Security :: User Access Restrictions To Network, USB Ports, PCMCIA, CDROM
May 3, 2011
How to create a user account on a Linux desktop machine with restrictions on connecting to the LAN, WAN, PCMCIA ports, Firewire, CDROM and generally any user controllable output options?
I have the task to set up a machine for users working with sensitive data that should not be leaving the machine where it is processed. This means disabling access to the ethernet device, lan, all other ports as mentioned earlier, and any other way of leaking the data.
In Mac OSX this was achieved using "Parental controls" from the System Preferences; this even allows a selection of the applications that can be used. Under XP, Device Manager offers the option to click various devices and "Disable" them, which worked so far just fine. Some will point out that the security of the latter OS may be easy to circumvent in other ways, but that has been mitigated with other measures and it's not the point anyway. For the operator users in question, the aforementioned measure proved successful and worked. Using OSX and XP to do this was a 10-15 minute job with testing included.
So far all guides and tutorials pointed to useradd, groups and facl, but in actual practical terms did not help at all; in fact most of the research did not render any practical results so far. I surely don't expect to point and click, and would gladly run a set of commands from the CLI, if I had them. I would really like to achieve the same restricted user account configuration in a concise, comprehensive and practical manner under Linux too. Preferably tested on humans before, and known to be working, of course.
The machines that need to be set up are two laptops running Ubuntu. So how can this be accomplished in Linux?
View 6 Replies
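An added example for the question above (it is not code from the post or from any reply): a shell script that takes one Ubuntu account off the network with the iptables owner match, disables the drivers behind USB storage, FireWire, PCMCIA and the CD-ROM through modprobe.d, and checks its own rule text before applying it. The user name operator1, the modprobe.d file name and the module list are assumptions. The caveat is that this restricts processes, not hardware: boot order, BIOS passwords and disk encryption still have to be handled separately for a user with physical access.

```shell
#!/bin/sh
# Added example (not from the post): lock one Ubuntu account off the network
# and away from removable media.  Assumed names: user "operator1"; the module
# list is an assumption about which drivers back the ports in question.
set -e

# iptables OUTPUT rules for one user.  The owner match only works in the
# OUTPUT chain, and --uid-owner follows the process owner, so every
# application the user starts is covered regardless of interface.
# Loopback stays open so local sockets (X11, D-Bus, CUPS) keep working.
netblock_rules() {
    user="$1"
    cat <<EOF
-A OUTPUT -o lo -m owner --uid-owner $user -j ACCEPT
-A OUTPUT -m owner --uid-owner $user -j REJECT --reject-with icmp-admin-prohibited
EOF
}

# modprobe.d fragment.  "install <mod> /bin/false" both stops auto-loading
# and makes a later manual "modprobe <mod>" fail, unlike a bare "blacklist".
module_blacklist() {
    for mod in usb_storage uas sbp2 firewire_ohci firewire_core \
               pcmcia pcmcia_core yenta_socket sr_mod; do
        printf 'install %s /bin/false\n' "$mod"
    done
}

# Review gate: return 0 only if the rule text actually cuts the user's
# network path (a REJECT or DROP keyed on that uid).
rules_cover_user() {
    printf '%s\n' "$1" | grep -Eq -- "--uid-owner $2 -j (REJECT|DROP)"
}

# Needs root.  Creates the account if missing, loads the rules, writes the
# modprobe.d file and unloads the drivers that are currently loaded.
apply_policy() {
    user="$1"
    id "$user" >/dev/null 2>&1 || adduser --disabled-password --gecos "" "$user"
    rules=$(netblock_rules "$user")
    rules_cover_user "$rules" "$user"
    printf '%s\n' "$rules" | while read -r rule; do
        # shellcheck disable=SC2086
        iptables $rule
    done
    module_blacklist > /etc/modprobe.d/restricted-devices.conf
    for mod in usb_storage uas sbp2 firewire_ohci sr_mod; do
        modprobe -r "$mod" 2>/dev/null || true
    done
    echo "Check: sudo -u $user ping -c1 192.168.1.1 should fail with 'Operation not permitted'"
}

if [ "${1:-}" = "apply" ]; then apply_policy "${2:-operator1}"; fi
```

Run as root with `sh restrict.sh apply operator1`. The iptables rules do not survive a reboot by themselves; save them with iptables-persistent or an if-pre-up.d script. `--uid-owner` is used rather than `--gid-owner` because the group match only looks at the process's primary group, so putting the user in a supplementary "restricted" group would not be matched.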
Jan 17, 2010
I have a user that has already used up a demo 24hr trial on my website. At present, I only check the customer id and the IP address to search for duplicates. On the whole this works but it's not foolproof. We now have one user from China who is changing their IP address every day to get access to the free trial. Any options on what to do? I thought of downloading a cookie to their computer that the website could pick up; again not foolproof, but most people don't disable cookies. Any other options?
I could ban China temporarily until the user gives up but if they find another proxy to chain then their IP address will be different again.
View 14 Replies
Oct 5, 2010
Normally all I/O goes through the kernel so that it can schedule the operations and prevent processes from stepping on each other. A few special user processes are allowed to slide around the kernel, usually by being given direct access to I/O ports. X servers are the most common example of this, aren't they? Can you give examples of any other processes that are allowed to slide around the kernel?
View 3 Replies
Nov 19, 2010
I have a JavaCL program trying to open a port on 41xxx and it is getting permission denied unless I run it as root. I would like to grant a single user the permission for opening this port. This program runs fine on a vanilla Ubuntu install but not on the server. Where does Ubuntu handle user permissions for opening ports? I understand this is typically a no-no on a server but this is an unusual circumstance.
View 1 Replies
Jun 26, 2010
My friends all request that I join Farmville so they can build their points. I don't play games but tried to oblige them. My firewall went nuts and I received requests to "open" certain ports. Can someone tell me what is going on and whether this is a security risk or not? I am 4 years deep into Linux and I haven't used microcrap in as many years, but I am still learning, as there are so many things to master with Linux.
View 4 Replies
Jan 21, 2010
Prelude: OpenSUSE 11.2 (2.6.31.8-0.1-desktop), installed Novell client 2.0 SP2 (novell-client-2.0-sp2-sle11-i586.iso).
I found that if any usual user is logged into an NDS tree, then _local_ root has full access to the user's network shares, including the user's home directory located on the remote NetWare server. Is it by design or have I missed something? Nevertheless, in Windows the local admin has no access to network resources mounted by any other user. If you runas a shell (as admin) then admin in principle can't "see" network shares which were mounted (connected) by other users; they are accessible ("visible") per session.
View 3 Replies
May 30, 2011
Take a physical user FRED. FRED is a Linux user (known by Linux on his laptop). FRED is a Samba user (known by Samba on the Samba PDC server). When he logs in locally (with username/password) on his standalone laptop (with no network), he is known as FRED:user. He accesses his data in /home/FRED/. When he logs in through Samba (with username/password) on the domain MY_DOM, he is known as MY_DOM\FRED:MY_DOM\domain user. He accesses his data in /home/MY_DOM/FRED/.
1) Is it possible that the human FRED has only one repository and has full access to his repository regardless of how he was connected? If yes, how to do it?
2) If not, is it possible that the human FRED has full access to /home/FRED/.............. and /home/MY_DOM/FRED/?
View 4 Replies
Feb 16, 2010
I have searched other post on here and they appear to be relevant but when I enter in the exact same commands it denies relay access to everyone. I have also used the postmap command to refresh the database.
Feb 16 15:54:48 EMAIL2 postfix/smtpd[6512]: NOQUEUE: reject: RCPT from localhost[127.0.0.1]: 554 5.7.1 <josh.dobs@gmail.com>: Recipient address rejected: Relay access denied; from=<msolis@EMAIL2.drewmedical.com> to=<josh.dobs@gmail.com> proto=ESMTP helo=<192.168.1.51>
I used this page as reference. [URL]
Below is my main.cf
# See /usr/share/postfix/main.cf.dist for a commented, more complete version
# Debian specific: Specifying a file name will cause the first
# line of that file to be used as the name. The Debian default
# is /etc/mailname.
[Code]....
View 2 Replies
Feb 15, 2010
Been trying for some time to get Postfix to not allow some internal users to send email externally. I have found some good resources online but none of them work. The user is still able to send email internally and externally.
I used the following web pages to assist me... [URL]
Below is my main.cf
# See /usr/share/postfix/main.cf.dist for a commented, more complete version
# Debian specific: Specifying a file name will cause the first
# line of that file to be used as the name. The Debian default
# is /etc/mailname.
[Code]....
View 3 Replies
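An added example that serves both Postfix posts above (it is not code from either poster's main.cf, which is cut off on the page): a shell script that emits the smtpd_recipient_restrictions ordering under which mynetworks may relay while unauthorised relaying is still refused, adds a restriction class that confines listed senders to local recipients, and checks a main.cf text for the permit-before-reject ordering. The "Relay access denied" from localhost[127.0.0.1] in the first post is what you get when reject_unauth_destination is reached before permit_mynetworks, or when 127.0.0.0/8 is missing from mynetworks. The domain, the restricted sender address and the table paths are assumptions.

```shell
#!/bin/sh
# Added example (not from either post): Postfix relay ordering plus a
# per-sender "local delivery only" restriction class.  Assumptions: local
# domain drewmedical.com, restricted sender msolis@drewmedical.com,
# tables under /etc/postfix.
set -e

# main.cf fragment.  Order matters: permit_mynetworks must come before
# reject_unauth_destination, or even 127.0.0.1 gets "Relay access denied".
# check_sender_access is evaluated before the relay test, so a listed
# sender is limited to local recipients wherever it connects from.
postfix_restrictions() {
    cat <<'EOF'
mynetworks = 127.0.0.0/8, 192.168.1.0/24
smtpd_restriction_classes = local_only
local_only = check_recipient_access hash:/etc/postfix/local_domains, reject
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    check_sender_access hash:/etc/postfix/restricted_senders,
    reject_unauth_destination
EOF
}

# Lookup tables, one "key value" pair per line, fed to postmap.
restricted_senders_table() { printf '%s local_only\n' "$@"; }
local_domains_table()      { printf '%s OK\n' "$@"; }

# Return 0 if a main.cf text lists permit_mynetworks before
# reject_unauth_destination inside smtpd_recipient_restrictions.
relay_order_ok() {
    cfg=$(printf '%s\n' "$1" | sed -n '/^smtpd_recipient_restrictions/,/^[^[:space:]]/p')
    p=$(printf '%s\n' "$cfg" | grep -n 'permit_mynetworks' | head -1 | cut -d: -f1)
    r=$(printf '%s\n' "$cfg" | grep -n 'reject_unauth_destination' | head -1 | cut -d: -f1)
    [ -n "$p" ] && [ -n "$r" ] && [ "$p" -lt "$r" ]
}

# Needs root: append the fragment, build the maps, reload.
apply_config() {
    postfix_restrictions >> /etc/postfix/main.cf
    restricted_senders_table msolis@drewmedical.com > /etc/postfix/restricted_senders
    local_domains_table drewmedical.com > /etc/postfix/local_domains
    postmap /etc/postfix/restricted_senders /etc/postfix/local_domains
    relay_order_ok "$(postconf -n)"
    postfix reload
}

if [ "${1:-}" = "apply" ]; then apply_config; fi
```

The restriction-class mechanism is the one documented in Postfix's RESTRICTION_CLASS_README. After applying, test from the restricted account with a recipient outside the local domain and expect a 554 reject, then from an unrestricted account and expect delivery; `postconf -n` shows the effective values if the edit was made to the wrong main.cf.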
May 31, 2011
I have a work network of about 20 boxes, most of which are running Windows 7; one of them is a file server using Linux and another is Windows Server 2003. Now the local IP is distributed by the router, and no regulation of internet access is done by any of the servers. What I need to do is restrict internet access to select domains, which would probably need DHCP through Linux (I think, not really sure), and I need something simple like a 'blabla.conf' file with the allowed websites that I can edit. I need to know how to regulate IP addresses through the Linux box (all details if possible, I never tried to do that before), and how to restrict internet access also through Linux.
View 4 Replies
Dec 30, 2010
I am using internet web control through Squid. All is working fine, only some small issues.
(1) Sometimes when I try to open google.com or any site I get the message (The requested URL could not be retrieved) (screenshot attached), but after some time the same websites open again.
url
(2) I would like to block the word 'sex', so I have edited squid.conf with the following ACL:
acl Blockword url_regex sex
http_access deny Blockword
but a problem occurs on some websites where the word 'sensex' is found in the URL. Then Squid blocks the 'sensex' URL content website also.
View 2 Replies
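An added example serving both the allow-list request and the 'sensex' false positive above (it is not code from either post): a shell script that turns a plain allowed-sites file into a Squid dstdomain ACL, writes a url_regex that matches "sex" only as a whole word, and tests that regex against sample URLs with grep -E, which uses the same POSIX extended syntax Squid compiles its url_regex patterns with. The file paths and the localnet ACL name (the default in Squid's shipped squid.conf) are assumptions; the sample domains and URLs are constructed.

```shell
#!/bin/sh
# Added example (not from either post): Squid allow-list from a plain file,
# plus a url_regex that does not over-match.  Paths are assumptions.
set -e

ALLOW_FILE=/etc/squid/allowed-sites.conf   # one domain per line, "#" comments

# POSIX ERE has no \b, so bound the word with "start or non-letter" on the
# left and "non-letter or end" on the right.  "sensex" has a letter before
# "sex" and therefore does not match; "/sex/" and "sex.example.com" do.
BLOCKWORD_RE='(^|[^[:alpha:]])sex([^[:alpha:]]|$)'

# squid.conf section: deny the word first, then allow listed domains for
# the LAN, then deny everything else.  A leading dot on a dstdomain entry
# matches the domain and all its subdomains.
squid_acls() {
    allow_file="$1"
    echo "acl allowed_sites dstdomain \"$allow_file\""
    printf 'acl blockword url_regex -i %s\n' "$BLOCKWORD_RE"
    echo "http_access deny blockword"
    echo "http_access allow localnet allowed_sites"
    echo "http_access deny all"
}

# Normalise the allow-list: strip comments, whitespace and blank lines,
# then prefix exactly one dot so subdomains are covered.
normalise_allow_list() {
    sed -e 's/#.*//' -e 's/[[:space:]]//g' -e '/^$/d' -e 's/^\.*/./'
}

# Return 0 if the word filter would block the URL, 1 otherwise.
would_block() {
    printf '%s\n' "$1" | grep -Eiq "$BLOCKWORD_RE"
}

# Constructed sample input for a stand-alone run: sh squid-acl.sh demo
if [ "${1:-}" = "demo" ]; then
    printf 'example.com\n# finance\nbseindia.com\n' | normalise_allow_list
    for u in http://www.sensex.com/ http://example.com/sex/index.html; do
        if would_block "$u"; then echo "block $u"; else echo "allow $u"; fi
    done
    squid_acls "$ALLOW_FILE"
fi
```

Keep the normalised list in the file named by the dstdomain ACL and run `squid -k reconfigure` after editing it; `squid -k parse` reports syntax errors before the reload. If the intermittent "URL could not be retrieved" errors persist, that is a separate (usually DNS or upstream) problem and cache.log will say which.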
Mar 13, 2009
I am trying to give access to ONE single user to start and shut down the Tomcat server. The problem being, when I enter the syntax: username ALL= /etc/init.d/tomcat5, /usr/local/tomcat/webapps, PASSWD:ALL this gives the user access to start and stop Tomcat but also gives the user access to start and stop other services within /etc/init.d, such as httpd etc. What is the proper way to give a user access to start and stop a service, and limit that power to only one service?
View 2 Replies
Feb 16, 2011
Is there a program available that would allow me to create an index in a PDF file that has no security restrictions on it? I know people can lock their files so I am not worried about those, but if I have open permissions on a PDF file how do I go about creating an index? It seems that by default you get the thumbnail view but I'd like to be able to click on an index list to go to a page.
View 2 Replies
Mar 25, 2010
Installed a security update for Samba tonight via the openSUSE updater. Now, when trying to access my home network an authentication box pops up (never used to) asking me to enter authentication for my home network. I enter my username and password and hit enter. After a few seconds the authentication box pops up again asking for the same, indicating I have entered the wrong username/password combination (which I know I have not).
View 9 Replies
Jan 18, 2011
I am trying to get a non-root account on one of our servers to run a script with sudo capability. To that end, I went into the /etc/sudoers file, and added the following syntax:
Code:
## Enable the nagios user to run the check_iptables.sh script as root
nagios ALL=NOPASSWD: /usr/local/nrpe/libexec/check_iptables.sh, /sbin/iptables
I restarted the nagios service and tested the results. The result was that the user account still could not run the script, due to the user, nagios, not having permission to run the iptables binary.
Is there another step (or steps) that I need to take in order to get the sudo access available to the user account?
View 1 Replies
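An added example covering both the Tomcat and the nagios sudoers posts above (it is not code from either poster). The Tomcat line quoted in the earlier post ends in ", PASSWD:ALL"; in sudoers each comma-separated item is its own command, so that last item grants every command on the system, which is why other init scripts became runnable. For the nagios case, the sudoers entry is only consulted when the script is invoked through sudo; if NRPE executes check_iptables.sh directly, the script and its iptables call run as nagios regardless of what sudoers says. The script below emits pinned entries for both, rejects entries that contain a bare ALL or a directory grant, and installs a drop-in only after visudo -c accepts it. The operator user name tomcat_op and the pinned iptables arguments are assumptions; the plugin path is the one from the post.

```shell
#!/bin/sh
# Added example (not from either post): least-privilege sudoers entries for
# one service.  Assumptions: user "tomcat_op", init script
# /etc/init.d/tomcat5, plugin /usr/local/nrpe/libexec/check_iptables.sh.
set -e

# One Cmnd per action with its arguments pinned.  Never append ", PASSWD: ALL":
# each comma-separated item is a separate command, and "ALL" grants everything.
tomcat_sudoers() {
    user="$1"
    printf '%s ALL=(root) /etc/init.d/tomcat5 start, /etc/init.d/tomcat5 stop, /etc/init.d/tomcat5 restart\n' "$user"
}

# Grant the read-only iptables invocations the check needs, not the binary
# with arbitrary arguments (that would let nagios rewrite the firewall).
nagios_sudoers() {
    printf 'nagios ALL=(root) NOPASSWD: /sbin/iptables -L -n, /sbin/iptables -S\n'
}

# NRPE must call the plugin through sudo, otherwise sudoers is never consulted.
nrpe_command_line() {
    printf 'command[check_iptables]=/usr/bin/sudo /usr/local/nrpe/libexec/check_iptables.sh\n'
}

# Return 1 if an entry contains a bare ALL command or a directory grant
# (a path ending in "/" allows every file in that directory).
sudoers_entry_safe() {
    line="$1"
    cmds=${line#*=}                      # drop "user HOST="
    cmds=$(printf '%s' "$cmds" | sed 's/^([^)]*)//; s/NOPASSWD://; s/PASSWD://')
    printf '%s\n' "$cmds" | tr ',' '\n' | sed 's/^[[:space:]]*//' |
    while read -r c; do
        case "$c" in
            ALL|"") echo "bare ALL or empty command: '$c'" >&2; exit 1 ;;
            */)     echo "directory grant: $c" >&2; exit 1 ;;
        esac
    done
}

# Needs root: write a drop-in only after visudo accepts the syntax, so a
# typo cannot lock everyone out of sudo.
install_sudoers_dropin() {
    name="$1"; content="$2"
    sudoers_entry_safe "$content"
    tmp=$(mktemp)
    printf '%s\n' "$content" > "$tmp"
    visudo -c -f "$tmp" >/dev/null
    install -m 0440 "$tmp" "/etc/sudoers.d/$name"
    rm -f "$tmp"
}

if [ "${1:-}" = "apply" ]; then
    install_sudoers_dropin tomcat "$(tomcat_sudoers tomcat_op)"
    install_sudoers_dropin nagios "$(nagios_sudoers)"
fi
```

/etc/sudoers.d is only read if the main sudoers file contains `#includedir /etc/sudoers.d` (the Debian and RHEL defaults do). Verify from the target account with `sudo -l`, which prints exactly the commands that are permitted, and confirm `sudo /etc/init.d/httpd start` is refused. Inside check_iptables.sh the iptables calls must be spelled exactly as pinned (`/sbin/iptables -L -n`), since sudo matches the full argument list.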
Sep 24, 2010
I heard we can set security in /etc/hosts.allow and /etc/hosts.deny on a per-user basis also, like something user@domain or similar. If so, how can I restrict a user from accessing a particular service by his/her user name in a particular host via /etc/hosts.allow or /etc/hosts.deny?
View 3 Replies
Feb 21, 2011
I have a mercurial repository on a secure server, to which I want to grant secure access to an external user.
I added for him a user account and publickey ssh authentication so that now he could push/pull changesets via ssh.
My question is: how can I make this new user account completely disabled from doing anything or accessing any data on the server other than accessing the repository? E.g. he shouldn't even have the possibility to enter an interactive shell session.
View 1 Replies
Sep 19, 2010
Is there any way to make a user, with command-line text only, with access just to change the network IP address?
View 4 Replies
May 11, 2011
I managed to make an old parallel port scanner work in Ubuntu 11.04 with SANE. Everything's perfect but one thing: scanner applications work only if they are executed as root. After further research, I've found the cause is that only root has read and write permissions on the device /dev/parport0, which is my parallel port. If I set the right permissions by giving sudo chmod a+rw /dev/parport0 I solve my problem, but just until the next reboot... the system resets root-only permissions at each restart. I would like to make that change permanent. What can I do?
View 6 Replies
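An added example for the /dev/parport0 post (it is not code from the post or any reply): udev recreates device nodes at every boot, so the fix is a udev rule that sets the group and mode each time the node appears, rather than a chmod that the next boot undoes. The script below writes a rule that hands the device to a group with mode 0660 (the user is added to the group; a+rw would expose the scanner to every local account), refuses rules that leave the node world-writable, and reloads udev. The group name scanner and the rule file name are assumptions.

```shell
#!/bin/sh
# Added example (not from the post): persistent non-root access to
# /dev/parport0 through udev.  Group "scanner" and the rule path are
# assumptions.
set -e

RULE_FILE=/etc/udev/rules.d/60-parport-scanner.rules

# Give the node to a group rather than to everyone: members get read/write,
# root keeps ownership, other users get nothing.
parport_udev_rule() {
    grp="$1"
    printf 'KERNEL=="parport[0-9]*", GROUP="%s", MODE="0660"\n' "$grp"
}

# Return 0 if the rule carries a MODE whose "other" write bit is clear,
# i.e. it does not recreate the a+rw exposure from the post.
rule_mode_ok() {
    mode=$(printf '%s\n' "$1" | sed -n 's/.*MODE="\([0-7]*\)".*/\1/p')
    [ -n "$mode" ] || return 1
    case "${mode#"${mode%?}"}" in      # last octal digit = "other" bits
        [2367]) return 1 ;;
    esac
    return 0
}

# Needs root.  The user must log out and in again for the new group to
# take effect; "udevadm trigger" re-applies rules to existing nodes.
apply_rule() {
    grp="$1"; user="$2"; dev="${3:-/dev/parport0}"
    rule=$(parport_udev_rule "$grp")
    rule_mode_ok "$rule"
    getent group "$grp" >/dev/null || groupadd "$grp"
    usermod -aG "$grp" "$user"
    printf '%s\n' "$rule" > "$RULE_FILE"
    udevadm control --reload-rules
    udevadm trigger
    stat -c 'now: %a %U:%G %n' "$dev"
}

if [ "${1:-}" = "apply" ]; then apply_rule scanner "${2:?user}"; fi
```

Run as root with `sh parport-udev.sh apply <login>`. If the rule does not take, `udevadm info -a -n /dev/parport0` prints the attributes udev actually sees for the node (KERNEL, SUBSYSTEM, DRIVERS) so the match can be tightened; `udevadm test /sys/class/ppdev/parport0` shows which rules fired.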
Mar 15, 2011
I am working on a system which runs on RedHat Enterprise. I have been asked by superiors to see if the following is possible (sudoers file config change, I guess).
Example
User1 has root access
user2 has root access, but must not be able to access ctmag (user account)
I know the obvious here is that if user2 can switch to root then it won't work. But I just need to prevent user2 from su - ctmag. A password is set on the account ctmag, but as user2 has root access it switches without a password prompt.
Is there any way I can prevent user2 from switching to ctmag but still have access to root?
View 6 Replies
Nov 26, 2009
I have a problem accessing the root password when I am in a user login. That is, when I am in a user login and want to install software from the terminal, it asks for the root password; when I supply the root password, it gives me "login incorrect".
View 2 Replies
Sep 2, 2010
I'd like to add a user to my server that will only have access to a mount point over sshfs. Is there any way I can provide them this access without actually giving them permission to open a terminal on my server? I tried /bin/false and /sbin/nologin already, but /bin/false didn't allow the mount point to be made and /sbin/nologin prevented a login completely (also stopped the mount point from working).
View 6 Replies
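An added example serving both the Mercurial-only account (earlier post) and the sshfs-only account (the post above); it is not code from either poster. Two OpenSSH mechanisms fit: for Mercurial, an authorized_keys forced command running hg-ssh (shipped in Mercurial's contrib/ directory), which only permits `hg -R <repo> serve --stdio` on the repositories named on its command line, plus key options that remove forwarding and the pty; for sshfs, which speaks SFTP, a Match block with ForceCommand internal-sftp and a ChrootDirectory. The reason /sbin/nologin broke the mount in the post is that the external sftp-server binary is launched through the user's login shell, whereas internal-sftp runs inside sshd and needs no shell. The same applies in reverse to the hg account: sshd runs a forced command through the login shell, so that account must keep a real shell and relies on the key options instead. The hg-ssh path, repository path, user names and the sample key are assumptions.

```shell
#!/bin/sh
# Added example (not from either post): single-purpose SSH accounts.
# Assumptions: hg-ssh at /usr/local/bin/hg-ssh, repos under /srv/hg,
# sftp chroots under /srv/sftp/<user>, constructed sample key below.
set -e

# (1) Mercurial push/pull only.  The forced command runs for every
# connection with this key; the options stop port/agent/X11 forwarding and
# pty allocation, so no interactive session is possible even though the
# account keeps a real shell (sshd executes the command via that shell).
hg_authorized_key() {
    repo="$1"; pubkey="$2"
    printf 'command="/usr/local/bin/hg-ssh %s",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty %s\n' "$repo" "$pubkey"
}

# (2) sshfs/sftp only.  internal-sftp runs inside sshd, so this account may
# keep /usr/sbin/nologin as its shell.  ChrootDirectory must be owned by
# root and not group/world writable, all the way up the path.
sftp_only_match_block() {
    user="$1"
    cat <<EOF
Match User $user
    ChrootDirectory /srv/sftp/$user
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
    PermitTunnel no
EOF
}

# Return 0 only if an authorized_keys line carries every option relied on.
key_line_locked_down() {
    opts=${1%% ssh-*}          # option list precedes the key type
    for o in 'command=' no-port-forwarding no-X11-forwarding no-agent-forwarding no-pty; do
        case "$opts" in *"$o"*) ;; *) return 1 ;; esac
    done
}

# Needs root: install the key line for the hg account.
install_hg_key() {
    acct="$1"; repo="$2"; pubkey="$3"
    line=$(hg_authorized_key "$repo" "$pubkey")
    key_line_locked_down "$line"
    home=$(getent passwd "$acct" | cut -d: -f6)
    install -d -m 0700 -o "$acct" -g "$acct" "$home/.ssh"
    printf '%s\n' "$line" >> "$home/.ssh/authorized_keys"
    chown "$acct" "$home/.ssh/authorized_keys"
    chmod 0600 "$home/.ssh/authorized_keys"
}

# Needs root: append the Match block (Match blocks must come last in
# sshd_config) and check the result before reloading.
install_sftp_only() {
    user="$1"
    install -d -m 0755 -o root -g root "/srv/sftp/$user"
    install -d -m 0775 -o root -g "$user" "/srv/sftp/$user/data"   # writable subdir
    sftp_only_match_block "$user" >> /etc/ssh/sshd_config
    sshd -t
    service ssh reload
}
```

Test the hg account with `ssh extdev@server` and expect the connection to close with hg-ssh's "Illegal command" message rather than a prompt, then confirm `hg clone ssh://extdev@server//srv/hg/project` works. For the sftp account, `sshfs fsuser@server:/data /mnt/point` mounts the writable subdirectory; the chroot root itself stays read-only for the user because OpenSSH insists it is root-owned.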
Dec 18, 2010
I have tried to not allow root access and have created a wheel user.
Now I cannot log in as root.
It's okay, but when I am logged in as the wheel user and try to access root, it says:
Code:
View 14 Replies
Feb 9, 2009
Which USB/PCI/PCMCIA adapter can I configure as an access point in CentOS 5.2?
View 1 Replies
Dec 19, 2010
I made a Desktop User account. When I went on that account, it allowed me to execute sudo as if I was an administrator. I don't know what might be causing this. I do have ufw set up and blocking incoming connections. Do you guys know what might be at the root of this? Also, when I used sudo from the user account (which I shouldn't have been able to do), I provided the password for my admin account.
View 9 Replies
May 12, 2011
I'm planning to centralize users and passwords and also create controls for user access to some equipment, for example Linux servers, switches, routers and firewalls. In case of failure of the link between the ACS and AD, or from the equipment to the ACS, the device would use a local username and password.
At the moment, my AD structure is Microsoft, with Cisco ACS servers and standalone Linux. I wish that both the Linux servers and the network equipment were authorized by Cisco ACS against the accounts that are in Microsoft AD.
The configuration of the Cisco ACS to use AD is done with no problems, and the network equipment is OK too, but I am having difficulties configuring the server for this solution.
View 1 Replies
Feb 15, 2011
I'm running CentOS and I get an error when I plug in my usb flash drive.
Error org.freedesktop.DBus.Error.AccessDenied
A security policy in place prevents this sender from sending this message to this recipient, see message bus configuration file (rejected message had interface org.freedesktop.Hal.Device.Volume member Mount error name (unset) destination org.freedesktop.Hal)
How would that work when all of the users are network users (OpenLDAP)? So these are not local accounts.
View 1 Replies
Feb 18, 2011
My team is working on a network; their terminals are Windows and my server is Linux CentOS. We work on a simple network without a domain. My users work on files on the server. Can I demand a user name and password when they try to change the shared files on the server, and can I monitor which user changed a file? I have a CSS developer and he is only allowed to create and modify CSS files; can I do this?
View 3 Replies
Mar 28, 2011
I upgraded a Guruplug Display machine running Lenny to Squeeze. It's running Linux from a MicroSD device on an ARM CPU.
# uname -a
Linux gplugD 2.6.29 #1 Wed Feb 16 17:59:04 IST 2011 armv5tejl GNU/Linux
yeri@gplugD ~ $ cat /etc/debian_version
6.0.1
However, after rebooting, every non-root user was unable to access anything related to the net. This means DHCP failed to auto-start, ntp is giving errors, etc.
# ntpq -p
localhost: timed out, nothing received
***Request timed out
daemon.log:
Mar 27 06:07:44 localhost ntpd[1478]: ./../lib/isc/unix/ifiter_ioctl.c:348: unexpected error:
Mar 27 06:07:44 localhost ntpd[1478]: making interface scan socket: Permission denied
Mar 27 06:07:44 localhost ntpd[1478]: Too many errors. Shutting up.
As root:
gplugD ~ # ping 85.12.6.171 -c 1
PING 85.12.6.171 (85.12.6.171) 56(84) bytes of data.
64 bytes from 85.12.6.171: icmp_req=1 ttl=58 time=42.1 ms
[code]....
View 1 Replies
Feb 23, 2010
I already have a Windows 2003 server with Active Directory, with 200+ user accounts, and each user has been allocated a specific disk quota. Now I want to install SUSE on the client side so that it can do all the same things as the Windows clients do (Active Directory login and disk quota). I have downloaded SUSE Linux 11.2 and installed all the required Samba packages and also joined the Windows domain (2003 server). How can I access my user space located on the Win 2003 server from my Linux client machine?
View 3 Replies