Ubuntu Security :: Making New User With Limited Access?
Sep 19, 2010is there any way to make user with command text, just with accessbility to change network IP Address ?
View 4 Replies
ADVERTISEMENT
Software :: Making Copy Of Website With Limited Access
Jul 14, 2010Trying to make a copy of my website to a local ubuntu server - I have very limited access ie: no shell access. What is the best way to make a copy of my site. have ftp cli, lftp, wget ... just not sure what to use and how.
View 3 Replies View RelatedUbuntu :: How To Create User With Limited Access
Oct 24, 2010I want to create a limited user, such that the user should only have the access to usb drives, cd drives and internet. And also I want to restrict the user from deleting the files from the system. How to do it..?
View 5 Replies View RelatedUbuntu Security :: User (in Jail) With Very Limited Permissions
Nov 21, 2010I want to have an account (beta user), on which:I can use the Internet and other programs without administrative rights without the right to install programs with a kind of sandbox for everything that is connected to the Internet, which means: everything that is associated with the web browser's processes and files that I save to hard disk I want to be separated from the rest of the system, so that whatever can catch up on this account will be locked in it, for example any (if at all) possible malicious scripts from Internet or whatever may be dangerous now or invented in the future. Sometimes, for example, I save the web page to disk with all it content.
And in case someone cracked into this account I want make it in that way that he could not do any tricks to read or change passwords, or make any other changes to the system. The best would be if a password for that user might serve only to log in without having any other powers, and I would give that user an automatic login. For now I created a beta user without administrative rights. I understand that the limiting rights of the user are associated with limiting rights to their home directory. There are also groups, and a user may be included or excluded. I excluded that user from admin group but I don't know what else I can limit and how. When I give chmod 0644 for /home of this user he cannot run Firefox. When I give him 0740 he can run applications, so I assume the x attribute must be preserved.
This is a user without sudo rights, so when I type sudo apt-get update a message shows up correctly that this user doesn't belong to the sudoers group. But still it's not what I wanted. When the user runs Gufw and wants to change the settings to disable the firewall, a message shows up asking to type in a password of alpha user = primary user, which is that belonging to the sudoers group, the first / main user that I created during system installation. I wish that there was only the message that the beta user has no power to change anything, which means even completely remove the possibility of asking for sudo.
In addition, I wish that this beta couldn't be able to change the permissions to its home directory, or go to see what is above. Because so far beta can change the file permissions for its /home, even without a sudo password. How can I do it? Do I need to create a kind of chroot jail for this user? I would like any changes to that user account could be made only after the user log off from beta account, and log in on alfa account and that beta could run only programs that ware installed by alpha. And that beta could read and write, but alfa could also read and write or remove, alter files on beta account. Basically, alfa account should be superior to beta account. Can do that?
Ubuntu Security :: PHP Is Not Running Under Apache 2 And Limited By The Www-data Filesystem Access?
Jun 30, 2010I'm about to have a web server at home for the first time. I've always missed having full control and not having to contact my hosting company when I need to do some specific changes - and some changes they won't do for you at all.I've chosen the non-GUI Ubuntu Server with LAMP, and nothing more is installed really except for a couple of command line tools from the repository. The LAMP software has been locked down as good as I can by following some guides on the net and using common sense. Like Apache 2 don't have access to the file system except for the www folder, and setting the headers to Prod. MySQL has skip-networking and I've commented out the listen string to localhost. PHP has a truckload of functions that I've disabled in the php.ini, also by following some guides on the net, among some other security enhancing php.ini editing.
The only thing the server will serve is a well known PHP forum and some html docs, and that's all. Nothing advanced or complicated stuff, and I'm definitely not programming PHP myself or letting anyone do it for me.But I do want to sleep well at night knowing that my server is always on and sitting on the edge of my home network! And can I do that? I've heard that you don't need to be worried about getting your Linux server box hacked, but you should be worried about anyone getting root access to it. But is it really that simple? Ubuntu is shipped without root account and you must have the sudo password, right? What's the odds for anyone to get full access to my system?An issue: I've heard that Apache never must run as root. When I do a ps -ef, I see that there are several www-data processes running apache, but there's one root process running apache too. Is this normal and is it safe?An issue: I've heard that PHP can fail pretty easily. But isn't PHP running under apache 2 and limited by the www-data filesystem access?An issue: MySQL is running as a MySQL user, and I guess that's an unprivileged user right?
