Security :: User Access Restrictions To Network, USB Ports, PCMCIA, CDROM

May 3, 2011

How to create a user account on a Linux desktop machine with restrictions on connecting to the LAN, WAN, PCMCIA ports, Firewire, CDROM and generally any user controllable output options?

I have the task to set up a machine for users working with sensitive data that should not be leaving the machine where it is processed. This means disabling access to the ethernet device, lan, all other ports as mentioned earlier, and any other way of leaking the data.

In Mac OSX this was achieved using "Parental controls" from the System preferences; this even allows a selection of the applications that can be used. Under XP, Device Manager offers the option to click various devices and "Disable" them, which worked so far just fine. Some will point out that the latter mentioned OS may be easy to circumvent the security of in other ways, but that has been mitigated with other measures and it's not the point anyway. For the operator users in question, the aforementioned measure proved successful and worked. Using OSX and XP to do this was a 10-15 minutes job with testing included.

So far all guides and tutorials pointed to useradd, groups and facl, but in actual practical terms did not help at all; in fact most of the research did not render any practical results so far. I surely don't expect to point and click, and would gladly run a set of commands from CLI. If I had them. I would really like to achieve the same restricted user account configuration in a concise, comprehensive and practical manner under Linux too. Preferably tested on humans before, and known to be working, of course.
The machines that need to be set up are two laptops running Ubuntu. So how can this be accomplished in Linux?

Security :: User Bypassing Demo Restrictions?

Jan 17, 2010

I have a user that has already used up a demo 24hr trial on my website. At present, I only check the customer id and the IP address to search for duplicates. On the whole this works but it's not foolproof. We now have 1 user from China that is changing their IP address every day to get access to the free trial. Any options on what to do? I thought of downloading a cookie to their computer that the website could pick up - again not foolproof but most people don't disable cookies. Any other options?

I could ban China temporarily until the user gives up but if they find another proxy to chain then their IP address will be different again.

General :: User Processes That Are Given Direct Access To I/O Ports ?

Oct 5, 2010

Normally all I/O goes through the kernel so that it can schedule the operations and prevent processes from stepping on each other. A few special user processes are allowed to slide around the kernel, usually by being given direct access to I/O ports. X servers are the most common example of this, aren't they? Give examples of any other processes that are allowed to slide around the kernel.

Ubuntu Servers :: Grant User Access To Open Ports

Nov 19, 2010

I have a JavaCL program trying to open a port on 41xxx and it is getting permission denied unless I run it as root. I would like to grant a single user this permission for opening this port. This program runs fine on a vanilla Ubuntu install but not on server. Where does Ubuntu handle user permissions for opening ports? I understand this is typically a no-no on a server but this is an unusual circumstance.

Security :: Face-book Game 'Farmville' Wants Access To Ports?

Jun 26, 2010

My friends all request that I join Farmville so they can build their points. I don't play games but tried to oblige them. My firewall went nuts and I received requests to "open" certain ports. Can someone tell me what is going on and is this a security risk or not? I am 4 years deep into Linux and I haven't used microcrap in as many years but I am still learning, as there are so many things to master with Linux.

OpenSUSE Network :: Root User Has Access To Remote Folders/files Of Any User?

Jan 21, 2010

Prelude: OpenSUSE 11.2 (2.6.31.8-0.1-desktop), installed Novell client 2.0 SP2 (novell-client-2.0-sp2-sle11-i586.iso).

I found that if any usual user is logged into a NDS-tree, then _local_ root has full access to the user's network shares, including the user's home directory located on the remote Netware server. Is it by design or have I missed something? Nevertheless, in Windows the local admin has no access to network resources mounted by any other user. If you runas shell (as admin) then admin in principle can't "see" network shares which were mounted (connected) by other users - they are accessible ("visible") per session.

OpenSUSE Network :: Laptop Samba PDC User And Local User Access Their Own Data?

