| 1 |
On Sunday 18 January 2009 00:09:31 Grant wrote: |
| 2 |
> I have some users on a system and some services. How can I make sure |
| 3 |
> only certain users can log into certain services? Do I need to |
| 4 |
> explicitly define which users can log into each service? Are there |
| 5 |
> different types of users so that some can only log into certain |
| 6 |
> services? |
| 7 |
> |
| 8 |
> For example, I know any user that has their shell set to /bin/nologin |
| 9 |
> can't log into a shell. How can I check on users' shell settings? |
| 10 |
> |
| 11 |
> - Grant |
| 12 |
|
| 13 |
To do this you configure each service separately (there is no central |
| 14 |
registry-type thing for this). You don't say what "services" you are |
| 15 |
interested in, so I have to make some assumptions. |
| 16 |
|
| 17 |
apache, samba, ftp servers, all have their own authentication methods. You |
| 18 |
have to research what methods they provide, and choose which is most |
| 19 |
appropriate. For instance, Samba can auth against kerberos/ldap or using a |
| 20 |
local smbpasswd file. For a specific user to be able to access something via |
| 21 |
samba, you ensure they have an entry in AD or a line in smbpasswd. |
| 22 |
|
| 23 |
For more simple local services, you can use user and group permissions. I have |
| 24 |
to restrict cron and wget at work, I find the easiest way is to: |
| 25 |
chown root:trusted /usr/bin/wget |
| 26 |
chown root:trusted /usr/bin/crontab |
| 27 |
users authorized to use wget/cron must then be put in the trusted group. |
| 28 |
|
| 29 |
cron has it's cron.allow and cron.deny files that you can also use. |
| 30 |
|
| 31 |
sshd has config options to limit who can do what in sshd_config. |
| 32 |
|
| 33 |
If you post back with more specifics about what you want to achieve, we can |
| 34 |
assist you better. |
| 35 |
|
| 36 |
|
| 37 |
-- |
| 38 |
alan dot mckinnon at gmail dot com |
Archives