Ubuntu Servers :: Sftp Or Ftps - Configure Another User To Go Over The Web With Limited Folder Access?
Dec 11, 2010I want to share files over the web with only a few people and limiting them to certain folders. I have been doing a remote access (ssh) to my server to access it from a pc on the local network. I later found out the same program doing ssh (open_ssh) was also doing sftp, great I could do both with one system account. Problem I couldn't find away to configure another user to go over the web with limited folder access without messing up my user to access the pc. I tried ftps by using vsftpd, I couldn't get chroot set up correctly or even log in. So my question is what program and/or protocol should I use to do secure ftp over the web?
OS: Ubuntu 64bit 10.04
Fedora Security :: User Access To Start And Stop Tomcat But Also Gives User Access To Start And Stop Other Services "/etc/sudoers"
Mar 13, 2009I am trying to give access to ONE single user to start and shutdown tomcat server. The problem being, when I enter syntax: username ALL= /etc/init.d/tomcat5, /usr/local/tomcat/webapps, PASSWD:ALL This gives the user access to start and stop tomcat but also gives user access to start and stop other services within /etc/init.d - such as httpd etc... What is the proper way to give user access to start and stop service, and limiting that power to only one service....
View 2 Replies View RelatedUbuntu Security :: Permanent User Access To A Device?
May 11, 2011I managed to make an old parallel port scanner work in ubuntu 11.04 with SANE. Everything's perfect but one thing: scanner applications work only if they are executed as a root.After further researching, I've found the cause is that only the root has read and write permissions on the device /dev/parport0 which is my parallel port. If I set the right permissions giving sudo chmod a+rw /dev/parport0 I solve my problem, but just untill next reboot... the system resets root only permissions at each restart. I would like to make that change permanent... what can I do?
View 6 Replies View RelatedSecurity :: Sudo Access For An User To A Script?
Jan 18, 2011I am trying to get a non-root account on one of our servers to run a script with sudo capability. To that end, I went into the /etc/sudoers file, and added the following syntax:
Code:
## Enable the nagios user to run the check_iptables.sh script as root
nagios ALL=NOPASSWD: /usr/local/nrpe/libexec/check_iptables.sh, /sbin/iptables
I restarted the nagios service, and tested the results. The results were the user account still could not run the script due to the user, nagios, not having permission to run the iptables binary.
Is there another step(s) that I need to take in order to get the sudo access available to the user account?
Security :: Restrict A User To Access Particular Service?
Sep 24, 2010I heard we can set security in /etc/hosts.allow and /etc/hosts.deny on user base also like something user@domain or something if so how can I restrict a user to access particular service by his/her user name in a particular host via /etc/hosts.allow or /etc/hosts.deny
View 3 Replies View RelatedUbuntu :: Create A Limited User Account?
Jul 19, 2011Can we create a limited user account in ubuntu like XP where user can not be able to change its networking settings (like changing IPs / enable & disable netwrok interface).
View 9 Replies View RelatedGeneral :: Security - Setup User That Can Only Access A Repository Via Ssh?
Feb 21, 2011I have a mercurial repository on a secure server, to which I want to grant secure access to an external user.
I added for him a user account and publickey ssh authentication so that now he could push/pull changesets via ssh.
My question is: how can I make this new user account completely disabled from doing anything or accessing any data on the server other than accessing the repository? E.g. he shouldn't even have the possibility to enter an interactive shell session.
Security :: Controlling User Access On Redhat Enterprise?
Mar 15, 2011Im am working on a system which runs on RedHat Enterprise I have been asked by superiors to see if the following is possible. (sudoers file config change i guess)
Example
User1 has root access
user2 has root access, but must not be able to access ctmag (user account)
I know the obvious here is that if user2 can switch to root then it won't work. But i just need to prevent user2 from su - ctmag. A password is set on the account ctmag, but as user2 has root access it switches without a password prompt
Is there anyway i can prevent user2 from switching to ctmag but still have access to root?
Ubuntu Security :: Adding User With Access To Mount Point Over SSHFS Only
Sep 2, 2010I'd like to add a user to my server that will only have access to a mount point over sshfs. Is there any way I can provide them this access without actually giving them permission to open a terminal on my server? I tried /bin/false and /sbin/nologin already, but /bin/false didn't allow the mount point to be made and /sbin/nologin prevented a login completely (also stopped the mount point from working).
