Linux
Console Access
When a user (root or not) logs in at the system console, some
additional features such as key combinations (Ctrl+Alt+Delete) are
available. This chapter covers how to restrict and control access to
the system console and which operations are permitted from it.
Shutdown via Ctrl+Alt+Del
By default the Upstart job file /etc/init/control-alt-delete.conf
reboots the system in response to the Ctrl+Alt+Del key combination
pressed at the console, by ANY user:
cat /etc/init/control-alt-delete.conf
# control-alt-delete - emergency keypress handling
#
# This task is run whenever the Control-Alt-Delete key combination is
# pressed. Usually used to shut down the machine.
start on control-alt-delete
exec /sbin/shutdown -r now "Control-Alt-Delete pressed"
* To disable this functionality completely, comment out the line 'exec /sbin/shutdown -r now "Control-Alt-Delete pressed"' by putting a hash mark (#) in front of it. Upstart picks up the changed job file by itself; 'initctl reload-configuration' forces a re-read.
* To allow only certain non-root users to shut down via Ctrl+Alt+Del at the console, substitute the line
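The steps above, rehearsed on a scratch copy of the job file before touching /etc/init. This is an added example, not code from the original page: it assumes an Upstart system (RHEL 6, older Ubuntu) where the job is /etc/init/control-alt-delete.conf, and the sample job text is constructed here to mirror the default shown above.

```shell
#!/bin/sh
# Added example, not part of the original page: harden the Upstart
# control-alt-delete job on a scratch copy first, then verify the result.
# Assumes an Upstart system where the job is /etc/init/control-alt-delete.conf
# (RHEL 6, older Ubuntu); the file paths are parameters so nothing here
# touches /etc/init until you pass the real path.

# Write the stock job text (constructed here to mirror the default) to $1.
cad_write_default_job() {
    cat > "$1" <<'EOF'
# control-alt-delete - emergency keypress handling
#
# This task is run whenever the Control-Alt-Delete key combination is
# pressed. Usually used to shut down the machine.

start on control-alt-delete
exec /sbin/shutdown -r now "Control-Alt-Delete pressed"
EOF
}

# Print "reboot" if the job still has a live "exec /sbin/shutdown" line
# (only leading whitespace before it), "disabled" otherwise.
cad_status() {
    if grep -qE '^[[:space:]]*exec[[:space:]]+/sbin/shutdown' "$1"; then
        echo reboot
    else
        echo disabled
    fi
}

# Comment out every live "exec /sbin/shutdown" line in job file $1.
# Idempotent: lines that are already comments are untouched and the
# backup is only taken the first time.
cad_disable() {
    job="$1"
    [ -e "$job.orig" ] || cp -p "$job" "$job.orig"
    awk '/^[ \t]*exec[ \t]+\/sbin\/shutdown/ { print "#" $0; next } { print }' \
        "$job" > "$job.tmp"
    cat "$job.tmp" > "$job"      # keep the original inode and permissions
    rm -f "$job.tmp"
    # Upstart notices changed job files by itself; to force a re-read on the
    # live system run:  initctl reload-configuration
}

# Rehearse on a scratch copy (never /etc/init).
cad_demo() {
    dir=$(mktemp -d)
    job="$dir/control-alt-delete.conf"
    cad_write_default_job "$job"
    echo "before: $(cad_status "$job")"
    cad_disable "$job"
    echo "after:  $(cad_status "$job")"
    rm -rf "$dir"
}

cad_demo
```

On the live system, run cad_status against /etc/init/control-alt-delete.conf as an audit check, and cad_disable as root to apply the change; the .orig backup makes reverting a single copy.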
Console Access
/etc/security/access.conf
This file is read by the pam_access module and controls access to the
console based on user or group and on where the login comes from (the
origin). Each line has three fields separated by a ":" character:
permission ("+" access granted, "-" access denied) : users/groups : origins
Lines are evaluated top to bottom and the first matching line decides; if no line matches, access is granted.
* For example, to deny console access to user kate:
1.- Enable the pam_access module in /etc/pam.d/login by adding, as the first 'account' line: "account required pam_access.so"
2.- Configure the access rule in /etc/security/access.conf (as root):
$ echo "-:kate:ALL" >> /etc/security/access.conf
Now console login is denied for user kate. Because the first matching line wins, make sure no earlier line such as "+:ALL:ALL" precedes this rule; and since only /etc/pam.d/login was changed, other services (sshd, gdm, ...) are unaffected unless their PAM stacks also include pam_access.
/etc/security/time.conf
This file is read by the pam_time.so module to restrict access to the
console by user, tty and time of day. Each line has four fields
separated by ";":
services;ttys;users;times
A line applies when its services, ttys and users fields match the login; access is then granted only if the current time falls within the times field. Logins that no line matches are not affected.
* For example, to allow user kate console access only on Mondays from 12:00 to 14:00:
1.- Enable the pam_time module in /etc/pam.d/login by adding, as the first 'account' line: "account required pam_time.so"
2.- Configure the rule in /etc/security/time.conf (as root):
$ echo "login;*;kate;Mo1200-1400" >> /etc/security/time.conf
Now console login for kate is allowed only on Mondays from 12:00 to 14:00; the login service on any tty (*) is covered, and other users are untouched by this line.
Console Program Access
Disabling console program access
In secured environments where you do not want any console user to run
the 'reboot', 'halt' or 'poweroff' commands (on Red Hat-style systems
these are consolehelper wrappers in /usr/bin that run the real program
as root on behalf of a console user), remove the corresponding files in
/etc/security/console.apps:
rm -f /etc/security/console.apps/reboot
rm -f /etc/security/console.apps/halt
rm -f /etc/security/console.apps/poweroff
By default any user logged in at the console can execute 'reboot', 'halt' or 'poweroff' !!!
Removing these entries only closes the consolehelper path; root can still run /sbin/reboot and friends directly.
To remove console-user access to every consolehelper-wrapped program at once (this also covers any administrative tools registered there):
rm -f /etc/security/console.apps/*
Enabling console access for any application via PAM
To control which console users may run system programs from /sbin or
/usr/sbin, use the consolehelper command, which authenticates console
users via PAM and then runs the real program as root:
1.- In /usr/bin create a link named after the application to control, pointing to /usr/bin/consolehelper. For example, to restrict access to the /usr/sbin/pwck command to certain users (as root):
$ cd /usr/bin
$ ln -s consolehelper pwck
2.- Create the file /etc/security/console.apps/application_name to allow application_name to be run from the console. In our case:
$ touch /etc/security/console.apps/pwck
3.- Create the PAM configuration file for the application. The easy way is to copy /etc/pam.d/halt to /etc/pam.d/application_name:
$ cp /etc/pam.d/halt /etc/pam.d/pwck
Then add, as the second line (i.e. before any auth module copied from halt): 'auth required pam_listfile.so onerr=fail item=user sense=allow file=/etc/pwck.allow'
Users listed in /etc/pwck.allow (john) will be allowed to execute '/usr/bin/pwck'; the rest (kate et al.) will not. /etc/pwck.allow must be a regular file owned by root and not world-writable: pam_listfile rejects it otherwise, and with onerr=fail that rejection denies everyone. Note that this governs the consolehelper wrapper only; /usr/sbin/pwck itself and its permissions are unchanged.
4.- Verify the result
Log in at the console as kate ('su - kate' is not a console login !!!)
kate-$ pwck
Nothing is done: authentication fails because kate is not listed.
Log in at the console as john ('su - john' is not a console login !!!)
john-$ pwck
user 'adm': directory '/var/adm' does not exist
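The four steps above scripted for one application, against a root prefix so they can be rehearsed in a scratch directory before being applied for real, together with a dry-run of the pam_listfile decision. This is an added example, not code from the original page. It assumes the Red Hat consolehelper/userhelper layout; the halt template is constructed here to mirror the stock /etc/pam.d/halt and is only written when the prefix has none. Prefix "" means the real system, which must be done as root.

```shell
#!/bin/sh
# Added example, not part of the original page: the four consolehelper steps
# above scripted for one application, against a root prefix so they can be
# rehearsed in a scratch directory (prefix "" means the real system, run as
# root). Assumes the Red Hat consolehelper/userhelper layout; the halt
# template is constructed here to mirror the stock /etc/pam.d/halt and is
# only written when the prefix has none.

write_halt_template() {
    cat > "$1" <<'EOF'
#%PAM-1.0
auth       sufficient   pam_rootok.so
auth       required     pam_console.so
#auth       include      system-auth
account    required     pam_permit.so
EOF
}

# consolehelper_wrap PREFIX APP USER...   e.g.  consolehelper_wrap "" pwck john
consolehelper_wrap() {
    root="$1"; app="$2"; shift 2
    mkdir -p "$root/usr/bin" "$root/etc/security/console.apps" "$root/etc/pam.d"
    # 1. /usr/bin/APP -> consolehelper (relative link, as on the page)
    rm -f "$root/usr/bin/$app"
    ln -s consolehelper "$root/usr/bin/$app"
    # 2. console.apps entry; an empty file is enough
    : > "$root/etc/security/console.apps/$app"
    # 3. PAM stack: copy of halt with pam_listfile inserted as line 2, i.e.
    #    before any auth module copied from halt, so the allow-list is
    #    consulted first
    [ -f "$root/etc/pam.d/halt" ] || write_halt_template "$root/etc/pam.d/halt"
    rule="auth       required     pam_listfile.so onerr=fail item=user sense=allow file=/etc/$app.allow"
    awk -v r="$rule" 'NR == 2 { print r } { print }' "$root/etc/pam.d/halt" > "$root/etc/pam.d/$app"
    # Allow-list, one user per line. pam_listfile refuses a file that is
    # world-writable or not a regular file, and with onerr=fail that refusal
    # denies everybody, so fix the mode (and the owner, when running as root).
    for u in "$@"; do printf '%s\n' "$u"; done > "$root/etc/$app.allow"
    chmod 0644 "$root/etc/$app.allow"
    if [ "$(id -u)" -eq 0 ]; then chown root:root "$root/etc/$app.allow"; fi
}

# Dry-run of the pam_listfile decision for PREFIX APP USER: prints allow or
# deny, applying the same file sanity check the module applies.
consolehelper_may_run() {
    root="$1"; app="$2"; user="$3"; f="$root/etc/$app.allow"
    if [ ! -f "$f" ] || [ -n "$(find "$f" -prune -perm -002 -print)" ]; then
        echo "$f missing, not a regular file, or world-writable: onerr=fail denies" >&2
        echo deny
        return 0
    fi
    if grep -qx "$user" "$f"; then echo allow; else echo deny; fi
}
```

After consolehelper_wrap "" pwck john on the live system, consolehelper_may_run "" pwck john prints allow and the same for kate prints deny; a stray chmod o+w /etc/pwck.allow turns both into deny, which is the onerr=fail behaviour the dry-run reproduces.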