Security :: Setting Limits For Authenticated User - Controlling Shells
Apr 16, 2010
I want to limit what an authenticated user can do on my Linux server. I've set the default shell to rbash, but I know a knowledgeable user can switch shells. Can I use file permissions to deny execution rights to /bin/bash to anyone who is not in a particular group? And if that works, how do I find out what other shells are installed on my server (Ubuntu 9.10)?
Feb 9, 2011
I have the following inside /etc/security/limits.conf (I have specified root separately because * will not include it.)
user2 - core unlimited
* - core 0
root - core 0
[code]....
Mar 15, 2011
I am working on a system which runs on RedHat Enterprise. I have been asked by superiors to see if the following is possible. (sudoers file config change, I guess)
Example
User1 has root access
user2 has root access, but must not be able to access ctmag (user account)
I know the obvious here is that if user2 can switch to root then it won't work. But I just need to prevent user2 from su - ctmag. A password is set on the account ctmag, but as user2 has root access it switches without a password prompt.
Is there any way I can prevent user2 from switching to ctmag but still have access to root?
Feb 8, 2010
I'm looking for a way to limit:
-memory usage (mb/user)
-cpu usage
-processes (amount and no same process multiply)
-connections (amount of connections (to specific host))
-bandwidth (kbps/user and even overall for regular users)
-disk usage
-available commands
For every user other than me/root.
Jun 15, 2010
I am new to the Ubuntu Community and just starting to build my Ubuntu 10.04 Server. I am a novice in Ubuntu, though maybe not a full n00b any more.
I travel around a lot with my laptop, (also Ubuntu 10.04). However, my ISP does not allow me to send email via their SMTP when I am not in their IP range.
Since I have this little server I am building, I thought it would be nice if I could have my own SMTP relay. The objectives would be simple:
- I do not need a mailbox or POP server (yet).
- I wish to send email from any place in the world. I can not use a filter on IP ranges or local networks only.
- If my server could do this, I just configure Evolution on my laptop to send mail to my home IP address, using some sort of authentication and/or security/encryption (whichever is easy to implement).
- My server then just forwards my mail to my ISP. Since the server is inside the IP range, it can be handled as usual.
I have been digging through several howtos and the Ubuntu server guide, searching some forums etc. Even while I don't fully grasp the things explained, I can't get the idea that one of those is "Just what I need".
Even still, if there is some other service outside my own that can do this (a public SMTP relay maybe?) I would also be happy to consider as long as it is safe and does not "eavesdrop" on my messages.
Mar 19, 2010
I wanna make a small web server for local use. I've installed Apache, everything works fine, I'm the root.
I wanna protect the folder that contains the htdocs files (www). I don't want any users that are not in the root group to access it (not even read).
I changed the permissions of the htdocs folder as follows:
Owner: www (apache user)
per: create, delete
group: root
per: create, delete
other: none
It only works on the main folder whose permissions I changed, not on all subfolders and files! Were my steps right? And is there any way to change all folders and files at once?
Jun 22, 2011
As I was researching how to create a kiosk Ubuntu setting, I came upon a suggestion to create the user with the '/usr/bin/screen' shell option. Hope you all would forgive me for this noob question, but what does this mean? I saw when I checked the Advanced Settings Advanced tab that there are a couple of possible options there. What do they mean and how will they affect the user profile I'm creating? I tried Google for this and, if my understanding is correct, these shells are supposed to be programmable and a scripting language for Linux, but I'm confused about what effect this has on the user profile I'm creating. One thing I notice though is that with the '/usr/bin/screen' option, the user account is refused the Applications > Accessories > Terminal option. When I googled each one of the options I got more confused as to the relevance of this to the user profile.
Mar 18, 2010
I wanted to set up a computer lab loading Fedora 11 OS, with one system acting as a server to store user (student) login information. When students write programs, all program files (e.g., C++ programs) should be saved on the local Fedora system, but when logging in to the system, the login should be validated by a server system.
May 28, 2010
I have shared keys set up on my domain, so I never type my password to log in anymore.
I've forgotten my password now. This is a problem because only my user can sudo. Password authentication for root has been disabled, so without my password, I cannot do maintenance on my web server.
Is there a way to reset my password as my [now only] key-authenticated user?
Specifically, can this be done on CentOS 4?
Aug 19, 2010
I am trying to create a certificate case user logon via ssh. On the server I have openSSH and a few users. I want to be able to assign a user a certificate to connect remotely via SSH.
Jan 30, 2011
I would like to limit any process from using more than 500 MB of RAM. AFAIK this is done using RSS in /etc/security/limits.conf, but the process called gnome-panel apparently is using 618436 kB of VmRSS. How can this be?
/etc/security/limits.conf
* hard rss 512000
username@debian:~$ cat /proc/3002/status
Name: gnome-panel
[code]...
Apr 24, 2011
...a malicious individual could damage or take control of your system"
See: https://dl-web.dropbox.com/get/Publi...png?w=ae903921
and: https://dl-web.dropbox.com/get/Publi...png?w=2c144a02
So should I really go ahead and install the updates or what may have gone wrong at the Ubuntu repository?
Feb 10, 2010
I have configured my Laptop running OS 11.1 as an ftp server with vsftpd behind a router on my home network. I have managed to get it working so that I have authenticated users who can connect and write using the external ip address. The problem is that the authenticated user, rather than being allowed access only to the folder in question (/srv/ftp), can browse my entire directory structure.
