General :: Security - Setup User That Can Only Access A Repository Via Ssh?
Feb 21, 2011
I have a mercurial repository on a secure server, to which I want to grant secure access to an external user.
I added for him a user account and publickey ssh authentication so that now he could push/pull changesets via ssh.
My question is: how can I make this new user account completely disabled from doing anything or accessing any data on the server other than accessing the repository? E.g. he shouldn't even have the possibility to enter an interactive shell session.
a friend of mine is doing a small website-project in school (group of ~6 people). They want to use git as VCS and need acces to a server. I have an account on the server from university, but - of course - no root access.
I could create private/public keys for them, to SSH into my account, but I don't want them to have this power I found 'git-shell', which seems to be used for restricted access with git (although I'm not sure whether I understood the functionality).
My question is: Is it possible to configure SSH keys in that way, that the server runs them (and only them) in git-shell in a specified directory (using ~/.ssh/{config,authorized_keys})?
So that they can - log in with their SSH key - use git, execute scripts etc. - use git push/pull from their private+school PC - work only in a specific directory (like chroot) eg. ~/web-project/
I have a LAMP server running. Currently there are not vhosts, just the basic single site apache2 running a web app. I want to set up ftp access to the www root, but my attempts have failed. When I try to ftp using the user I created, I get dumped in the users home directory. I can also browse the entire file system. What I can't do is upload content to the www root. I get permission errors. How can I set ftp up to allow a user to access the www root only?
I am trying to give access to ONE single user to start and shutdown tomcat server. The problem being, when I enter syntax: username ALL= /etc/init.d/tomcat5, /usr/local/tomcat/webapps, PASSWD:ALL This gives the user access to start and stop tomcat but also gives user access to start and stop other services within /etc/init.d - such as httpd etc... What is the proper way to give user access to start and stop service, and limiting that power to only one service....
I would like to set up a user account with no network access. Reason is that sometimes my little daughter plays with the computer (for example watching movies on dvd's) and I want to prevent internet access in case she plays unattended. Is there a simple way to do that? I am using ubuntu 10.04.
I am interested in setting up an apt repository on my server to host some of my packages.How would I go about doing this? It's a shared server.Basically, I want to do what Google did in regards to the way they host Chrome downloads for Linux.
I am trying to get a non-root account on one of our servers to run a script with sudo capability. To that end, I went into the /etc/sudoers file, and added the following syntax:
Code: ## Enable the nagios user to run the check_iptables.sh script as root nagios ALL=NOPASSWD: /usr/local/nrpe/libexec/check_iptables.sh, /sbin/iptables
I restarted the nagios service, and tested the results. The results were the user account still could not run the script due to the user, nagios, not having permission to run the iptables binary.
Is there another step(s) that I need to take in order to get the sudo access available to the user account?
I heard we can set security in /etc/hosts.allow and /etc/hosts.deny on user base also like something user@domain or something if so how can I restrict a user to access particular service by his/her user name in a particular host via /etc/hosts.allow or /etc/hosts.deny
I managed to make an old parallel port scanner work in ubuntu 11.04 with SANE. Everything's perfect but one thing: scanner applications work only if they are executed as a root.After further researching, I've found the cause is that only the root has read and write permissions on the device /dev/parport0 which is my parallel port. If I set the right permissions giving sudo chmod a+rw /dev/parport0 I solve my problem, but just untill next reboot... the system resets root only permissions at each restart. I would like to make that change permanent... what can I do?
Im am working on a system which runs on RedHat Enterprise I have been asked by superiors to see if the following is possible. (sudoers file config change i guess)
Example User1 has root access user2 has root access, but must not be able to access ctmag (user account)
I know the obvious here is that if user2 can switch to root then it won't work. But i just need to prevent user2 from su - ctmag. A password is set on the account ctmag, but as user2 has root access it switches without a password prompt
Is there anyway i can prevent user2 from switching to ctmag but still have access to root?
I get the problem to acess root password when i am in user login, means wahen i am in user login and want to install software from terminal then he asked root password, when i supplied root password but he give me login incorrect.
I installed git and gitosis as described here in this guide Here are the steps I took:
Server: Gentoo Client: MAC OS X
1) git install emerge dev-util/git
2) gitosis install
cd ~/src git clone git://eagain.net/gitosis.git cd gitosis python setup.py install
[Code]....
SSH asked password for user git. Why ssh should allow me to login as user git? The git user doesn't have a password. The ssh key I created is for the user expert. How this should work?
