From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from pigeon.gentoo.org ([69.77.167.62] helo=lists.gentoo.org) by finch.gentoo.org with esmtp (Exim 4.60) (envelope-from ) id 1LOeus-0008Os-Rl for garchives@archives.gentoo.org; Sun, 18 Jan 2009 21:10:47 +0000 Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id B9562E0226; Sun, 18 Jan 2009 21:10:44 +0000 (UTC) Received: from mail-ew0-f21.google.com (mail-ew0-f21.google.com [209.85.219.21]) by pigeon.gentoo.org (Postfix) with ESMTP id 45284E0226 for ; Sun, 18 Jan 2009 21:10:44 +0000 (UTC) Received: by ewy14 with SMTP id 14so437278ewy.10 for ; Sun, 18 Jan 2009 13:10:43 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:from:to:subject:date :user-agent:references:in-reply-to:mime-version:content-type :content-transfer-encoding:content-disposition:message-id; bh=fhaVDM+N8CM/iz1sUz5qvst6jigDyt1MFMu1XT0emGs=; b=QOxTp7R5sovLH7/kBfE6/s6ysxkuQLNd/fGJMIEEbe0EJjyETWq0+cyMUxMEGzzxd/ w3ZpjSs0EAoUUtOx1Kf/FtjHCMzYimO2QgVIEYoPTX0FJtm46NA7e0gzpGt9yv9iPSg8 lN+ZtrUccT/Dg0dJe8GCefVmeBJEcZNSkuhrQ= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=from:to:subject:date:user-agent:references:in-reply-to:mime-version :content-type:content-transfer-encoding:content-disposition :message-id; b=Msj+2VhH5wfos0WWRyGtl9QDqnHPhhqkmsYzjdE3/HjkhPAcgbAsyrstunwnuuEkaX Vdq88g5evkCRBUx3FZW47qV11di9a6oPqHAcXHO054yS6BU36jCbgDCQyl5BnFKCfXS2 7cxKpqDLx+329j5C2+Z4pHhhzpX9l5oZhKl8s= Received: by 10.210.19.7 with SMTP id 7mr570101ebs.29.1232313043691; Sun, 18 Jan 2009 13:10:43 -0800 (PST) Received: from ?172.20.0.4? ([196.210.139.153]) by mx.google.com with ESMTPS id 10sm6630635eyd.56.2009.01.18.13.10.41 (version=TLSv1/SSLv3 cipher=RC4-MD5); Sun, 18 Jan 2009 13:10:42 -0800 (PST) From: Alan McKinnon To: gentoo-user@lists.gentoo.org Subject: Re: [gentoo-user] Reconciling users and services Date: Sun, 18 Jan 2009 23:09:47 +0200 User-Agent: KMail/1.9.10 References: <200901180954.51906.alan.mckinnon@gmail.com> <49bf44f10901181012i766a1a3fmf0a18066c794bcae@mail.gmail.com> In-Reply-To: <49bf44f10901181012i766a1a3fmf0a18066c794bcae@mail.gmail.com> Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-user@lists.gentoo.org Reply-to: gentoo-user@lists.gentoo.org MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit Content-Disposition: inline Message-Id: <200901182309.48081.alan.mckinnon@gmail.com> X-Archives-Salt: c881cf2e-7ced-46c9-96af-f8e362038607 X-Archives-Hash: b885719f098957e84bf4fa7a2e28630b On Sunday 18 January 2009 20:12:28 Grant wrote: > >> I have some users on a system and some services. How can I make sure > >> only certain users can log into certain services? Do I need to > >> explicitly define which users can log into each service? Are there > >> different types of users so that some can only log into certain > >> services? > >> > >> For example, I know any user that has their shell set to /bin/nologin > >> can't log into a shell. How can I check on users' shell settings? > >> > >> - Grant > > > > To do this you configure each service separately (there is no central > > registry-type thing for this). You don't say what "services" you are > > interested in, so I have to make some assumptions. > > > > apache, samba, ftp servers, all have their own authentication methods. > > You have to research what methods they provide, and choose which is most > > appropriate. For instance, Samba can auth against kerberos/ldap or using > > a local smbpasswd file. For a specific user to be able to access > > something via samba, you ensure they have an entry in AD or a line in > > smbpasswd. > > > > For more simple local services, you can use user and group permissions. I > > have to restrict cron and wget at work, I find the easiest way is to: > > chown root:trusted /usr/bin/wget > > chown root:trusted /usr/bin/crontab > > users authorized to use wget/cron must then be put in the trusted group. > > > > cron has it's cron.allow and cron.deny files that you can also use. > > > > sshd has config options to limit who can do what in sshd_config. > > > > If you post back with more specifics about what you want to achieve, we > > can assist you better. > > As far as open ports, most of my systems only run sshd and cupsd. > I've set AllowUsers in sshd_config to only allow my own non-root user > to log in, and I've locked down cupsd.conf. However, one of my > systems runs things like apache2, postfix, courier-imap, saslauthd, > mysql, and sshd. I set them up to be secure when I installed them, > but I wonder about the different users on my system (none of them with > shell access) and their access to the different services. Should I go > through each of these services and set up something similar to > AllowUsers so that only certain users have access to certain services? Yes, that is the way of it. You really so need to attack each service individually and set it up appropriately. You can limit your exposure by removing most of those users from /etc/passwd if all services they need use virtual users. For instance, if people only need a pop mailbox, make them virtual users defined only in your pop server. Whether you can do this universally depends very much on your exact needs and how you like to set things up. Unix daemons are extremely flexible, this is their strength and weakness. Strength because you can always get exactly what you want somehow, weakness because there's no standard howto recipe > On the subject of users, there are a lot of users in /etc/passwd, > although most of them have /bin/false or /sbin/nologin. There are 8 > users who have a different shell defined. The first 3 are fine: > > root /bin/bash > user /bin/bash What is this? Looks like some generic catch-all account. That's usually a recipe for disaster as it's the kind of thing that gets forgotten. It's definitely not a standard user for any distro I've ever seen, so why do you have it? > cart /bin/bash > > The next 3 are probably fine: > > sync /bin/sync > shutdown /sbin/shutdown > halt /sbin/halt > > But I don't recognize the following 2. Should I userdel them? > > operator /bin/bash > guest /dev/null What are they used for? I've just done a huge project to clean up and centrally manage all users on all my servers (about 100 machines), so I learned some tricks to find redundant users: grep -r /etc/* look at mailboxes look in crontabs ps axu | grep lsof -u find / -user -ls sift through all these outputs looking for evidence of an account that is actually used. Again, there's no standard recipe. This kind of audit absolutely requires eyeballs and a brain > mysql only needs to connect to a daemon running on the same system, > and I think it does so via a unix socket as opposed to tcp. I can see > from netstat that /var/run/mysqld/mysqld.sock is connected, there is > no mention of a tcp mysql connection, and nmap does not show a mysql > port to be open. Is there anything else I should do as far as locking > down mysql? I'm the only one with shell access to the system. mysql should be running as a non-root user (probably mysql) and for what you use, should be listening on localhost only. If you need to connect over the network, the usual technique is to allow access only to specified users and only to specified machines. The latter can be done with a. The service's own config (many services support this) b. hosts.[allow|deny] is the service is built against libwrap c. iptables if nothing else suffices (this is hard to manage so it's a last resort) > I would appreciate any other security advice regarding any of the > above-mentioned services. -- alan dot mckinnon at gmail dot com