I am looking at creating two user accounts for "contract system admins"..These guys will be performing sys admin duties for a sever -- however, I am still concerned about security of data. For example, the server contains password information for our database, etc.Besides making them sign an NDA, etc. what other security mechanisms could I put in place to ensure that they don't just go buck wild. For example, when someone makes a sudo command, is this logged?
what are some recommendations for general security practices?
I'm configuring a fresh install of Debian 8 and I'm having a problem creating new user accounts, using XFCE.I'm using the console for setting new user accounts, without any problems yet when I log in the user accounts to check if everything is ready to use I get a persistent message from the system warning the session is in kiosk mode.I've went through several step by step guides I've found over the net, went to the XFCE wiki trying to find an answer for this, with no success. I've even tried deleting user accounts and recreating it but the problem persists.
I have a small office network here which consists of three machines running Fedora 10 and a dev server running CentOS 5.2. I have no Windows machines, and have no intention of having any. I would like to use the CentOS server as the Linux equivalent to a domain controller in Windows. Use case is simple - I will still have a local root account on each machine, obviously, but I want the three staff users to be network accounts. I want them (like a Windows domain) to be able to login on any computer using their network user credentials and *not* have local credentials on any computer.
I've been Googling like mad on this, but I can't find a definitive answer or a sensible HOWTO for this use case in Linux. Others have suggested I do it all in Samba, but I cannot find an example Samba configuration that behaves as I describe above. Another article I found suggested OpenLDAP.I'm lost. What's the best way to do this with a CentOS controller machine and Fedora 10 workstations? Can anyone point me to some good resources on the matter?
I have a windows 2003 active directory and dansguardian transparent web filter. I want that dansguardian filters according by whom is logged on the workstation. Can this be possible?
way to automate adding and removing users from 10 different Fedora 7 servers. We use them as print servers and our users have a user name and password to authenticate with when printing. We also use Samba to talk to a W2k3 server that tracks and charges the users for what they print. The set up was done by a vendor and after 6 months of being in production the scripts they created has flaws.
I need a way for a script to run as often as possible that will remove, change, or delete user accounts from the servers and from Samba. how to most effectively achieve this?
It would be ideal to have a file that gets written to when a change needs to be made then a script to make these changes?
My Linux is Fedora release 13. I found there are a few users created not by me. I am not sure if the system got hacked somehow. Then the hackers created these users, i.e. (1) oracle, (2) exim, (3) test, (4) cox. I tried to delete all of these four users by using "usrdel" command but the system said "I cannot delete these users as the users are logging in". If my system got hacked ?? or these users are created by the system itself?
I am trying to disable accounts after 5 unsuccessful login attempts. I am following the guidelines in this article:
[URL]
This is on an Oracle Enterprise 5.4 box, which is essentially RHEL 5.4 Here is what my /etc/pam.d/system-auth looks like:
-------- #%PAM-1.0 # This file is auto-generated. # User changes will be destroyed the next time authconfig is run.
[code]....
Unfortunately, the account does not seem to be locked or disabled. As root, runninng 'su test2 -c <some-command>' always sucessfully runs <some-command>, and leaves the failed attempt count at 6. /etc/shadow does not have an * or ! anywhere in the encrypted password for the 'test1' user.
What am I doing wrong? I thought that with the max attempts set to 0 in faillog, that the deny= parameter would be used. I thought I should be using su <user> -c <command> from the root account to test if the disable feature is working.
Once again, nobody seems to understand security properly when they decide to add nifty new features. After upgrading to 10.04 from 9.10, I now have a listing of all the user accounts under "Switch from" when I go the the logout menu at the upper right side of the task bar. This is a terrible security hole that should never have been allowed in the first place, and is just as annoying as the default behavior of listing all the user accounts on the login screen.
We have 4 servers having rhel 5.2. We have several users logged in on one of them. We have nis server/client running on them and have common home area mounted on all of them. Now we want to disable/block the accounts of the users who have not accessed our servers in last 2 months from today.What logic should we apply to do so? We were checking stat of .bashrc of each user but is not correct logic. We are going to write shell script for the same. We dont want to do anything in users home area or their files.
I am trying to create users accounts reading from a file. I can get it to show if the user already exists but I want it to instead of not creating the user account to create e.g. Scott1 etc.The code i have so far is :
i'm configuring sendmail for a little office but i was requested for two domains e.g. [URL] and [URL] i've created this two domains but at the moment i create a user account how could i make the difference between wich domain the user belongs?
I have been using a cron job to duplicate a folder into another users account every day and someone suggested using symbolic links instead although I cannot get them to work. In summary user GAMER generates log files that they want to access via HTTP, however I only have a web-server in the user account SERVER, in the past I would copy the logs folder from GAMERS account into SERVER/public_html/. and then chmod the files so the server could access them. Trying to use symbolic links I set up a link from root (as only root can access both accounts) I used: ln -s /home/GAMER/game/logs/ /home/SERVER/public_html/logs
However it seems that only root can use this link, I tried chmoding the link, all the files in the gamers /game/logs/*, /game/logs itself to 777 as well as changing chown and chgrp to server the files still cannot be read. When viewed from servers account my shell shows the link and where it is to hi-lighted in black with red text. /home/GAMER/game/ (chmod & chgrp) drwxrwxrwx 3 SERVER SERVER 4096 2011-01-07 15:46 logs /home/SERVER/public_html (chmod -h & chgrp -h)
I am trying to figure out a way to pull the user information from local users on a Linux server. I have approximately 40 servers running SUSE and Ubuntu that are using Microsoft Active Directory in order to authenticate. Our internal auditing group has made us disable root ssh ability, I was doing this with clusterssh, but I can login as me then su on the server to conduct root, admin, work. This is an ongoing request to get the local users and it is a painfully slow process since I have to login to each server to get the /etc/passwd file. Is there another way to get the local user information? They are now asking about seeing the last logon date or if the account is disabled, any thoughts there as well?Most of our auditors think Windows and I am trying to make my life easier but not sure what options I have. I need to get local accounts and if they are active or disabled plus last logon date. I'm sure there will be more but if I can get the basics adding more shouldn't be too difficult but I guess I'll cross that bride when I get there.
