* [gentoo-user] Reconciling users and services
@ 2009-01-17 22:09 Grant
2009-01-17 23:47 ` Volker Armin Hemmann
2009-01-18 2:45 ` Norberto Bensa
0 siblings, 2 replies; 9+ messages in thread
From: Grant @ 2009-01-17 22:09 UTC
To: Gentoo mailing list

I have some users on a system and some services. How can I make sure only certain users can log into certain services? Do I need to explicitly define which users can log into each service? Are there different types of users so that some can only log into certain services?

For example, I know any user that has their shell set to /bin/nologin can't log into a shell. How can I check on users' shell settings?

- Grant
* Re: [gentoo-user] Reconciling users and services
2009-01-17 22:09 [gentoo-user] Reconciling users and services Grant
@ 2009-01-17 23:47 ` Volker Armin Hemmann
2009-01-18 2:45 ` Norberto Bensa
1 sibling, 0 replies; 9+ messages in thread
From: Volker Armin Hemmann @ 2009-01-17 23:47 UTC
To: gentoo-user

On Saturday 17 January 2009, Grant wrote:
> I have some users on a system and some services. How can I make sure
> only certain users can log into certain services? Do I need to
> explicitly define which users can log into each service? Are there
> different types of users so that some can only log into certain
> services?
>
> For example, I know any user that has their shell set to /bin/nologin
> can't log into a shell. How can I check on users' shell settings?

/etc/passwd?
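Volker's answer points at /etc/passwd. As an added example (not code from the thread), here is a script that performs the check Grant describes: it lists every account whose login shell is not /bin/false or /sbin/nologin, and separates real shells (those listed in /etc/shells) from oddities such as /bin/sync or /dev/null. The passwd and shells contents are constructed samples, modelled on the accounts Grant lists later in the thread.

```python
# Audit which accounts in a passwd(5) file can get a login shell. Added
# example for this thread, not code from the list posts.
from collections import namedtuple

Account = namedtuple("Account", "name uid shell")

# Shells that refuse an interactive login: the two named in the thread
# plus the paths other distributions use for nologin.
NOLOGIN_SHELLS = frozenset({"/bin/false", "/sbin/nologin",
                            "/usr/sbin/nologin", "/bin/nologin"})

def parse_passwd(text):
    """Parse passwd(5) lines; an empty shell field means /bin/sh."""
    accounts = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError("malformed passwd line: %r" % line)
        name, _pw, uid, _gid, _gecos, _home, shell = fields
        accounts.append(Account(name, int(uid), shell or "/bin/sh"))
    return accounts

def parse_shells(text):
    """Parse /etc/shells: one path per line, '#' comments allowed."""
    return frozenset(l.strip() for l in text.splitlines()
                     if l.strip() and not l.strip().startswith("#"))

def audit(passwd_text, shells_text):
    """Sort accounts into: interactive (shell listed in /etc/shells),
    nologin (a known non-login shell), odd (anything else, e.g. /bin/sync
    or /dev/null) and uid0 (accounts other than root with UID 0)."""
    valid = parse_shells(shells_text)
    report = {"interactive": [], "nologin": [], "odd": [], "uid0": []}
    for a in parse_passwd(passwd_text):
        if a.uid == 0 and a.name != "root":
            report["uid0"].append(a.name)
        if a.shell in NOLOGIN_SHELLS:
            report["nologin"].append(a.name)
        elif a.shell in valid:
            report["interactive"].append((a.name, a.shell))
        else:
            report["odd"].append((a.name, a.shell))
    return report

# Constructed sample, modelled on the account list Grant posted.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
user:x:1000:1000::/home/user:/bin/bash
cart:x:1001:1001::/home/cart:/bin/bash
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
operator:x:11:0:operator:/root:/bin/bash
guest:x:405:100:guest:/dev/null:/dev/null
mysql:x:60:60::/dev/null:/sbin/nologin
"""
SAMPLE_SHELLS = "/bin/sh\n/bin/bash\n"

if __name__ == "__main__":
    r = audit(SAMPLE_PASSWD, SAMPLE_SHELLS)
    for name, shell in r["interactive"] + r["odd"]:
        print("%-10s %s" % (name, shell))
```

To run it on a real host, pass the contents of /etc/passwd and /etc/shells to audit() instead of the samples.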
* Re: [gentoo-user] Reconciling users and services
2009-01-17 22:09 [gentoo-user] Reconciling users and services Grant
2009-01-17 23:47 ` Volker Armin Hemmann
@ 2009-01-18 2:45 ` Norberto Bensa
1 sibling, 0 replies; 9+ messages in thread
From: Norberto Bensa @ 2009-01-18 2:45 UTC
To: gentoo-user

On Saturday January 17 2009 20:09:31 Grant wrote:
> I have some users on a system and some services. How can I make sure
> only certain users can log into certain services?

Depends on the service and how it is configured. Can you be more specific on what services you want limited access to?
* Re: [gentoo-user] Reconciling users and services
@ 2009-01-18 7:54 Alan McKinnon
2009-01-18 18:12 ` Grant
0 siblings, 1 reply; 9+ messages in thread
From: Alan McKinnon @ 2009-01-18 7:54 UTC
To: gentoo-user
On Sunday 18 January 2009 00:09:31 Grant wrote:
> I have some users on a system and some services. How can I make sure
> only certain users can log into certain services? Do I need to
> explicitly define which users can log into each service? Are there
> different types of users so that some can only log into certain
> services?
>
> For example, I know any user that has their shell set to /bin/nologin
> can't log into a shell. How can I check on users' shell settings?
>
> - Grant
To do this you configure each service separately (there is no central
registry-type thing for this). You don't say what "services" you are
interested in, so I have to make some assumptions.
apache, samba, ftp servers, all have their own authentication methods. You
have to research what methods they provide, and choose which is most
appropriate. For instance, Samba can auth against kerberos/ldap or using a
local smbpasswd file. For a specific user to be able to access something via
samba, you ensure they have an entry in AD or a line in smbpasswd.
For more simple local services, you can use user and group permissions. I have
to restrict cron and wget at work, I find the easiest way is to:
chown root:trusted /usr/bin/wget
chown root:trusted /usr/bin/crontab
users authorized to use wget/cron must then be put in the trusted group.
cron has its cron.allow and cron.deny files that you can also use.
sshd has config options to limit who can do what in sshd_config.
If you post back with more specifics about what you want to achieve, we can
assist you better.
--
alan dot mckinnon at gmail dot com
* Re: [gentoo-user] Reconciling users and services
2009-01-18 7:54 Alan McKinnon
@ 2009-01-18 18:12 ` Grant
2009-01-18 21:09 ` Alan McKinnon
0 siblings, 1 reply; 9+ messages in thread
From: Grant @ 2009-01-18 18:12 UTC
To: gentoo-user

>> I have some users on a system and some services. How can I make sure
>> only certain users can log into certain services? Do I need to
>> explicitly define which users can log into each service? Are there
>> different types of users so that some can only log into certain
>> services?
>>
>> For example, I know any user that has their shell set to /bin/nologin
>> can't log into a shell. How can I check on users' shell settings?
>>
>> - Grant
>
> To do this you configure each service separately (there is no central
> registry-type thing for this). You don't say what "services" you are
> interested in, so I have to make some assumptions.
>
> apache, samba, ftp servers, all have their own authentication methods. You
> have to research what methods they provide, and choose which is most
> appropriate. For instance, Samba can auth against kerberos/ldap or using a
> local smbpasswd file. For a specific user to be able to access something via
> samba, you ensure they have an entry in AD or a line in smbpasswd.
>
> For more simple local services, you can use user and group permissions. I have
> to restrict cron and wget at work, I find the easiest way is to:
> chown root:trusted /usr/bin/wget
> chown root:trusted /usr/bin/crontab
> users authorized to use wget/cron must then be put in the trusted group.
>
> cron has its cron.allow and cron.deny files that you can also use.
>
> sshd has config options to limit who can do what in sshd_config.
>
> If you post back with more specifics about what you want to achieve, we can
> assist you better.

As far as open ports, most of my systems only run sshd and cupsd. I've set AllowUsers in sshd_config to only allow my own non-root user to log in, and I've locked down cupsd.conf.

However, one of my systems runs things like apache2, postfix, courier-imap, saslauthd, mysql, and sshd. I set them up to be secure when I installed them, but I wonder about the different users on my system (none of them with shell access) and their access to the different services. Should I go through each of these services and set up something similar to AllowUsers so that only certain users have access to certain services?

On the subject of users, there are a lot of users in /etc/passwd, although most of them have /bin/false or /sbin/nologin. There are 8 users who have a different shell defined. The first 3 are fine:

root /bin/bash
user /bin/bash
cart /bin/bash

The next 3 are probably fine:

sync /bin/sync
shutdown /sbin/shutdown
halt /sbin/halt

But I don't recognize the following 2. Should I userdel them?

operator /bin/bash
guest /dev/null

mysql only needs to connect to a daemon running on the same system, and I think it does so via a unix socket as opposed to tcp. I can see from netstat that /var/run/mysqld/mysqld.sock is connected, there is no mention of a tcp mysql connection, and nmap does not show a mysql port to be open. Is there anything else I should do as far as locking down mysql? I'm the only one with shell access to the system.

I would appreciate any other security advice regarding any of the above-mentioned services.

Thanks,
Grant
* Re: [gentoo-user] Reconciling users and services
2009-01-18 18:12 ` Grant
@ 2009-01-18 21:09 ` Alan McKinnon
2009-01-19 18:33 ` Grant
0 siblings, 1 reply; 9+ messages in thread
From: Alan McKinnon @ 2009-01-18 21:09 UTC
To: gentoo-user

On Sunday 18 January 2009 20:12:28 Grant wrote:
> >> I have some users on a system and some services. How can I make sure
> >> only certain users can log into certain services? Do I need to
> >> explicitly define which users can log into each service? Are there
> >> different types of users so that some can only log into certain
> >> services?
> >>
> >> For example, I know any user that has their shell set to /bin/nologin
> >> can't log into a shell. How can I check on users' shell settings?
> >>
> >> - Grant
> >
> > To do this you configure each service separately (there is no central
> > registry-type thing for this). You don't say what "services" you are
> > interested in, so I have to make some assumptions.
> >
> > apache, samba, ftp servers, all have their own authentication methods.
> > You have to research what methods they provide, and choose which is most
> > appropriate. For instance, Samba can auth against kerberos/ldap or using
> > a local smbpasswd file. For a specific user to be able to access
> > something via samba, you ensure they have an entry in AD or a line in
> > smbpasswd.
> >
> > For more simple local services, you can use user and group permissions. I
> > have to restrict cron and wget at work, I find the easiest way is to:
> > chown root:trusted /usr/bin/wget
> > chown root:trusted /usr/bin/crontab
> > users authorized to use wget/cron must then be put in the trusted group.
> >
> > cron has its cron.allow and cron.deny files that you can also use.
> >
> > sshd has config options to limit who can do what in sshd_config.
> >
> > If you post back with more specifics about what you want to achieve, we
> > can assist you better.
>
> As far as open ports, most of my systems only run sshd and cupsd.
> I've set AllowUsers in sshd_config to only allow my own non-root user
> to log in, and I've locked down cupsd.conf. However, one of my
> systems runs things like apache2, postfix, courier-imap, saslauthd,
> mysql, and sshd. I set them up to be secure when I installed them,
> but I wonder about the different users on my system (none of them with
> shell access) and their access to the different services. Should I go
> through each of these services and set up something similar to
> AllowUsers so that only certain users have access to certain services?

Yes, that is the way of it. You really do need to attack each service individually and set it up appropriately.

You can limit your exposure by removing most of those users from /etc/passwd if all services they need use virtual users. For instance, if people only need a pop mailbox, make them virtual users defined only in your pop server.

Whether you can do this universally depends very much on your exact needs and how you like to set things up. Unix daemons are extremely flexible, this is their strength and weakness. Strength because you can always get exactly what you want somehow, weakness because there's no standard howto recipe.

> On the subject of users, there are a lot of users in /etc/passwd,
> although most of them have /bin/false or /sbin/nologin. There are 8
> users who have a different shell defined. The first 3 are fine:
>
> root /bin/bash
> user /bin/bash

What is this? Looks like some generic catch-all account. That's usually a recipe for disaster as it's the kind of thing that gets forgotten. It's definitely not a standard user for any distro I've ever seen, so why do you have it?

> cart /bin/bash
>
> The next 3 are probably fine:
>
> sync /bin/sync
> shutdown /sbin/shutdown
> halt /sbin/halt
>
> But I don't recognize the following 2. Should I userdel them?
>
> operator /bin/bash
> guest /dev/null

What are they used for?

I've just done a huge project to clean up and centrally manage all users on all my servers (about 100 machines), so I learned some tricks to find redundant users:

grep -r <username> /etc/*
look at mailboxes
look in crontabs
ps axu | grep <username>
lsof -u <username>
find / -user <username> -ls

sift through all these outputs looking for evidence of an account that is actually used. Again, there's no standard recipe. This kind of audit absolutely requires eyeballs and a brain.

> mysql only needs to connect to a daemon running on the same system,
> and I think it does so via a unix socket as opposed to tcp. I can see
> from netstat that /var/run/mysqld/mysqld.sock is connected, there is
> no mention of a tcp mysql connection, and nmap does not show a mysql
> port to be open. Is there anything else I should do as far as locking
> down mysql? I'm the only one with shell access to the system.

mysql should be running as a non-root user (probably mysql) and for what you use, should be listening on localhost only. If you need to connect over the network, the usual technique is to allow access only to specified users and only to specified machines. The latter can be done with

a. The service's own config (many services support this)
b. hosts.[allow|deny] if the service is built against libwrap
c. iptables if nothing else suffices (this is hard to manage so it's a last resort)

> I would appreciate any other security advice regarding any of the
> above-mentioned services.

--
alan dot mckinnon at gmail dot com
* Re: [gentoo-user] Reconciling users and services
2009-01-18 21:09 ` Alan McKinnon
@ 2009-01-19 18:33 ` Grant
2009-01-19 18:39 ` kashani
0 siblings, 1 reply; 9+ messages in thread
From: Grant @ 2009-01-19 18:33 UTC
To: gentoo-user

>> >> I have some users on a system and some services. How can I make sure
>> >> only certain users can log into certain services? Do I need to
>> >> explicitly define which users can log into each service? Are there
>> >> different types of users so that some can only log into certain
>> >> services?
>> >>
>> >> For example, I know any user that has their shell set to /bin/nologin
>> >> can't log into a shell. How can I check on users' shell settings?
>> >>
>> >> - Grant
>> >
>> > To do this you configure each service separately (there is no central
>> > registry-type thing for this). You don't say what "services" you are
>> > interested in, so I have to make some assumptions.
>> >
>> > apache, samba, ftp servers, all have their own authentication methods.
>> > You have to research what methods they provide, and choose which is most
>> > appropriate. For instance, Samba can auth against kerberos/ldap or using
>> > a local smbpasswd file. For a specific user to be able to access
>> > something via samba, you ensure they have an entry in AD or a line in
>> > smbpasswd.
>> >
>> > For more simple local services, you can use user and group permissions. I
>> > have to restrict cron and wget at work, I find the easiest way is to:
>> > chown root:trusted /usr/bin/wget
>> > chown root:trusted /usr/bin/crontab
>> > users authorized to use wget/cron must then be put in the trusted group.
>> >
>> > cron has its cron.allow and cron.deny files that you can also use.
>> >
>> > sshd has config options to limit who can do what in sshd_config.
>> >
>> > If you post back with more specifics about what you want to achieve, we
>> > can assist you better.
>>
>> As far as open ports, most of my systems only run sshd and cupsd.
>> I've set AllowUsers in sshd_config to only allow my own non-root user
>> to log in, and I've locked down cupsd.conf. However, one of my
>> systems runs things like apache2, postfix, courier-imap, saslauthd,
>> mysql, and sshd. I set them up to be secure when I installed them,
>> but I wonder about the different users on my system (none of them with
>> shell access) and their access to the different services. Should I go
>> through each of these services and set up something similar to
>> AllowUsers so that only certain users have access to certain services?

Thanks a lot for going over this with me. More below....

> Yes, that is the way of it. You really do need to attack each service
> individually and set it up appropriately.
>
> You can limit your exposure by removing most of those users from /etc/passwd
> if all services they need use virtual users. For instance, if people only
> need a pop mailbox, make them virtual users defined only in your pop server.
>
> Whether you can do this universally depends very much on your exact needs and
> how you like to set things up. Unix daemons are extremely flexible, this is
> their strength and weakness. Strength because you can always get exactly what
> you want somehow, weakness because there's no standard howto recipe.
>
>> On the subject of users, there are a lot of users in /etc/passwd,
>> although most of them have /bin/false or /sbin/nologin. There are 8
>> users who have a different shell defined. The first 3 are fine:
>>
>> root /bin/bash
>> user /bin/bash
>
> What is this? Looks like some generic catch-all account. That's usually a
> recipe for disaster as it's the kind of thing that gets forgotten.

That's OK, it's me.

> It's definitely not a standard user for any distro I've ever seen, so why do
> you have it?
>
>> cart /bin/bash
>>
>> The next 3 are probably fine:
>>
>> sync /bin/sync
>> shutdown /sbin/shutdown
>> halt /sbin/halt
>>
>> But I don't recognize the following 2. Should I userdel them?
>>
>> operator /bin/bash
>> guest /dev/null
>
> What are they used for? I've just done a huge project to clean up and
> centrally manage all users on all my servers (about 100 machines), so I
> learned some tricks to find redundant users:
>
> grep -r <username> /etc/*
> look at mailboxes
> look in crontabs
> ps axu | grep <username>
> lsof -u <username>
> find / -user <username> -ls
>
> sift through all these outputs looking for evidence of an account that is
> actually used. Again, there's no standard recipe. This kind of audit
> absolutely requires eyeballs and a brain.

OK, I've deleted 'operator' and 'guest'.

>> mysql only needs to connect to a daemon running on the same system,
>> and I think it does so via a unix socket as opposed to tcp. I can see
>> from netstat that /var/run/mysqld/mysqld.sock is connected, there is
>> no mention of a tcp mysql connection, and nmap does not show a mysql
>> port to be open. Is there anything else I should do as far as locking
>> down mysql? I'm the only one with shell access to the system.
>
> mysql should be running as a non-root user (probably mysql) and for what you
> use, should be listening on localhost only. If you need to connect over the

How can I check to make sure mysql is only listening to localhost? It doesn't show up with nmap.

- Grant

> network, the usual technique is to allow access only to specified users and
> only to specified machines. The latter can be done with
>
> a. The service's own config (many services support this)
> b. hosts.[allow|deny] if the service is built against libwrap
> c. iptables if nothing else suffices (this is hard to manage so it's a last
> resort)
>
>> I would appreciate any other security advice regarding any of the
>> above-mentioned services.
* Re: [gentoo-user] Reconciling users and services
2009-01-19 18:33 ` Grant
@ 2009-01-19 18:39 ` kashani
2009-01-19 19:45 ` Grant
0 siblings, 1 reply; 9+ messages in thread
From: kashani @ 2009-01-19 18:39 UTC
To: gentoo-user

Grant wrote:
>>> mysql only needs to connect to a daemon running on the same system,
>>> and I think it does so via a unix socket as opposed to tcp. I can see
>>> from netstat that /var/run/mysqld/mysqld.sock is connected, there is
>>> no mention of a tcp mysql connection, and nmap does not show a mysql
>>> port to be open. Is there anything else I should do as far as locking
>>> down mysql? I'm the only one with shell access to the system.
>> mysql should be running as a non-root user (probably mysql) and for what you
>> use, should be listening on localhost only. If you need to connect over the
>
> How can I check to make sure mysql is only listening to localhost? It
> doesn't show up with nmap.
>
> - Grant

sudo netstat -ptln

It also works without sudo, but then you don't see the process associated with the open TCP port.

kashani
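As an added example (not code from the thread), here is a script that parses the output of the `netstat -ptln` command kashani recommends and reports every TCP listener not bound to a loopback address, which is the check Grant wants for mysqld. The netstat output embedded below is a constructed sample; its mysqld line matches what Grant reports, and the last line shows the "-" you get in the PID/Program column without sudo.

```python
# Flag services listening on non-loopback addresses, from `netstat -ptln`
# output. Added example for this thread, not code from the list posts.
import subprocess
from collections import namedtuple

Listener = namedtuple("Listener", "proto addr port pid program scope")

def _scope(addr):
    """loopback: 127.x or ::1; all: wildcard bind; specific: one interface."""
    if addr.startswith("127.") or addr == "::1":
        return "loopback"
    if addr in ("0.0.0.0", "::"):
        return "all"
    return "specific"

def parse_netstat(text):
    """Parse `netstat -ptln` output. Header lines are skipped; a '-' in the
    PID/Program column (what you see without sudo) gives pid=program=None."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue
        proto, local, state = fields[0], fields[3], fields[5]
        if state != "LISTEN":
            continue
        addr, port = local.rsplit(":", 1)  # rsplit keeps the IPv6 ':::80' form intact
        pid = program = None
        if len(fields) > 6 and fields[6] != "-":
            pid_s, program = fields[6].split("/", 1)
            pid = int(pid_s)
        listeners.append(Listener(proto, addr, int(port), pid, program, _scope(addr)))
    return listeners

def exposed(listeners):
    """Everything not bound to a loopback address, i.e. reachable from outside."""
    return [l for l in listeners if l.scope != "loopback"]

def check_host():
    """Run netstat on the live system (run as root to see program names)."""
    out = subprocess.run(["netstat", "-ptln"], capture_output=True,
                         text=True, check=True).stdout
    return exposed(parse_netstat(out))

# Constructed sample output; the mysqld line matches what Grant reported.
SAMPLE = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      2345/mysqld
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1234/sshd
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      1111/cupsd
tcp6       0      0 :::80                   :::*                    LISTEN      4321/apache2
tcp        0      0 0.0.0.0:143             0.0.0.0:*               LISTEN      -
"""

if __name__ == "__main__":
    for l in exposed(parse_netstat(SAMPLE)):
        print("%-4s %s:%d  %s  (%s)" % (l.proto, l.addr, l.port, l.program or "?", l.scope))
```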
* Re: [gentoo-user] Reconciling users and services
2009-01-19 18:39 ` kashani
@ 2009-01-19 19:45 ` Grant
0 siblings, 0 replies; 9+ messages in thread
From: Grant @ 2009-01-19 19:45 UTC
To: gentoo-user

>>>> mysql only needs to connect to a daemon running on the same system,
>>>> and I think it does so via a unix socket as opposed to tcp. I can see
>>>> from netstat that /var/run/mysqld/mysqld.sock is connected, there is
>>>> no mention of a tcp mysql connection, and nmap does not show a mysql
>>>> port to be open. Is there anything else I should do as far as locking
>>>> down mysql? I'm the only one with shell access to the system.
>>>
>>> mysql should be running as a non-root user (probably mysql) and for what
>>> you
>>> use, should be listening on localhost only. If you need to connect over
>>> the
>>
>> How can I check to make sure mysql is only listening to localhost? It
>> doesn't show up with nmap.
>>
>> - Grant
>
> sudo netstat -ptln
>
> It also works without sudo, but then you don't see the process associated
> with the open TCP port.
>
> kashani

Thank you, the Local Address for mysqld is listed as 127.0.0.1 so I must be good to go.

- Grant