  1. #1
    Just Joined!
    Join Date
    Jul 2006
    Posts
    22

    How to create a user with least privileges on Linux?


    I want to create a user such that
    1) the user should not have network access
    2) the user should be given permission to access (read/write) a particular directory only

    Is it doable in Linux (RHEL5)? And what commands make it? Maybe a script would also help me..

    Thanks in Advance

  2. #2
    Linux Engineer
    Join Date
    Apr 2012
    Location
    Virginia, USA
    Posts
    893
    Check out this link:
    Block Outgoing Network Access For a Single User Using Iptables

    As far as limiting permissions to a single directory, standard Linux permissions should suffice.

    If you intend to have multiple users set up this way, you can add them all to some group, and give that group access to only that folder.

  3. #3
    Linux Newbie
    Join Date
    Apr 2012
    Posts
    112
    Quote Originally Posted by mizzle View Post
    Check out this link:
    Block Outgoing Network Access For a Single User Using Iptables

    As far as limiting permissions to a single directory, standard Linux permissions should suffice.

    If you intend to have multiple users set up this way, you can add them all to some group, and give that group access to only that folder.
    I wasn't aware of this feature of iptables.

    One learns something new every day.

  4. #4
    Just Joined!
    Join Date
    Jul 2006
    Posts
    22

    Update

    I created a random user
    #sudo adduser misc   # create user
    #sudo passwd misc    # set password

    then used the below
    #sudo /sbin/iptables -A OUTPUT -o eth0 -m owner --uid-owner misc -j DROP
    #sudo service iptables save

    Then I tried logging in to my host using the new user
    #ssh misc@hostname
    #/sbin/ifconfig still gives me eth0 details..

    from which I am still able to ping other hosts.. i.e., it still has n/w access..

    I tried
    #sudo /sbin/iptables -A OUTPUT -o eth0 -m owner --uid-owner misc -j REJECT
    #sudo service iptables save

    But still no luck!!!!

    Am I doing anything wrong?

    Thanks in advance!

  5. #5
    Trusted Penguin
    Join Date
    May 2011
    Posts
    4,353
    This simple test worked for me:

    Code:
    useradd joeblow
    echo password|passwd --stdin joeblow
    iptables --new-chain chk_joeblow_user
    iptables -A OUTPUT -m owner --uid-owner joeblow -j chk_joeblow_user
    iptables -A chk_joeblow_user -j REJECT
    iptables-save
    I am then able to ssh in to this box as user joeblow, but network commands (ping, ssh, nmap) all fail.

    Edit: if you need to, stick "sudo" in front of those commands
    Last edited by atreyu; 05-17-2012 at 11:48 PM. Reason: sudo

  6. #6
    Just Joined!
    Join Date
    Jul 2006
    Posts
    22
    Thanks a lot for the commands.
    I am able to create such a user with the above commands.. it indeed restricted ssh, nmap, ping to some extent.

    ping doesn't work for hostnames registered in a domain or hosts under a domain controller. But the user is indeed able to ping using an IP.

    $ ping gmail.com
    ping: unknown host gmail.com

    $ ping 209.85.143.19 // this is gmails IP.
    PING 209.85.143.19 (209.85.143.19) 56(84) bytes of data.
    64 bytes from 209.85.143.19: icmp_seq=1 ttl=51 time=178 ms
    64 bytes from 209.85.143.19: icmp_seq=1 ttl=51 time=178 ms

    Basically, to me it looks like it still has network access, but "the user has been restricted to an extent where it couldn't find domain controllers to get the IP of a hostname".

    Also, 'nslookup' doesn't work for this user...

    $ nslookup gmail.com
    ;; connection timed out; no servers could be reached

    We are almost there.
    Can we completely disable network access for this user? I need to create this user and I don't want this user to get connected to the network in any way.
    I want to perform certain actions as "this user" in a controlled manner (i.e., one who doesn't have access to the network).

    Thanks & Regards

  7. #7
    Trusted Penguin
    Join Date
    May 2011
    Posts
    4,353
    That's odd. On my system (Fedora 16), joeblow cannot ping, either via hostname or IP address.

    You can try specifically adding a rule to block outbound ping, e.g.:

    Code:
    iptables -A chk_joeblow_user -p icmp --icmp-type echo-request -j DROP

  8. #8
    Just Joined!
    Join Date
    Jul 2006
    Posts
    22
    Mine belongs to the same distro.. RHEL5...

    I tried the above command..
    $sudo iptables -A chk_misc1_user -p icmp --icmp-type echo-request -j DROP
    $echo $? ~
    0
    $sudo iptables-save
    $echo $? ~
    0

    But still, the user is able to ping an IP. Not sure what's going wrong...

    Can we just disable access to the ethernet card itself, "eth0", so that we cannot even do an ssh as "that user"? Then I can have scripts to run as "that user".. ?

  9. #9
    Trusted Penguin
    Join Date
    May 2011
    Posts
    4,353
    If you are using sudo, it makes me think you are running some *buntu flavor.

    Anyway, maybe you need to drop INPUT ICMP packets, too. Maybe try something like this:
    Code:
    -A INPUT -p icmp -m icmp --icmp-type echo-reply -j REJECT --reject-with icmp-host-prohibited
    -A INPUT -p icmp -m icmp --icmp-type echo-request -j REJECT --reject-with icmp-host-prohibited
    -A OUTPUT -m owner --uid-owner joeblow -p icmp -m icmp --icmp-type echo-reply -j REJECT --reject-with icmp-host-prohibited
    -A OUTPUT -m owner --uid-owner joeblow -p icmp -m icmp --icmp-type echo-request -j REJECT --reject-with icmp-host-prohibited
    With the above rules, other regular users can still ping, but not joeblow...
    Last edited by atreyu; 05-18-2012 at 03:34 AM. Reason: typo
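The two pieces discussed in this thread, a per-user egress block with an iptables owner match (posts #2, #5, #7 and #9) and a directory reachable through one group (post #2), as one script. This is an added example, not code from any of the posters; the user, group, chain and directory names are constructed placeholders. Unlike the first attempt in post #4, the rules carry no "-o eth0": the owner match keys on the uid of the socket that sent the packet, so a single REJECT in the user's chain covers every interface and protocol, DNS lookups and ICMP included, and the separate echo-request rules become unnecessary. An incoming ssh session is unaffected because the accepted socket belongs to sshd, which is why the posters could still log in as the restricted user. One caveat a practitioner should expect: a setuid-root binary opens its socket as root, so the traditional setuid ping (RHEL 5 ships it that way; Fedora 16 grants ping its privilege through file capabilities instead) is not matched by a uid rule, which fits the difference between the RHEL 5 and Fedora observations above.

```shell
#!/bin/sh
# Added example, not code from the thread: generate (and optionally apply)
# the per-user egress block and the group-restricted directory discussed
# above. User/group/chain/directory names are constructed placeholders.
set -eu

# Print the iptables commands that send every packet owned by USER's sockets
# to a dedicated chain and reject it there. One chain per user keeps the
# policy auditable and reversible (flush + delete the chain, drop the jump).
# No "-o eth0": the uid match already covers all interfaces and protocols.
egress_rules() {
    user=$1
    chain=$2
    cat <<EOF
iptables -N $chain
iptables -A OUTPUT -m owner --uid-owner $user -j $chain
iptables -A $chain -j REJECT
EOF
}

# Print the commands that give USER read/write to DIR through GROUP only.
# Mode 2770: owner and group get rwx, others nothing, setgid bit so files
# created inside inherit GROUP. groupadd -f succeeds if the group exists.
dir_rules() {
    user=$1
    group=$2
    dir=$3
    cat <<EOF
groupadd -f $group
usermod -a -G $group $user
chgrp $group $dir
chmod 2770 $dir
EOF
}

# Post-apply check that also works on the old iptables 1.3.x of RHEL 5
# (no -C/-S there): the chain exists and contains a REJECT target.
egress_check() {
    chain=$1
    iptables -n -L "$chain" 2>/dev/null | grep -q REJECT
}

# Usage (as root):
#   sh restrict_user.sh print misc chk_misc_user sandbox /srv/sandbox
#   sh restrict_user.sh apply misc chk_misc_user sandbox /srv/sandbox
case "${1:-}" in
    print)
        egress_rules "$2" "$3"
        dir_rules "$2" "$4" "$5"
        ;;
    apply)
        { egress_rules "$2" "$3"; dir_rules "$2" "$4" "$5"; } | sh -e
        egress_check "$3" && echo "egress chain $3 in place"
        ;;
esac
```

Run it with "print" first to review the commands, then "apply"; on RHEL 5 the rules are persisted afterwards with `service iptables save`, as in the thread. If the restricted user needs purely local services (an X display, nscd), insert `iptables -A $chain -o lo -j ACCEPT` ahead of the REJECT. The 2770 mode grants the one directory but revokes nothing elsewhere: files that are world-readable stay readable to this user, which is what "standard Linux permissions" mean by default.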

  10. #10
    Just Joined!
    Join Date
    Jul 2006
    Posts
    22
    It's not a *debian distro. I am using RHEL.
    Hey, it did work. Now if I log in as that user, I am not able to ping even with an IP.

    Thanks for the timely help..

    And still an open Q:
    *Can't we block eth0 card access for a Unix user?
    Last edited by vnykr; 05-18-2012 at 05:52 AM.
