[gentoo-user] Users with access to shell!
List,

I have users accessing the bash shell of my Gentoo server. My question is: how can I secure my server with these users accessing the shell? How can I monitor this server to see what users have done? Are there tools available for that?

I'd like to allow every user to access ONLY his home directory; I mean, he can only work in his directory...

Thanks in advance,
Regards,
Israel
--
gentoo-user@gentoo.org mailing list
Re: [gentoo-user] Users with access to shell!
On 12/05/05, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
> List, I have users accessing the bash shell of my Gentoo server. My
> question is: how can I secure my server with these users accessing the shell?

You can't trust your users. That's the idea.
1. They may use a simple password.
2. Even if they were given a quality password, how do you know the password didn't end up on a sticker on their monitors?

> How can I monitor this server to see what users have done? Are there
> tools available for that?

Tripwire can monitor file changes. I can't think of other tools, but I'm sure people on the list will provide you with a handful.

> I'd like to allow every user to access ONLY his home directory; I mean,
> he can only work in his directory...

Well, this can be done, but in a pretty complex way. Allowing users to see other files isn't that harmful, provided permissions on critical files are correctly set.

HTH
--
Joe
--
Money can't buy everything. Sometimes money can't even buy a gun...
RE: [gentoo-user] Users with access to shell!
> > I'd like to allow every user to access ONLY his home directory; I mean,
> > he can only work in his directory...
>
> Well, this can be done, but in a pretty complex way. Allowing users to
> see other files isn't that harmful, provided permissions on critical
> files are correctly set.

Hmm, I suppose you could set up a chroot session for each user. Would limit their access to other people's values, properties, etc...
Re: [gentoo-user] Users with access to shell!
[EMAIL PROTECTED] writes:
> How can I secure my server with these users accessing the shell?

If you can't trust your users you always have a problem, as shell access and/or compiler access are the first steps to installing a root-kit if they are really up to this kind of thing. Putting them in a changeroot might help in some cases, but there are often ways out of the jail.

In my opinion: if you can't trust your users, you should not give them shell access. At least that is what I am doing with my users on my servers.

Just my 2 cents,
Martin
Re: [gentoo-user] Users with access to shell!
On May 12, 2005, at 2:34 pm, [EMAIL PROTECTED] wrote:
> I'd like to allow every user to access ONLY his home directory; I mean,
> he can only work in his directory...

My web-hosting provider provides me with ssh access - when I log in the prompt says

    jailshell $

    * app-misc/jail
          Latest version available: 1.9-r1
          Latest version installed: [ Not Installed ]
          Size of downloaded files: [no/bad digest]
          Homepage: http://www.jmcresearch.com/projects/jail/
          Description: Jail Chroot Project is a tool that builds a chrooted environment and automagically configures and builds all the required files, directories and libraries

Might be worth a look.

Stroller.
Re: [gentoo-user] Users with access to shell!
[EMAIL PROTECTED] wrote:
> I have users accessing the bash shell of my Gentoo server. My question
> is: how can I secure my server with these users accessing the shell?
> How can I monitor this server to see what users have done? Are there
> tools available for that? I'd like to allow every user to access ONLY
> his home directory; I mean, he can only work in his directory...

This isn't a great situation, but the only thing I can think of that comes close is to use mandatory access controls, such as grsecurity's RBAC.

--
[EMAIL PROTECTED]
http://www.chemoelectric.org
Re: [gentoo-user] Users with access to shell!
On Thu, 2005-05-12 at 08:34 -0500, [EMAIL PROTECTED] wrote:
> [stuff]

Apart from all the other great suggestions, another good trick is to mount the /home partition as noexec, which stops users running apps they download and install locally.

HTH,
--
Iain Buchanan [EMAIL PROTECTED]
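
The noexec suggestion in the last message can be verified from the mount table, including the case where a nested mount under /home quietly lacks the option. This is an added example, not part of the thread; the device names, paths and function names are constructed for illustration.

```shell
# Added example: check whether the filesystem that holds a path is mounted
# with a given option (here noexec), using a /proc/mounts-style table.

# Constructed sample table: /home is its own partition with noexec,
# /home/build is a nested mount without it, /srv/shell lives on the root fs.
sample_mounts() {
    cat <<'EOF'
/dev/sda1 / ext3 rw,noatime 0 0
proc /proc proc rw,nosuid,nodev,noexec 0 0
/dev/sda3 /home ext3 rw,noexec,nosuid,nodev 0 0
/dev/sda4 /home/build ext3 rw,nosuid 0 0
EOF
}

# mount_opts_for PATH [TABLE]: print the options of the mount covering PATH.
# The longest matching mount point wins; on a tie the later line wins,
# because a later mount shadows an earlier one on the same directory.
mount_opts_for() {
    awk -v p="$1" '
        $2 == "/" || p == $2 || index(p, $2 "/") == 1 {
            if (length($2) >= best) { best = length($2); opts = $4 }
        }
        END { if (opts == "") exit 1; print opts }
    ' "${2:-/proc/mounts}"
}

# has_opt OPTS NAME: succeed if NAME is one of the comma-separated OPTS.
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# path_has_opt PATH NAME [TABLE]: succeed if PATH sits on a mount with NAME.
path_has_opt() {
    opts=$(mount_opts_for "$1" "${3:-/proc/mounts}") || return 2
    has_opt "$opts" "$2"
}

# Demo on the constructed table.
table=$(mktemp)
sample_mounts > "$table"
for dir in /home/alice /home/build/tmp /srv/shell; do
    path_has_opt "$dir" noexec "$table" && echo "$dir: noexec" || echo "$dir: NOT noexec"
done
rm -f "$table"
```

Called without a table argument, the functions read the live /proc/mounts, so `path_has_opt /home/someuser noexec` can be used in a periodic check.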