From: Alan McKinnon
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Reconciling users and services
Date: Sun, 18 Jan 2009 09:54:51 +0200
Message-Id: <200901180954.51906.alan.mckinnon@gmail.com>

On Sunday 18 January 2009 00:09:31 Grant wrote:
> I have some users on a system and some services. How can I make sure
> only certain users can log into certain services? Do I need to
> explicitly define which users can log into each service? Are there
> different types of users so that some can only log into certain
> services?
>
> For example, I know any user that has their shell set to /bin/nologin
> can't log into a shell. How can I check on users' shell settings?
>
> - Grant

To do this you configure each service separately (there is no central
registry-type thing for this). You don't say what "services" you are
interested in, so I have to make some assumptions.

apache, samba, ftp servers, all have their own authentication methods.
You have to research what methods they provide, and choose which is most
appropriate. For instance, Samba can auth against kerberos/ldap or using
a local smbpasswd file. For a specific user to be able to access
something via samba, you ensure they have an entry in AD or a line in
smbpasswd.

For more simple local services, you can use user and group permissions.
I have to restrict cron and wget at work; I find the easiest way is to:

chown root:trusted /usr/bin/wget
chown root:trusted /usr/bin/crontab

users authorized to use wget/cron must then be put in the trusted group.

cron has its cron.allow and cron.deny files that you can also use.

sshd has config options to limit who can do what in sshd_config.

If you post back with more specifics about what you want to achieve, we
can assist you better.

-- 
alan dot mckinnon at gmail dot com
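The following script is an added example and is not part of the thread above. It shows the group-restriction approach from the reply as a complete, checkable step (the chown from the mail together with the chmod that actually removes "other" access, since ownership alone does not stop other users from running the binary), plus a way to answer the quoted question about checking which accounts still have a login shell. It assumes a Linux box with GNU coreutils (for stat -c) and a POSIX sh; the group name "trusted" and the paths follow the mail, but the demo runs unprivileged on a temporary copy with a constructed passwd file so it needs no root.

```shell
#!/bin/sh
# Added example, not from the gentoo-user thread. Assumes GNU coreutils
# (stat -c) and POSIX sh. The demo uses a temp directory and the caller's
# own uid/gid so it runs without root; in production you would use
# root:trusted on /usr/bin/wget and /usr/bin/crontab as in the mail.

# restrict_to_group PATH OWNER GROUP
# Make PATH runnable only by OWNER and members of GROUP. The chown mirrors
# the mail; the chmod 0750 is what removes execute for everyone else.
restrict_to_group() {
    chown "$2:$3" "$1" || return 1
    chmod 0750 "$1" || return 1
}

# is_group_restricted PATH
# Return 0 when no "other" permission bits are set on PATH, 1 otherwise.
# Useful as a periodic check that the restriction has not been undone
# (e.g. by a package reinstall resetting the mode).
is_group_restricted() {
    mode=$(stat -c '%a' "$1") || return 1
    other=${mode#"${mode%?}"}      # last octal digit = "other" class
    [ "$other" = "0" ]
}

# login_capable_users PASSWD_FILE
# Print one username per line for every account whose shell is not one
# of the usual non-login shells. Point it at /etc/passwd on a real host.
login_capable_users() {
    awk -F: '
        BEGIN {
            nologin["/bin/false"] = 1
            nologin["/bin/nologin"] = 1
            nologin["/sbin/nologin"] = 1
            nologin["/usr/sbin/nologin"] = 1
        }
        NF >= 7 && !($7 in nologin) { print $1 }
    ' "$1"
}

demo() {
    tmp=$(mktemp -d) || return 1

    # Constructed stand-in for /usr/bin/wget (world-executable to start).
    printf '#!/bin/sh\necho fake wget\n' > "$tmp/wget"
    chmod 0755 "$tmp/wget"
    is_group_restricted "$tmp/wget" && echo "unexpected: already restricted"

    # Production equivalent: restrict_to_group /usr/bin/wget root trusted
    restrict_to_group "$tmp/wget" "$(id -u)" "$(id -g)"
    is_group_restricted "$tmp/wget" \
        && echo "restricted: $(stat -c '%U:%G %a' "$tmp/wget")"

    # Constructed passwd-style lines, not any real system's /etc/passwd.
    cat > "$tmp/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
grant:x:1000:1000:Grant:/home/grant:/bin/bash
www:x:81:81:apache:/var/www:/bin/false
backup:x:1001:1001::/home/backup:/usr/sbin/nologin
EOF
    echo "accounts with a login shell:"
    login_capable_users "$tmp/passwd"

    rm -rf "$tmp"
}

demo
```

Running it prints the restricted mode of the temporary binary and lists root and grant as the only accounts with a login shell in the constructed file. On a real host, pair the chmod with a package-manager hook or a cron job that re-runs is_group_restricted, because an upgrade that reinstalls the binary will restore 0755.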