>> I have some users on a system and some services. How can I make sure
>> only certain users can log into certain services? Do I need to
>> explicitly define which users can log into each service? Are there
>> different types of users so that some can only log into certain
>> services?
>>
>> For example, I know any user that has their shell set to /bin/nologin
>> can't log into a shell. How can I check on users' shell settings?
>>
>> - Grant
>
> To do this you configure each service separately (there is no central
> registry-type thing for this). You don't say what "services" you are
> interested in, so I have to make some assumptions.
>
> apache, samba, ftp servers, all have their own authentication methods. You
> have to research what methods they provide, and choose which is most
> appropriate. For instance, Samba can auth against kerberos/ldap or using a
> local smbpasswd file. For a specific user to be able to access something via
> samba, you ensure they have an entry in AD or a line in smbpasswd.
>
> For more simple local services, you can use user and group permissions. I have
> to restrict cron and wget at work, I find the easiest way is to:
> chown root:trusted /usr/bin/wget
> chown root:trusted /usr/bin/crontab
> users authorized to use wget/cron must then be put in the trusted group.
>
> cron has its cron.allow and cron.deny files that you can also use.
>
> sshd has config options to limit who can do what in sshd_config.
>
> If you post back with more specifics about what you want to achieve, we can
> assist you better.
As far as open ports, most of my systems only run sshd and cupsd. I've set AllowUsers in sshd_config to only allow my own non-root user to log in, and I've locked down cupsd.conf. However, one of my systems runs things like apache2, postfix, courier-imap, saslauthd, mysql, and sshd. I set them up to be secure when I installed them, but I wonder about the different users on my system (none of them with shell access) and their access to the different services. Should I go through each of these services and set up something similar to AllowUsers so that only certain users have access to certain services?

On the subject of users, there are a lot of users in /etc/passwd, although most of them have /bin/false or /sbin/nologin. There are 8 users who have a different shell defined. The first 3 are fine:

root /bin/bash
user /bin/bash
cart /bin/bash

The next 3 are probably fine:

sync /bin/sync
shutdown /sbin/shutdown
halt /sbin/halt

But I don't recognize the following 2. Should I userdel them?

operator /bin/bash
guest /dev/null

mysql only needs to connect to a daemon running on the same system, and I think it does so via a unix socket as opposed to tcp. I can see from netstat that /var/run/mysqld/mysqld.sock is connected, there is no mention of a tcp mysql connection, and nmap does not show a mysql port to be open. Is there anything else I should do as far as locking down mysql? I'm the only one with shell access to the system.

I would appreciate any other security advice regarding any of the above-mentioned services.

Thanks,
Grant
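One way to answer the "how can I check on users' shell settings" question from the thread, as an added example that is not part of any of the posts: an account can only get an interactive login if its shell is a real one, i.e. listed in /etc/shells, so the audit below cross-references the two files. The passwd and shells files it reads are constructed sample data mirroring the accounts Grant lists (the `login_capable_accounts` function name is my own).

```shell
#!/bin/sh
# Added example: list accounts whose login shell is listed in /etc/shells.
# Shells such as /bin/false, /sbin/nologin, /bin/sync or /dev/null are not
# in /etc/shells, so those accounts cannot get an interactive login.
#
# Usage: login_capable_accounts PASSWD_FILE SHELLS_FILE
# Prints "user shell" per line, sorted by user name.
login_capable_accounts() {
    passwd_file=$1
    shells_file=$2
    awk -F: '
        # First file (/etc/shells): one path per line; skip comments and blanks
        FNR == NR { if ($0 !~ /^#/ && $0 != "") valid[$0] = 1; next }
        # Second file (/etc/passwd): field 7 is the login shell
        NF >= 7 && ($7 in valid) { print $1, $7 }
    ' "$shells_file" "$passwd_file" | sort
}

# Constructed sample data (not copied from any real system).
tmpdir=$(mktemp -d)
cat > "$tmpdir/shells" <<'EOF'
# /etc/shells: valid login shells
/bin/sh
/bin/bash
EOF
cat > "$tmpdir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
user:x:1000:1000::/home/user:/bin/bash
cart:x:1001:1001::/home/cart:/bin/bash
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
operator:x:11:0:operator:/root:/bin/bash
guest:x:405:100:guest:/dev/null:/dev/null
mysql:x:27:27:MySQL Server:/var/lib/mysql:/sbin/nologin
www-data:x:33:33:www-data:/var/www:/bin/false
EOF

# On a live system run: login_capable_accounts /etc/passwd /etc/shells
login_capable_accounts "$tmpdir/passwd" "$tmpdir/shells"
```

With the sample data only root, user, cart and operator come back; guest's /dev/null is not a valid shell, so that account cannot log in interactively even though it is not set to nologin.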