>> I have some users on a system and some services. How can I make sure
>> only certain users can log into certain services? Do I need to
>> explicitly define which users can log into each service? Are there
>> different types of users so that some can only log into certain
>> services?
>>
>> For example, I know any user that has their shell set to /bin/nologin
>> can't log into a shell. How can I check on users' shell settings?
>>
>> - Grant
>
> To do this you configure each service separately (there is no central
> registry-type thing for this). You don't say what "services" you are
> interested in, so I have to make some assumptions.
>
> apache, samba, ftp servers, all have their own authentication methods. You
> have to research what methods they provide, and choose which is most
> appropriate. For instance, Samba can auth against kerberos/ldap or using a
> local smbpasswd file. For a specific user to be able to access something via
> samba, you ensure they have an entry in AD or a line in smbpasswd.
>
> For more simple local services, you can use user and group permissions. I have
> to restrict cron and wget at work, I find the easiest way is to:
> chown root:trusted /usr/bin/wget
> chown root:trusted /usr/bin/crontab
> users authorized to use wget/cron must then be put in the trusted group.
>
> cron has its cron.allow and cron.deny files that you can also use.
>
> sshd has config options to limit who can do what in sshd_config.
>
> If you post back with more specifics about what you want to achieve, we can
> assist you better.

As far as open ports, most of my systems only run sshd and cupsd.
I've set AllowUsers in sshd_config to only allow my own non-root user
to log in, and I've locked down cupsd.conf. However, one of my
systems runs things like apache2, postfix, courier-imap, saslauthd,
mysql, and sshd. I set them up to be secure when I installed them,
but I wonder about the different users on my system (none of them with
shell access) and their access to the different services. Should I go
through each of these services and set up something similar to
AllowUsers so that only certain users have access to certain services?

On the subject of users, there are a lot of users in /etc/passwd,
although most of them have /bin/false or /sbin/nologin. There are 8
users who have a different shell defined. The first 3 are fine:

root /bin/bash
user /bin/bash
cart /bin/bash

The next 3 are probably fine:

sync /bin/sync
shutdown /sbin/shutdown
halt /sbin/halt

But I don't recognize the following 2. Should I userdel them?

operator /bin/bash
guest /dev/null

mysql only needs to connect to a daemon running on the same system,
and I think it does so via a unix socket as opposed to tcp. I can see
from netstat that /var/run/mysqld/mysqld.sock is connected, there is
no mention of a tcp mysql connection, and nmap does not show a mysql
port to be open. Is there anything else I should do as far as locking
down mysql? I'm the only one with shell access to the system.

I would appreciate any other security advice regarding any of the
above-mentioned services.

Thanks,
Grant
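The thread asks how to check users' shell settings and mentions restricting sshd with AllowUsers. The script below is an added example, not written by anyone in this thread: it lists the accounts in a passwd file whose shell permits an interactive session and reports whether sshd's AllowUsers still admits each of them. The passwd and sshd_config contents are constructed samples; on a real host, call audit with the contents of /etc/passwd and /etc/ssh/sshd_config.

```shell
#!/bin/sh
# Added example (not from the thread): find accounts with a login-capable shell
# and cross-check them against sshd's AllowUsers. Inputs are constructed
# samples; on a real host: audit "$(cat /etc/passwd)" "$(cat /etc/ssh/sshd_config)"
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/bin/false
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
operator:x:11:0:operator:/root:/bin/bash
guest:x:500:500:guest:/home/guest:/dev/null
mysql:x:27:27:MySQL Server:/var/lib/mysql:/sbin/nologin
user:x:1000:1000:user:/home/user:/bin/bash'
SAMPLE_SSHD_CONFIG='Port 22
PermitRootLogin no
AllowUsers user'
# Shells that never give an interactive session (sync/shutdown/halt run one fixed command).
NON_LOGIN='/sbin/nologin /usr/sbin/nologin /bin/false /dev/null /bin/sync /sbin/shutdown /sbin/halt'

# login_shell_accounts PASSWD_TEXT: print "name shell" for each account whose
# seventh field is not in NON_LOGIN. An empty shell field means /bin/sh (passwd(5)).
login_shell_accounts() {
    printf '%s\n' "$1" | while IFS=: read -r name _ _ _ _ _ shell; do
        [ -n "$name" ] || continue
        shell=${shell:-/bin/sh}
        case " $NON_LOGIN " in
            *" $shell "*) ;;
            *) printf '%s %s\n' "$name" "$shell" ;;
        esac
    done
}
# ssh_allowed_users SSHD_CONFIG_TEXT: names on AllowUsers lines, space-separated.
# Plain user names only; user@host patterns, AllowGroups and DenyUsers are not handled.
ssh_allowed_users() {
    printf '%s\n' "$1" | awk 'tolower($1) == "allowusers" { for (i = 2; i <= NF; i++) print $i }' | tr '\n' ' '
}
# audit PASSWD_TEXT SSHD_CONFIG_TEXT: one line per login-shell account with ssh=yes/no.
# ssh=no accounts still have a shell usable locally (console, su), so review them too.
audit() {
    allowed=$(ssh_allowed_users "$2")
    login_shell_accounts "$1" | while read -r name shell; do
        case " $allowed" in
            " ") ssh=yes ;;            # no AllowUsers line at all: sshd admits every user
            *" $name "*) ssh=yes ;;
            *) ssh=no ;;
        esac
        printf '%s shell=%s ssh=%s\n' "$name" "$shell" "$ssh"
    done
}
audit "$SAMPLE_PASSWD" "$SAMPLE_SSHD_CONFIG"
```

With the sample data this reports root and operator as having a shell but being refused by sshd, and user as both having a shell and being allowed in; guest, with /dev/null as its shell, is not listed because it cannot open a session.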