Ubuntu Security :: User (in Jail) With Very Limited Permissions
Nov 21, 2010
I want to have an account (beta user), on which:I can use the Internet and other programs without administrative rights without the right to install programs with a kind of sandbox for everything that is connected to the Internet, which means: everything that is associated with the web browser's processes and files that I save to hard disk I want to be separated from the rest of the system, so that whatever can catch up on this account will be locked in it, for example any (if at all) possible malicious scripts from Internet or whatever may be dangerous now or invented in the future. Sometimes, for example, I save the web page to disk with all it content.
And in case someone cracked into this account I want make it in that way that he could not do any tricks to read or change passwords, or make any other changes to the system. The best would be if a password for that user might serve only to log in without having any other powers, and I would give that user an automatic login. For now I created a beta user without administrative rights. I understand that the limiting rights of the user are associated with limiting rights to their home directory. There are also groups, and a user may be included or excluded. I excluded that user from admin group but I don't know what else I can limit and how. When I give chmod 0644 for /home of this user he cannot run Firefox. When I give him 0740 he can run applications, so I assume the x attribute must be preserved.
This is a user without sudo rights, so when I type sudo apt-get update a message shows up correctly that this user doesn't belong to the sudoers group. But still it's not what I wanted. When the user runs Gufw and wants to change the settings to disable the firewall, a message shows up asking to type in a password of alpha user = primary user, which is that belonging to the sudoers group, the first / main user that I created during system installation. I wish that there was only the message that the beta user has no power to change anything, which means even completely remove the possibility of asking for sudo.
In addition, I wish that this beta couldn't be able to change the permissions to its home directory, or go to see what is above. Because so far beta can change the file permissions for its /home, even without a sudo password. How can I do it? Do I need to create a kind of chroot jail for this user? I would like any changes to that user account could be made only after the user log off from beta account, and log in on alfa account and that beta could run only programs that ware installed by alpha. And that beta could read and write, but alfa could also read and write or remove, alter files on beta account. Basically, alfa account should be superior to beta account. Can do that?
I'd like to add essentially an anonymous user, which does not require a password. Second I think it's probably a good idea to only give this user very limited permissions, is there a way I can restrict the commands that they can run to a list (i.e. they should be able to run scp, ls, cd, maybe a few more, but not much)?
chroot in two mini distros (Tiny Core and SliTaz): chroot jail appears 'blind'. Chroot can't find any files in the jail and exit with error code. Example (ugly):
I wanna make a small web server for local use , I've installed apache, every thing works fine I'm the root
I wanna protect the folder that contain the htdocs files (www), i don't want any users that not in root group to access (not even read)
I changed the permission of the htdocs folder as next
Owner: www (apache user) per: creat , delete group: root per: creat , delete other: none
it only works on the main folder that i changed its permissions ! not all sub folders and files ! were my steps right ? and are their anyway to change all folders and files at once ?
When james logs in he access his folder BUT he can also access other user's folders. How can I prevent his access to others? I wish to restrict his account to his folder only (he can read/write).
I want full permissions for all computers in my house, without having to get up and go to the other room and change permissions for the file, folder, drive, directory, computer, etc., then go back to the other room again.
I just created a partition, as THIS user, THIS machine, rebooted, and cannot create a folder on the partition I just created. UGH. No more of this stuff... I guess at the very least, I'll still have to log onto each machine for this?
Picture the following:On computer A, local user John (and John alone) has rwx access to file1.txtComputer B also has a local user account named John. If file1.txt was to be copied from computer A to computer B, would the user account John on computer B be able to access it?I guess this wouldn't work using two windows computers due to the User name / GUID relationship. Maybe linux has something similar?
look at this : Uploaded with ImageShack.us how can set permissions in linux like this? I want one user can delete files but can't modify them and ... in linux i have 3 group to assign read write and execute them. is ntfs flexible than linux file system?
However, configured a website on a dedicated server using WHM/cPanel. The site was uploaded using the master account for the website.
The security issue is public users are able to upload files on to my server via the website. They could even access the root and execute whatever they want on the server.
