LinuxQuestions.org
Old 11-29-2003, 05:49 PM   #1
artistik
Member
 
Registered: Aug 2003
Location: south carolina
Distribution: Slackware 11
Posts: 60

Rep: Reputation: 15
How to stop users on the system from accessing /etc /var /bin /boot ... etc...


How would I stop users on my systems from accessing/viewing anything in any other dir than their /home/user/ dir?
 
Old 11-29-2003, 06:00 PM   #2
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 69
First off, are you sure you want to do that? There are usually several settings that are read from scripts in /etc when a user logs into the system... Also, why would you keep them out of /bin? There are lots of very necessary programs in there (cp and ls, to name a few).

If you're really sure that's what you want to do, then look into rbash (the restricted bash shell). man bash
 
Old 11-29-2003, 06:04 PM   #3
artistik
Member
 
Registered: Aug 2003
Location: south carolina
Distribution: Slackware 11
Posts: 60

Original Poster
Rep: Reputation: 15
I actually... just want it so they can't pico stuff... and access stuff they shouldn't be doin'...
 
Old 11-29-2003, 06:22 PM   #4
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 69
Do you want to prevent reading, or writing? It sounds like you mean writing (pico is a text editor, but there are many other text editors).

By default nothing important should be writable by ordinary users, so you should be OK there. Even though a user can open a file in pico or vi, it doesn't mean they can save their changes. Take /etc/hosts for instance... Log in as a normal user, type pico /etc/hosts. You will see the contents of the file displayed. Now try making some additions to the file, then saving it... You will get a "permission denied" error.
 
Old 11-29-2003, 06:25 PM   #5
artistik
Member
 
Registered: Aug 2003
Location: south carolina
Distribution: Slackware 11
Posts: 60

Original Poster
Rep: Reputation: 15
Ahh, I see now... was just wondering if there was a way to stop them from leaving their home dir... but guess not... heh.
 
Old 11-29-2003, 06:40 PM   #6
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 69
Sure you can stop them from leaving their home directory. Refer back to my first suggestion. First you need to decide exactly what you do and don't want to allow users to do. You seem very confused on that point.
 
Old 11-29-2003, 08:11 PM   #7
iceman47
Senior Member
 
Registered: Oct 2002
Location: Belgium
Distribution: Debian, Free/OpenBSD
Posts: 1,123

Rep: Reputation: 47
You should check LIDS (http://www.lids.org/)
They (and everybody that's using it) think that even root has too much
power on the system.
Check the website though, more info there.
I think everybody should be using LIDS, and I'm sure the security experts
will agree.
 
Old 12-01-2003, 11:09 AM   #8
unSpawn
Moderator
 
Registered: May 2001
Posts: 26,534
Blog Entries: 51

Rep: Reputation: 2603
Quote:
Originally posted by chort
First you need to decide exactly what you do and don't want to allow users to do. You seem very confused on that point.
I agree with Chort. Being able to describe (in (more) detail) what you want is a necessity for us to be able to come up with good solutions.

Quote:
Originally posted by iceman47
I think everybody should be using LIDS, and I'm sure the security experts will agree.
I agree in general with that remark in the sense of resource restrictions; I don't use LIDS myself though. I used to use kernel patches like OpenWall with 2.2.x and use Grsecurity with 2.4.x.
If you're running LIDS, maybe it would be a good idea to write a short LinuxAnswer about it?
 
Old 12-01-2003, 05:31 PM   #9
artistik
Member
 
Registered: Aug 2003
Location: south carolina
Distribution: Slackware 11
Posts: 60

Original Poster
Rep: Reputation: 15
I want to be able to stop users on my system... from even reading stuff like /etc/hosts.allow. I know they can't write to it... but I don't even want them to be able to see what's in any file... pretty much keep them in their /home/user directory... so if they type cd /etc or pico /etc/hosts.allow it will tell them permission denied... and yes, I'm confused... I'm still new to Linux.

Last edited by artistik; 12-01-2003 at 05:33 PM.
 
Old 12-01-2003, 06:06 PM   #10
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 69
Probably what you want is to set your users' shells to rbash (you may need to create a script to make it invoke bash -r). Like I said in my very first post, do
$ man bash
and look for information on "RESTRICTED SHELL"

Note that configuring your system this way a) is not trivial and b) will cause your users to complain about a lot of things. You'll have to do a lot of work to set it up so they can do anything useful. If you go around changing the permissions on everything to not be readable by users then there will be a lot of daemons and such that won't be able to read configuration files (if they run w/o root privileges). Also if you take this method, you're likely to miss some key files and users will be able to read them anyway because you were not thorough.

Rather than saying things like "I don't want to allow anyone out of /home" you should set reasonable goals like "don't allow users to modify system configurations" and "don't allow users to read files that could allow them to make educated attacks on my system". Then you will want to investigate lock-down scripts like Bastille or msec (if you're using Mandrake), and investigate other things like grsecurity and LIDS. There isn't one magic switch that you can flip that says "make everything secure".

By the way, if you try to dive into system hardening without understanding what you're doing or, more importantly, why, then you're in for a world of hurt. You should read up and educate yourself BEFORE you attempt to seriously modify your system. You're going to save yourself from a lot of reinstalling. An excellent starting point would be Building Internet Firewalls from O'Reilly. Building Secure Servers with Linux is another book from O'Reilly that may interest you.

The bottom line is that security doesn't come cheaply. First and foremost you must understand WHY things happen. Why does security get compromised? Why do controls fail? Why do programs misbehave? After you know these things you can understand the types of changes that you might make to a system to secure it.
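
Added example, not part of any post in this thread: a script that probes what the restricted shell described under "RESTRICTED SHELL" in man bash refuses for an ordinary user. It assumes bash is installed; the sandbox directory, its empty bin directory and sample.conf are constructed stand-ins, and probe/report are names made up for this example.

```shell
#!/bin/sh
# Added example (not from the thread): what `bash -r` blocks for an ordinary user.
BASH_BIN=$(command -v bash) || { echo "bash not found" >&2; exit 1; }

# Constructed sandbox: an empty directory used as PATH, plus a sample file
# standing in for a world-readable config file such as /etc/hosts.
SANDBOX=$(mktemp -d)
mkdir "$SANDBOX/bin"
echo "127.0.0.1 localhost" > "$SANDBOX/sample.conf"
trap 'rm -rf "$SANDBOX"' EXIT

# Run one command line in a restricted shell; print "blocked" or "allowed".
probe() {
    if PATH="$SANDBOX/bin" "$BASH_BIN" -r -c "$1" >/dev/null 2>&1; then
        echo allowed
    else
        echo blocked
    fi
}

# Print the command line next to the verdict.
report() {
    printf '%-45s %s\n' "$1" "$(probe "$1")"
}

report 'cd /etc'                                 # changing directory
report 'PATH=/bin:/usr/bin'                      # PATH is read-only
report '/bin/ls /etc'                            # command names containing /
report 'echo test > /dev/null'                   # output redirection
report "read -r line < '$SANDBOX/sample.conf'"   # builtin + input redirection
```

The last probe is allowed even with an empty PATH: the restricted shell stops cd, PATH changes, command names with a slash and output redirection, but whether a file can be read is still decided by its permissions.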
 
Old 12-01-2003, 06:16 PM   #11
artistik
Member
 
Registered: Aug 2003
Location: south carolina
Distribution: Slackware 11
Posts: 60

Original Poster
Rep: Reputation: 15
Ahh ok... guess I will just bypass that question for now... till I learn a bit more... ty.
 
Old 12-01-2003, 06:42 PM   #12
iceman47
Senior Member
 
Registered: Oct 2002
Location: Belgium
Distribution: Debian, Free/OpenBSD
Posts: 1,123

Rep: Reputation: 47
Quote:
Originally posted by unSpawn
If you're running LIDS, maybe it would be a good idea to write a short LinuxAnswer about it?
Ok, will do that tomorrow.
 
  

