LinuxQuestions.org
Old 08-20-2003, 05:22 PM   #1
KendersPlace
User and Group access restrictions?


I have read everything I can find about user and group management, but I'm still kind of unclear about a few things.

I've read many times how to use user and group add commands, but I haven't found any good explanations on how to really administer security. From the initial looks of it, Linux security isn't very flexible.

Problem 1:
I check all the executables in the /usr/sbin directory (RH 8.0), and I see that almost every command has world execute permission - even the "useradd" command itself! This means I can add a user who can also add his own users - that seems like a major security issue.

I need to add some logins for some part time techs for some very basic monitoring, but the way it looks, they basically have free rein to do anything on the system except for just a few things.


Second:
I'm apparently missing something, as the Linux group security system seems terribly unusable. In /etc/group, can you add one group to another group the same way you would add a user?

It looks like I can only assign 3 levels of permission to any directory - the user, group, and world. Well what if I have 2 different groups that need DIFFERENT levels of access to the same directory?? For example, company "owners" should have read/write to my finance directory, but account auditors should only have read access. So I have 5 owners and 15 auditors - how do I do this?

And finally - let's say I want to make all of my "sales reps" members of 5 groups. From the look of it, I have to manually add each salesperson's login to the /etc/group file for EACH group they are members of. That is just plain dumb. I should be able to hire "joebob", add him ONCE to the "salesreps" group and be done with it.

Are there any really good web references out there that clearly explain all this user/group security stuff? Anything I find explains all the command switches for "groupadd" and explains what each field in /etc/group represents and drops it at that. I need more depth.

Thanks for any help or direction!
 
Old 08-20-2003, 06:32 PM   #2
unSpawn
Problem 1:
I check all the executables (..) This means I can add a user who can also add his own users

Tried to do that as non-privileged user?

I need to add some logins (..) they basically have free rein to do anything on the system except for just a few things.
If they need root privileges, yes.
If you need to you can always try using all sorts of "fascist logging" methods :-]


Second:
Have a look at ACL (soz, ain't got the addy). In some ways it's still an underdeveloped kludge, but the parts that (seem to) work should (could would) give you access to "enhanced" group support like you need.
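
The owners/auditors case from the question, worked through as an added example that is not part of either post: a simplified Python model of the POSIX ACL access check described in acl(5), showing how one directory can give two groups different access. The group names, user names, owner and ACL contents are assumptions built from the question's scenario.

```python
# Added example: simplified model of the POSIX ACL access check (acl(5)).
# Names and ACL contents are assumptions from the question's scenario;
# nothing here touches the real filesystem.
# Roughly what it models on a filesystem with POSIX ACL support:
#   setfacl -m g:owners:rwx,g:auditors:r-x <finance directory>

R, W, X = 4, 2, 1

def parse(perms):
    """Turn 'rw-' style text into a permission bitmask."""
    return sum(bit for ch, bit in zip(perms, (R, W, X)) if ch != "-")

def check(acl, owner, owning_group, user, groups, want):
    """Return True if `user`, a member of `groups`, is granted `want`."""
    want = parse(want)
    mask = parse(acl.get("mask", "rwx"))
    # 1. The file owner is decided by user:: alone; the mask is not applied.
    if user == owner:
        return (parse(acl["user"]) & want) == want
    # 2. A named user entry is limited by the mask.
    named = acl.get("users", {})
    if user in named:
        return (parse(named[user]) & mask & want) == want
    # 3. Owning group and named groups: a single matching entry must hold
    #    every requested bit. Entries are not merged, and a failed group
    #    match does not fall through to "other".
    matched = [acl["group"]] if owning_group in groups else []
    matched += [p for g, p in acl.get("groups", {}).items() if g in groups]
    if matched:
        return any((parse(p) & mask & want) == want for p in matched)
    # 4. Everyone else gets the other:: entry.
    return (parse(acl["other"]) & want) == want

# Constructed ACL for the finance directory described in the question.
FINANCE = {
    "user": "rwx", "group": "---", "other": "---", "mask": "rwx",
    "groups": {"owners": "rwx", "auditors": "r-x"},
}

def finance(user, groups, want, acl=FINANCE):
    """Check access to the finance directory (assumed owned by root:root)."""
    return check(acl, "root", "root", user, groups, want)

if __name__ == "__main__":
    people = (("alice", {"owners"}), ("bob", {"auditors"}), ("eve", {"staff"}))
    for who, grp in people:
        print(who, "read:", finance(who, grp, "r-x"),
              "write:", finance(who, grp, "-w-"))
```

Tightening the mask entry (for example to `r-x`) removes write access from every named group at once without editing the individual group entries.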
 
  

