I have asked some hardcore Linux users about limiting the shell; although some find it interesting, others just laugh at me and STARE at me like a Junior High Student.
Well anyway, does anyone know how I can limit my Fedora Core 2 box to a single shell? Because I figured, if my box will allow only 1 shell and the only shell is being used by the localhost, an intruder will have a difficult time getting access.
Kindly help!
__________________________________________
man is our friend my friend!
I think you're jumping ahead to the solution stage without really understanding (or at least explaining) the problem you are trying to solve.
Linux has something called "single user mode" which does what you say, but almost certainly isn't what you want. If you want to prevent anyone logging into the box over the network, there are better ways to do it.
If you can explain what you are trying to achieve, I think more help may be forthcoming.
I understand the single user mode (runlevel 1), but I want only 1 or 2 bash shells. Because my THEORY (don't know if it is STUPID or what) is:
If there is only 1 bash shell available and it is already being used by the local administrator (meaning no more SHELLS available), it would be very difficult to hack that box. Because even if the hacker has the ROOT password, it is useless because he will never get a shell.
I hope you understand what I'm trying to say.
Again, thank you for your kind reply.
_______________________________________
man is our friend my friend!
Yes, you have a point. If there is only one shell, nobody else would be able to use the computer while you're on it. But that also means that the 'mail' user isn't going to be able to function, or the 'pop' user. 'mysql' won't be able to log in. 'http' won't be able to serve requests, etc. And what happens when your X server freezes and you want to Ctrl+Alt+F2 so you can log in and kill it? Your login will be denied. Then you have to reboot.
Linux is a multiuser environment; I think that is one of the things many people find most appealing about it.
However, your idea does have some practical uses in certain scenarios. If somebody wanted to use a Linux box as a web browsing kiosk, without serving anything else that would require a user, it would make sense to block it to only one user.
It's an interesting idea, but I can imagine it would be hard to implement it (I'm assuming it would have to be written into the kernel), and for the few people that would use it, I don't think it would be worth the effort.
Originally posted by paeng16:
thanks for your reply.
I understand the single user mode (runlevel 1), but I want only 1 or 2 bash shells. Because my THEORY (don't know if it is STUPID or what) is:
If there is only 1 bash shell available and it is already being used by the local administrator (meaning no more SHELLS available), it would be very difficult to hack that box. Because even if the hacker has the ROOT password, it is useless because he will never get a shell.
I hope you understand what I'm trying to say.
I do understand. It is an interesting idea, but if your objective is to secure a computer there are better ways to do it.
For example :
If you want to allow people to log on remotely but only have one person at a time, part of the logon script could check the number of people currently logged on and kill the session if there was already someone there.
You could also have something where the login script creates an /etc/nologin file to prevent anyone else logging in; then logging out removes it again (but you'd need to log in as root at the console if the box crashed or the session was killed uncleanly).
If you only want a local administrator to log on, why not just have no remote logon methods (e.g. don't run sshd or telnetd) or, even simpler, just put ALL:ALL in /etc/tcp.deny and leave tcp.allow empty?
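The login-script session check and the /etc/nologin lock suggested in the post above, sketched as an added example that is not part of the original thread. The function names, the `NOLOGIN_FILE` variable and the sample `who` output are hypothetical and constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Function names and NOLOGIN_FILE are
# hypothetical; SAMPLE_WHO is constructed `who` output.

# Path is overridable so the functions can be tried without touching /etc.
NOLOGIN_FILE=${NOLOGIN_FILE:-/etc/nologin}

# Count sessions in `who`-format text on stdin, skipping our own tty ($1).
# The new login's own utmp entry already exists when the script runs, so it
# must not be counted against itself.
count_other_sessions() {
    awk -v own="$1" 'NF >= 2 && $2 != own { n++ } END { print n + 0 }'
}

# Return 0 (allow) if at most $2 other sessions exist (default 0), else 1.
session_gate() {
    others=$(count_other_sessions "$1")
    [ "$others" -le "${2:-0}" ]
}

# /etc/nologin variant: while the file exists, non-root logins are refused
# and its contents are shown to the user who was turned away.
# Writing the real file requires root.
lock_logins()   { printf 'In use by %s, try later.\n' "$1" > "$NOLOGIN_FILE"; }
unlock_logins() { rm -f "$NOLOGIN_FILE"; }

SAMPLE_WHO='admin    tty1         2004-08-01 09:12
admin    pts/0        2004-08-01 09:15 (192.0.2.10)'

# Demo on the constructed sample: a new login on pts/1 sees two others.
if printf '%s\n' "$SAMPLE_WHO" | session_gate pts/1; then
    echo "pts/1: allowed"
else
    echo "pts/1: refused, another session is active"
fi

# In a real login script (assumed here to be sourced from /etc/profile):
#   who | session_gate "$(tty | sed 's|^/dev/||')" || exit 1
#   lock_logins "$USER"; trap unlock_logins EXIT
```

A check in a login script only covers logins that actually run that script; `pam_limits` with a `maxlogins` entry in /etc/security/limits.conf applies a per-user session cap in the PAM session stack instead. For the deny-all option, TCP wrappers reads /etc/hosts.deny and /etc/hosts.allow.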