Ubuntu Security :: Restricting File Listings?
Nov 7, 2010
We set up a server with my friend (still newbies) a couple of months ago using Ubuntu 10.04 LTS server edition and agreed to let some folks at school use it to install Drupal on it for teaching and learning purposes. So the idea is that there are multiple users that all install Drupal in their home folders separately using SSH and continue from there on etc.
Everything is set up for that to work (domain, settings etc), but there's one thing nagging me, and that's how everyone can look at everything on the server. They don't have rights to modify anything but can look at file listings and view inside files etc.
So how do I restrict the viewing rights of users to inside their home folder, BUT so that they can use the cd command to go to folders inside their home folder, but not outside of it. As far as I know rbash purely keeps you inside home and allows nothing else, so that doesn't work, because you need the cd command.
Apr 11, 2010
I have searched this forum somewhat but haven't yet found a similar post using the keywords I entered, but perhaps there is already a similar post, in which case please refer me to it. I am trying to add a user account "Guest" to allow people on my laptop without giving them access to vital parts of the computer. Basically, I want them to only be able to view their own home directory and access internet. Nothing more. I have set the group to "guest" and changed the other home directories of other users to owner access only.
Guest still has access to root and is still allowed to perform actions in various critical areas (deleting files from for example my Windows 7 partition). This I also want to prevent. I was thinking to set each directory's permissions to Owner and Group only and remove Others access.
My questions:
1. Will this have any undesirable impact (programs of main user accounts not able to access certain directories)? For guest user I don't care as long as internet works.
2. When I start User Manager and disable for Guest all options except "access internet" (so I also disable access to CDROM), the guest can still access the CDROM. Does this mean the User Settings menu has no effect or is overruled by something?
Apr 13, 2010
Is there a way to restrict users that are logged into the shell via SSH/Telnet/SFTP from using the 'cd' command to move into certain directories, yet not use the chmod command to do it? For instance, restrict users logged in from accessing the /var/www/ folder but have it still accessible using a web browser. Also, would this defeat the purpose since they could just wget from it if it's still web accessible through a browser?
Jul 12, 2009
I've got a question about the chattr command. Is it possible to restrict root access for this command? What I want is something similar to FreeBSD behaviour, aka the kernel secure level. Setting a particular security level results in limiting some operations (i.e. changing immutable flags on files) by root. Well, if someone gained access to a machine in some way, nothing would stop him changing the file's flags. So the question is if it can be achieved with SELinux?
Mar 17, 2011
I run a system that users may log into either remotely or physically. Multiple users may be logged in simultaneously because of the remote access, but only one user can be physically logged in at a time. With the current setup, however, if the physical user inserts a flash drive (which the OS mounts automatically) then the remote users gain access to the removable media.
Apr 8, 2011
I'm having trouble applying a CSS file to my Apache directory listings. I am running Apache 2.2.3, and have the following lines in my httpd.conf file:
IndexOptions FancyIndexing FoldersFirst IconsAreLinks IgnoreCase VersionSort NameWidth=* HTMLTable
IndexStyleSheet "css/dir.css"
Jan 21, 2011
I want to restrict a particular user from creating a file beyond a particular size, i.e. he should not be able to create a particular size [say 10mb] but he can use up to 10 gb. [not the quota space I mean]
Jul 23, 2010
In my /media directory, there is a sub-directory that doesn't point to any drive (mounted or unmounted) - when I look at it in nautilus, it looks like a folder with an x on it, and I can't actually get inside the folder through the terminal. It has the same name as an external hard drive that I used to own, but has since been repartitioned. I think that, at one point, the drive was removed from my computer without unmounting, and its listing in /media was never removed (I left my home for a weekend and when I got back the drive didn't work and this listing was there in /media. I think my roommate might have done something to it, but he hasn't admitted to anything). Is there any way to remove this listing?
Feb 17, 2010
I recently downloaded some browsers using the synaptic package manager and after taking a look at them I used synaptic to remove them.
However when I ran an update I found that these browsers were still on my sources list and I could not update correctly. So I need to remove them from my sources list.
Jan 23, 2010
I have been having an issue getting the menu listings for uninstalled Wine programs to actually get removed from the menu. I can deselect/hide them, but it will not delete them. Anyone else having this problem? How can I get rid of all the icons? It seems that it almost creates one every time I use Wine to open something.
Jun 5, 2010
I did a fresh 64-bit install of 10.04 workstation a few weeks ago, and my grub seems to "double up" the listings of my kernel versions. I have removed the older versions hanging around on my system, but you can see in the list below, that I still get the listings more than once:
jim@jim-laptop:/etc/grub.d$ sudo update-grub
Generating grub.cfg ...