May 30, 2011

Take a physical user FRED. FRED is a Linux user (known by Linux on his laptop). FRED is a Samba user (known by Samba on the Samba PDC server). When he logs in locally (with username/password) on his standalone laptop (with no network), he is known as FRED:user. He accesses his data in /home/FRED/. When he logs in through Samba (with username/password) on the domain MY_DOM, he is known as MY_DOMFRED:MY_DOMdomain user. He accesses his data in /home/MY_DOM/FRED/.

1) Is it possible for the human FRED to have only one repository and have full access to that repository regardless of how he connected? If yes, how to do it?

2) If not, is it possible that the human FRED has full access to /home/FRED/.............. and /home/MY_DOM/FRED/?

Server :: Postfix Per User Smtpd Restrictions?

Feb 16, 2010

I have searched other posts on here and they appear to be relevant, but when I enter in the exact same commands it denies relay access to everyone. I have also used the postmap command to refresh the database.

Feb 16 15:54:48 EMAIL2 postfix/smtpd[6512]: NOQUEUE: reject: RCPT from localhost[127.0.0.1]: 554 5.7.1 <josh.dobs@gmail.com>: Recipient address rejected: Relay access denied; from=<msolis@EMAIL2.drewmedical.com> to=<josh.dobs@gmail.com> proto=ESMTP helo=<192.168.1.51>

I used this page as reference. [URL]

Below is my main.cf
# See /usr/share/postfix/main.cf.dist for a commented, more complete version
# Debian specific: Specifying a file name will cause the first
# line of that file to be used as the name. The Debian default
# is /etc/mailname.

[Code]....

Ubuntu Servers :: Postfix Per User Smtpd Restrictions?

Feb 15, 2010

Been trying for some time to get Postfix to not allow some internal users to send email externally. I have found some good resources online but none of them work. The user is still able to send email internally and externally.

I used the following web pages to assist me... [URL]

Below is my main.cf
# See /usr/share/postfix/main.cf.dist for a commented, more complete version
# Debian specific: Specifying a file name will cause the first
# line of that file to be used as the name. The Debian default
# is /etc/mailname.

[Code]....

Fedora Networking :: Internet Access Restrictions?

May 31, 2011

I have a work network of about 20 boxes, most of which are running Windows 7; one of them is a file server using Linux and another is Windows Server 2003. Now the local IP is distributed by the router, and no regulation of internet access is done by any of the servers. What I need to do is restrict internet access to select domains, which would probably need DHCP through Linux (I think, not really sure), and I need something simple like a 'blabla.conf' file with the allowed websites that I can edit. I need to know how to regulate IP addresses through the Linux box (all details if possible, I never tried to do that before), and how to restrict internet access also through Linux.

General :: Internet Access Restrictions With Squid?

Dec 30, 2010

I am using internet web control through Squid... All is working fine, only some little issues.

(1) Sometimes when I try to open google.com or any site I get the message "The requested URL could not be retrieved" (screenshot attached), but after some time the same websites will open.

url

(2) I would like to block the word 'sex'. So I have edited squid.conf with the following acl:

acl Blockword url_regex sex
http_access deny Blockword

But a problem occurs on some websites where the word 'sensex' is found in the URL. Then Squid blocks websites with 'sensex' in the URL also.

Fedora Security :: User Access To Start And Stop Tomcat But Also Gives User Access To Start And Stop Other Services "/etc/sudoers"

Mar 13, 2009

I am trying to give access to ONE single user to start and shutdown tomcat server. The problem being, when I enter syntax:

username ALL= /etc/init.d/tomcat5, /usr/local/tomcat/webapps, PASSWD:ALL

This gives the user access to start and stop tomcat but also gives user access to start and stop other services within /etc/init.d - such as httpd etc... What is the proper way to give user access to start and stop service, and limiting that power to only one service....

Ubuntu :: Create An Index In A Pdf File That Has No Security Restrictions On It?

Feb 16, 2011

Is there a program available that would allow me to create an index in a pdf file that has no security restrictions on it? I know people can lock their files so I am not worried about those, but if I have open permissions on a pdf file how do I go about creating an index? It seems that by default you get the thumbnail view but I like to be able to click on an index list to go to a page.

