On Sunday 18 January 2009 00:09:31 Grant wrote:
> I have some users on a system and some services. How can I make sure
> only certain users can log into certain services? Do I need to
> explicitly define which users can log into each service? Are there
> different types of users so that some can only log into certain
> services?
>
> For example, I know any user that has their shell set to /bin/nologin
> can't log into a shell. How can I check on users' shell settings?
>
> - Grant
|
To do this you configure each service separately (there is no central
registry-type thing for this). You don't say what "services" you are
interested in, so I have to make some assumptions.
|
apache, samba, ftp servers, all have their own authentication methods. You
have to research what methods they provide, and choose which is most
appropriate. For instance, Samba can auth against kerberos/ldap or using a
local smbpasswd file. For a specific user to be able to access something via
samba, you ensure they have an entry in AD or a line in smbpasswd.
|
For more simple local services, you can use user and group permissions. I have
to restrict cron and wget at work, I find the easiest way is to:
    chown root:trusted /usr/bin/wget
    chown root:trusted /usr/bin/crontab
users authorized to use wget/cron must then be put in the trusted group.
|
cron has its cron.allow and cron.deny files that you can also use.
|
sshd has config options to limit who can do what in sshd_config.
|
If you post back with more specifics about what you want to achieve, we can
assist you better.
|
|
--
alan dot mckinnon at gmail dot com
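
Added example, not part of the original message: a POSIX shell audit for the quoted question about checking users' shell settings, plus a check that a binary assigned to a group (as with the chown commands in the reply) also carries no permission bits for other users. It assumes a stat that supports -c (GNU coreutils or BusyBox); the function names are hypothetical and the passwd entries are constructed sample data.

```shell
#!/bin/sh
# Added example. Function names are hypothetical; sample data is constructed.

# Print "user shell status" for every account in a passwd-format file.
# An empty shell field means /bin/sh; nologin and false deny a shell login.
shell_report() {
    awk -F: '
        /^#/ || NF < 7 { next }
        {
            sh = ($7 == "") ? "/bin/sh" : $7
            st = (sh ~ /\/(nologin|false)$/) ? "nologin" : "login"
            print $1, sh, st
        }' "$1"
}

# Names of the accounts that can still obtain an interactive shell.
login_users() {
    shell_report "$1" | awk '$3 == "login" { print $1 }'
}

# Return 0 only if FILE has group GROUP and no permission bits for "other".
# Assumes a stat that supports -c (GNU coreutils or BusyBox).
group_restricted() {
    owner_group=$(stat -c '%G' "$1") || return 2
    mode=$(stat -c '%a' "$1") || return 2
    [ "$owner_group" = "$2" ] || return 1
    case $mode in
        *0) return 0 ;;   # last octal digit is the "other" permission set
        *)  return 1 ;;
    esac
}

# Constructed sample input; on a real system pass /etc/passwd instead.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
root:x:0:0:root:/root:/bin/bash
grant:x:1000:1000::/home/grant:/bin/bash
ftp:x:21:21::/home/ftp:/bin/nologin
apache:x:81:81::/var/www:/bin/false
EOF
shell_report "$SAMPLE"

# Report on the two binaries named in the message, if they exist here.
for f in /usr/bin/wget /usr/bin/crontab; do
    [ -e "$f" ] || continue
    if group_restricted "$f" trusted; then echo "$f: restricted to trusted"
    else echo "$f: NOT restricted to trusted"; fi
done
```

A non-login shell only blocks shell logins; services with their own authentication still have to be restricted in their own configuration.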