Found linux image: /boot/vmlinuz-2.6.32-22-generic
Found initrd image: /boot/initrd.img-2.6.32-22-generic
Found linux image: /boot/vmlinuz-2.6.32-22-generic
[Code]....
Mar 30, 2011
I currently have some windows (Win7 Ultimate 64-bit) shares automounted to my linux laptop whenever I am on my home wireless network. I have this functionality set up using autofs/CIFS and it works well, except for one issue: The directory listings for the mounted windows shares are incomplete, i.e. when listing the directories on the linux machine, it only lists a fraction of what is available in the actual share. One directory returns 28 of 51 files present, for example, and another 33 of 60. NOTE: None of the files on the windows shares are 'hidden' or in any way shared differently than the others.
Jan 26, 2011
It only occurred to me now, but why is it that date listings are not consistent?
ex:
Code:
They are all Month Day Year but one (from that particular extract, there's more), why is the 3rd there one Month Day Time? I know the year is not 2011 because we have not hit august 2011 yet, but what if it's 2009 or 2008? I would not know.
One of my sites got hacked and I'm just trying to figure out what the hacker got into and trying to figure how he got in so I can fix the exploit.
Jun 7, 2011
Issue is: I'm using an external USB DVD burner and can not get the DVD to show in the linked hardware listings, so need help getting that mounted. I need it to run the recently installed MONDO.
May 17, 2011
I have an SSD that is SATA and can run at 3.0 Gb/s - in the error log it is being restricted to 1.5.... I have no proprietary drivers (apparently) that need updating - is there anything else I can do to get the full speed?
Jun 29, 2010
I have a desktop (picard), and I want to be able to connect to it from my sister's laptop (zuma) to quickly scp files from my machine to hers. At the same time I don't want the whole world to be able to connect to my machine via SSH. We're connected through a router. I've tried adding the line
"ListenAddress 192.168.0.0"
to /etc/ssh/sshd_config, but this prevents me from being able to connect to my machine from another on the network. From my understanding of the ListenAddress directive, I would assume "ListenAddress 192.168.0.0" would allow my sister's address through (192.168.0.192).
Am I missing something?
Feb 4, 2011
In my office I want to set up a Linux machine for public usage. On this machine I want to restrict/deny access to certain applications (e.g. k3b, xterm, pdf reader etc) for certain users/groups of users as per the office policies.
1) By what method/procedure can I achieve this objective?
May 30, 2010
I have set up Firefox for certain users, with specific extensions. I would like to know which directories to restrict so that no new extensions can be installed, but the currently installed extensions will be able to update without a problem.
Dec 29, 2010
I wanted to restrict users within a particular folder, say /var/lib/tomcat/webapps. I want the users to see all subfolders inside webapps and work with it (edit+read but no delete). I understood that chroot is the way, and I read this [URL] community discussion, but what I understand out of it is, they are trying to give a complete working installation of Ubuntu to the user within a directory, which I don't want to.
Jan 14, 2010
I have a small home network with a router to the outside world and an Ubuntu server through which traffic passes first. My ISP limits my download usage during the day, which traditionally has not been an issue, but now the children come in from school, boot up the internet and up goes my usage! Ideally I would like to be able to restrict them to IM and maybe certain specified URLs (I think the latter probably needs to use Squid though?). Once the download limits are lifted, I would like my iptables to allow HTTP, etc, but pretty much block most other things.
I have two sets of iptables currently to approach this issue, with a cron job that runs to swap between one and the other. Chains run in order, so if rule A says allow x, and rule B says drop all, then X should still be allowed. However, try as I may, this is not what happens in practice. I have even tried changing the overall order from ALLOW to DROP in FORWARD and then approach from the other angle. That didn't work either. *IS* it actually possible to block all but http / https and IM? These are my rules:
Code:
# Generated by iptables-save v1.4.4 on Sat Jan 9 19:15:49 2010
*nat
:PREROUTING ACCEPT [583:45175]
:POSTROUTING ACCEPT [694:60887]
:OUTPUT ACCEPT [143:18642]
[code]....
Nov 14, 2010
I am pretty frustrated with Ubuntu security partially because I don't know exactly how to fix things in it like I do Windows and you can't always use GUI with Ubuntu which is quite annoying. Basically.. I created a Samba share. When I copy files from my Windows machine TO the Samba share the permissions are always screwed up. I can watch the videos but I can't delete them. I have to go into Nautilus? via F2, sudo something and change permissions every time I copy something into the shared folder. To me, this is stupid.
Another issue... I added a 2nd hard drive to my Ubuntu machine, shared the entire drive. Once again.. when I copy files to the share I can only read them.. I have to keep stealing ownership so to speak over the files. Now, when I want to CUT and PASTE from my Drive "C" Ubuntu to my Drive "D" I don't have access. Ugh... why can't there just be a way to make all files accessible.
