree.
I agree in general with that remark in the sense of resource restrictions, I don't use LIDS myself tho. I used to use kernel patches like OpenWall with 2.2.x and use Grsecurity with 2.4.x.
If you're running LIDS, maybe it would be a good idea to write a short LinuxAnswer about it?

artistik 12-01-2003 05:31 PM
i want to be able to stop users on my system.....from even reading stuff like /etc/hosts.allow i know they cant write to it...but i dont even want them to be able to see whats in any file...pretty much keep them in there /home/user directory...so if they type cd /etc or pico /etc/hosts.allow if will tell them permission denied....and yes im confused..im still new to linux :)

chort 12-01-2003 06:06 PM
Probably what you want is to set your user's shells to rbash (you may need to create a script to make it invoke bash -r). Like I said in my very first post do
$ man bash
and look for information on "RESTRICTED SHELL"

Note that configuring your system this way a) is not trivial and b) will cause your users to complain about a lot of things. You'll have to do a lot of work to set it up so they can do anything useful. If you go around changing the permissions on everything to not be readable by users then there will be a lot of daemons and such that won't be able to read configuration files (if they run w/o root privilages). Also if you take this method, you're likely to miss some key files and users will be able to read them any way because you were not thurough.

Rather than saying things like "I don't want to allow anyone out of /home" you should set reasonable goals like "don't allow users to modify system configurations" and "don't allow users to read files that could allow them to make educated attacks on my system". Then you will want to investigate lock-down scripts like Bastille or msec (if you're using Mandrake), and investigate other things like grsecurity and LIDS. There isn't one magic switch that you can flip that says "make everything secure".

By the way, if you try to dive into system hardening without understand what you're doing or more importantly, why, then you're in for a world of hurt. You should read up and educate yourself BEFORE you attempt to seriously modify your system. You're going to save yourself from a lot of reinstalling. An excellent starting point would be Building Internet Firewalls from O'Reilly. Building Secure Servers with Linux is another book from O'Reilly that may interest you.

The bottom line is that security doesn't come cheaply. First and foremost you must understand WHY things happen. Why does security get compromised? Why do controls fail? Why do programs misbehave? After you know these things you can understand the types of changes that you might make to a system to secure it.

artistik 12-01-2003 06:16 PM
ahh ok...guess i will just bypass that question for now...till i learn a bit more...ty.

iceman47 12-01-2003 06:42 PM
Quote:
Originally posted by unSpawn
If you're running LIDS, maybe it would be a good idea to write a short LinuxAnswer about it?
Ok, will do that tomorrow.


All times are GMT -5. The time now is 12:07 PM.