LinuxQuestions.org
Welcome to the most active Linux Forum on the web.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 05-14-2004, 10:09 AM   #1
pe2338
Member
 
Registered: Dec 2002
Location: Bucharest,RO
Distribution: debian etch, sarge and sid
Posts: 407

Rep: Reputation: 30
groups for a monitor user


I had an agreement with my ISP that he would give to our dorms Internet for free.

One of the conditions for this to happen was that I would create an account on the server to be used in case of attacks and stuff like that.

I don't want to give too much rights to the user, so I thought that inserting the user into a few groups would be the solution.

By now I found that adm would be enough (reading syslog and other logs) but I fear that this group is too much for this...


What should I do? What groups should I use?


I don't feel comfortable about some guy going through my files on the server...

Could a http interface be enough? (should apache stay in a jail?)

Please help me with this...

Maybe sudo with group adm or a gid script that reads syslog?

PS: I would really love if somebody would answer fast
 
Old 05-15-2004, 05:12 PM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,394
Blog Entries: 55

Rep: Reputation: 3565Reputation: 3565Reputation: 3565Reputation: 3565Reputation: 3565Reputation: 3565Reputation: 3565Reputation: 3565Reputation: 3565Reputation: 3565Reputation: 3565
One of the conditions for this to happen was that I would create an account on the server to be used in case of attacks and stuff like that.
First find out what this account user needs (tasks).
 
Old 05-15-2004, 08:56 PM   #3
pe2338
Member
 
Registered: Dec 2002
Location: Bucharest,RO
Distribution: debian etch, sarge and sid
Posts: 407

Original Poster
Rep: Reputation: 30
the user has to be able to see the logs and configuration files (at least for the ones concerning the internet connection - iptables, squid.conf ...)

(when I saw the notification mail, I said to myself: "well if unSpawn answered then I'm on good hands )

Last edited by pe2338; 05-15-2004 at 09:00 PM.
 
Old 05-16-2004, 05:34 AM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,394
Blog Entries: 55

Rep: Reputation: 3565Reputation: 3565Reputation: 3565Reputation: 3565Reputation: 3565Reputation: 3565Reputation: 3565Reputation: 3565Reputation: 3565Reputation: 3565Reputation: 3565
the user has to be able to see the logs and configuration files (at least for the ones concerning the internet connection - iptables, squid.conf ...)
View only? Doesn't need to execute emergency tasks? Then there's three ways I can imagine:
- set him/her up with an unprivileged user account and some sudo aliases. Watch out for viewers that allow a user to execute commands. OTOH, depending on how much you would trust ISP personnel (IMNSHO, not much), you could go the other way and:
- set up a simple webbased HTTPS logbrowser.
- Or only allow for (chrooted) SSH login, provide minimal binaries (Busybox) and set up a cronjob to scp logs in.
 
Old 05-16-2004, 08:21 AM   #5
pe2338
Member
 
Registered: Dec 2002
Location: Bucharest,RO
Distribution: debian etch, sarge and sid
Posts: 407

Original Poster
Rep: Reputation: 30
yes, only view

Quote:
- set him/her up with an unprivileged user account and some sudo aliases.
[....]
Or only allow for (chrooted) SSH login, provide minimal binaries (Busybox) and set up a cronjob to scp logs in.
I run ssh on an outside interface and I don't want anybody but one user to be able to log in... how can I do that?

Actually, I want that on the chrooted environment ssh to allow only one user, and on the non chrooted environment just one user (there are more than 3 accounts on the server but some of them are accessed only from the inside)

what aliases would do?

Quote:
- set up a simple webbased HTTPS logbrowser.
I don't think the isp would agree...
 
Old 05-18-2004, 02:37 AM   #6
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,394
Blog Entries: 55

Rep: Reputation: 3565Reputation: 3565Reputation: 3565Reputation: 3565Reputation: 3565Reputation: 3565Reputation: 3565Reputation: 3565Reputation: 3565Reputation: 3565Reputation: 3565
run ssh on an outside interface and I don't want anybody but one user to be able to log in... how can I do that?
sshd_config, allowgroups directive, or PAM login, module listfile.


I want that on the chrooted environment ssh to allow only one user, and on the non chrooted environment just one user
Use a chroot shell for the chrooted user. I prefer setting it up with an app called "jail".


what aliases would do?
I don't know what your logs are. Examine syslog.conf and your running apps for the files they log to.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
UK Linux User Groups floppywhopper Linux User Groups (LUG) 0 04-14-2005 09:20 PM
user groups technochef Linux - General 2 10-31-2004 05:00 PM
one user 2 groups alaios Linux - General 5 10-20-2004 08:33 AM
Linux User Groups? gsmonk Linux - General 1 09-01-2003 05:20 PM
a user can be in two groups? joeslazenger Linux - Newbie 2 08-13-2002 02:12 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 01:13 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration