making secure limitations for non-root users

Jim Kutsch jimkutsch at yahoo.com
Sat Sep 20 17:40:33 EDT 2008


In the 1980s, I had a Unix system  connected to a ham radio via packet radio 
interface hardware.  I was using it myself but wanted the users via radio to 
run email and Netnews and be isolated from the rest of the system where I 
kept my stuff.  I set up a chroot environment in which users had a very 
little piece of the entire system.  It required only an amazingly few things 
to be available in the root of the chroot directory.  If I remember 
correctly, I had to have /etc/passwd, /etc/group, /etc/getty, a few things 
in /bin and /usr/bin, and the software I allowed these remote users to 
access.  There was even a login called "newuser" with no password that ran a 
customized add user script so a user could create his/her own account.

Since you are learning Linux, I'd recommend you go explore chroot and start 
thinking about how very little you really need in the isolated environment.

Have fun.

Jim


----- Original Message ----- 
From: "Tyler Littlefield" <tyler at tysdomain.com>
To: "Speakup is a screen review system for Linux." <speakup at braille.uwo.ca>
Sent: Friday, September 19, 2008 5:40 PM
Subject: Re: making secure limitations for non-root users


I'll dig around for that kernel patch.
Like, limiting them to viewing home dirs, other people's dirs. I can do
chmod a-r /home, and then chmod o-rx /home/user, but would there be anything
else I'd need to limit for security reasons? I'd not like to scrue up perms
on logs, but would rather not them see /var/log.


Thanks,
_|_|_|_|_|  _|        _|_|_|_|
    _|      _|_|_|    _|          _|_|_|
    _|      _|    _|  _|_|_|    _|
    _|      _|    _|  _|        _|
    _|      _|    _|  _|_|_|_|    _|_|_|
Visit TDS for quality software and website production
http://tysdomain.com
msn: tyler at tysdomain.com
aim: st8amnd2005
skype: st8amnd127
----- Original Message ----- 
From: "Gregory Nowak" <greg at romuald.net.eu.org>
To: "Speakup is a screen review system for Linux." <speakup at braille.uwo.ca>
Sent: Friday, September 19, 2008 3:38 PM
Subject: Re: making secure limitations for non-root users


> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Tom has already told you what the best approach would be. However, let
> me try to specifically answer your questions.
>
> On Thu, Sep 18, 2008 at 12:39:40PM -0600, Tyler Littlefield wrote:
>> I would, however like to limit them in disk space (I can figure that
> one out),
>
> Ok.
>
>> in port usage (not sure how to do this one, would like to limit what
> ports they can open),
>
> The only thing I can think of for that is the obvious, a
> firewall. However, that would apply to everyone on the system. There
> is something called owner match support, when you're configuring the
> firewall stuff in the kernel, however, I'm not sure if that does what
> it actually suggests, or something else. Sorry, that's all I can tell
> you there, maybe a firewall howto somewhere would tell you more.
>
>> programs they can run,
>
> The best way I can think of to do that, is to create a group on your
> system, where all the binaries you want users to access are a part of
> that group. Then, add the users you want to be able to access those
> binaries to that group as well, and leave the rest binaries/users
> out. On my debian system, there is a group called bin, but most of my
> binaries are in root's group. I'm not sure if the bin group is
> reserved for something else, or if it is there for what its name
> suggests, and it's up to the system admin to use it as he/she wishes.
>
>> and also what they can view on the system.
>
> You need to be more specific. What do you want them to be able to
> view, man pages, text files, contents of specific directories, what?
>
> Greg
>
>
> - --
> web site: http://www.romuald.net.eu.org
> gpg public key: http://www.romuald.net.eu.org/pubkey.asc
> skype: gregn1
> (authorization required, add me to your contacts list first)
>
> - --
> Free domains: http://www.eu.org/ or mail dns-manager at EU.org
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.9 (GNU/Linux)
>
> iEYEARECAAYFAkjUG8gACgkQ7s9z/XlyUyDY8QCeMyiUbYUWG+XeixZqmeq2vnxW
> zckAoLvhv/znPYpTPB1hr6BxFVZl81/r
> =+v8G
> -----END PGP SIGNATURE-----
> _______________________________________________
> Speakup mailing list
> Speakup at braille.uwo.ca
> http://speech.braille.uwo.ca/mailman/listinfo/speakup
>
> __________ NOD32 3457 (20080919) Information __________
>
> This message was checked by NOD32 antivirus system.
> http://www.eset.com
>
>

_______________________________________________
Speakup mailing list
Speakup at braille.uwo.ca
http://speech.braille.uwo.ca/mailman/listinfo/speakup 




More information about the Speakup mailing list