05-04-2011
nix User Access Restrictions to Network, USB ports, PCMCIA, CDROM
How to create a user account on a Linux desktop machine with restrictions on connecting to the LAN, WAN, PCMCIA ports, Firewire, CDROM and generally any user controllable output options?
I have the task to set up a machine for users working with sensitive data that should not be leaving the machine where it is processed.
This means disabling access to the ethernet device, lan, all other ports as mentioned earlier, and any other way of leaking the data.
In Mac OSX this was achieved using "Parental controls" from the System preferences; this even allows a selection of the applications that can be used. Under XP, Device Manager offers the option to click various devices and "Disable" them, which worked so far just fine. Some will point out that the latter OS's security may be easy to circumvent in other ways, but that has been mitigated with other measures and it's not the point anyway. For the operator users in question, the aforementioned measure proved successful and worked.
Using OSX and XP to do this was a 10-15 minutes job with testing included.
So far all guides and tutorials pointed to useradd, groups and facl, but in actual practical terms did not help at all; in fact most of the research did not render any practical results so far. I surely don't expect to point and click, and would gladly run a set of commands from the CLI. If I had them.
I would really like to achieve the same restricted user account configuration in a concise, comprehensive and practical manner under Linux too. Preferably tested on humans before, and known to be working, of course...
The machines that need to be set up are two laptops running Ubuntu.
So how can this be accomplished in Linux? Or, a mainstream Unix flavour that is available as OSS, presumably that would not work so very differently.
Thanks.
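What the post asks for on Ubuntu, as an added example that is not part of the original thread: the account name restricted, the iptables owner match, the module names and the iptables-persistent path /etc/iptables/rules.v4 are assumptions; the generated files go under $ROOT so they can be inspected on a scratch tree before anything is applied.

```shell
#!/bin/sh
# Added example, not from the thread. Locks one Ubuntu account ("restricted",
# an assumed name) out of the network and blocks removable-media drivers
# system-wide. Assumes iptables with the owner match, modprobe.d, and the
# iptables-persistent rules file path. ROOT (default "") redirects the
# generated files to a scratch tree for inspection.
ROOT="${ROOT:-}"
USER_NAME="${2:-restricted}"

# Outbound packets created by the account's own processes are logged, then
# dropped. Other accounts (updates, admin access) are untouched.
net_rules() {
    cat <<EOF
*filter
-A OUTPUT -m owner --uid-owner $1 -j LOG --log-prefix "restricted-net: "
-A OUTPUT -m owner --uid-owner $1 -j DROP
COMMIT
EOF
}

# Kernel modules for USB mass storage, FireWire, PCMCIA and optical drives
# are mapped to /bin/false so modprobe (and autoload) can never insert them.
# USB keyboards and mice keep working because usbhid is not on the list.
# Already-loaded modules stay until rmmod or reboot; drivers built into the
# kernel are not affected by this file.
media_block() {
    for m in usb_storage uas firewire_core firewire_ohci sbp2 \
             pcmcia pcmcia_core yenta_socket sr_mod cdrom; do
        echo "install $m /bin/false"
    done
}

write_config() {
    mkdir -p "$ROOT/etc/iptables" "$ROOT/etc/modprobe.d"
    net_rules "$USER_NAME" > "$ROOT/etc/iptables/rules.v4"
    media_block > "$ROOT/etc/modprobe.d/no-removable-media.conf"
}

# Membership in these groups is how Ubuntu hands out device access; removing
# the account from them closes the remaining local routes.
strip_groups() {
    for g in cdrom plugdev netdev dialout floppy; do
        gpasswd -d "$USER_NAME" "$g" 2>/dev/null || true
    done
}

# Only "apply" touches the live system; any other invocation just defines
# the functions above. Usage: sh restrict.sh apply [account]
if [ "${1:-}" = apply ]; then
    write_config && strip_groups
    iptables-restore < "$ROOT/etc/iptables/rules.v4"
    echo "Applied for $USER_NAME; reboot or rmmod to unload loaded drivers."
fi
```

Verify afterwards from the restricted account that `ping` and `wget` fail while root still has network, and that `lsmod` shows none of the listed modules after a reboot.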
UHSO(4) BSD Kernel Interfaces Manual UHSO(4)
NAME
uhso -- Option N.V. Wireless WAN modem driver
SYNOPSIS
uhso* at uhub? port ?
HARDWARE
The uhso driver supports at least the following adapters:
GlobeSurfer HSUPA
GlobeSurfer iCON 7.2
GlobeTrotter Express 40x
GlobeTrotter Express HSUPA
GlobeTrotter HSUPA
GlobeTrotter Max HSDPA
GlobeTrotter Module 382
GlobeTrotter iCON 225
GlobeTrotter iCON 321
GlobeTrotter iCON 322
GlobeTrotter iCON 401
GlobeTrotter iCON 505
GlobeTrotter iCON EDGE
DESCRIPTION
The Option N.V. modems appear at first as a umass(4) device containing the Windows and MacOS drivers and, upon receipt of a SCSI "REZERO UNIT" command, will detach from the USB bus and reattach as a Wireless WAN modem. Unless disabled by clearing the sysctl(8) variable hw.uhso.autoswitch, the driver will handle that automatically.
The modems provide a number of IO channels spread over several USB interfaces which are mapped by function to a standard port number in each driver instance. The defined channels are:
Channel Name    Port
Control         0
Diagnostic      1
Diagnostic 2    2
Application     3
Application 2   4
GPS             5
GPS Control     6
PC Smartcard    7
Modem           8
MSD             9
Voice           10
Network         11
Apart from the Network port, which is attached as a network interface, the ports are attached as tty(4) devices using the port number as the minor device number. In order to connect using pppd(8), the Modem tty should be used (e.g. /dev/ttyHS0.08).
The Network port provides a direct IPv4 interface, but before this can be used the modem needs to be placed in connected mode and the network settings subsequently retrieved using the proprietary "_OWANCALL" and "_OWANDATA" AT commands on the Control port.
Note that the Modem and Network ports should not be enabled at the same time, for USB performance reasons.
FILES
/dev/ttyHS?.??
/dev/dtyHS?.??
/dev/ctyHS?.??
SEE ALSO
intro(4), netintro(4), tty(4), uhub(4), usb(4), ifconfig(8)
HISTORY
This driver originated as the hso module for FreeBSD written by Frederik Lindberg. It was rewritten for NetBSD, and to provide more complete device support with information extracted from the hso driver for Linux provided by Option N.V.
The rewrite and this manual page are by Iain Hibbert.
BSD                             August 26, 2011                             BSD