I had an agreement with my ISP that he would give to our dorms Internet for free.

One of the conditions for this to happen was that I would create an account on the server to be used in case of attacks and stuff like that.

I don't want to give too much rights to the user, so I thought that inserting the user into a few groups would be the solution.

By now I found that adm would be enough (reading syslog and other logs) but I fear that this group is too much for this...


What should I do? What groups should I use?


I don't feel comfortable about some guy going through my files on the server...

Could a http interface be enough? (should apache stay in a jail?)

Please help me with this...

Maybe sudo with group adm or a gid script that reads syslog?

PS: I would really love if somebody would answer fast

One of the conditions for this to happen was that I would create an account on the server to be used in case of attacks and stuff like that.
First find out what this account user needs (tasks).

the user has to be able to see the logs and configuration files (at least for the ones concerning the internet connection - iptables, squid.conf ...)

(when I saw the notification mail, I said to myself: "well if unSpawn answered then I'm on good hands )

the user has to be able to see the logs and configuration files (at least for the ones concerning the internet connection - iptables, squid.conf ...)
View only? Doesn't need to execute emergency tasks? Then there's three ways I can imagine:
- set him/her up with an unprivileged user account and some sudo aliases. Watch out for viewers that allow a user to execute commands. OTOH, depending on how much you would trust ISP personnel (IMNSHO, not much), you could go the other way and:
- set up a simple webbased HTTPS logbrowser.
- Or only allow for (chrooted) SSH login, provide minimal binaries (Busybox) and set up a cronjob to scp logs in.

yes, only view

I run ssh on an outside interface and I don't want anybody but one user to be able to log in... how can I do that?

Actually, I want that on the chrooted environment ssh to allow only one user, and on the non chrooted environment just one user (there are more than 3 accounts on the server but some of them are accessed only from the inside)

what aliases would do?

I don't think the isp would agree...

run ssh on an outside interface and I don't want anybody but one user to be able to log in... how can I do that?
sshd_config, allowgroups directive, or PAM login, module listfile.


I want that on the chrooted environment ssh to allow only one user, and on the non chrooted environment just one user
Use a chroot shell for the chrooted user. I prefer setting it up with an app called "jail".


what aliases would do?
I don't know what your logs are. Examine syslog.conf and your running apps for the files they log to.