Linux - Security
This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
My boy has access to my linux-server, and I feel
a bit uncomfortable with the idea of him downloading
& installing stuff from friends/the net, but don't want to
completely restrict his access either.
I'd love to get a notification for files he creates/installs.
Which would be the recommended solution/way to do
that?
I would say just don't give him root/su access, if he needs to install something, he can talk to you first, then you can install it for him. It sounds like a pain, but since you have a user, you are now a sysadmin
If you are really paranoid, you could make a script that mails you the output of ls -R every night to see what files that he has installed in his home dir.
Heh ... guess I *am* really paranoid!
He's been using some tcl based MSN client the other day... and I also wouldn't want him
to install network sniffers, for instance
One can never be too paranoid! You will get a message in your syslog if he sets up a sniffer. It will look something like: kernel: eth0: Promiscuous mode enabled.
He has to be root in order to install a sniffer too!
True
Tinkster: if you have regular users they won't be able to do much at all. They can't install programs, they can't change settings. If you are paranoid you can even chroot him in a separate space and then you're safe. At most he'll be able to run an irc bot, and find some script kiddies to exploit your server, but that will just make you learn more about security.
One can download, compile and run stuff from one's home
without being root? Well, I just tried it with my normal user
account, and could ... :)
sniffit for instance will check whether you are root or not
and refuse to work if you aren't, but I tend to believe that
I could change that behaviour using emacs ....
whether the system will stop me from using the interface
directly without being root I don't know, tcpdump for instance
says tcpdump: socket: operation not permitted... :)
I don't have any other "hacker tools" at hand but am eager
to learn what is possible and what's not.
Btw Kahuna, I've been an admin for ages, both at work and
home, just never was worried about the users activities :} since
I knew they weren't technically fit/interested ;)
To deny users executing stuff in their ~/ you could move /home to a separate partition and then mount it -o noexec,nodev,nosuid :-]
If you want to be alerted you could run any script that does md5sum checking and listing of (new) files, or you could easily config an integrity checker like Aide to just check the users ~/.
IMHO chrooting would be way too much hassle for jailing human users. You'll have to provide a copy of unix tools (base tools could be replaced with busybox), but then there's /dev and /etc entries as well, and maybe you need to mount /proc for proc tools to work (ps and the likes).
Tcpdump, sniffers usually make use of libpcap, which needs some LINUX_CAPABILITIES (caps intended) to sniff the wire. On a regular system those capabilities are reserved for, and can only be used/inherited by apps started as root, same goes for like binding to ports < 1024 and network mgmnt like setting the promiscuous flag on interfaces. That's why those apps complain about uid or euid being nonzero.
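The checksum-and-list approach suggested in the post above, as an added example that is not part of the original thread. It uses sha256sum in place of md5sum; the function names, the script name and the state-file path are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: list new, changed and removed files
# under one directory by comparing checksum snapshots between runs.

# snapshot DIR: print one "checksum  ./path" line per regular file in DIR.
snapshot() {
    ( cd "$1" && find . -type f -exec sha256sum {} + )
}

# report OLD NEW: compare two snapshot files, print one line per difference.
report() {
    awk '
        { sum = substr($0, 1, 64); path = substr($0, 67) }  # keeps spaces in names
        FILENAME == ARGV[1] { old[path] = sum; next }
        { seen[path] = 1
          if (!(path in old)) print "NEW " path
          else if (old[path] != sum) print "CHANGED " path }
        END { for (p in old) if (!(p in seen)) print "REMOVED " p }
    ' "$1" "$2" | sort
}

# check_home DIR STATE: report changes since the last run, then update STATE.
# STATE (hypothetical path) must live outside DIR, writable only by root.
check_home() {
    dir=$1 state=$2
    new=$(mktemp) || return 1
    snapshot "$dir" > "$new"
    [ -f "$state" ] || : > "$state"    # first run: every file is NEW
    report "$state" "$new"
    mv "$new" "$state"
}

# Usage: homewatch.sh /home/USER /var/lib/homewatch/USER.sums
if [ "$#" -eq 2 ]; then check_home "$1" "$2"; fi
```

Run from root's crontab, any output is mailed by cron to the crontab's owner, which gives the nightly notification asked for at the top of the thread.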
Tinkster, Yes a user can install programs from his/her home directory, but the system permissions will prevent him/her from really screwing things up (Provided that your OS is all patched up).
You could not edit the code of sniffit with Emacs to sniff the network as non-root. It's not the code that allows a person to do this, but whether they have the permission to set the network device (eth0, ppp0, whatever) to promiscuous mode.
To set a net device to PROMISC requires root level access.
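The capability check described in the two posts above can be seen in the CapEff mask the kernel publishes in /proc/PID/status. The following is an added example, not code from the thread; the function names and the --audit switch are assumptions, and the bit numbers are those defined in <linux/capability.h>.

```shell
#!/bin/sh
# Added example (not from the thread): decode the effective capability mask
# the kernel reports in /proc/PID/status. Bit numbers: <linux/capability.h>.
CAP_NET_BIND_SERVICE=10   # bind to ports < 1024
CAP_NET_ADMIN=12          # interface flags, including promiscuous mode
CAP_NET_RAW=13            # raw and packet sockets, which libpcap opens

# cap_has MASK BIT: succeeds if BIT is set in the hex MASK (CapEff format).
cap_has() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# net_caps MASK: print the network capabilities present in MASK.
net_caps() {
    out=
    cap_has "$1" "$CAP_NET_BIND_SERVICE" && out="$out CAP_NET_BIND_SERVICE"
    cap_has "$1" "$CAP_NET_ADMIN" && out="$out CAP_NET_ADMIN"
    cap_has "$1" "$CAP_NET_RAW" && out="$out CAP_NET_RAW"
    echo "${out# }"
}

# status_caps FILE: print "EUID MASK" (effective uid, CapEff) from a status file.
status_caps() {
    awk '$1 == "Uid:" { u = $3 } $1 == "CapEff:" { m = $2 }
         END { if (u != "" && m != "") print u, m; else exit 1 }' "$1"
}

# nonroot_net_caps: list non-root processes holding any network capability.
nonroot_net_caps() {
    for st in /proc/[0-9]*/status; do
        line=$(status_caps "$st" 2>/dev/null) || continue   # process exited
        uid=${line% *} mask=${line#* }
        caps=$(net_caps "$mask")
        if [ "$uid" -ne 0 ] && [ -n "$caps" ]; then
            pid=${st#/proc/}
            echo "pid=${pid%/status} euid=$uid $caps"
        fi
    done
}

if [ "${1:-}" = "--audit" ]; then nonroot_net_caps; fi
```

A process started by an ordinary user normally shows an all-zero mask, so any line printed by the audit is a non-root process that has been granted network privileges and is worth a look.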
Will following the Linux-Security-Howto tighten
my server sufficiently for "internal attacks"? :}
I'm not too concerned about external attacks,
hosts.allow basically just allows the LAN to use any
server-services ... and iptables is a good enough
firewall for everyday use on a dial-up ;)
True that in order to do whatever with interfaces (ethx) you need to be root, so sniffit and others won't work. But there are a bunch of local exploits in the form of scripts, so anyone can try them.
tripwire is probably the best call, since it will efficiently monitor all fs changes
Otherwise system can be exploitable from outside if on internet 24/7, despite iptables
although, keep in mind that once tripwire detects something bad, it's too late for ya, since your system is probably compromised
ie tripwire = monitoring <> prevention or protection