OpenSUSE Network :: Samba Security Update / Lost Access To Network

Mar 25, 2010

Installed a security update for samba tonight via Opensuse updater. Now, when trying to access my home network an authentication box pops up (never used to). Asks me to enter authentication for my home network. I enter my username and password and hit enter. After a few seconds the authentication box pops up again asking for the same, indicating I have entered the wrong username / password combination (which I know I have not).

Security :: Sudo Access For An User To A Script?

Jan 18, 2011

I am trying to get a non-root account on one of our servers to run a script with sudo capability. To that end, I went into the /etc/sudoers file, and added the following syntax:

Code:
## Enable the nagios user to run the check_iptables.sh script as root
nagios ALL=NOPASSWD: /usr/local/nrpe/libexec/check_iptables.sh, /sbin/iptables

I restarted the nagios service, and tested the results. The results were the user account still could not run the script due to the user, nagios, not having permission to run the iptables binary.

Is there another step(s) that I need to take in order to get the sudo access available to the user account?

Security :: Restrict A User To Access Particular Service?

Sep 24, 2010

I heard we can set security in /etc/hosts.allow and /etc/hosts.deny on a user basis also, like something user@domain or something. If so, how can I restrict a user from accessing a particular service by his/her user name on a particular host via /etc/hosts.allow or /etc/hosts.deny?

General :: Security - Setup User That Can Only Access A Repository Via Ssh?

Feb 21, 2011

I have a mercurial repository on a secure server, to which I want to grant secure access to an external user.

I added for him a user account and publickey ssh authentication so that now he could push/pull changesets via ssh.

My question is: how can I make this new user account completely disabled from doing anything or accessing any data on the server other than accessing the repository? E.g. he shouldn't even have the possibility to enter an interactive shell session.

Ubuntu Security :: Making New User With Limited Access?

Sep 19, 2010

Is there any way to make a user with command text, just with accessibility to change the network IP address?

Ubuntu Security :: Permanent User Access To A Device?

May 11, 2011

I managed to make an old parallel port scanner work in Ubuntu 11.04 with SANE. Everything's perfect but one thing: scanner applications work only if they are executed as root. After further researching, I've found the cause is that only root has read and write permissions on the device /dev/parport0, which is my parallel port. If I set the right permissions giving sudo chmod a+rw /dev/parport0 I solve my problem, but just until next reboot... the system resets root-only permissions at each restart. I would like to make that change permanent... what can I do?

Security :: Controlling User Access On Redhat Enterprise?

Mar 15, 2011

I am working on a system which runs on RedHat Enterprise. I have been asked by superiors to see if the following is possible (sudoers file config change, I guess).

Example
User1 has root access
user2 has root access, but must not be able to access ctmag (user account)

I know the obvious here is that if user2 can switch to root then it won't work. But I just need to prevent user2 from su - ctmag. A password is set on the account ctmag, but as user2 has root access it switches without a password prompt.

Is there any way I can prevent user2 from switching to ctmag but still have access to root?

Security :: Doesn't Access Root Password From User Login

Nov 26, 2009

I get a problem accessing the root password when I am in user login; that is, when I am in user login and want to install software from the terminal, it asks for the root password, and when I supply the root password it gives me login incorrect.

Ubuntu Security :: Adding User With Access To Mount Point Over SSHFS Only

Sep 2, 2010

I'd like to add a user to my server that will only have access to a mount point over sshfs. Is there any way I can provide them this access without actually giving them permission to open a terminal on my server? I tried /bin/false and /sbin/nologin already, but /bin/false didn't allow the mount point to be made and /sbin/nologin prevented a login completely (also stopped the mount point from working).

Security :: Su - Incorrect Password - When Logging As Wheel User And Trying To Access Root

Dec 18, 2010

I have tried to not allow root access and have created a wheel user.

Now I cannot log in as root.