I'd like to add a user to my server that will only have access to a mount point over sshfs. Is there any way I can provide them this access without actually giving them permission to open a terminal on my server? I tried /bin/false and /sbin/nologin already, but /bin/false didn't allow the mount point to be made and /sbin/nologin prevented a login completely (also stopped the mount point from working).
How to create a user account on a Linux desktop machine with restrictions on connecting to the LAN, WAN, PCMCIA ports, Firewire, CDROM and generally any user controllable output options?
I have the task to set up a machine for users working with sensitive data that should not be leaving the machine where it is processed. This means disabling access to the ethernet device, lan, all other ports as mentioned earlier, and any other way of leaking the data.
In Mac OSX this was achieved using "Parental controls" from the System preferences; this even allows a selection of the applications that can be used. Under XP, Device Manager offers the option to click various devices and "Disable" them, which worked so far just fine. Some will point out that the latter mentioned OS may be easy to circumvent the security of in other ways, but that has been mitigated with other measures and it's not the point anyway. For the operator users in question, the aforementioned measure proved successful and worked.Using OSX and XP to do this was a 10-15 minutes job with testing included.
So far all guides and tutorials pointed to useradd, groups an facl, but in actual practical terms did not help at all, in fact most of the research did not render any practical results so far. I surely don't expect to point and click, and would gladly run a set of commands from CLI. If I had them. I would really would like to achieve the same restricted user account configuration in a concise, comprehensive and practical manner under Linux too. Preferably tested on humans before, and known to be workign, of course. The machines that need to be set up are two laptops running Ubuntu. So how can this be accomplished in Linux?
I set up a servber on my local machine, & also PHp - Both working fine.I'm trying to load up MYSQL i have installed it, & *can* start/stop the server. however if I do anything else with it, I get this error :-
Quote:
root@gordon-desktop:~# sudo mysqladmin -u root -h localhost password MYPASSWORD mysqladmin: connect to server at 'localhost' failed error: 'Access denied for user 'root'@'localhost' (using password: NO)'
Query :-
1) How do I know MYSQL is actually active ? (apart from the message it says that its statrted (or stopped).
2) Is there a way to
a) Find out the usernames that are recorded on the MYSQL server ? b) set / RESET the 'root' username (I know MYSQL root user is different to PC root user) c) anything else I can do on the PHP / website code to see if MYSQL is working
(as yet, no tables / databases etc have been set up - as I can't get past this error message - I get the same error when setting up a database.)
Ps I did allow my usermname (when logged in to ubuntu) to edit / create files in the /usr/www/ directory (but it is still OWNED by 'root' - that directory)
I made a Desktop User account. When I went on that account, it allowed me to execute sudo as if I was an administrator. I don't know what might be causing this. I do have ufw set up and blocking incoming connections. Do you guys know what might be at the root of this?Also, when I used sudo from the user account (which I shouldn't have been able to do), I provided the password for my admin account.
I'm planning to centralize users and passwords and also create controls for user access to some equipment, for example, Linux Servers, Switches, routers and firewalls. In case of failure of the link between the ACS and AD or equipment to the ACS, this device would use local username and password.
At the moment, my AD structure is a Microsoft, Cisco ACS servers and Linux Standalone. I wish that both linuxs servers and network equipment were authorized by Cisco ACS on the accounts that are in Microsoft AD.
The configuration of the Cisco ACS to use the AD is done and no problems, the network equipment is OK too, but am having difficulties configuring the server for this solution.
I'm developing an application in which one user must run java software that I'm compiling as another user. I wanted to give user A permission to see the bin direcory of my workspace, which is in the home directory of user B. I was wondering how can this be done? I gave the bin direcotry full read/execute premissions, but since it's in my home directory user A can't navigate to it.
I know there are a few ways I could get around the problem but they arn't very elegant. I was wondering if there is a simple method for giving a user access to a specific directory without giving access to all the parent directories. I tried symbolic link but user A still can't access it, and a hard link to a directory isn't allowed in Linux. I don't feel like making a hard link to every single file in the bin directory, and I'm not sure that would work anyways, since every recompile overwrites them.