When I tried this from a different computer (a Mac) from within my home network (but connecting through the external IP address) with FileZilla, using a user name I established as the authenticated ftp user (not my own uname), I could even download and write to other locations in the directory. I had another person try from outside the network, and they could browse the entire directory, but couldn't download from it. How can I confine an authenticated FTP user to the designated ftp directory?
Aug 13, 2010
That would seem like an elementary feature: to be able to enable only a few system applications access to the Internet. That would prevent trojans from downloading your HD, for example. I looked around and played with iptables but I could not find anything that does the job. I loaded the xt_owner kernel for iptables but the --cmd-owner command is lacking. That was my holy grail but could not get --cmd-owner to work. iptables -I OUTPUT -m owner --cmd-owner "firefox" -j LOG --log-prefix "Testing " How can I protect my machine against the enemy within?
OpenSuse 11.2
Kernel: 2.6.31.12-0.2-desktop
Aug 25, 2011
I have some init scripts that launch some daemons that I wrote. I want Linux to generate a coredump anytime something crashes. I activated coredumps in /etc/security/limits.conf by adding the next line:
* hard core 100000
After rebooting, I run ulimit -a and I can see that coredumps are not activated:
> root@computer:~# ulimit -a
> core file size (blocks, -c) 0
First, I checked if there is any file script on my system that deactivates coredumps (grepping ulimit -c 0), but I didn't find anything so far.
Then, I created a bogus C program to double check if it's working, and I can confirm that it's not. The program is this:
[Code]...
Jan 2, 2011
I was planning to re-install ufw. When I selected it and then install in Synaptic Package Manager a box appeared saying ufw was not authenticated.
Jan 21, 2011
Is it fair to say that connLimit and hashlimit are very similar on Linux, i.e. while hashlimit caters to limits for groups of ports, they both set the connection rate limit per host? How in IPTables do I configure a policy that limits connections on a port that encapsulates the total sum of all connections from all hosts? I.e. I do not want to allow more than 6000conn/minute for port range that is the sum of all connecting hosts.
Feb 2, 2011
I created a user but I forgot to change the home directory permission. So after the user was created, when I go to the user and group management I can't see the permission field related to the home directory. My purpose is to stop other users from accessing my home directory. How can it be possible?
Apr 15, 2009
I've been looking for this feature for months and couldn't find a solution for this. Does anyone know how to create users and limit the user to a specified directory?
Feb 2, 2011
What security mechanisms are used by recent versions of the Linux operating system during user authentication?
Apr 16, 2011
I am a novice user of Fedora 14. I want to set up root user for Fedora 14.
How do I do it?
Jun 27, 2010
What is the /bin/ksh shell?
Mar 7, 2011
Setting up firewall
Feb 28, 2010
I'm using Ubuntu and I need to know if it is possible to make a "prototype" account that sets the defaults for new users when a new account is made. How would I go about doing this? I would like to have the same start up programs, panel, themes, background, etc...
Aug 20, 2009
I am creating a music server. I have the video of the box connected to my TV. This is an OLD computer, so I'm trying to lean up the normal software running as much as possible. I have the computer logging in as guest if no one logs in within 30 secs. Right now, it logs into gnome for everyone. Btw, I'm running FC8 on this computer. It is running gdm. I would like it to have it use something lighter like twm when logged in as guest. But I still want a full gnome session when anyone else logs in.
Feb 11, 2010
I have configured an NIS server on my system but I am getting an error while setting the password for NIS user logan. I am not able to understand what could be wrong.
[root@station137 ~]# yppasswd -p logan
yppasswd: can't find the master ypserver: Internal NIS error
[root@station137 ~]#
Feb 21, 2011
After discovering that the firewall was wide open I decided to finally study the iptables docs and learn how to add rules. Now, I've not yet finished reading guides and documentation but I'd like some advice before I set the default policy on the input chain to deny. I have added a permissive rule for the loopback adapter so that programs that use it do not become mute suddenly. I will also use netstat to see what ports to open for each program that connects to the internet. I'm not that interested in what ports to open but how to find what ports to open.
Jan 27, 2011
I am setting my firewall rules using the command iptables. My question is: I wanna know what command I can use that lists rules 2 and 3, for instance, in my table? I want to create a rule that: The host is administered using SSH, scp and sftp so allow incoming SSH traffic and securing remote file copying and transferring.
Nov 26, 2010
We are a school and we share a samba folder with students and teacher groups. What we are trying to do is:
- Give students group users the permissions to rwx own files in folder
- Students must not be able to do anything with others' files. I mean nothing, so, at most, they could see the files in the folder but not read them.
- Teachers can do anything with files in folder
As you can imagine, the idea is that students deliver their exams in that folder without the ability to read/copy the other students' files. With sticky bit we can restrict students' permissions to their own files, that is ok, but how to restrict all the permissions on other students' files without restricting student access to that folder?
May 9, 2010
First and foremost, please give me your opinions on what I want/should do for security. I would like to set up my system so that the session times out and requires a password to unlock the screen. Also I would like a firewall and maybe virus detection just in case. I want to set up a guest user with minimal to no privileges. How should I go about doing this?