After searching it doesn't look like LDAP or Kerberos will do this. Apparently there is no attribute for it in LDAP and there really is no way for it to work from an LDAP perspective. There's no logout from LDAP, so it would never be able to decrement the login count.
Given this, it appears that the solution will have to be ad hoc.
You'll need a service that monitors /var/run/utmp or the command w (shows users currently logged in) on each machine and reports it to a central server by some mechanism (NFS mount + text file, for example).
Then, you'll need a login script that kicks the user out if they've exceeded the limit of concurrent logins. The login script would read from the central server what the current login count is. Alternatively, you could have a service that modifies the maxlogins in /etc/security/limits.conf based on the value of the login count retrieved from the central server:
maxlogins = $total_logins - $current_logins
Basically, the most important consideration is that the users don't have permission to change the login count themselves or they could just manually change the value to allow more logins.
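The reporter and the login-time check sketched in this answer, written out as plain shell. This is an added example, not code from the original answer. It assumes each host appends one "user host tty" line per session to a shared file on the central server (an NFS mount, say), that this file is root-owned and not writable by ordinary users (the point made in the last paragraph), and GNU stat for the ownership check; the login lines and sample data are constructed.

```shell
#!/bin/sh
# Added example (not from the original answer): the per-host reporter and
# the login-time check described above.
# Assumptions: every host appends one "user host tty" line per session to
# a shared file on the central server (e.g. an NFS mount); that file is
# root-owned and not writable by ordinary users.

# report_from_who HOST: turns `who` output read on stdin into central-file
# lines. `who` prints "user tty date time (from)"; we keep user and tty.
report_from_who() {
    awk -v h="$1" 'NF >= 2 { print $1, h, $2 }'
}

# count_logins USER FILE: number of sessions USER has in the central file
count_logins() {
    awk -v u="$1" '$1 == u { n++ } END { print n + 0 }' "$2"
}

# mode_is_private MODE: 0 when an octal mode (as printed by `stat -c %a`,
# e.g. 644) has neither the group nor the world write bit set. The central
# file must pass this test, or users could edit their own count.
mode_is_private() {
    case "$1" in
        *[2367][0-7]) return 1 ;;   # group write bit set
        *[2367])      return 1 ;;   # world write bit set
    esac
    return 0
}

# file_is_trusted FILE: root-owned and mode_is_private (GNU stat assumed)
file_is_trusted() {
    [ "$(stat -c %u "$1")" = 0 ] && mode_is_private "$(stat -c %a "$1")"
}

# check_login USER LIMIT FILE: run from the login script (e.g. pam_exec or
# /etc/profile) while the new session is being opened. The new session is
# not yet in the central file, so LIMIT existing sessions already means
# "over the limit". Returns 1 to tell the caller to kick the user out.
check_login() {
    user=$1; limit=$2; file=$3
    current=$(count_logins "$user" "$file")
    if [ "$current" -ge "$limit" ]; then
        echo "$user: $current of $limit allowed logins already in use" >&2
        return 1
    fi
    return 0
}

# Constructed sample of the central file (normally written by the hosts)
SAMPLE_REPORT='alice host1 pts/0
alice host2 pts/1
bob host1 pts/2
alice host3 pts/0'

demo() {
    f=$(mktemp) || return 1
    printf '%s\n' "$SAMPLE_REPORT" > "$f"
    check_login bob 3 "$f"   && echo "bob: allowed"     # allowed (1 < 3)
    check_login alice 3 "$f" || echo "alice: denied"    # denied (3 >= 3)
    rm -f "$f"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run with `sh script.sh demo` to see the constructed data evaluated; on a real host the reporter would be `who | report_from_who "$(hostname)" >> /central/logins` and check_login would be called from the login path with the real file, after file_is_trusted has confirmed it cannot have been edited by the user.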
Short answer: you can't. Ports below 1024 can be opened only by root. As per comment - well, you can, using CAP_NET_BIND_SERVICE, but that approach, applied to the java binary, will make any Java program run with this setting, which is undesirable, if not a security risk.
The long answer: you can redirect connections on port 80 to some other port you can open as normal user.
Run as root:
# iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080
As loopback devices (like localhost) do not use the prerouting rules, if you need to use localhost, etc., add this rule as well (thanks @Francesco):
# iptables -t nat -I OUTPUT -p tcp -d 127.0.0.1 --dport 80 -j REDIRECT --to-ports 8080
NOTE: The above solution is not well suited for multi-user systems, as any user can open port 8080 (or any other high port you decide to use), thus intercepting the traffic. (Credits to CesarB).
EDIT: as per comment question - to delete the above rule:
# iptables -t nat --line-numbers -n -L
This will output something like:
Chain PREROUTING (policy ACCEPT)
num target prot opt source destination
1 REDIRECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:8080 redir ports 8088
2 REDIRECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 redir ports 8080
The rule you are interested in is nr. 2, so to delete it:
# iptables -t nat -D PREROUTING 2
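A script that manages the two REDIRECT rules from this answer idempotently and removes them by exact rule spec. This is an added example, not code from the original answer. The ports are assumptions, and the rule-reading helpers take `iptables -t nat -S` output on stdin (a constructed sample is embedded) so they can be exercised without root. Deleting by line number, as above, works interactively but is fragile in a script: the numbers shift whenever a rule is inserted above, so a saved `-D PREROUTING 2` can hit the wrong rule.

```shell
#!/bin/sh
# Added example, not part of the original answer. Manages the 80 -> 8080
# REDIRECT rules idempotently and removes them by exact rule spec rather
# than by line number. Ports are assumptions; the read-only helpers take
# `iptables -t nat -S` output on stdin so they run without root.

DPORT=${DPORT:-80}     # privileged port clients connect to (assumed)
TPORT=${TPORT:-8080}   # unprivileged port the service binds (assumed)

# ipt_rule OP CHAIN [DEST]: runs `iptables -t nat OP CHAIN <spec>` with the
# same spec for -A (append), -C (check) and -D (delete).
ipt_rule() {
    op=$1; chain=$2; dest=$3
    if [ -n "$dest" ]; then
        iptables -t nat "$op" "$chain" -p tcp -d "$dest" --dport "$DPORT" -j REDIRECT --to-ports "$TPORT"
    else
        iptables -t nat "$op" "$chain" -p tcp --dport "$DPORT" -j REDIRECT --to-ports "$TPORT"
    fi
}

# ensure_redirect CHAIN [DEST]: add the rule only if -C says it is missing,
# so re-running the script does not stack duplicate REDIRECTs.
ensure_redirect() {
    ipt_rule -C "$1" "$2" 2>/dev/null || ipt_rule -A "$1" "$2"
}

# remove_redirect CHAIN [DEST]: delete by spec; quiet if already gone.
remove_redirect() {
    ipt_rule -D "$1" "$2" 2>/dev/null || true
}

# list_redirects: from `iptables -t nat -S CHAIN` output on stdin, print
# "dport to-port" for every REDIRECT rule.
list_redirects() {
    awk '$1 == "-A" && /-j REDIRECT/ {
        d = t = "?"
        for (i = 1; i <= NF; i++) {
            if ($i == "--dport")    d = $(i + 1)
            if ($i == "--to-ports") t = $(i + 1)
        }
        print d, t
    }'
}

# delete_cmds DPORT: turn the -A lines for DPORT into ready-to-run -D
# commands. Because the spec is copied verbatim, it cannot hit the wrong
# rule the way a stale line number can.
delete_cmds() {
    awk -v p="$1" '$1 == "-A" && /-j REDIRECT/ {
        for (i = 1; i <= NF; i++)
            if ($i == "--dport" && $(i + 1) == p) { $1 = "-D"; print "iptables -t nat " $0 }
    }'
}

# Constructed sample of `iptables -t nat -S PREROUTING` output
SAMPLE_RULES='-P PREROUTING ACCEPT
-A PREROUTING -p tcp -m tcp --dport 8080 -j REDIRECT --to-ports 8088
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080'

case "${1:-}" in
    apply)  ensure_redirect PREROUTING; ensure_redirect OUTPUT 127.0.0.1 ;;
    remove) remove_redirect PREROUTING; remove_redirect OUTPUT 127.0.0.1 ;;
    show)   iptables -t nat -S PREROUTING | list_redirects ;;
    *)      printf '%s\n' "$SAMPLE_RULES" | list_redirects ;;   # offline demo
esac
```

`sh script.sh apply` and `sh script.sh remove` need root; `sh script.sh` with no argument parses the embedded sample. The caveat from the answer still applies: REDIRECT only moves the destination port, so on a multi-user box any local user can bind 8080 first and receive the traffic.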
I won't go into detail on how SELinux is set up or how one creates a SELinux policy. This might be a good starting point for getting familiar with SELinux.
To address your problem with SELinux, try this:
1. Assign a type to the network interface you would like to restrict.
2. Assign labels to traffic passing through the interface. This example assigns the type foo_peer_t to all IPv4 and IPv6 traffic.
3. Add rules to allow packet flow:
   - Traffic entering
   - Traffic leaving
Replace user_t with the type assigned to the user you wish to restrict.