I have couple of users in one machine. I can access the /etc/passwd,/etc/shadow and /etc/group files in this box. I have another box. I want to create some user accounts in the second box by just looking in the passwd, shadow and group files in the first box. I would just copy over the corresponding lines into the corresponding for whichever accounts I want to create as new and also change the lines for which I want to update the account information. Is this possible and will also the passwords work fine? Please also let me know there is any good tool for automatically doing this kind of stuff. Both the boxes that I have are Ubuntu machines though one is running Ubuntu 8.04 and the other is 10.04.
I've a user account in a remote machine. but it doesn't have a home directory in that machine.Is it possible to create a home directory without having root account details. If yes, how it can be done.
In my machine, there are 2 mount points - / and /userdata. From the root user, I want to create an oracle user at the /userdata mount point, i.e the home of the oracle user should be mounted on /userdata.
I am trying to create a certificate case user logon via ssh. On the server I have openSSH and a few users. I want to be able to assign a user a certificate to connect remotely via SSH.
This may be a rookie mistake, but I created a user (new user) in Linux on a Ubuntu system and didn't actually create the home directory for this user. Now, when I log in, it says there are problems... If I delete the path home/<new user> and try to log in the system tells me I can use root as home directory but I will likely experience problems, and then it won't let me log in. What is the best way to create this directory with the appropriate permissions? Should I just create another user and delete this one?
I recently used the newusers command to generate several user accounts from a text file. That process seemed to go well until I tried to su into one of the new accounts.
This behavior appears for all the accounts that were created from the text file and the newusers command. It seems that several configuration files that should have been autogenerated for these new users were never created. I was able to confirm this was the problem by copying .bashrc and .bash_profile from a user that was created with the "useradd" command into the /home/newaccount directory. After logging off and logging into the newaccount again, the issue is corrected.For the record, I just read this forum post and I'm looking for an alternative to this. If this is the most efficient way to accomplish my goal, then I'll try the route mentioned in the thread. I'm still open to alternatives.
creating template (phpldapadmin 1.2.0.5). I create new template where im creating User Account (possixAccount) but i need to create Generic: Ldap Alias that will be created in other ou than account and i need both in one template.
I'm installing a new laptop for a friend of mine and he wants 3 user accounts, similair to how he runs his windows setup.
1, an admin account, we have called this account peacemaker. 2. his account 3. an account for his girlfriend.
The problem we have is that if we want to do anything from the terminal that requires elevated priviledges, sudo does not accept his password or that of peacemakers. we have done sudo -i -u peacemaker but it still doesn't accept either password, stating his account is not in the sudoers list.
I'm not a massive expert here, but research brought me to this page:[URL]... But that then just means his account has admin rights, which is what we were trying to avoid. We wanted a setup similair to windows where if you want to run someting with elevated privledges if pops up asking for the admin password. This works in the gui, but not in the terminal.
So in short, my question is, is there anyway of having the terminal accept peacemakers user rights from the his normal user account? If I add the account to the sudoers list like it suggests, does this again just give his account the prilvedges rather than saying supply me with the password for peacemaker.
this is probably not really needed and he can just have his account as the main user, but coming from a windows background, he would prefer the 3 user accounts model (2 normal users, 1 admin)
We have a web server and are trying to meet a clients requirementes around accountability.Basically, everything in the system should be accomplished using user accounts that are individually identifiable. So basically, no root user, since that's anonymous.So how should we set up these user accounts?Being administrators, we want them to have easy access to files not owned by them, such as ones uploaded using FTP accounts or via apache.We want to be as secure as possible though.
My current thought is to add them to the root group so they have full read access throughout the system, and add them to sudo, but I worry that gives them too much control.
jump into a Linux class in college with only 3 weeks left in the course. I thought I would be able to catch on, and go figure, it didn't exactly happen that way. I was given an assignment to do, and I am so far lost it isn't even funny. I need to create a directory structure, set up file security, create a step by step instruction manual on how to copy/delete said files, and create a guide to common Linux commands. How would I create these files in root and share them with the other users? and where can I find a list of common commands and their functions?
I'm using ubuntu and i need to know if it is possible to make a "prototype" account that sets the defaults for new users when a new account is made. How would i go about doing this. I would like to have the same start up programs, panel, themes, background, etc...
Is it possible to install Ubuntu Server and have user accounts and log into the server via a Windows XP machine? Sorry if its a stupid question! Many thanks
I am trying to make subversion to use the user account from bugzilla. I surf the net and found many threads related but most of them are out-of-dated. I have install the following software on ubuntu10.10
I've just rebuilt a server that had SLES10 to Slackware64 13.0. I wanted to keep all users and their passwords, so I copied all user entries in the old SLES /etc/passwd and /etc/shadow files to the corresponding new Slackware files. It turns out that the passwords are not interpreted correctly. I presume that SLES uses a different hashing function than slackware. Is there an easy way to convert these hashes, or will I have to reset all passwords and force users to change at login?