View 6 Replies View RelatedFedora :: Add User For Ftp To Limited Directories?
Jul 22, 2010How do I create a user with ftp access and/or Putty access that can only see and change certain directories. I want to create users to work on my website but I don't want them to have access to all of the folders.
View 2 Replies View RelatedUbuntu :: No Password - Read Only User (Limited Permissions)
Nov 9, 2010I'd like to add essentially an anonymous user, which does not require a password. Second I think it's probably a good idea to only give this user very limited permissions, is there a way I can restrict the commands that they can run to a list (i.e. they should be able to run scp, ls, cd, maybe a few more, but not much)?
View 5 Replies View RelatedSecurity :: Doesn't Access Root Passward From User Login
Nov 26, 2009I get the problem to acess root password when i am in user login, means wahen i am in user login and want to install software from terminal then he asked root password, when i supplied root password but he give me login incorrect.
View 2 Replies View RelatedUbuntu Security :: Unable To Deny Sudo Access To Regular User Account.
Dec 19, 2010I made a Desktop User account. When I went on that account, it allowed me to execute sudo as if I was an administrator. I don't know what might be causing this. I do have ufw set up and blocking incoming connections. Do you guys know what might be at the root of this?Also, when I used sudo from the user account (which I shouldn't have been able to do), I provided the password for my admin account.
View 9 Replies View RelatedUbuntu Servers :: Allocate A Limited Amount Of Space For Each User?
Oct 1, 2010it is possible if i can have sub-users in my server and can i allocate a limited amount of space only. For example i am the root of server and now i can add another user with name john and he should be able to use only of 2GB out of my total hard-disk.
View 4 Replies View RelatedSecurity :: User Access Restrictions To Network, USB Ports, PCMCIA, CDROM
May 3, 2011How to create a user account on a Linux desktop machine with restrictions on connecting to the LAN, WAN, PCMCIA ports, Firewire, CDROM and generally any user controllable output options?
I have the task to set up a machine for users working with sensitive data that should not be leaving the machine where it is processed. This means disabling access to the ethernet device, lan, all other ports as mentioned earlier, and any other way of leaking the data.
In Mac OSX this was achieved using "Parental controls" from the System preferences; this even allows a selection of the applications that can be used. Under XP, Device Manager offers the option to click various devices and "Disable" them, which worked so far just fine. Some will point out that the latter mentioned OS may be easy to circumvent the security of in other ways, but that has been mitigated with other measures and it's not the point anyway. For the operator users in question, the aforementioned measure proved successful and worked.Using OSX and XP to do this was a 10-15 minutes job with testing included.
So far all guides and tutorials pointed to useradd, groups an facl, but in actual practical terms did not help at all, in fact most of the research did not render any practical results so far. I surely don't expect to point and click, and would gladly run a set of commands from CLI. If I had them. I would really would like to achieve the same restricted user account configuration in a concise, comprehensive and practical manner under Linux too. Preferably tested on humans before, and known to be workign, of course.
The machines that need to be set up are two laptops running Ubuntu. So how can this be accomplished in Linux?
Security :: Su - Incorrect Password - When Logging As Wheel User And Trying To Access Root
Dec 18, 2010I have tried to not allow root access and have created a wheel user.
Now I can not logged in as root.
Its okay but when am logging as wheel user and trying to access root then it says:
Code:
Ubuntu Servers :: LAMP Setup With Limited Access To Users
Mar 9, 2010I'd like to setup an Ubuntu LAMP server, and provide limited access to it for our in-house web developers/designers. I'm not quite sure how to go about the permissions side of things. Which user/group should "own" the /var/www directory? Is it www-data?
How do I create user accounts (for our developers) that have access to the /var/www directory - do I create accounts then add them to the www-data group? Or should I make a special 'webdev' group and give it access somehow?
Ubuntu Servers :: Have SSH Running / But Create A New Login With Limited Access
Jun 7, 2011I have SSH running on a computer I use as a server at home and login to it for my own purposes but am needing to share access to this server with someone else, and I'd like to do it in a way so that when they sign in all they see is the contents of one folder and nothing outside of it. So I'd like them to have full access to this folder and do anything they want with it, but not be able to browse outside of it at all via something like WinSCP (they're using Windows). I'm thinking I need to create a new account for them to sign in with but beyond that I'm not sure what I need to do. The only other special thing is that the folder I'd like them to be presented with is actually on an external hard drive. We're going to be doing a lot of online music collaboration and I need to give him lots of free space to drop files and the internal hard drive doesn't have a lot to spare right now.