I have a NIS server and a web server as a client. I have a regular linux user (without root privileges) "techsupport1" on NIS server. On the client web server, I have root user, and my clients. Now what I want to achieve is, allow my user "techsupport1" to access the web server, but instead of logging in using root user, I'd like the client to use username "techsupport1", but in the same time, give that user root privileges on the web server (client). The reason, is that I have more than one user who need to manage the web server (client), so I want to be able to clearly see in the bash_history, who has been running what commands. right now, when I login as a techsupport user to the web server (client) from my NIS server
[code]...
I don't have root privileges, also my gid is matching to gid of a customer who has the same 517 on the web server. How can I configure, so when a tech support agent 1, logs in to web server, NIS grants root privileges, but keeps the techsupport username?
I have got a RHEL 5.6 server configured to authenticate via a Windows 2008 domain controller via LDAPS.Everything is working fine, except from the following: When I create a new user in Active directory and check the option "user must change password at next logon", the new user cannot logon and gets an "access denied" message. In /var/log/secure, I find the following:
Mar 1 14:43:21 cpssvn10 sshd[5363]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.3.12 user=testuser2 Mar 1 14:43:21 cpssvn10 sshd[5363]: pam_ldap: error trying to bind as user "CN=CPSS Testuser 2,OU=IBM,DC=cpss,DC=smarterplatform,DC=com" (Invalid credentials) Mar 1 14:43:23 cpssvn10 sshd[5363]: Failed password for testuser2 from 192.168.3.12 port 4583 ssh2
As soon as I uncheck the "user must change ..." option, the user can log on without problems. Also password change via the passwd command works.
I have a remote virtual server for a few websites, it's running on Fedora Core release 6 (Zod). I want to setup an FTP user so I can have someone do some work for me. He only needs very limited access. I have searched for help and thought I found out what I needed to do, but when I try to test the connection, after the password is sent I get the message "530 Login incorrect", followed by "Critical Error", "Could not connect to server". (I am using FileZilla for my FTP client) Below is what I did to add the user
"thisisit" is the name of the directory I want to give access to and "myuser" is the user I am adding. I use passwd myuser to add a password. I've tried -s /dev/null also (to prevent this user having shell access) but it's the same. The worse thing is, I did a similar thing last year for a customer so he could upload images to my site. That login works fine. I have looked at the passwd file and both users seem to be setup the same, yet the new user does not work. What am I overlooking?The two entries in my passwd file are The one that doesn't work
myuser:x:10025:10025::/var/www/vhosts/mywebsite.com/httpdocs/thisisit/:/dev/null And below the use I created lat year that DOES work. mycustomer:x:10008:10008::/home/ftp/mycustomer/:/dev/null
Hello, I'm trying to set up a read only FTP user; basically, they have the ability to browse a particular images folder and download, but not write (or delete accidentally). I've got it set up so the FTP user logs in directly to the folder, so I'm good with that; but they still have write permissions. We have an application built in PHP that copies image uploads to this folder; it also resizes them in the same folder. So in addition to the main FTP user (me) who needs write access to this folder, whatever the Apache/PHP user is (not sure?) also needs write access. Is there a simple way to affect read/write permissions on a user level?
i'm using centos 5 and i want to save my setup when switching the user.when i switched user from user1 to user2 and then i logged in user1 back without shutting down, i couldn't see any working window on user1. But since it's working on the CPU, i guess it's working but i cannot just see the window(such as terminal in my case) i was using. i have been using scientific linux which have "save current setup" when logging out. but centos seems not to have that check box!i want to know whether centos can contain the setup for each user when switching user.
Been messing around with Ubuntu 9.1 for the last few weeks and am loving it so far. Been trying to get in the terminal and learn a little something, to no avail. LOL I have been googling and searching the site today for info on networking. My Linux box is a desktop, with my main HDD mounted with music, and movies and some other stuff. My intent is to network the two laptops in the house (Windows XP and Windows 7) to the Linux box so I can listen to my music and watch movies when not in the office. I have found some info, mostly involving Samba, and plan to install Samba tonight and fiddle with it. My issue was with security. I have read a few posts and they talk about the fact that if you share files in this manner, the set up is not secure at all. Is this something i should really be concerned about? If the folders I share only have my music and videos in them,
jump into a Linux class in college with only 3 weeks left in the course. I thought I would be able to catch on, and go figure, it didn't exactly happen that way. I was given an assignment to do, and I am so far lost it isn't even funny. I need to create a directory structure, set up file security, create a step by step instruction manual on how to copy/delete said files, and create a guide to common Linux commands. How would I create these files in root and share them with the other users? and where can I find a list of common commands and their functions?
