Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
Hello, I am a windows network admin and new to Linux. I have been given the task of setting up Fedora Core 1 workstations in a public environment. So far I have installed Fedora Core 1 and setup a user other than the root. I would like this user to only be able to run the programs on the machine and access the internet. I need to restrict this user from changing any and all preferences on the machine. Also, I would like to prevent the user from accessing anything on the machine where they could do harm (for instance restricting the terminal and denying them access to program files). In windows I am able to control this using group policies. I would appreciate a step-by-step process (since I am new to Linux) on how I can achieve this. Any help would be greatly appreciated. Thanks!
plenty of ways, theirs group policies in linux to (m$ stole the idea from UNIX to begin with ... like so many other things)
or you could use RSBAC for more control (and more hardace)
owell, again here it is... the only config files the user can manipulate will be his own, if you are dead serious about them not editing these (which is impossible, a lot of programs require to write to these just for them to work)
also, no user (on any sane distro) can install (this also means uninstall) any programs, or even edit any system files (they can still trash there own, but you can set it up so that every time a user logs in, every file he owns is deleted, and copy the contents from another "safe" directory over to the users making the files nice and clean).. tho you really cant prevent users from running other programs, ... ok, you can, but its hard work (points to the group stuff) you'll have to change, and set those up, and add the changes to a startup script so that each time the system boots the selected programs get there permissions changed so only someone like the almighty root user can use them (needs to be placed in startup scripts so that if you update the programs, a simple reboot will "fix' the updates into your twisted computer
when you compile the kernel, be sure to include grsec patch's, and restrict the /proc system (grsec patch's allow this) so users can see what other users are doing, or see what the network is doing (they can still use it, just not see things like who is using it) ..... also make sure you have trusted path execution enabled, to prevent people from running programs you don't want them running
and its sad to say, there really is no step by step guide, the best way to learn is to just dive in and hope you can learn to swim before you drown ....... so, go dive in
Wow, OK - How do I get rid of the preferences folder (under the redhat) for the user I create? Also how do I restrict the terminal so they can not do too much in it? Thanks for your help!
i guess you could always try to restrict access to bash (and any other shells) to root ..... that would prevent any access thru the terminals, or use of terminal's .............. it might also tho break lots of programs, and prevent users from logging on in graphical mode (or in text mode)
...... but would be kinda pointless as it would only make it harder to mess up your system (if they wanted) but no were near impossible...
still, its not recommended as most people couldn't do anything in Linuxes command line anyway, and for those that can, theres really no point in restricting there access since they wouldn't be able to do anything all that harmful (delete there files or corrupt there file on purpose is about as much harm they can do if you set your system up right) ........ but if you are really worried about it, then don't install development tools (compilers, debuggers, etc) as then they cant compile or make there own hacks on your system ... also don't install emacs or vi (you can leave ed , as if someone wanted to, they could use cat (a very important command, needed just to run a system) to simulate ed ) also leave out any text editors that you don't want (except ed, ok well , you might be able to get away with deleting it, but its so unusable as a text editor that you might as well leave it)
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.