View 6 Replies View RelatedSecurity :: Centralize Users And Passwords And Also Create Controls For User Access To Some Equipment?
May 12, 2011I'm planning to centralize users and passwords and also create controls for user access to some equipment, for example, Linux Servers, Switches, routers and firewalls. In case of failure of the link between the ACS and AD or equipment to the ACS, this device would use local username and password.
At the moment, my AD structure is a Microsoft, Cisco ACS servers and Linux Standalone. I wish that both linuxs servers and network equipment were authorized by Cisco ACS on the accounts that are in Microsoft AD.
The configuration of the Cisco ACS to use the AD is done and no problems, the network equipment is OK too, but am having difficulties configuring the server for this solution.
General :: Basic Security Practices For Desktop Ubuntu - Use A Limited Account
Apr 30, 2010Most of us know the basic security practices on Windows:
Use a limited account
Set a password
Disable unused services
Uninstall bloatware
Antivirus / Antimalware
etc.
I haven't ran linux as my main desktop computer before, so I don't know how to properly secure it. I have heard linux is supposed to be more secure than Windows, but I know that the default settings of anything are rarely secure. What are some things I should do as a new Linux user to secure my desktop system from attack?
General :: Squid And Iptables - Limited Access To Websites
Sep 23, 2010I have configured my squid that have a limited access to websites but still some website were accessable vis https so I removed transparent from squid. Now what changes do I have to make in iptbles
View 1 Replies View RelatedSecurity :: Forgot LUKS Password - Possible To Crack With Limited Charset?
May 22, 2011I've encrypted my root partition with LUKS and cannot remember my password. My main question is this: is it possible to extract the hash (or key; not sure on the correct terminology here) from the LUKS header and run it through a cracker? The hash type is SHA1 and I can remember the characters I used for the password, just not in the correct order (lots of special characters). That being said, given such a small charset, it should be crackable within a reasonable time, correct? Especially if I used a GPU accelerated cracker. What I don't know how to do is go about getting the hash from the LUKS header. Is any of this possible, or am I SOL? Of course, I have physical access to the system so I can boot it into any utilities I may need to.
View 3 Replies View RelatedOpenSUSE Network :: Firefox - No Or Extremely Limited Internet Access
Nov 15, 2009I've been running Suse 11.2 KDE on a 64-bit Dell Studio 1535 since last week's release, and have had no trouble using Firefox. At some point today, however, it stopped accessing webpages -- or, when managing to grab a page, it would do so without full html rendering. 95% of the time I get an error splash, while the other 5% I get some sort of truncated page that looks nothing like it should. Konquer and Opera work fine, as does KMail.
I tried deleting the profile.int file (no luck), then uninstalled/re-installed (no luck), then uninstalled and deleted every Mozilla/Firefox file I could find in order for a fresh install -- but this has not worked after several attempts. I still cannot get Internet access. How to completely wipe-out Firefox in order to allow for a totally new installation?
Security :: How To Rate Limited IPTABLEs Treat A Screen Session On Ssh After Disconnection
Nov 3, 2010Take this scenario If I have rate limited the connections to 4.(i.e if you attempt 4th connection you wont be able to login for some time.) If in a minute I get disconnected 3 times while I was already logged in on the server with a screen session, will I be able to login or I need to keep quite for a minute?
Quote:
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --name DEFAULT --rsource -j DROP
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name DEFAULT --rsource
Security :: NIS Password Mapping - Allow User "techsupport1" To Access Web Server?
May 19, 2010I have a NIS server and a web server as a client. I have a regular linux user (without root privileges) "techsupport1" on NIS server.
On the client web server, I have root user, and my clients. Now what I want to achieve is, allow my user "techsupport1" to access the web server, but instead of logging in using root user, I'd like the client to use username "techsupport1", but in the same time, give that user root privileges on the web server (client). The reason, is that I have more than one user who need to manage the web server (client), so I want to be able to clearly see in the bash_history, who has been running what commands. right now, when I login as a techsupport user to the web server (client) from my NIS server
[code]...
I don't have root privileges, also my gid is matching to gid of a customer who has the same 517 on the web server. How can I configure, so when a tech support agent 1, logs in to web server, NIS grants root privileges, but keeps the techsupport username?