It's okay, but when I am logging in as the wheel user and trying to access root then it says:

Code:

CentOS 5 Hardware :: Wireless USB/PCI/PCMCIA Adapter As Access Point?

Feb 9, 2009

Which USB/PCI/PCMCIA adapter can I configure as access point in CentOS 5.2?

Ubuntu Security :: Unable To Deny Sudo Access To Regular User Account.

Dec 19, 2010

I made a Desktop User account. When I went on that account, it allowed me to execute sudo as if I was an administrator. I don't know what might be causing this. I do have ufw set up and blocking incoming connections. Do you guys know what might be at the root of this? Also, when I used sudo from the user account (which I shouldn't have been able to do), I provided the password for my admin account.

Security :: Centralize Users And Passwords And Also Create Controls For User Access To Some Equipment?

May 12, 2011

I'm planning to centralize users and passwords and also create controls for user access to some equipment, for example, Linux Servers, Switches, routers and firewalls. In case of failure of the link between the ACS and AD or equipment to the ACS, this device would use local username and password.

At the moment, my AD structure is a Microsoft, Cisco ACS servers and Linux Standalone. I wish that both Linux servers and network equipment were authorized by Cisco ACS on the accounts that are in Microsoft AD.

The configuration of the Cisco ACS to use the AD is done and no problems, the network equipment is OK too, but I am having difficulties configuring the server for this solution.

General :: Network User Cannot Access Usb Drive

Feb 15, 2011

I'm running CentOS and I get an error when I plug in my usb flash drive.

Error org.freedesktop.DBus.Error.AccessDenied

A security policy in place prevents this sender from sending this message to this recipient, see message bus configuration file (rejected message had interface org.freedesktop.Hal.Device.Volume member Mount error name (unset) destination org.freedesktop.Hal)

How would that work when all of the users are network users (openldap)? So these are not local accounts.

Security :: Restrict Access On Windows Network?

Feb 18, 2011

My team is working on a network; their terminals are Windows and my server is Linux CentOS. We work on a simple network without a domain. My users work on files on the server. Can I demand a user name and password when they try to change the shared files on the server, and can I monitor which user changed a file? I have a CSS developer and he is only allowed to create and modify CSS files; can I do this?

Debian Configuration :: Non Root User Unable To Access Network

Mar 28, 2011

I upgraded a Guruplug Display machine running Lenny to Squeeze. It's running Linux on a MicroSD device, running an ARM-cpu.

# uname -a
Linux gplugD 2.6.29 #1 Wed Feb 16 17:59:04 IST 2011 armv5tejl GNU/Linux
yeri@gplugD ~ $ cat /etc/debian_version
6.0.1

However, after rebooting, every non-root user was unable to access anything related to the net. This means DHCP failed to auto start, ntp is giving errors, etc.

# ntpq -p
localhost: timed out, nothing received
***Request timed out

daemon.log:

Mar 27 06:07:44 localhost ntpd[1478]: ./../lib/isc/unix/ifiter_ioctl.c:348: unexpected error:
Mar 27 06:07:44 localhost ntpd[1478]: making interface scan socket: Permission denied
Mar 27 06:07:44 localhost ntpd[1478]: Too many errors.  Shutting up.

As root:

gplugD ~ # ping 85.12.6.171 -c 1
PING 85.12.6.171 (85.12.6.171) 56(84) bytes of data.
64 bytes from 85.12.6.171: icmp_req=1 ttl=58 time=42.1 ms

[code]....

OpenSUSE Network :: Access Windows User Profile In AD Env From Client?

Feb 23, 2010

I already have a Windows 2003 server with Active Directory, with 200+ user accounts, and each user has been allocated a specific disk quota. Now I want to install SUSE on the client side so that it can do all the same things as Windows clients do (Active Directory login and disk quota). I have downloaded SUSE Linux 11.2, installed all the required Samba packages and also joined the Windows domain (2003 server). How can I access my user space located on the Win 2003 server from my Linux client machine?

Copyrights 2005-15 www.BigResource.com, All rights reserved