I have consulted with 2-3 Linux experts. According to them, the PHP user has rights to execute anything on the server or upload & store files in whichever folder they want.
Can I protect my folders to avoid file uploads via the website. The application has security vulnerabilites. However, I want to prevent hackers to enter my site until the vulnerabilities are fixed.
I want to make a sandbox for my music streaming server(subsonic). I was going to make a directory and chroot to it. I don't really have any room on my HD for new partitions. For the sandbox/chroot jail to be proper does it need to be on a seperate filesystem/mount point?
I have one requirement i.e I want to call the java file from the php function using shell_exec command , i am using the chroot jail concept , if i using this command i am getting the empty file because java environment is outside the chroot jail,so how to access the the files those are out side the chroot jail.
I want to create a limited user, such that the user should only have the access to usb drives, cd drives and internet. And also I want to restrict the user from deleting the files from the system. How to do it..?
Can we create a limited user account in ubuntu like XP where user can not be able to change its networking settings (like changing IPs / enable & disable netwrok interface).
How do I create a user with ftp access and/or Putty access that can only see and change certain directories. I want to create users to work on my website but I don't want them to have access to all of the folders.
it is possible if i can have sub-users in my server and can i allocate a limited amount of space only. For example i am the root of server and now i can add another user with name john and he should be able to use only of 2GB out of my total hard-disk.
I want to share files over the web with only a few people and limiting them to certain folders. I have been doing a remote access (ssh) to my server to access it from a pc on the local network. I later found out the same program doing ssh (open_ssh) was also doing sftp, great I could do both with one system account. Problem I couldn't find away to configure another user to go over the web with limited folder access without messing up my user to access the pc. I tried ftps by using vsftpd, I couldn't get chroot set up correctly or even log in. So my question is what program and/or protocol should I use to do secure ftp over the web?
Most of us know the basic security practices on Windows:
Use a limited account Set a password Disable unused services Uninstall bloatware Antivirus / Antimalware etc.
I haven't ran linux as my main desktop computer before, so I don't know how to properly secure it. I have heard linux is supposed to be more secure than Windows, but I know that the default settings of anything are rarely secure. What are some things I should do as a new Linux user to secure my desktop system from attack?
I'm about to have a web server at home for the first time. I've always missed having full control and not having to contact my hosting company when I need to do some specific changes - and some changes they won't do for you at all.I've chosen the non-GUI Ubuntu Server with LAMP, and nothing more is installed really except for a couple of command line tools from the repository. The LAMP software has been locked down as good as I can by following some guides on the net and using common sense. Like Apache 2 don't have access to the file system except for the www folder, and setting the headers to Prod. MySQL has skip-networking and I've commented out the listen string to localhost. PHP has a truckload of functions that I've disabled in the php.ini, also by following some guides on the net, among some other security enhancing php.ini editing.
The only thing the server will serve is a well known PHP forum and some html docs, and that's all. Nothing advanced or complicated stuff, and I'm definitely not programming PHP myself or letting anyone do it for me.But I do want to sleep well at night knowing that my server is always on and sitting on the edge of my home network! And can I do that? I've heard that you don't need to be worried about getting your Linux server box hacked, but you should be worried about anyone getting root access to it. But is it really that simple? Ubuntu is shipped without root account and you must have the sudo password, right? What's the odds for anyone to get full access to my system?An issue: I've heard that Apache never must run as root. When I do a ps -ef, I see that there are several www-data processes running apache, but there's one root process running apache too. Is this normal and is it safe?An issue: I've heard that PHP can fail pretty easily. But isn't PHP running under apache 2 and limited by the www-data filesystem access?An issue: MySQL is running as a MySQL user, and I guess that's an unprivileged user right?
I've encrypted my root partition with LUKS and cannot remember my password. My main question is this: is it possible to extract the hash (or key; not sure on the correct terminology here) from the LUKS header and run it through a cracker? The hash type is SHA1 and I can remember the characters I used for the password, just not in the correct order (lots of special characters). That being said, given such a small charset, it should be crackable within a reasonable time, correct? Especially if I used a GPU accelerated cracker. What I don't know how to do is go about getting the hash from the LUKS header. Is any of this possible, or am I SOL? Of course, I have physical access to the system so I can boot it into any utilities I may need to.
