LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Security (https://www.linuxquestions.org/questions/linux-security-4/)
-   -   Commands to dissalow regular users to execute (https://www.linuxquestions.org/questions/linux-security-4/commands-to-dissalow-regular-users-to-execute-526042/)

huxflux 02-06-2007 07:49 AM
Commands to dissalow regular users to execute
 
Hello!

I have to install Kubuntu on several PCs at work and I was wondering which commands not to allow users to execute to increase security as high as possible. I've removed the user they will login with from the root group and now i want to remove the executable flag from group and other for some executables. I hope you'll tell me some executables as well.

So far, I've denied access to: ssh, telnet, scp, nmap, ping, tranceroute. Anything else?

Thanks.

J_Szucs 02-06-2007 07:53 AM
gcc, if any.
Plus some recommends to mount /tmp so that no files can be executed from there. But it must be thoroughly tested to make sure that it does not affect any used service adversely...

bhaslinux 02-07-2007 02:46 AM
AFA the security of commands is concerned, allowing a user to be user _alone_ will always protect a system. No other person _except_ root can do harm to a running server with improper commands. So just remove the root access to them and things must settle down. Now, if you are not able to remove root access to them, then it is very difficult to manage !

For any mount point where you do not want people to execute (AFA ext3 is concerned) , in fstab or during mounting add the option noexec (see man mount)

unSpawn 02-07-2007 06:10 AM
@OP: I have to install Kubuntu on several PCs at work and I was wondering which commands not to allow users to execute to increase security as high as possible.
What you're talking about is called hardening. Since .*buntu is based off Debian you're in luck. Debian provides a good Security HOWTO. Accidentally (or not) the (co)author also is (co)maintainer of the auditing application called Tiger. Now I don't have any idea about your situation, so IMHO answering this should start with some questions.
What is the purpose of these machines?
Who uses the machines?
Are they accessable from outside your local network?
What (publicly) accessable services do they run?
Why Kubuntu? (That's not a distro war question, OK)



@bhaslinux:
No other person _except_ root can do harm to a running server with improper commands.
Define "improper"?
How does getting privileged access by exploiting vulnerable applications fit in your picture?
And how about situations where you don't even need root account privileges to abuse the server?


So just remove the root access to them and things must settle down.
As far as I know GNU/Linux is no Plan9, so what do you *exactly* mean by "just remove the root access"?

Lotharster 02-07-2007 09:23 AM
Quote:
Originally Posted by J_Szucs
Plus some recommends to mount /tmp so that no files can be executed from there. But it must be thoroughly tested to make sure that it does not affect any used service adversely...
I tried exactly that with Kubuntu 6.06, and it lead to some kind of error whenever I used "apt-get install".


All times are GMT -5. The time now is 01:08 PM.