Post 302519689 by netfreighter on Wednesday 4th of May 2011 06:20:37 PM
nix User Access Restrictions to Network, USB ports, PCMCIA, CDROM

How to create a user account on a Linux desktop machine with restrictions on connecting to the LAN, WAN, PCMCIA ports, Firewire, CDROM and generally any user controllable output options?

I have the task to set up a machine for users working with sensitive data that should not be leaving the machine where it is processed.

This means disabling access to the ethernet device, lan, all other ports as mentioned earlier, and any other way of leaking the data.

In Mac OSX this was achieved using "Parental controls" from the System Preferences; this even allows a selection of the applications that can be used. Under XP, Device Manager offers the option to click various devices and "Disable" them, which worked so far just fine. Some will point out that the security of the latter OS may be easy to circumvent in other ways, but that has been mitigated with other measures and it's not the point anyway. For the operator users in question, the aforementioned measure proved successful and worked.
Using OSX and XP to do this was a 10-15 minutes job with testing included.
So far all guides and tutorials pointed to useradd, groups and facl, but in actual practical terms did not help at all; in fact most of the research did not render any practical results so far. I surely don't expect to point and click, and would gladly run a set of commands from the CLI. If I had them.

I would really like to achieve the same restricted user account configuration in a concise, comprehensive and practical manner under Linux too. Preferably tested on humans before, and known to be working, of course...
The machines that need to be set up are two laptops running Ubuntu.

So how can this be accomplished in Linux? Or, a mainstream Unix flavour that is available as OSS, presumably that would not work so very differently.

Thanks.
natutil(8)                      BSD System Manager's Manual                      natutil(8)

NAME
     natutil -- Query and configure supported Network Address Translation (NAT) devices

SYNOPSIS
     natutil [-vx] [-a auth] [-n name] {-1 | -d | -m | -s | -i | -L}
     natutil [-vx] [-a auth] [-n name] {-t | -u} {-T | -U} -p ports

DESCRIPTION
     natutil uses the ACP protocol to detect, configure, and extract status information from Internet gateway devices (IGDs) (such as AirPort Base Stations) on the local network. Since most IGDs provide Network Address Translation (NAT) service, they are often interchangeably referred to as "NAT devices" or simply "NATs".

     The first synopsis line (with the exception of -L) returns various information from NAT devices. The second invocation modifies settings on the device. After modifying settings, AirPort Base Stations must be rebooted for the changes to take effect. (servermgrd(8) also reboots the AirPort Base Station when it modifies port mappings.)

OPTIONS
     The following options / commands are available:

     -1         Only return data if the IGD found is also our current gateway. [AirPort only] Will only return if this base station can be autoconfigured.

     -a auth    [AirPort only] The authentication string to use when communicating with a device protected with a password other than the default "public". Used mostly for scripted operation. Use -i to get the authentication string interactively.

     -i         Get the authentication string interactively. This is preferred over -a for security reasons.

     -d         Reports the IGDs (Internet Gateway Devices) that were found during the discovery.

     -m         Retrieves the port mapping table from the NAT.

     -n name    The prefix of the targeted NAT device's name (useful in a LAN with multiple NAT devices).

     -p ports   A comma-separated list of the ports to tap or untap. Must be used with -t or -u.

     -s         Retrieves the WAN & LAN status and configuration from the IGD.

     -t         Configures the NAT to forward the given ports to this machine. Requires -p and either -T or -U.

     -u         Removes the given ports from the NAT's port forwarding rules. Requires -p and either -T or -U.

     -v         Verbose output. Provides progress and status information on standard output.

     -x         XML output. This option provides the most information.

     -L         [AirPort only] Convert existing DHCP lease into a static reservation so the host will receive the same IP address after each reboot.

     -T         Ports will be tapped / untapped for the TCP protocol. Must be used with -t or -u.

     -U         Ports will be tapped / untapped for the UDP protocol. Must be used with -t or -u.

SEE ALSO
     ifconfig(8), ipconfig(8)

Mac OS X Server 10.5                  July 23, 2007                  Mac OS X Server 10.5
Unix & Linux Forums Content Copyright 1993-2022. All Rights Reserved.