Take this scenario If I have rate limited the connections to 4.(i.e if you attempt 4th connection you wont be able to login for some time.) If in a minute I get disconnected 3 times while I was already logged in on the server with a screen session, will I be able to login or I need to keep quite for a minute?
Quote:
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --name DEFAULT --rsource -j DROP -A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name DEFAULT --rsource
I'm running Apache2 under uBuntu 9.10. My problem is that I use my own user "wavesailor" to work on my websites. I kept all my sites under /var/www and I set up the security of the directory after following the guidelines.
I got ubuntu working fine on my netbook and wanted to play around with opensuse. I have it installed and everything works fine except my wireless connection. I have updated everything since the installation through a wired connection, that didn't help. I have read the stickies, but to be honest, I'm so new to this stuff I'm kinda lost. So my wireless network has a WEP encryption and I have entered that password as a 64 HEX Key in the Wireless Manager widget. It connects to the network and says is labeled as active, however there is still the yellow exclamation shield next to the connection. Firefox and other apps don't have access to the internet.
Is it possible "reset" all (X, GDM related) permissions/settings of one user? What would cause one specific user not to be able to log into anything via gdm/the login screen? After providing the proper password, the screen goes black and then jumps back to the login screen. No session alternative works, not even xterm or gnome failsafe. I can however log in via the console (Ctrl+Alt+F6, recovery etc). With another user I can log in via GDM just fine, and deleting and re-adding the "broken" user doesn't make any difference.
Some (maybe) relevent logs:
part of syslog:
Quote:
Dec 12 01:20:58 <specific user> pulseaudio[1358]: core-util.c: Home directory /etc/timidity not ours. Dec 12 01:20:58 <specific user> pulseaudio[1358]: lock-autospawn.c: Cannot access autospawn lock.
What does Set user ID do? Reason I ask is if I select "Set group ID" it makes it so any files/folders created within that directory get the group accordingly. But if I select "Set user ID", it doesn't do anything that I notice. I thought maybe it would change it so any files/folders created get that user set as the owner. So if that's not it - what's its purpose?
I just started dual booting Ubuntu 10.10 on my mini 10v with OS X a couple days ago, so I'm still pretty new to Linux.
But anyhow, I was attempting to change my User ID number so I could access the files in my User folder on my OS X partition. So, I tried entering the following commands:
Of course, smart me should've realized I should've been logged out and on a different administrative account to do this. But I didn't, and I believe the second command didn't work. So, whatever, I thought I'd try logging out and logging in as root.
So, I logged out, tried logging in as root, and of course, no dice because I didn't know the password. So then I tried logging onto my account and upon logging in, I got two errors. One was about ".ICEauthority" and I didn't keep track of what the other one was.
Great. So I did a quick google for the error, then tried entering these codes:
And again, I think the last one didn't work. So, I looked up how to login as root, changed the password and logged in as root successfully. Then, whilst in root, I entered:
Upon entering those, I logged out and logged back into my account and everything was a complete success. No error messages anywheres AND I could access the files in my Mac user folder.
So, here's my question. How can I make sure I have all the right permissions I need? Or do I already have the all of the permissions I had before changing my user id?
Did those last three lines of code I entered "override" all of the codes I had entered previously? I just want to make sure verify I have all the correct permissions necessary so I don't run into any issues later on.
I want full permissions for all computers in my house, without having to get up and go to the other room and change permissions for the file, then go back to the other room again.
I just created a partition, as THIS user, THIS machine, rebooted, and cannot create a folder on the partition I just created. UGH. No more of this stuff...
created a user but i forgot to change the home directory permission.so after user created when i go to the user and group mangement i cant see that permission filed related to the home permission directory.my purpose is to stop accessing other user to my home directory,how it can be possible??
