LinuxQuestions.org
02-03-2002, 09:07 PM   #1
jpc82
Member
 
Registered: Oct 2001
Distribution: Gentoo
Posts: 140

Rep: Reputation: 15
user Restrictions


I've recently started using Linux more and more, and now I have two Linux boxes in my house.

My one project at the moment is getting my family onto the network. So what I want to do is create a user that only has access to their home folder. I don't want them to be able to get into any of the other folders in the root dir except home.

This is how the network will be set up:

root = full access obviously

Jay = my regular user account

Jackie = gf regular user account

Family = restricted access to only home folder

BTW, I'm running RH7.2
 
02-04-2002, 01:35 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
You'll have to ask yourself *why* you would want to restrict users to /home, because the stuff in other dirs usually is owned by root (and/or other privileged accounts), which regular users can't mess with.

In general there are 2 options, both with their own cons/pros.
1. You could restrict a user to its own homedir by either letting it use a chrooted env, or use a restricted bash shell.
The restricted bash shell you definitely do not want, because it'll keep 'em busy in their ~/, but won't even allow dir traversal into subdirs :-]
The chroot option restricts them to their ~/, with full movement, but you will need to create a full environment (/bin, /dev, etc) for *each* user. To save disk space and sanity when I need a solution like this I use rootjail, which will set you up with a bare skeleton, copying all necessary parts to the chrootdir, and busybox as an all-in-one solution for replacing necessary binaries, it's one compact package.

2. You could assure yourself regular users can't work in other dirs by either mounting them on separate (-o ro) partitions, (BSD does this by defining slices at install time, dunno why Linux doesn't promote this behaviour...) or at least chattr +iu your binaries, configs etc, etc.

*Also look into PAM's user restrictions in /etc/security for defining login (times, places, hogging memory, max processes per user, etc etc).
**If you're going for option 2 at least patch your kernel with GRSecurity or LIDS, which in the case of GRS takes away capabilities from regular users, and in the case of LIDS even those of root. GRS is easier, LIDS has more restrictive settings, but in both cases they shield off processes from users.

Last edited by unSpawn; 02-04-2002 at 01:39 AM.
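
The point in the reply above, that directories outside /home are normally root-owned and not writable by regular users, can be checked rather than assumed. The script below is an added example and not part of either post; the function names `world_writable` and `open_homes` and the paths in the usage line are assumptions made for illustration.

```sh
#!/bin/sh
# Added example (not from the thread): audit what an unprivileged account
# could modify or browse outside its own home directory.
# Function names and the example paths in the usage line are assumptions.

# Print directories and regular files under the given roots that any local
# user may write to. Sticky-bit directories (such as /tmp) are skipped,
# since users there can only remove or rename entries they own.
world_writable() {
    find "$@" -xdev \( \
        \( -type d -perm -0002 ! -perm -1000 \) -o \
        \( -type f -perm -0002 \) \
    \) -print 2>/dev/null | sort
}

# Print home directories directly under $1 that grant any permission bit
# to "other", i.e. that a different local account could list or enter.
open_homes() {
    find "$1" -mindepth 1 -maxdepth 1 -type d \
        \( -perm -0001 -o -perm -0002 -o -perm -0004 \) -print 2>/dev/null | sort
}

# Usage: sh audit.sh HOME_PARENT SYSTEM_DIR...
# e.g.   sh audit.sh /home /bin /sbin /etc /usr /var
if [ "$#" -ge 2 ]; then
    home_parent=$1
    shift
    echo "World-writable paths without sticky-bit protection:"
    world_writable "$@"
    echo "Home directories open to other accounts:"
    open_homes "$home_parent"
fi
```

An empty first list means the restricted account has nothing to alter in the system directories; a home directory that shows up in the second list can be closed to other accounts with `chmod 700`.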
 
  

