Linux server – centralized user management

linux

I'm setting up a couple of linux servers (with ssh,apache,gitolite), but I want centralized user management. So far I've set-up LDAP directory support, which works great. But here's the catch: I want certain user U to have different access to server A than to server B. Let's say I want user U to have access specifications like this:
– server A: access to home folder only
– server B: access to home folder and /mnt/ folder
– server C: on this server the user U is root user

I also want to be able to quickly change the permissions: revert/grant user permissions, like granting user U to change everything in /mnt.

So main question is: what should I look into (kerberos, radius, …?) that support different access regulations (permissions) on different servers.

Thanks

Best Answer

A simple but useful login restriction mechanism is available in most distros under /etc/security/access.conf to define access rules for 'user A is allowed to login to Hosts A, B and C but not D' type configurations. You can specify by group, by user, from hosts, from subnet, etc.

As others have mentioned, you can control the deployment of such changes with a tool like cfengine or puppet.

And also as others have mentioned, you can use 'sudo' (configured via /etc/sudoers) to control root-like access to specific binaries from accounts or groups in LDAP. It's quite flexible. man sudo / man sudoers

And one more time as others have mentioned, you can use POSIX ACLs if classic user/group/other rwx permissions are insufficient to control access to filesystem objects by group or by user.

Related Solutions

Linux – How to run a server on port 80 as a normal user on Linux

Short answer: you can't. Ports below 1024 can be opened only by root. As per comment - well, you can, using CAP_NET_BIND_SERVICE, but that approach, applied to java bin will make any java program to be run with this setting, which is undesirable, if not a security risk.

The long answer: you can redirect connections on port 80 to some other port you can open as normal user.

Run as root:

# iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080

As loopback devices (like localhost) do not use the prerouting rules, if you need to use localhost, etc., add this rule as well (thanks @Francesco):

# iptables -t nat -I OUTPUT -p tcp -d 127.0.0.1 --dport 80 -j REDIRECT --to-ports 8080

NOTE: The above solution is not well suited for multi-user systems, as any user can open port 8080 (or any other high port you decide to use), thus intercepting the traffic. (Credits to CesarB).

EDIT: as per comment question - to delete the above rule:

# iptables -t nat --line-numbers -n -L

This will output something like:

Chain PREROUTING (policy ACCEPT)
num  target     prot opt source               destination         
1    REDIRECT   tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:8080 redir ports 8088
2    REDIRECT   tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80 redir ports 8080

The rule you are interested in is nr. 2, so to delete it:

# iptables -t nat -D PREROUTING 2

Linux – push commits to git (gitolite) repository messes up file permissions (no more trac access)

setting the umask/default umask has no effect because gitolite has it's own setting.

at ~/.gitolite.rc

$REPO_UMASK = 0027;

set it as you like :)

Best Answer

Related Solutions

Linux – How to run a server on port 80 as a normal user on Linux

Linux – push commits to git (gitolite) repository messes up file permissions (no more trac access)

Related Topic