Old 05-03-2011, 05:05 PM   #1
netfreighter
LQ Newbie
 
Registered: Dec 2008
Posts: 4

Rep: Reputation: 0
Linux User Access Restrictions to Network, USB ports, PCMCIA, CDROM


How to create a user account on a Linux desktop machine with restrictions on connecting to the LAN, WAN, PCMCIA ports, Firewire, CDROM and generally any user controllable output options?

I have the task to set up a machine for users working with sensitive data that should not be leaving the machine where it is processed.

This means disabling access to the ethernet device, lan, all other ports as mentioned earlier, and any other way of leaking the data.

In Mac OSX this was achieved using "Parental controls" from the System preferences; this even allows a selection of the applications that can be used. Under XP, Device Manager offers the option to click various devices and "Disable" them, which worked so far just fine. Some will point out that the latter mentioned OS may be easy to circumvent the security of in other ways, but that has been mitigated with other measures and it's not the point anyway. For the operator users in question, the aforementioned measure proved successful and worked.
Using OSX and XP to do this was a 10-15 minutes job with testing included.


So far all guides and tutorials pointed to useradd, groups and facl, but in actual practical terms did not help at all, in fact most of the research did not render any practical results so far. I surely don't expect to point and click, and would gladly run a set of commands from CLI. If I had them.

I really would like to achieve the same restricted user account configuration in a concise, comprehensive and practical manner under Linux too. Preferably tested on humans before, and known to be working, of course...
The machines that need to be set up are two laptops running Ubuntu.

So how can this be accomplished in Linux?
 
Old 05-03-2011, 06:20 PM   #2
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Ubuntu 10.10, Slackware 64-current
Posts: 2,124

Rep: Reputation: 776
My initial thought on this would be to take advantage of the Linux concept that everything is a file. In other words, all of the devices you mentioned are accessed through file operations on the 'file' located in the /dev directory. Couple this with the Linux permissions, owner, group, others, and make the user part of a group that does not have permission to access these devices and leave 'others' off. You may even be able to flip that around and make the user part of a group and set the group permissions to none. If that works, it may have less impact on the system as a whole.
 
Old 05-04-2011, 04:15 PM   #3
netfreighter
LQ Newbie
 
Registered: Dec 2008
Posts: 4

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by Noway2
My initial thought on this would be to take advantage of the Linux concept that everything is a file. In other words, all of the devices you mentioned are accessed through file operations on the 'file' located in the /dev directory. Couple this with the Linux permissions, owner, group, others, and make the user part of a group that does not have permission to access these devices and leave 'others' off. You may even be able to flip that around and make the user part of a group and set the group permissions to none. If that works, it may have less impact on the system as a whole.
One or two examples maybe? How to disable USB for one user?
thanks
 
Old 05-05-2011, 04:33 AM   #4
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Ubuntu 10.10, Slackware 64-current
Posts: 2,124

Rep: Reputation: 776
I looked at the permissions on the system that I am using for /dev and it looks like these files are owned by root with no group or user permissions already. These 'files' are then accessible only with root privilege and via kernel space such as by a driver module. This may work to your advantage. In fact, I inserted a USB stick and while logged in as a user, was unable to mount the device to access it. If I switched to root access, I was able to mount it successfully, however. This is because by default, only root can mount a device **UNLESS** it is already listed in your /etc/fstab. From that perspective, the default Linux hardware permissions will prevent your users from being able to mount media and this is in line with your purpose.

In regards to the network, again, it will require root access to configure a network. If you don't configure the network and don't provide root access, they won't be able to configure one. You will need to turn off DHCP otherwise if they plug into a wired network it may configure automatically. One way to do this would be to turn off the init scripts in /etc/rc.d. This way they would need root privilege in order to execute them and start up networking.

What is likely working against you is the fact that you are using Ubuntu. Unfortunately for you, Ubuntu was designed to be user friendly and oriented towards beginners. Consequently, many things like auto mounting of media have already been configured to work and assumes that this is what a user would want. Additionally, Ubuntu is designed such that the root account is locked and the primary user has sudo privilege using their normal login password. You can undo this and unlock the root account, take away the sudo privilege, etc as it is still Linux underneath, but it will be more work on Ubuntu than a more conventional distribution.

One thing to watch out for, if you look in /etc/group, you will see a lot of hardware groups. It is possible that the user has been automatically added to these groups to implement the Ubuntu design. Similarly, things could be defined in files, like /etc/fstab, and /etc/inittab that could be pre-configured to make things work.

One final word of caution here. As I think through these things, I am constantly reminded of the very wise philosophy that "physical access equals root access" and this is something you need to SERIOUSLY consider. This means that with physical access to the machine, there are ways around what you are trying to accomplish. For example, use a live-cd on boot up. Have you disabled that? No problem, open the case, and wipe the bios of any passwords, etc.
 
1 members found this post helpful.
Old 05-05-2011, 11:38 PM   #5
netfreighter
LQ Newbie
 
Registered: Dec 2008
Posts: 4

Original Poster
Rep: Reputation: 0
Thanks for the advice.

This particular flavour of Ubuntu indeed is an impediment; whatever I tried so far, the regular user still has access to ethernet by just plugging in the cable to a DHCP LAN.
I would consider installing Debian instead, if I had a command set to test beforehand and make sure the task can be accomplished before changing the installed distro.

Time is running out however, so eventually Windows licences may be obtained instead. One machine already has the COA for XP and may soon be a goner.
All the advice is very sensible, however in this case a list of steps that are immediately actionable would be needed.

From the BIOS everything that could be disabled has already been disabled. Not all BIOS provide sufficient refinements, unfortunately. Some consumer laptops are far less capable than the cheapest wristwatch.
 
Old 05-06-2011, 05:14 AM   #6
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Ubuntu 10.10, Slackware 64-current
Posts: 2,124

Rep: Reputation: 776
I think the list of actionable items may be quite small, provided you use a conventional Linux distribution, which using Debian would be a good move. Once you have a basic Debian installed the following is what I would check for:
1) make sure that the only things listed in /etc/fstab are the hard drive media, like your main partitions and the swap space
2) create a basic user, after you have the system up and running. Don't do this as part of the install process. You will want this user to be in a group by themselves
3) in your /etc/init.d/ you will need to turn off the networking. I am not 100% certain what the correct method to do this in Debian is, but from the init script itself: http://www.debian.org/doc/debian-policy/#contents this link should tell you. If nothing else, use chmod -x on this file to stop it from executing. This will keep networking off.

At this point, the user should NOT be able to mount any media or get a connection with a network cable plugged in. Do not add this user to the sudoers list and do not give them the root password. They will not be able to change permissions on anything they do not own, they will not be able to execute system scripts, they will not be able to start or stop services, mount hardware, etc.

If you find that any sort of media still appears in a place like /media/cdrom0 when inserted and want an extra layer of caution, make the /media folder owned by root and set the permissions to 700 instead of the default 755.

Try the above, see where that gets you, and if you have issues, let's see if we can target them with specifics.
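
An audit of the conditions discussed in posts #4 and #6 (fstab entries, hardware group membership, /media permissions), added here as an example and not written by any poster in the thread. The function names and the list of group names to flag are assumptions for illustration; the fstab and group file paths are parameters so the checks can be run against copies.

```shell
#!/bin/sh
# Added example (not from the thread): audit the conditions listed above.
# Function names and the group watch list are assumptions for illustration.

# fstab entries that a non-root user may mount: mount(8) allows this only
# when the options field contains user, users, owner or group.
user_mountable() {  # $1 = path to an fstab file
    awk '$1 !~ /^#/ && NF >= 4 {
        n = split($4, opt, ",")
        for (i = 1; i <= n; i++)
            if (opt[i] ~ /^(user|users|owner|group)$/) { print $1, $2; break }
    }' "$1"
}

# Groups that list the user as a supplementary member (field 4 of the group
# file). The primary group from /etc/passwd is not covered here.
groups_of() {  # $1 = path to a group file, $2 = user name
    awk -F: -v u="$2" '{
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] == u) { print $1; break }
    }' "$1"
}

# Subset of those groups that commonly grant device, network or admin access
# on Debian/Ubuntu (assumed watch list; adjust to the local /etc/group).
risky_groups() {  # $1 = path to a group file, $2 = user name
    groups_of "$1" "$2" | grep -E -x 'plugdev|cdrom|floppy|netdev|dialout|sudo|admin' || :
}

# Permission string of a directory, e.g. drwx------ for mode 700.
dir_perms() {  # $1 = directory
    ls -ld "$1" | cut -c1-10
}

audit() {  # $1 = user name; reads the live system files
    echo "fstab entries mountable without root:"; user_mountable /etc/fstab
    echo "device/admin groups containing $1:";    risky_groups /etc/group "$1"
    echo "/media is $(dir_perms /media), owner $(ls -ld /media | awk '{print $3}')"
}

# Run as: sh audit.sh USERNAME
if [ -n "${1:-}" ]; then audit "$1"; fi
```

Empty output from the first two checks, together with a root-owned `drwx------` on /media, matches the state post #6 aims for.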
 
Old 05-06-2011, 08:29 AM   #7
nomb
Member
 
Registered: Jan 2006
Distribution: Debian Testing
Posts: 675

Rep: Reputation: 58
I'm on Debian but I would use udev rules instead of changing the devices directly.
 
  