Why should I have to pop into a different program to regain permissions every time. When I create a folder it should STAY that way. Anything I copy into it.. it's MINE. Just because I copy from another machine onto THIS machine, I am still the creator of that folder. I SHOULD have access to EVERYTHING in it.
Feb 15, 2011
I'm trying to write a script that uses the 'du' command to make essentially a text-based filelight type program. It should scan the current directory for the file sizes and display them in order largest to smallest (or vice versa). The user should be able to go throughout the file tree and see child directories scanned for the sizes as they're accessed. I just need to know one more thing - how can I restrict the displayed results to the current working directory? Would a grep for the output of pwd suffice? Just getting some thoughts before I try and possibly dig myself a hole.
Jul 16, 2009
I hope I am in the right forum. I have a question about restricting users from being able to change their own passwords in Fedora 10. In Fedora 6, I was able to do this by using passwd with -n and -x flags. If I would set the -n value greater than the -x value, then the user would not be able to change his/her own password. If I do this in Fedora 10, this no longer works.
Apr 22, 2010
I have an internet and mail server installed CentOS, and I want to restrict client machines to access a certain website, e.g. if i want restrict users from accessing the website: www.mydomain.com, How do I do it?
Feb 16, 2010
I need some kind of step by step process to restrict my users to only have access to directories that I specify? For example user joe can only access his home directory, read access to /tmp and read access to /var/log/httpd
Aug 9, 2010
I have a few small lists created in mailman, and I want users to be able to receive, but not post. Where do you find this setting?
Nov 26, 2010
Every developer in our organization has access to a single development server and all development (other than basic experimentation) is done on this server. This is primarily because there are several interdependent systems and having copies of these systems on each developer's machine slows that machine down to the extent of making it completely unusable. All developers access this development server using ssh. Of course this implies that scp will also work as the sshd daemon is running, making data vulnerable.
We are currently attempting to secure the code and data on this server from unauthorized copying and transfer.
Currently I am attempting to set up virtual machines on each developer machine that can then be used to connect to the development server. I have created a shell that does nothing but allow for the typing of one command that simply transfers (ssh login) the user onto the development server.
I am using VirtualBox and Ubuntu mini to achieve this.
Problems: The first question is if this is a reasonable way to achieve what I am attempting to. Is there a better way?
The others are more in terms of the set-up: I am attempting to resize the VirtualBox console. I tried this by editing grub. Although I am able to resize the screen at start-up, the entire screen goes back to (what I believe is 800x600) after the Ubuntu splash screen.
VirtualBox seems to have completely messed up the keyboard detection. How can I rectify this?
The other is regarding the restricting of shell access. I have currently done this by removing access to /bin/ for normal users. Is this secure enough or is there a better way?
Apr 3, 2011
I want to limit the amount of connections a user can make outside of the box per user group, should I be doing this via iptables or what? aka:
group1 can only have 2 simultaneous outbound connections
group2 can only have 8
Dec 15, 2010
I'm trying to restrict a particular ssh user to his home directory. I'm just giving him access so that he can ssh to another server that is only accessible from the former, but restrict his movement so that he can't poke around the former. I already made some changes to the sshd_config file and added the following line at the end:
Did some tests; user joe can ssh to the server but is unable to do anything aside from logging in, even a simple ls command will immediately close the PuTTY session. I know I'm still missing something but don't really know what it is. I also tried this how-to that uses rssh --> http://www.adamhawkins.net/2009/05/r...ured/#more-431 however when I log in the session immediately closes.
Jan 15, 2010
I've had two hd's in my box forever, for more space and backup reasons. Well, I have started running the Debian Squeeze distro since December. I've had many issues, some are still unresolved. But now I'm running into major headaches with the fstab. Specifically dealing with/wondering why UUID's are used instead of the old /dev/hd? I was a little annoyed when I tried Kubuntu to find /dev/sd? used instead of /dev/hd? but that was workable. But the UUID's are a nightmare. Here's my problem.
My main box is finally giving up the ghost. The mobo is dying. So in order to do some tests I took my hd bundle (my two hard drives with their cables) physically out of the box and temp installed them in a test box. I wanted to do some benchmark and other tests. I got all kinds of errors. I found that the system wasn't recognizing the UUID's listed in fstab. My concern is when the new mobo gets here next week I won't simply be able to plug the hd's in like I always have been and just let Linux reconfigure itself (Debian used to be good about this). I really don't want to have to clean reinstall if it's not needed.
So for this I have two questions. WHY did developers decide to drop using /dev/hd? or even /dev/sd? ?
And is it possible to revert fstab's listings back to the old /dev/hd? settings. In Debian, fstab had lines commented out showing how each partition was listed in its /dev/hd? status during install.
I'm getting really sick of all these arcane changes in ALL aspects of Linux that don't seem to have any good explanation or need.