From: Alan McKinnon <alan.mckinnon@gmail.com>
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Reconciling users and services
Date: Sun, 18 Jan 2009 09:54:51 +0200
Message-ID: <200901180954.51906.alan.mckinnon@gmail.com>

On Sunday 18 January 2009 00:09:31 Grant wrote:
> I have some users on a system and some services. How can I make sure
> only certain users can log into certain services? Do I need to
> explicitly define which users can log into each service? Are there
> different types of users so that some can only log into certain
> services?
>
> For example, I know any user that has their shell set to /bin/nologin
> can't log into a shell. How can I check on users' shell settings?
>
> - Grant

To do this you configure each service separately (there is no central
registry-type thing for this). You don't say what "services" you are
interested in, so I have to make some assumptions.

Apache, Samba and FTP servers all have their own authentication methods. You
have to research what methods they provide, and choose which is most
appropriate. For instance, Samba can auth against kerberos/ldap or using a
local smbpasswd file. For a specific user to be able to access something via
samba, you ensure they have an entry in AD or a line in smbpasswd.

For more simple local services, you can use user and group permissions. I have
to restrict cron and wget at work, I find the easiest way is to:

    chown root:trusted /usr/bin/wget
    chown root:trusted /usr/bin/crontab

Users authorized to use wget/cron must then be put in the trusted group.

cron has its cron.allow and cron.deny files that you can also use.

sshd has config options to limit who can do what in sshd_config.

If you post back with more specifics about what you want to achieve, we can
assist you better.

--
alan dot mckinnon at gmail dot com
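
An audit sketch for the two checks raised in this message, added here as an example and not part of the original post: which accounts have a login shell, and whether a binary such as /usr/bin/wget is really limited to the trusted group (the group must match and "other" must have no execute bit). The function names and the sample passwd lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread; function names are hypothetical.

# login_users FILE: print accounts in a passwd-format FILE whose shell allows
# an interactive login. An empty shell field counts, since it means /bin/sh.
login_users() {
    awk -F: 'NF >= 7 && $7 !~ /\/(nologin|false)$/ { print $1 }' "$1"
}

# restricted_to_group FILE GROUP: succeed only if FILE has group GROUP and
# no execute bit for "other", so only the owner and group members can run it.
restricted_to_group() {
    hit=$(find "$1" -prune -group "$2" ! -perm -001 -print 2>/dev/null) || true
    [ -n "$hit" ]
}

# Constructed sample data, so the run does not depend on the real /etc/passwd.
sample=$(mktemp)
cat > "$sample" <<'EOF'
root:x:0:0:root:/root:/bin/bash
grant:x:1000:1000::/home/grant:/bin/bash
apache:x:81:81:apache:/var/www:/sbin/nologin
ftp:x:21:21::/home/ftp:/bin/false
legacy:x:1001:1001::/home/legacy:
EOF
echo "Accounts with a login shell:"
login_users "$sample"
rm -f "$sample"

# The two binaries and the group named in the message above.
for bin in /usr/bin/wget /usr/bin/crontab; do
    if restricted_to_group "$bin" trusted; then
        echo "$bin: execution limited to owner and group trusted"
    else
        echo "$bin: not limited to group trusted"
    fi
done
```

On a live system, `login_users /etc/passwd` lists the accounts to review.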